Skip to content

Commit

Permalink
docs: TLS and DNS Policy user guides
Browse files Browse the repository at this point in the history
  • Loading branch information
mikenairn committed Nov 21, 2023
1 parent 0c9289d commit d5287a0
Show file tree
Hide file tree
Showing 4 changed files with 440 additions and 1 deletion.
1 change: 1 addition & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -371,6 +371,7 @@ deploy-dependencies: kustomize dependencies-manifests ## Deploy dependencies to
.PHONY: install-metallb
install-metallb: $(KUSTOMIZE) ## Installs the metallb load balancer allowing use of an LoadBalancer type with a gateway
$(KUSTOMIZE) build config/metallb | kubectl apply -f -
kubectl -n metallb-system wait --for=condition=ready pod --selector=app=metallb --timeout=60s

.PHONY: uninstall-metallb
uninstall-metallb: $(KUSTOMIZE)
Expand Down
224 changes: 224 additions & 0 deletions doc/user-guides/gateway-dns.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,224 @@
# Gateway DNS for Cluster Operators

This user guide walks you through an example of how to configure DNS for all routes attached to an ingress gateway.

<br/>

## Requisites

- [Docker](https://docker.io)
- [Rout53 Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html)

### Setup

This step uses tooling from the Kuadrant Operator component to create a containerized Kubernetes server locally using [Kind](https://kind.sigs.k8s.io),
where it installs Istio, Kubernetes Gateway API and Kuadrant itself.

Clone the project:

```shell
git clone https://github.com/Kuadrant/kuadrant-operator && cd kuadrant-operator
```

Setup the environment:

```shell
make local-setup
```

Install metallb:
```shell
make install-metallb
```

Fetch the current kind networks subnet:
```shell
docker network inspect kind -f '{{ (index .IPAM.Config 0).Subnet }}'
```
Response:
```shell
"172.18.0.0/16"
```

Create IPAddressPool within kind network(Fetched by the command above) e.g. 172.18.200
```shell
kubectl -n metallb-system apply -f -<<EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: kuadrant-local
spec:
addresses:
- 172.18.200.0/24
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: empty
EOF
```

Create a namespace:
```shell
kubectl create namespace my-gateways
```

Export a root domain and hosted zone id:
```shell
export ROOT_DOMAIN=<ROOT_DOMAIN>
export AWS_HOSTED_ZONE_ID=<AWS_HOSTED_ZONE_ID>
```

> **Note:** ROOT_DOMAIN and AWS_HOSTED_ZONE_ID should be set to your AWS hosted zone *name* and *id* respectively.
### Create a ManagedZone

Create AWS credentials secret
```shell
export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID> AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>

kubectl -n my-gateways create secret generic aws-credentials \
--type=kuadrant.io/aws \
--from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
--from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
```

Create a ManagedZone
```sh
kubectl -n my-gateways apply -f - <<EOF
apiVersion: kuadrant.io/v1alpha1
kind: ManagedZone
metadata:
name: $ROOT_DOMAIN
spec:
id: $AWS_HOSTED_ZONE_ID
domainName: $ROOT_DOMAIN
description: "my managed zone"
dnsProviderSecretRef:
name: aws-credentials
namespace: my-gateways
EOF
```

Check it's ready
```shell
kubectl get managedzones -n my-gateways
```

### Create an ingress gateway

Create a gateway using your ROOT_DOMAIN as part of a listener hostname:
```sh
kubectl -n my-gateways apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: prod-web
spec:
gatewayClassName: istio
listeners:
- allowedRoutes:
namespaces:
from: All
name: api
hostname: "*.$ROOT_DOMAIN"
port: 80
protocol: HTTP
EOF
```

Check gateway status:
```shell
kubectl get gateway prod-web -n my-gateways
```
Response:
```shell
NAME CLASS ADDRESS PROGRAMMED AGE
prod-web istio 172.18.200.0 True 25s
```

### Enable DNS on the gateway

Create a Kuadrant `DNSPolicy` to configure DNS:
```shell
kubectl -n my-gateways apply -f - <<EOF
apiVersion: kuadrant.io/v1alpha1
kind: DNSPolicy
metadata:
name: prod-web
spec:
targetRef:
name: prod-web
group: gateway.networking.k8s.io
kind: Gateway
routingStrategy: simple
EOF
```

Check policy status:
```shell
kubectl get dnspolicy -n my-gateways
```
Response:
```shell
NAME READY
prod-web True
```

### Deploy a sample API to test DNS

Deploy the sample API:
```shell
kubectl -n my-gateways apply -f examples/toystore/toystore.yaml
kubectl -n my-gateways wait --for=condition=Available deployments toystore --timeout=60s
```

Route traffic to the API from our gateway:
```shell
kubectl -n my-gateways apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: toystore
spec:
parentRefs:
- name: prod-web
namespace: my-gateways
hostnames:
- "*.$ROOT_DOMAIN"
rules:
- backendRefs:
- name: toystore
port: 80
EOF
```

Verify a DNSRecord resource is created:
```shell
kubectl get dnsrecords -n my-gateways
NAME READY
prod-web-api True
```

### Verify DNS works by sending requests

Verify DNS using dig:
```shell
dig foo.$ROOT_DOMAIN +short
```
Response:
```shell
172.18.200.0
```

Verify DNS using curl:

```shell
curl http://api.$ROOT_DOMAIN
```

## Cleanup

```shell
make local-cleanup
```
Loading

0 comments on commit d5287a0

Please sign in to comment.