[WIP]Manager Service Mesh Configuration in the Helm Chart #3367

Draft
wants to merge 10 commits into
base: master
from
2 changes: 1 addition & 1 deletion charts/ambassador/CHANGELOG.md
@@ -5,7 +5,7 @@ numbering uses [semantic versioning](http://semver.org).

## Next Release

(no changes yet)
- Feature: Expose values for managing Service Mesh integration config in the Helm chart.

## v6.7.2

99 changes: 99 additions & 0 deletions charts/ambassador/README.md
@@ -182,6 +182,12 @@ The following tables lists the configurable parameters of the Ambassador chart a
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `30s` |
| `metrics.serviceMonitor.selector` | Label Selector for Prometheus to find ServiceMonitors | `{ prometheus: kube-prometheus }` |
| `serviceMesh.consulConnect.enable` | Enable the Consul Connect integration in the helm chart which installs the Consul Connector for exporting consul mTLS certificates | `false` |
| `serviceMesh.consulConnect.connector` | Create and configure the Consul Connector in the Chart. Set to `false` if you want to manually create and manage it. See the values file for more information. | |
| `serviceMesh.consulConnect.consulServer` | Configure different options for the Consul Server. See the values file for more information. | |
| `serviceMesh.istio.enable` | Enable the Istio integration and have Helm automatically inject the Istio proxy sidecar. See the values file for more information. | `false` |
| `serviceMesh.istio.image` | Where to pull the image of Istio that you are running. **This must be set!** | |
| `serviceMesh.istio.tlsContext` | Manage the `TLSContext` created to expose Istio mTLS certificates to Ambassador. See the values file for more information. | |
| `servicePreview.enabled` | If true, install Service Preview components: traffic-manager & traffic-agent (`enableAES` needs to also be to `true`) | `false` |
| `servicePreview.trafficManager.image.repository` | Ambassador Traffic-manager image | Same value as `image.repository` |
| `servicePreview.trafficManager.image.tag` | Ambassador Traffic-manager image tag | Same value as `image.tag` |
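Review bot: the Default column is empty for `serviceMesh.consulConnect.connector`, `serviceMesh.consulConnect.consulServer` and `serviceMesh.istio.tlsContext` even though the values section further down ships defaults for their leaf keys (`connector.create: true`, `consulServer.port: 8500`, `istio.tlsContext.name: istio-upstream`); either list the leaf keys with their defaults in the table or point at the values section explicitly rather than leaving the cell blank. The `serviceMesh.istio.image` row says "**This must be set!**", but the values file already sets `repository: istio/proxyv2` and only leaves `tag` empty, so name `serviceMesh.istio.image.tag` as the required key and say it must match the running Istio version. Minor: "the helm chart" and "the Chart" should use one spelling.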
@@ -276,6 +282,99 @@ security:
# rule: MustRunAsNonRoot
```

### Service Mesh Integrations

Ambassador integrates with the three major service meshes. Istio and Consul Connect integrations require additional configuration that can be managed by the chart.

```yaml
serviceMesh:

consulConnect:
enable: false

connector:
## The Consul Connector is used to export the mTLS certificates used by
## Consul to a Kubernetes Secret.
##
## Default: true
create: true
secret:
## The name of the Kubernetes Secret the connect will write the Consul
## mTLS certificates.
##
## Default: ambassador-consul-connect
name: ambassador-consul-connect

## The namespace the Consul Connect mTLS Secret will be written to
##
## Default: Same namespace as the consul connector.
# namespace:
tlsContext:
## The name of the TLSContext Ambassador will use to read the mTLS
## certificates output from the Consul Connector.
##
## Default: ambassador-consul
name: ambassador-consul

consulServer:
## The address you can reach Consul on.
##
## Default: The IP address of the host machine.
# address:

## The port you can reach the Consul on.
##
## Defaults: 8500 for HTTP 8501 for HTTPS
port: 8500

tls:
## Control whether to talk to Consul over TLS or not
##
## Default: false
enabled: false

## Toggle whether Ambassador should validate the Consul server
## certificate
##
## Default: false
validate: false

## The ACL token to use when communicating with Consul if ACLs are enabled
##
## Default: nil
aclToken:

istio:
## Ambassador integrates with Istio by manually injecting the sidecar so
## that we can get the mTLS certificates without Istio hijacking
## Ambassador's Pod network. Setting this to true will set up that manual
## injection automatically.
##
## NOTE!!! This is not compatible with manually adding the sidecar via the
## sidecarContainers value.
enable: false

## Which image of the Istio sidecar to inject.
##
## NOTE!! Must match the version of Istio you are running.
image:
repository: istio/proxyv2
tag:

tlsContext:
## Controls whether the chart should create the TLSContext that Ambassador
## uses to read the mTLS certificates from Istio.
##
## Default: true
create: true

## The name of the TLSContext Ambassador will use to read the mTLS
## certificates grabbed by the Istio sidecar.
##
## Default: istio-upstream
name: istio-upstream
```

### Annotations

Ambassador is configured using Kubernetes Custom Resource Definitions (CRDs). If you are unable to use CRDs, Ambassador can also be configured using annotations on services. The `service.annotations` section of the values file contains commented out examples of [Ambassador Module](https://www.getambassador.io/reference/core/ambassador) and a global [TLSContext](https://www.getambassador.io/reference/core/tls) configurations which are typically created in the Ambassador service.
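Review bot: `consulServer.tls.validate` defaults to `false`, so a user who sets `tls.enabled: true` gets TLS to Consul with no certificate verification unless they also notice the second toggle; consider defaulting `validate` to `true`, or at least state in its comment that TLS without validation gives no protection against a spoofed Consul endpoint. The `port` comment says "Defaults: 8500 for HTTP 8501 for HTTPS", but the value is fixed at `port: 8500` and nothing in the chart switches it when `tls.enabled` is true, so either drop the HTTPS claim or derive the default from `tls.enabled`. `aclToken` is documented as a plain values entry and the template renders it straight into the Deployment, so the comment should tell users not to commit the token to a values file and to prefer passing it at install time or referencing a Secret. Typo in the same block: "The port you can reach the Consul on".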
210 changes: 210 additions & 0 deletions charts/ambassador/templates/consul-connector.yaml
@@ -0,0 +1,210 @@
{{- if and .Values.serviceMesh.consulConnect.enable .Values.serviceMesh.consulConnect.connector.create }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ include "ambassador.fullname" . }}-consul-connect
labels:
{{- if ne .Values.deploymentTool "getambassador.io" }}
app.kubernetes.io/name: {{ include "ambassador.name" . }}
app.kubernetes.io/part-of: {{ .Release.Name }}
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.deploymentTool }}
app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
{{- else }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}
product: aes
rules:
- apiGroups: [""]
resources:
- secrets
verbs: ["get", "list", "create", "delete", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ambassador.fullname" . }}-consul-connect
namespace: {{ include "ambassador.namespace" . }}
labels:
{{- if ne .Values.deploymentTool "getambassador.io" }}
app.kubernetes.io/name: {{ include "ambassador.name" . }}
app.kubernetes.io/part-of: {{ .Release.Name }}
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.deploymentTool }}
app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
{{- else }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}
product: aes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "ambassador.fullname" . }}-consul-connect
labels:
{{- if ne .Values.deploymentTool "getambassador.io" }}
app.kubernetes.io/name: {{ include "ambassador.name" . }}
app.kubernetes.io/part-of: {{ .Release.Name }}
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.deploymentTool }}
app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
{{- else }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}
product: aes
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "ambassador.fullname" . }}-consul-connect
subjects:
- kind: ServiceAccount
name: {{ include "ambassador.fullname" . }}-consul-connect
namespace: {{ include "ambassador.namespace" . }}
---
apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
name: {{ .Values.serviceMesh.consulConnect.connector.tlsContext.name }}
{{- if .Values.serviceMesh.consulConnect.connector.secret.namespace }}
namespace: {{ .Values.serviceMesh.consulConnect.connector.secret.namespace }}
{{- else }}
namespace: {{ include "ambassador.namespace" . }}
{{- end }}
labels:
{{- if ne .Values.deploymentTool "getambassador.io" }}
app.kubernetes.io/name: {{ include "ambassador.name" . }}
app.kubernetes.io/part-of: {{ .Release.Name }}
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.deploymentTool }}
app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
{{- else }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
app.kubernetes.io/component: {{ include "ambassador.name" . }}-consul-connect
{{- end }}
product: aes
spec:
hosts: []
secret: {{ .Values.serviceMesh.consulConnect.connector.secret.name }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "ambassador.fullname" . }}-consul-connector
namespace: {{ include "ambassador.namespace" . }}
labels:
{{- if ne .Values.deploymentTool "getambassador.io" }}
app.kubernetes.io/name: {{ include "ambassador.name" . }}
app.kubernetes.io/part-of: {{ .Release.Name }}
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.deploymentTool }}
app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
{{- else }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
app.kubernetes.io/component: {{ include "ambassador.name" . }}-consul-connector
{{- end }}
product: aes
annotations:
a8r.io/owner: "Ambassador Labs"
a8r.io/repository: github.com/datawire/ambassador
a8r.io/description: "The Ambassador Edge Stack Consul Connect integration."
a8r.io/documentation: https://www.getambassador.io/docs/edge-stack/latest/
a8r.io/chat: http://a8r.io/Slack
a8r.io/bugs: https://github.com/datawire/ambassador/issues
a8r.io/support: https://www.getambassador.io/about-us/support/
a8r.io/dependencies: "consul-server.default"
spec:
ports:
- name: ambassador-consul-connector
port: 80
selector:
component: consul-connect
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "ambassador.fullname" . }}-consul-connect-integration
namespace: {{ include "ambassador.namespace" . }}
labels:
{{- if ne .Values.deploymentTool "getambassador.io" }}
app.kubernetes.io/name: {{ include "ambassador.name" . }}
app.kubernetes.io/part-of: {{ .Release.Name }}
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.deploymentTool }}
app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
{{- else }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
app.kubernetes.io/component: {{ include "ambassador.name" . }}-consul-connector
{{- end }}
product: aes
spec:
replicas: 1
selector:
matchLabels:
app: ambassador
component: consul-connect
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: ambassador
component: consul-connect
annotations:
"consul.hashicorp.com/connect-inject": "false"
spec:
serviceAccountName: {{ include "ambassador.fullname" . }}-consul-connect
terminationGracePeriodSeconds: 0
containers:
- name: consul-connect-integration
image: docker.io/datawire/aes:1.13.1
command: [ "consul_connect_integration" ]
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 50Mi
env:
# Consul runs as a DaemonSet on each Node therefore we need to talk to the Host machine.
# See: https://www.consul.io/docs/platform/k8s/run.html#architecture
- name: _CONSUL_HOST
{{- if .Values.serviceMesh.consulConnect.consulServer.address }}
value: {{ .Values.serviceMesh.consulConnect.consulServer.address }}
{{- else }}
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- end }}
- name: _CONSUL_PORT
value: {{ .Values.serviceMesh.consulConnect.consulServer.port | quote }}
- name: CONSUL_HTTP_SSL
value: {{ .Values.serviceMesh.consulConnect.consulServer.tls.enabled | quote }}
- name: CONSUL_HTTP_SSL_VERIFY
value: {{ .Values.serviceMesh.consulConnect.consulServer.tls.validate | quote }}
- name: CONSUL_HTTP_TOKEN
value: {{ .Values.serviceMesh.consulConnect.consulServer.aclToken | quote }}
- name: _AMBASSADOR_TLS_SECRET_NAME
value: {{ .Values.serviceMesh.consulConnect.connector.secret.name }}
- name: _AMBASSADOR_TLS_SECRET_NAMESPACE
{{- if .Values.serviceMesh.consulConnect.connector.secret.namespace }}
value: {{ .Values.serviceMesh.consulConnect.connector.secret.namespace }}
{{- else }}
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- end }}
{{- end }}
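Review bot: the `ClusterRole` grants `get`, `list`, `create`, `delete` and `patch` on every Secret in the cluster, which is far more than the connector needs; it only writes the one Secret named by `connector.secret.name` into a single namespace (the release namespace or `connector.secret.namespace`), so a namespaced `Role`/`RoleBinding` in that namespace, ideally with `resourceNames` limited to that Secret, would keep a compromised connector pod from reading every Secret in the cluster. Two further points in the same file: the `ClusterRole` uses `rbac.authorization.k8s.io/v1beta1` while the `ClusterRoleBinding` uses `v1` (the beta RBAC API is deprecated and removed in Kubernetes 1.22, so use `v1` for both), and `CONSUL_HTTP_TOKEN` is set from `.Values.serviceMesh.consulConnect.consulServer.aclToken` as a literal `value:`, which places the ACL token in the rendered manifest and the Helm release record; a `valueFrom.secretKeyRef` pointing at a user-supplied Secret keeps it out of both. The container image is also pinned to `docker.io/datawire/aes:1.13.1` instead of being derived from the chart's `image.repository` and `image.tag`, so it will drift from the rest of the release on upgrades.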