Commit
* add a basic kustomize install
  Signed-off-by: craig <[email protected]>
  rh-pre-commit.version: 2.2.0
  rh-pre-commit.check-secrets: ENABLED
* Update config/install/README.md
  Co-authored-by: Rachel Lawton <[email protected]>
* Add observability steps and configuration (#1006)
  Signed-off-by: David Martin <[email protected]>
* updates for install doc
  Signed-off-by: craig <[email protected]>
  rh-pre-commit.version: 2.2.0
  rh-pre-commit.check-secrets: ENABLED
  Update observability resources to use gateway-system namespace (#969)
  Signed-off-by: David Martin <[email protected]>
  add example for external api usage
* remove links
  Signed-off-by: craig <[email protected]>
  rh-pre-commit.version: 2.2.0
  rh-pre-commit.check-secrets: ENABLED
* Update config/install/README.md
  Co-authored-by: Rachel Lawton <[email protected]>
* Update config/install/README.md
  Co-authored-by: Rachel Lawton <[email protected]>
* Update config/install/README.md
  Co-authored-by: Rachel Lawton <[email protected]>
* Update config/install/README.md
  Co-authored-by: Rachel Lawton <[email protected]>
* Apply suggestions from code review
  Co-authored-by: Rachel Lawton <[email protected]>
* Update config/install/README.md
  Co-authored-by: Rachel Lawton <[email protected]>
* remove links update multi cluster options
  Signed-off-by: craig <[email protected]>
  rh-pre-commit.version: 2.2.0
  rh-pre-commit.check-secrets: ENABLED
* fix indent
  Signed-off-by: craig <[email protected]>
  rh-pre-commit.version: 2.2.0
  rh-pre-commit.check-secrets: ENABLED
* re-add changes
  Signed-off-by: craig <[email protected]>
  rh-pre-commit.version: 2.2.0
  rh-pre-commit.check-secrets: ENABLED
* re-add changes
  Signed-off-by: craig <[email protected]>
  rh-pre-commit.version: 2.2.0
  rh-pre-commit.check-secrets: ENABLED
* Update config/install/README.md
  Co-authored-by: Rachel Lawton <[email protected]>
---------
Signed-off-by: David Martin <[email protected]>
Co-authored-by: Rachel Lawton <[email protected]>
Co-authored-by: David Martin <[email protected]>
Commit 526b0c9 (1 parent: 5e9176b). Showing 33 changed files with 879 additions and 21 deletions.
@@ -23,6 +23,7 @@ testbin/* | |
.vscode | ||
*.swp | ||
*.swo | ||
*.env | ||
*~ | ||
/kuadrant-operator | ||
tmp | ||
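Review bot: the new `*.env` ignore entry in this hunk is the right guard for the `*-credentials.env` and `datasource.env` files the rest of this commit asks users to create under `config/`, but a gitignore rule only affects untracked files. Worth adding a one-line check to the install docs (`git ls-files '*.env'` should print nothing) so that a file added before this rule, or force-added with `git add -f`, cannot ship cloud DNS keys or a bearer token to the remote.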
@@ -0,0 +1,129 @@ | ||
# Install Kuadrant and Sail via OLM | ||
|
||
## Prerequisites | ||
- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo | ||
- OLM (operator lifecycle manager) | ||
- cert-manager | ||
- [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) | ||
- [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) | ||
- AWS, Azure or GCP with DNS capabilities. (Optional) | ||
- Accessible Redis instance, for persistent storage for your rate limit counters. (Optional) | ||
|
||
|
||
> Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/deploy/install/standard/kustomization.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases) | ||
> Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) | ||
## Setup the environment | ||
|
||
``` | ||
kubectl apply -k config/install/standard | ||
``` | ||
|
||
Verify both Kuadrant and sail operators are installed. Note, that this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: | ||
|
||
``` | ||
kubectl get deployments -n kuadrant-system | ||
# NAME READY UP-TO-DATE AVAILABLE AGE | ||
# authorino-operator 1/1 1 1 83m | ||
# dns-operator-controller-manager 1/1 1 1 83m | ||
# kuadrant-console-plugin 1/1 1 1 83m | ||
# kuadrant-operator-controller-manager 1/1 1 1 83m | ||
# limitador-operator-controller-manager 1/1 1 1 83m | ||
``` | ||
|
||
|
||
|
||
``` | ||
kubectl get deployments -n gateway-system | ||
# NAME READY UP-TO-DATE AVAILABLE AGE | ||
# istiod 1/1 1 1 61s | ||
# sail-operator 1/1 1 1 81m | ||
``` | ||
|
||
## Configure the installation | ||
|
||
### TLS and DNS integration | ||
|
||
|
||
Create the `$CLOUD_PROVIDER-credentials.env file` in the cloud provider directory `config/install/configure/$CLOUD_PROVIDER.` e.g. `aws-credentials.env` in the `config/install/configure/aws` directory. Apply the configuration for the desired cloud provider. Example AWS | ||
|
||
``` | ||
kubectl apply -k config/install/configure/aws | ||
``` | ||
|
||
This will configure Kuadrant and Sail to install their components, set the credentials needed to access DNS zones in the cloud provider, and create a Let's Encrypt cluster issuer configured to use DNS-based validation. | ||
|
||
### Validate | ||
|
||
Validate Kuadrant is ready via the kuadrant resource status condition | ||
|
||
``` | ||
kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml | ||
``` | ||
|
||
At this point Kuadrant is ready to use. Below are some additional configuration that can be applied. | ||
|
||
### External Redis | ||
|
||
create a `redis-credential.env` in the `config/install/configure/redis-storage` dir | ||
|
||
``` | ||
kubectl apply -k config/install/configure/redis-storage | ||
``` | ||
|
||
This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts. | ||
|
||
### Validate | ||
|
||
Validate Kuadrant is in a ready state as before: | ||
|
||
``` | ||
kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml | ||
``` | ||
|
||
## Set up observability | ||
|
||
Verify that user workload monitoring is enabled in your Openshift cluster. | ||
If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this. | ||
|
||
|
||
```bash | ||
kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonpath='{.data.config\.yaml}'|grep enableUserWorkload | ||
# (expected output) | ||
# enableUserWorkload: true | ||
``` | ||
|
||
Install the gateway & Kuadrant metrics components and configuration, including Grafana. | ||
|
||
```bash | ||
kubectl apply -k config/install/configure/observability | ||
``` | ||
|
||
Configure the Openshift thanos-query instance as a data source in Grafana. | ||
|
||
```bash | ||
TOKEN="Bearer $(oc whoami -t)" | ||
HOST="$(kubectl -n openshift-monitoring get route thanos-querier -o jsonpath='https://{.status.ingress[].host}')" | ||
echo "TOKEN=$TOKEN" > config/observability/openshift/grafana/datasource.env | ||
echo "HOST=$HOST" >> config/observability/openshift/grafana/datasource.env | ||
kubectl apply -k config/observability/openshift/grafana | ||
``` | ||
|
||
Create the example dashboards in Grafana | ||
|
||
```bash | ||
kubectl apply -k examples/dashboards | ||
``` | ||
|
||
Access the Grafana UI, using the default user/pass of root/secret. | ||
You should see the example dashboards in the 'monitoring' folder. | ||
For more information on the example dashboards, check out the [documentation](https://docs.kuadrant.io/latest/kuadrant-operator/doc/observability/examples/). | ||
|
||
```bash | ||
kubectl -n monitoring get routes grafana-route -o jsonpath="https://{.status.ingress[].host}" | ||
``` |
@@ -0,0 +1,19 @@ | ||
apiVersion: cert-manager.io/v1 | ||
kind: ClusterIssuer | ||
metadata: | ||
name: lets-encrypt-aws | ||
spec: | ||
acme: | ||
privateKeySecretRef: | ||
name: le-secret | ||
server: https://acme-v02.api.letsencrypt.org/directory | ||
solvers: | ||
- dns01: | ||
route53: | ||
accessKeyIDSecretRef: | ||
key: AWS_ACCESS_KEY_ID | ||
name: aws-credentials | ||
region: us-east-1 #override if needed | ||
secretAccessKeySecretRef: | ||
key: AWS_SECRET_ACCESS_KEY | ||
name: aws-credentials |
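Review bot: the secret name in both `accessKeyIDSecretRef.name: aws-credentials` and `secretAccessKeySecretRef.name: aws-credentials` does not match the Secret the AWS kustomization generates (`aws-provider-credentials` in the `cert-manager` namespace), so the DNS01 solver will report the secret as missing and no certificate will be issued. Align one side with the other. Two smaller points: there is no `email:` under `acme:`, so Let's Encrypt has nowhere to send expiry or policy notices for the account stored in `le-secret`; and since these are long-lived static keys, document that the IAM user should be scoped to the hosted zone used for DNS01 rather than reusing a broad account key.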
@@ -0,0 +1,26 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first! | ||
|
||
resources: | ||
- ../standard | ||
- cluster-issuer.yaml | ||
|
||
generatorOptions: | ||
disableNameSuffixHash: true | ||
labels: | ||
app.kubernetes.io/part-of: kuadrant | ||
app.kubernetes.io/managed-by: kustomize | ||
|
||
secretGenerator: | ||
- name: aws-provider-credentials | ||
namespace: cert-manager | ||
envs: | ||
- aws-credentials.env | ||
type: 'kuadrant.io/aws' | ||
- name: aws-provider-credentials | ||
namespace: gateway-system | ||
envs: | ||
- aws-credentials.env | ||
type: 'kuadrant.io/aws' |
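Review bot: the comment `## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first!` names a different file from the one the generators read (`envs: - aws-credentials.env`); a user following the comment gets a kustomize error about a missing env file. This is also the only provider kustomization that lists `- ../standard` under `resources:`, so applying it installs the operators while the Azure and GCP equivalents do not, which the README does not explain. Since the same env file is copied into both `cert-manager` and `gateway-system`, it is worth stating that the key must carry only the DNS permissions both consumers need, because a leak from either namespace exposes the same credential.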
@@ -0,0 +1,25 @@ | ||
## TODO | ||
apiVersion: cert-manager.io/v1 | ||
kind: ClusterIssuer | ||
metadata: | ||
name: letsencrypt-azure | ||
spec: | ||
acme: | ||
server: https://acme-v02.api.letsencrypt.org/directory | ||
# email: $EMAIL_ADDRESS | ||
privateKeySecretRef: | ||
name: letsencrypt | ||
solvers: | ||
- dns01: | ||
azureDNS: | ||
clientID: AZURE_CERT_MANAGER_SP_APP_ID | ||
clientSecretSecretRef: | ||
# The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS. | ||
name: azuredns-config | ||
key: client-secret | ||
subscriptionID: AZURE_SUBSCRIPTION_ID | ||
tenantID: AZURE_TENANT_ID | ||
resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP | ||
hostedZoneName: AZURE_DNS_ZONE | ||
# Azure Cloud Environment, default to AzurePublicCloud | ||
environment: AzurePublicCloud |
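Review bot: this file is marked `## TODO` and would not work if applied: `clientID: AZURE_CERT_MANAGER_SP_APP_ID`, `subscriptionID: AZURE_SUBSCRIPTION_ID`, `tenantID: AZURE_TENANT_ID`, `resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP` and `hostedZoneName: AZURE_DNS_ZONE` are literal strings, not values kustomize substitutes, and `clientSecretSecretRef` points at `azuredns-config` / `client-secret` while the Azure kustomization generates `azure-provider-credentials`. The Azure kustomization has no `resources:` entry, so nothing applies this file today; either finish it (a `replacements` or a documented manual edit for the IDs, and the generated secret name) or leave it out of the tree so it is not mistaken for a working issuer.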
@@ -0,0 +1,27 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
## NOTE YOU NEED TO CREATE A azure-provider-credentials.env file first! | ||
|
||
generatorOptions: | ||
disableNameSuffixHash: true | ||
labels: | ||
app.kubernetes.io/part-of: kuadrant | ||
app.kubernetes.io/managed-by: kustomize | ||
|
||
secretGenerator: | ||
- name: azure-provider-credentials | ||
namespace: kuadrant-system | ||
envs: | ||
- azure-credentials.env | ||
type: 'kuadrant.io/azure' | ||
- name: azure-provider-credentials | ||
namespace: cert-manager | ||
envs: | ||
- azure-credentials.env | ||
type: 'kuadrant.io/azure' | ||
- name: azure-provider-credentials | ||
namespace: gateway-system | ||
envs: | ||
- azure-credentials.env | ||
type: 'kuadrant.io/azure' |
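Review bot: there is no `resources:` section here, so `kubectl apply -k` on this directory only creates the three Secrets and never applies the ClusterIssuer; the README's claim that the configure step "create[s] a Let's Encrypt cluster issuer" is therefore not true for Azure. As in the AWS variant, the comment names `azure-provider-credentials.env` while `envs:` reads `azure-credentials.env`. Note also that this copies the credential into three namespaces (`kuadrant-system`, `cert-manager`, `gateway-system`) while the AWS variant uses two; pick one set of consumers and document why each namespace needs the secret.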
@@ -0,0 +1,20 @@ | ||
## TODO | ||
apiVersion: cert-manager.io/v1 | ||
kind: ClusterIssuer | ||
metadata: | ||
name: letsencrypt-gcp | ||
spec: | ||
acme: | ||
server: https://acme-v02.api.letsencrypt.org/directory | ||
# email: $EMAIL_ADDRESS | ||
privateKeySecretRef: | ||
name: letsencrypt | ||
solvers: | ||
- dns01: | ||
cloudDNS: | ||
# The ID of the GCP project | ||
project: $PROJECT_ID | ||
# This is the secret used to access the service account | ||
serviceAccountSecretRef: | ||
name: gcp-provider-credentials | ||
key: key.json |
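Review bot: `serviceAccountSecretRef` expects a key named `key.json` holding the service-account JSON, but the GCP kustomization builds `gcp-provider-credentials` with `envs:`, which produces one key per `NAME=value` line, so this reference will not resolve; generating that Secret with `files: - key.json` is the shape that yields a `key.json` key. `project: $PROJECT_ID` is likewise a literal that kustomize will not expand. Like the Azure issuer this is `## TODO` and not applied by its kustomization, so the same choice applies: finish it or keep it out of the tree.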
@@ -0,0 +1,27 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
## NOTE YOU NEED TO CREATE A gcp-provider-credentials.env file first! | ||
|
||
generatorOptions: | ||
disableNameSuffixHash: true | ||
labels: | ||
app.kubernetes.io/part-of: kuadrant | ||
app.kubernetes.io/managed-by: kustomize | ||
|
||
secretGenerator: | ||
- name: gcp-provider-credentials | ||
namespace: kuadrant-system | ||
envs: | ||
- gcp-credentials.env | ||
type: 'kuadrant.io/gcp' | ||
- name: gcp-provider-credentials | ||
namespace: cert-manager | ||
envs: | ||
- gcp-credentials.env | ||
type: 'kuadrant.io/gcp' | ||
- name: gcp-provider-credentials | ||
namespace: gateway-system | ||
envs: | ||
- gcp-credentials.env | ||
type: 'kuadrant.io/gcp' |
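Review bot: same two gaps as the Azure kustomization: no `resources:` entry, so the `letsencrypt-gcp` ClusterIssuer is never applied, and the comment says `gcp-provider-credentials.env` while `envs:` reads `gcp-credentials.env`. For GCP specifically, `envs:` is also the wrong generator for a service-account key file that the issuer reads under the `key.json` key; `files:` would produce that key from the file name.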
@@ -0,0 +1,9 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- ../dns-aws | ||
- ../dns-azure | ||
- ../dns-gcp | ||
- ../redis-storage | ||
- ../tls-lets-encrypt |
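Review bot: aggregating `../dns-aws`, `../dns-azure`, `../dns-gcp`, `../redis-storage` and `../tls-lets-encrypt` into one kustomization means a single `kubectl apply -k` on this directory requires every provider's credentials env file to exist (a missing env file is a hard error for `secretGenerator`) and pushes all three clouds' keys into the cluster, which is rarely what one installation wants. Either document this as an all-in-one example not meant for real use or drop it in favour of the per-provider directories. The directory names here (`dns-aws`, `dns-azure`, `dns-gcp`) also differ from the `config/install/configure/aws` path the README instructs users to apply; one of the two should be aligned.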
@@ -0,0 +1,7 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0 | ||
- ../../../observability/openshift/ | ||
- ../../../observability/prometheus/monitors/ |
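Review bot: `github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0` pins a tag, and tags can be moved after the fact, so the manifests this pulls from a remote repository are not reproducible or tamper-evident; pin `ref=` to the commit SHA that tag points at (kustomize accepts a full SHA) and bump it deliberately. The two relative paths (`../../../observability/openshift/`, `../../../observability/prometheus/monitors/`) also reach outside `config/install`, so a note on the expected tree would help anyone copying this directory elsewhere.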
@@ -0,0 +1,17 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- limitador.yaml | ||
|
||
generatorOptions: | ||
disableNameSuffixHash: true | ||
labels: | ||
app.kubernetes.io/part-of: kuadrant | ||
app.kubernetes.io/managed-by: kustomize | ||
|
||
secretGenerator: | ||
- name: redis-credentials | ||
namespace: kuadrant-system | ||
envs: | ||
- redis-credentials.env | ||
type: 'kuadrant.io/aws' |
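Review bot: `type: 'kuadrant.io/aws'` on the `redis-credentials` Secret is a copy-paste from the AWS generator; a Redis connection string is not an AWS credential, and a type label that suggests otherwise will mislead anyone auditing secrets by type. Drop the `type:` line (Opaque) or use a Redis-specific one. The generator also does not say which key the env file must provide for Limitador's `configSecretRef`, and the README calls the file `redis-credential.env` (singular) while `envs:` reads `redis-credentials.env`.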
@@ -0,0 +1,10 @@ | ||
apiVersion: limitador.kuadrant.io/v1alpha1 | ||
kind: Limitador | ||
metadata: | ||
name: limitador | ||
namespace: kuadrant-system | ||
spec: | ||
storage: | ||
redis: | ||
configSecretRef: | ||
name: redis-credentials |
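Review bot: `storage.redis.configSecretRef` hands Limitador whatever connection URL the secret carries, and the README describes this as pointing at an external Redis instance, so the docs next to this resource should tell users to use a TLS (`rediss://`) URL with authentication; otherwise the Redis password and every rate-limit counter update cross the network in clear. A sentence naming the key the secret must contain would also save a round of debugging when Limitador restarts into a crash loop.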
@@ -0,0 +1,5 @@ | ||
apiVersion: kuadrant.io/v1beta1 | ||
kind: Kuadrant | ||
metadata: | ||
name: kuadrant | ||
namespace: kuadrant-system |
@@ -0,0 +1,5 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- sail.yaml | ||
- kuadrant.yaml |
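Review bot: `sail.yaml` and `kuadrant.yaml` are custom resources (`Istio` and `Kuadrant`) whose CRDs come from the operators installed by the `standard` kustomization via OLM, and nothing in this commit shows where this kustomization is included or when it runs relative to that install. If it is applied before the operators are Ready, `kubectl apply -k` fails with "no matches for kind". Document the ordering (or include it from a base that already waits on the subscriptions), since the README only says to check the deployments "can take a while".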
@@ -0,0 +1,13 @@ | ||
apiVersion: sailoperator.io/v1alpha1 | ||
kind: Istio | ||
metadata: | ||
name: default | ||
spec: | ||
namespace: gateway-system | ||
updateStrategy: | ||
type: InPlace | ||
inactiveRevisionDeletionGracePeriodSeconds: 30 | ||
version: v1.23.0 | ||
values: | ||
pilot: | ||
autoscaleEnabled: false |
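Review bot: `spec.namespace: gateway-system` targets a namespace that no resource in this commit creates; the README expects `istiod` to appear there, so either add a `Namespace` object to the kustomization or state that the namespace must exist first. Pinning `version: v1.23.0` is good, but with `pilot.autoscaleEnabled: false` a single istiod replica is a single point of failure for gateway configuration pushes, which is fine for a quick start but should be called out for anything beyond that.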
@@ -0,0 +1,5 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- cluster-issuer.yaml |
@@ -0,0 +1,16 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml | ||
- sail-operator.yaml | ||
- ../../deploy/olm | ||
|
||
patches: | ||
- patch: |- | ||
apiVersion: operators.coreos.com/v1alpha1 | ||
kind: CatalogSource | ||
metadata: | ||
name: kuadrant-operator-catalog | ||
spec: | ||
image: quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4 #change this to the version you want to install |
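Review bot: the CatalogSource patch pins `quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4` while the README in this same commit says the default install is the "latest"/"main" version; one of them is wrong and the comment `#change this to the version you want to install` does not resolve it. For a catalog image that decides which operator bundles a cluster will run, prefer pinning by digest (`@sha256:...`) over a mutable tag so the install is reproducible and a retagged image cannot silently change what OLM installs. The Gateway API CRDs are fetched from `https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml` at apply time without any checksum; vendoring that file or noting the expectation is worth a line in the README.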