From a4876c533229ddb96775b07b760fb2a29d54a447 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Fri, 20 Dec 2024 10:44:21 +0000 Subject: [PATCH] Improved Kuadrant installation via Olm and kustomize (#1075) * add simple installation Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED more detailed installation guide and examples rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * add default limitador and authorino resources Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * standard authorino rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * add ns rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * install rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * add authorino and limitador patches Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * final version Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * update full example dir Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * Update config/install/README.md Co-authored-by: David Martin * Update config/install/README.md Co-authored-by: David Martin * Update config/install/README.md Co-authored-by: David Martin * Update config/install/README.md Co-authored-by: David Martin * add new installation guide covering resilient deployment 
Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --------- Co-authored-by: David Martin --- config/install/README.md | 572 ++++++++++++++++-- .../install/configure/aws/kustomization.yaml | 5 +- .../configure/kitchen-sink/kustomization.yaml | 9 - .../redis-storage/kustomization.yaml | 2 +- .../install/configure/standard/authorino.yaml | 17 + .../configure/standard/kustomization.yaml | 2 + .../install/configure/standard/limitador.yaml | 6 + .../configure/aws-credentials.env.sample | 5 + .../configure/cluster-issuer.yaml | 19 + .../configure/kustomization.yaml | 56 ++ .../patches/authorino-topoloy-patch.yaml | 22 + .../patches/limitador-topology-patch.yaml | 16 + .../configure/redis-credentials.env.sample | 3 + .../install/kustomization.yaml | 17 + .../no-gateway-provider/kustomization.yaml | 9 + config/install/standard/kuadrant-version.yaml | 6 - config/install/standard/kustomization.yaml | 10 +- 17 files changed, 713 insertions(+), 63 deletions(-) delete mode 100644 config/install/configure/kitchen-sink/kustomization.yaml create mode 100644 config/install/configure/standard/authorino.yaml create mode 100644 config/install/configure/standard/limitador.yaml create mode 100644 config/install/full-example-aws/configure/aws-credentials.env.sample create mode 100644 config/install/full-example-aws/configure/cluster-issuer.yaml create mode 100644 config/install/full-example-aws/configure/kustomization.yaml create mode 100644 config/install/full-example-aws/configure/patches/authorino-topoloy-patch.yaml create mode 100644 config/install/full-example-aws/configure/patches/limitador-topology-patch.yaml create mode 100644 config/install/full-example-aws/configure/redis-credentials.env.sample create mode 100644 config/install/full-example-aws/install/kustomization.yaml create mode 100644 config/install/no-gateway-provider/kustomization.yaml delete mode 100644 config/install/standard/kuadrant-version.yaml 
diff --git a/config/install/README.md b/config/install/README.md
index 343431719..f014f59c0 100644
--- a/config/install/README.md
+++ b/config/install/README.md
@@ -1,101 +1,593 @@ -# Install Kuadrant and Sail via OLM +# Install and Configure Kuadrant and Sail via OLM using the kubectl CLI + +This document will walk you through setting up the required configuration to install kaudrant using [kustomize](https://kustomize.io/) or a tool that leverages kustomize such as kubectl along with OLM. It will also go through more advanced configuration options to enable building up a resilient configuration. You can view the full configuration built here: [Full AWS Example](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/full-example-aws). + + + +1. [Basic Install](#basic-installation) + +2. [Configure DNS and TLS integration](#configure-dns-and-tls-integration) + +3. [External Redis for Rate Limit Counters](#use-an-external-redis) + +4. [Limitador Resilient Configuration](#limitador-topologyconstraints-poddisruptionbudget-and-resource-limits) + +5. [Authorino Resilient Configuration](#authorino-topologyconstraints-poddisruptionbudget-and-resource-limits) + +4. [[OpenShift Specific] Setup Observability ](#set-up-observability-openshift-only) + ## Prerequisites -- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo -- OLM (operator lifecycle manager) -- cert-manager +- OCP or K8s cluster and CLI available. +- OLM installed [operator lifecycle manager releases](https://github.com/operator-framework/operator-lifecycle-manager/releases) +- (Optional) Gateway Provider Installed: By default this guide will install the [Sail Operator](https://github.com/istio-ecosystem/sail-operator) that will configure and install an Istio installation. Kuadrant is intended to work with [Istio](https://istio.io) or [Envoy Gateway](https://gateway.envoyproxy.io/) as a gateway provider before you can make use of Kuadrant one of these providers should be installed. 
+- (Optional) cert-manager: - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) - [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) -- AWS, Azure or GCP with DNS capabilities. (Optional) -- Accessible Redis instance, for persistent storage for your rate limit counters. (Optional) +- (Optional) Access to AWS, Azure or GCP with DNS services. +- (Optional) Accessible Redis instance, for persistent storage for your rate limit counters. -> Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/install/standard/kuadrant-version.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases) > Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) -## Setup the environment +> Note: this document focuses on AWS integration for DNS. If you want to use a different provider, there are examples under the [configure directory](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/configure) + +## Basic Installation -> Note this uses the community operatorhub catalog. If you are installing on OpenShift and want to use the redhat provided catalog use the second command. +This first step will install just Kuadrant at a given released version (post v1.x) in the `kuadrant-system` namespace and the Sail Operator. There will be no credentials/dns providers configured (This is the most basic setup but means TLSPolicy and DNSPolicy will not be able to be used). 
+Start by creating the following `kustomization.yaml` in a directory locally. For the purpose of this doc, we will use: `~/kuadrant/` directory. ```bash -# community catalog -kubectl apply -k config/install/standard -``` +export KUADRANT_DIR=~/kuadrant +mkdir -p $KUADRANT_DIR/install +touch $KUADRANT_DIR/install/kustomization.yaml + +``` + +> Setting the version to install: You can set the version of kuadrant to install by adding / changing the `?ref=v1.0.1` in the resource links. + +```yaml +# add this to the kustomization.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/standard?ref=v1.0.1 #set the versio by adding ?ref=v1.0.1 change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + #- https://github.com/Kuadrant/kuadrant-operator//config/install/openshift?ref=v1.0.1 #use if targeting an OCP cluster. Change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases). + +patches: # remove this subscription patch if you are installing a development version. It will then use the "preview" channel + - patch: |- + apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: kuadrant + spec: + source: kuadrant-operator-catalog + sourceNamespace: kuadrant-system + name: kuadrant-operator + channel: 'stable' #set to preview if not using a release (for example if using main) + +``` + +And execute the following to apply it to a cluster: ```bash -# redhat catalog -kubectl apply -k config/install/openshift +# change the location depending on where you created the kustomization.yaml +kubectl apply -k $KUADRANT_DIR/install + ``` -Verify both Kuadrant and sail operators are installed. Note, that this can take a while. 
You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: +#### Verify the operators are installed: + +OLM should begin installing the dependencies for Kuadrant. To wait for them to be ready, run: ```bash -kubectl get deployments -n kuadrant-system +kubectl -n kuadrant-system wait --timeout=160s --for=condition=Available deployments --all +``` +> Note: you may see ` no matching resources found ` if the deployments are not yet present. +Once OLM has finished installing the operators (this can take several minutes). You should see the following in the kuadrant-system namespace: + +```bash +kubectl get deployments -n kuadrant-system + +## Output (kuadrant-console-plugin deployment only installed on OpenShift) # NAME READY UP-TO-DATE AVAILABLE AGE # authorino-operator 1/1 1 1 83m # dns-operator-controller-manager 1/1 1 1 83m # kuadrant-console-plugin 1/1 1 1 83m # kuadrant-operator-controller-manager 1/1 1 1 83m # limitador-operator-controller-manager 1/1 1 1 83m + +``` + +You can also view the subscription for information about the install: + +```bash +kubectl get subscription -n kuadrant-system -o=yaml + ``` +### Install the operand components +Kuadrant has 2 additional operand components that it manages: `Authorino` that provides data plane auth integration and `Limitador` that provides data plane rate limiting. To set these up lets add a new `kustomization.yaml` in a new sub directory. We will re-use this later for further configuration. We do this as a separate step as we want to have the operators installed first. + +Add the following to your local directory. For the purpose of this doc, we will use: `$KUADRANT_DIR/configure/kustomization.yaml`. 
```bash -kubectl get deployments -n gateway-system +mkdir -p $KUADRANT_DIR/configure +touch $KUADRANT_DIR/configure/kustomization.yaml + +``` + +Add the following to the new kustomization.yaml: + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) -# NAME READY UP-TO-DATE AVAILABLE AGE -# istiod 1/1 1 1 61s -# sail-operator 1/1 1 1 81m ``` -## Configure the installation +Lets apply this to your cluster: -### TLS and DNS integration +```bash + +kubectl apply -k $KUADRANT_DIR/configure +``` -Create the `$CLOUD_PROVIDER-credentials.env file` in the cloud provider directory `config/install/configure/$CLOUD_PROVIDER.` e.g. `aws-credentials.env` in the `config/install/configure/aws` directory. Apply the configuration for the desired cloud provider. Example AWS +### Verify kuadrant is installed and ready: + +```bash +kubectl get kuadrant kuadrant -n kuadrant-system -o=wide + +# NAME STATUS AGE +# kuadrant Ready 109s ``` -kubectl apply -k config/install/configure/aws + +You should see the condition with type `Ready` with a message of `kuadrant is ready`. + + +### Verify Istio is configured and ready: + +```bash +kubectl get istio -n gateway-system + +#sample output +# NAME REVISIONS READY IN USE ACTIVE REVISION VERSION AGE +# default 1 1 1 Healthy v1.23.0 3d22h ``` -This will configure Kuadrant and Sail to install their components, set the credentials needed to access DNS zones in the cloud provider, and create a Let's Encrypt cluster issuer configured to use DNS-based validation. -### Validate -Validate Kuadrant is ready via the kuadrant resource status condition +At this point Kuadrant is installed and ready to be used as is Istio as the gateway provider. 
This means AuthPolicy and RateLimitPolicy can now be configured and used to protect any Gateways you create. + + +## Configure DNS and TLS integration + +In this section will build on the previous steps and expand the `kustomization.yaml` we created in `$KUADRANT_DIR/configure`. + +In order for cert-manager and the Kuadrant DNS operator to be able to access and manage DNS records and setup TLS certificates and provide external connectivity for your endpoints, you need to setup a credential for these components. To do this, we will use a Kubernetes secret via a kustomize secret generator. You can find other example overlays for each supported cloud provider under the [configure directory](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/configure). + +An example lets-encrypt certificate issuer is provided, but for more information on certificate issuers take a look at the [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/). + + +Lets modify our existing local kustomize overlay to setup these secrets and the cluster certificate issuer: + +First you will need to setup the required `.env` file specified in the kuztomization.yaml file in the same directory as your existing configure kustomization. Below is an example for AWS: + +```bash +touch $KUADRANT_DIR/configure/aws-credentials.env + +``` +Add the following to your new file + +``` +AWS_ACCESS_KEY_ID=xxx +AWS_SECRET_ACCESS_KEY=xxx +AWS_REGION=eu-west-1 + +``` + +With this setup, lets update our configure kustomization to generate the needed secrets. We will also define a TLS ClusterIssuer (see below). 
The full `kustomization.yaml` file should look like: + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). Ensure you name the file correctly. + + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager # assumes cert-manager namespace exists. + envs: + - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system # this is the namespace where your gateway will be provisioned + envs: + - aws-credentials.env #notice this matches the .env file above. you need to set up this file locally first. + type: 'kuadrant.io/aws' + + +``` + +Below is an example Lets-Encrypt Cluster Issuer that uses the aws credential we setup above. Create this in the same directory as the configure kustomization.yaml: + +```bash +touch $KUADRANT_DIR/configure/cluster-issuer.yaml +``` + +Add the following to this new file: + +```yaml +# example lets-encrypt cluster issuer that will work with the credentials we will add +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: lets-encrypt-aws +spec: + acme: + privateKeySecretRef: + name: le-secret + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - dns01: + route53: + accessKeyIDSecretRef: + key: AWS_ACCESS_KEY_ID + name: aws-provider-credentials #notice this matches the name of the secret we created. 
+ region: us-east-1 #override if needed + secretAccessKeySecretRef: + key: AWS_SECRET_ACCESS_KEY + name: aws-provider-credentials + +``` + +To apply our changes (note this doesn't need to be done in different steps, but is done so here to illustrate how you can build up your configuration of Kuadrant) execute: + +```bash +kubectl apply -k $KUADRANT_DIR/configure +``` + +The cluster issuer should become ready: ```bash -kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml +kubectl get clusterissuer -o=wide + +# NAME READY STATUS AGE +# lets-encrypt-aws True The ACME account was registered with the ACME server 14s + ``` -At this point Kuadrant is ready to use. Below are some additional configuration that can be applied. +We create two credentials. One for use with `DNSPolicy` in the gateway-system namespace and one for use by cert-manager in the `cert-manager` namespace. With these credentials in place and the cluster issuer configured. You are now ready to start using DNSPolicy and TLSPolicy to secure and connect your Gateways. + -### External Redis +## Use an External Redis + +To connect `Limitador` (the component responsible for rate limiting requests) to redis so that its counters are stored and can be shared with other limitador instances follow these steps: + +Again we will build on the kustomization we started. In the same way we did for the cloud provider credentials, we need to setup a `redis-credential.env` file in the same directory as the kustomization. -create a `redis-credential.env` in the `config/install/configure/redis-storage` dir ```bash -kubectl apply -k config/install/configure/redis-storage +touch $KUADRANT_DIR/configure/redis-credentials.env + ``` -This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts. 
+Add the redis connection string to this file in the following format: + +``` +URL=redis://xxxx +``` + +Next we need to add a new secret generator to our existing configure file at `$KUADRANT_DIR/configure/kustomization.yaml` add it below the other `secretGenerators` + +```yaml + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/redis' +``` + +We also need to patch the existing `Limitador` resource. Add the following to the `$KUADRANT_DIR/configure/kustomization.yaml` + + +```yaml + +patches: + - patch: |- + apiVersion: limitador.kuadrant.io/v1alpha1 + kind: Limitador + metadata: + name: limitador + namespace: kuadrant-system + spec: + storage: + redis: + configSecretRef: + name: redis-credentials + +``` + +Your full `kustomize.yaml` will now be: + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). Ensure you name the file correctly. + + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager # assumes cert-manager namespace exists. + envs: + - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system # this is the namespace where your gateway will be provisioned + envs: + - aws-credentials.env #notice this matches the .env file above. you need to set up this file locally first. 
+ type: 'kuadrant.io/aws' + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/redis' + +patches: + - patch: |- + apiVersion: limitador.kuadrant.io/v1alpha1 + kind: Limitador + metadata: + name: limitador + namespace: kuadrant-system + spec: + storage: + redis: + configSecretRef: + name: redis-credentials + +``` + + +Re-Apply the configuration to setup the new secret and configuration: + +```bash +kubectl apply -k $KUADRANT_DIR/configure/ +``` + +Limitador is now configured to use the provided redis connection URL as a data store for rate limit counters. Limitador will become temporarily unavailable as it restarts. ### Validate Validate Kuadrant is in a ready state as before: ```bash -kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml +kubectl get kuadrant kuadrant -n kuadrant-system -o=wide + +# NAME STATUS AGE +# kuadrant Ready 61m + +``` + + +## Resilient Deployment of data plane components + +### Limitador: TopologyConstraints, PodDisruptionBudget and Resource Limits + +To set limits, replicas and a `PodDisruptionBudget` for limitador you can add the following to the existing limitador patch in your local `limitador` in the `$KUADRANT_DIR/configure/kustomize.yaml` spec: + +```yaml +pdb: + maxUnavailable: 1 +replicas: 2 +resourceRequirements: + requests: + cpu: 10m + memory: 10Mi # set these based on your own needs. +``` + +re-apply the configuration. 
This will result in two instances of limitador becoming available and a `podDisruptionBudget` being setup: + +```bash +kubectl apply -k $KUADRANT_DIR/configure/ + ``` -## Set up observability +For topology constraints, you will need to patch the limitador deployment directly: + +add the below `yaml` to a `limitador-topoloy-patch.yaml` file under a `$KUADRANT_DIR/configure/patches` directory: + +```bash +mkdir -p $KUADRANT_DIR/configure/patches +touch $KUADRANT_DIR/configure/patches/limitador-topoloy-patch.yaml +``` + +```yaml +spec: + template: + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + limitador-resource: limitador + - maxSkew: 1 + topologyKey: kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + limitador-resource: limitador + +``` + +Apply this to the existing limitador deployment + +```bash +kubectl patch deployment limitador-limitador -n kuadrant-system --patch-file $KUADRANT_DIR/configure/patches/limitador-topoloy-patch.yaml +``` + +### Authorino: TopologyConstraints, PodDisruptionBudget and Resource Limits + +To increase the number of replicas for Authorino add a new patch to the `$KUADRANT_DIR/configure/kustomization.yaml` + +```yaml + - patch: |- + apiVersion: operator.authorino.kuadrant.io/v1beta1 + kind: Authorino + metadata: + name: authorino + namespace: kuadrant-system + spec: + replicas: 2 + +``` + +and re-apply the configuration: + +```bash +kubectl apply -k $KUADRANT_DIR/configure/ +``` + +To add resource limits and or topology constraints to Authorino. 
You will need to patch the Authorino deployment directly: +Add the below `yaml` to a `authorino-topoloy-patch.yaml` under the `$KUADRANT_DIR/configure/patches` directory: + +```bash +touch $KUADRANT_DIR/configure/patches/authorino-topoloy-patch.yaml +``` + +```yaml +spec: + template: + spec: + containers: + - name: authorino + resources: + requests: + cpu: 10m # set your own needed limits here + memory: 10Mi # set your own needed limits here + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + authorino-resource: authorino + - maxSkew: 1 + topologyKey: kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + authorino-resource: authorino + +``` + +Apply the patch: + +```bash +kubectl patch deployment authorino -n kuadrant-system --patch-file $KUADRANT_DIR/configure/patches/authorino-topoloy-patch.yaml +``` + +Kuadrant is now installed and ready to use and the data plane components are configured to be distributed and resilient. + +For reference the full configure kustomization should look like: +```yaml +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - cluster-issuer.yaml +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager # assumes cert-manager namespace exists. + envs: + - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system # this is the namespace where your gateway will be provisioned + envs: + - aws-credentials.env #notice this matches the .env file above. 
you need to set up this file locally first. + type: 'kuadrant.io/aws' + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/redis' + +patches: + - patch: |- + apiVersion: limitador.kuadrant.io/v1alpha1 + kind: Limitador + metadata: + name: limitador + namespace: kuadrant-system + spec: + pdb: + maxUnavailable: 1 + replicas: 2 + resourceRequirements: + requests: + cpu: 10m + memory: 10Mi # set these based on your own needs. + storage: + redis: + configSecretRef: + name: redis-credentials + - patch: |- + apiVersion: operator.authorino.kuadrant.io/v1beta1 + kind: Authorino + metadata: + name: authorino + namespace: kuadrant-system + spec: + replicas: 2 + +``` +The configure directory should contain the following: + +``` +configure/ +├── aws-credentials.env +├── cluster-issuer.yaml +├── kustomization.yaml +├── patches +│   ├── authorino-topoloy-patch.yaml +│   └── limitador-topoloy-patch.yaml +└── redis-credentials.env +``` + +## Set up observability (OpenShift Only) Verify that user workload monitoring is enabled in your Openshift cluster. If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this. @@ -110,7 +602,8 @@ kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonp Install the gateway & Kuadrant metrics components and configuration, including Grafana. ```bash -kubectl apply -k config/install/configure/observability +# change the version as needed +kubectl apply -k https://github.com/Kuadrant/kuadrant-operator//config/install/configure/observability?ref=v1.0.1 ``` Configure the Openshift thanos-query instance as a data source in Grafana. 
@@ -126,7 +619,7 @@ kubectl apply -k config/observability/openshift/grafana Create the example dashboards in Grafana ```bash -kubectl apply -k examples/dashboards +kubectl apply -k https://github.com/Kuadrant/kuadrant-operator//examples/dashboards?ref=v1.0.1 ``` Access the Grafana UI, using the default user/pass of root/secret. @@ -136,3 +629,8 @@ For more information on the example dashboards, check out the [documentation](ht ```bash kubectl -n monitoring get routes grafana-route -o jsonpath="https://{.status.ingress[].host}" ``` + + +### Next Steps + +- Try out one of our user-guides [secure, connect protect](https://docs.kuadrant.io/latest/kuadrant-operator/doc/user-guides/full-walkthrough/secure-protect-connect-k8s/#overview) diff --git a/config/install/configure/aws/kustomization.yaml b/config/install/configure/aws/kustomization.yaml index 2d4cbd932..24fe21cf2 100644 --- a/config/install/configure/aws/kustomization.yaml +++ b/config/install/configure/aws/kustomization.yaml @@ -5,7 +5,8 @@ kind: Kustomization # You can start by copying `aws-credentials.env.sample` and customising it as needed. resources: - - ../standard + - https://github.com/Kuadrant/kuadrant-operator//config/install/standard + # - https://github.com/Kuadrant/kuadrant-operator//config/install/openshift # use this one if installing on OCP - cluster-issuer.yaml generatorOptions: @@ -18,7 +19,7 @@ secretGenerator: - name: aws-provider-credentials namespace: cert-manager envs: - - aws-credentials.env + - aws-credentials.env # you will need to setup this file locally type: 'kuadrant.io/aws' - name: aws-provider-credentials namespace: gateway-system diff --git a/config/install/configure/kitchen-sink/kustomization.yaml b/config/install/configure/kitchen-sink/kustomization.yaml deleted file mode 100644 index 74bde7691..000000000 --- a/config/install/configure/kitchen-sink/kustomization.yaml +++ /dev/null 
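Review bot: The remote base added in the first hunk of `config/install/configure/aws/kustomization.yaml`, `https://github.com/Kuadrant/kuadrant-operator//config/install/standard`, carries no `?ref=`, so it resolves to whatever the default branch holds at apply time, while the README in this same commit pins every remote resource with `?ref=v1.0.1`. An unpinned remote base means the manifests applied to a cluster can change without any change to this file, which makes the install hard to audit and reproduce. Pin it the same way as the README does: `  - https://github.com/Kuadrant/kuadrant-operator//config/install/standard?ref=v1.0.1 # change this version as needed`, and do the same for the commented-out openshift line below it.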
@@ -1,9 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - ../dns-aws - - ../dns-azure - - ../dns-gcp - - ../redis-storage - - ../tls-lets-encrypt diff --git a/config/install/configure/redis-storage/kustomization.yaml b/config/install/configure/redis-storage/kustomization.yaml index 862321f8f..f1f3e6abc 100644 --- a/config/install/configure/redis-storage/kustomization.yaml +++ b/config/install/configure/redis-storage/kustomization.yaml @@ -14,4 +14,4 @@ secretGenerator: namespace: kuadrant-system envs: - redis-credentials.env - type: 'kuadrant.io/aws' + type: 'kuadrant.io/redis' diff --git a/config/install/configure/standard/authorino.yaml b/config/install/configure/standard/authorino.yaml new file mode 100644 index 000000000..1d8ac2dbb --- /dev/null +++ b/config/install/configure/standard/authorino.yaml @@ -0,0 +1,17 @@ +apiVersion: operator.authorino.kuadrant.io/v1beta1 +kind: Authorino +metadata: + name: authorino + namespace: kuadrant-system +spec: + clusterWide: true + listener: + tls: + enabled: false + oidcServer: + tls: + enabled: false + supersedingHostSubsets: true + tracing: + endpoint: '' + replicas: 1 diff --git a/config/install/configure/standard/kustomization.yaml b/config/install/configure/standard/kustomization.yaml index a09fcd6e0..77b39d959 100644 --- a/config/install/configure/standard/kustomization.yaml +++ b/config/install/configure/standard/kustomization.yaml @@ -1,5 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - limitador.yaml + - authorino.yaml - sail.yaml - kuadrant.yaml diff --git a/config/install/configure/standard/limitador.yaml b/config/install/configure/standard/limitador.yaml new file mode 100644 index 000000000..2a1c2dd7a --- /dev/null +++ b/config/install/configure/standard/limitador.yaml @@ -0,0 +1,6 @@ +apiVersion: limitador.kuadrant.io/v1alpha1 +kind: Limitador +metadata: + name: limitador + namespace: kuadrant-system +spec: {} 
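Review bot: The new `config/install/configure/standard/authorino.yaml` turns off TLS on both the gRPC listener and the OIDC server (`listener.tls.enabled: false`, `oidcServer.tls.enabled: false`) without a comment on why, and since this file is the base every overlay in this commit inherits, a reader should know that the ext-authz traffic between the gateway and Authorino is unencrypted by Authorino itself unless something this file does not show (for example mesh mTLS) covers it. I would add `# TLS disabled for the in-cluster default: gateway-to-Authorino traffic is plaintext unless the mesh provides mTLS` above `listener:` and a similar one-liner above `oidcServer:`. `clusterWide: true` and `tracing: endpoint: ''` are also silent defaults that deserve a one-line comment each so overlay authors know what they are opting into.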
diff --git a/config/install/full-example-aws/configure/aws-credentials.env.sample b/config/install/full-example-aws/configure/aws-credentials.env.sample
new file mode 100644
index 000000000..1eb0cc908
--- /dev/null
+++ b/config/install/full-example-aws/configure/aws-credentials.env.sample
@@ -0,0 +1,5 @@
+# If using this you will need to rename the file and remove the .sample suffix and remove this comment
+
+KUADRANT_AWS_ACCESS_KEY_ID=xxx
+KUADRANT_AWS_SECRET_ACCESS_KEY=xxx
+KUADRANT_AWS_REGION=eu-west-1
diff --git a/config/install/full-example-aws/configure/cluster-issuer.yaml b/config/install/full-example-aws/configure/cluster-issuer.yaml
new file mode 100644
index 000000000..5ee8446dc
--- /dev/null
+++ b/config/install/full-example-aws/configure/cluster-issuer.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: lets-encrypt-aws
+spec:
+ acme:
+ privateKeySecretRef:
+ name: le-secret
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ route53:
+ accessKeyIDSecretRef:
+ key: AWS_ACCESS_KEY_ID
+ name: aws-provider-credentials #notice this matches the name of the secret we created.
+ region: us-east-1 #override if needed
+ secretAccessKeySecretRef:
+ key: AWS_SECRET_ACCESS_KEY
+ name: aws-provider-credentials
diff --git a/config/install/full-example-aws/configure/kustomization.yaml b/config/install/full-example-aws/configure/kustomization.yaml
new file mode 100644
index 000000000..b09c2652d
--- /dev/null
+++ b/config/install/full-example-aws/configure/kustomization.yaml
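Review bot: The key names in the new `aws-credentials.env.sample` (`KUADRANT_AWS_ACCESS_KEY_ID`, `KUADRANT_AWS_SECRET_ACCESS_KEY`, `KUADRANT_AWS_REGION`) do not match the keys that `cluster-issuer.yaml` in the same directory reads from the generated secret (`key: AWS_ACCESS_KEY_ID`, `key: AWS_SECRET_ACCESS_KEY`), nor the `AWS_ACCESS_KEY_ID=xxx` form the README in this commit shows. Because the kustomize secretGenerator turns each env line into a secret key verbatim, a user who follows the sample gets a secret whose keys the issuer cannot resolve and DNS01 solving fails. Either rename the sample's lines to `AWS_ACCESS_KEY_ID=xxx`, `AWS_SECRET_ACCESS_KEY=xxx`, `AWS_REGION=eu-west-1` or change the issuer's refs to match; I cannot see from here which names the DNS operator itself expects from the `kuadrant.io/aws` secret, so that should be confirmed too. The issuer's `region: us-east-1` also differs from the sample's `eu-west-1`; the `#override if needed` comment covers it but is easy to miss.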
@@ -0,0 +1,56 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases)
+ - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below).
+
+generatorOptions:
+ disableNameSuffixHash: true
+ labels:
+ app.kubernetes.io/part-of: kuadrant
+ app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+ - name: aws-provider-credentials
+ namespace: cert-manager # assumes cert-manager namespace exists.
+ envs:
+ - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally
+ type: 'kuadrant.io/aws'
+ - name: aws-provider-credentials
+ namespace: gateway-system # this is the namespace where your gateway will be provisioned
+ envs:
+ - aws-credentials.env #notice this matches the .env file above. you need to set up this file locally first.
+ type: 'kuadrant.io/aws'
+ - name: redis-credentials
+ namespace: kuadrant-system
+ envs:
+ - redis-credentials.env
+ type: 'kuadrant.io/redis'
+
+patches:
+ - patch: |-
+ apiVersion: limitador.kuadrant.io/v1alpha1
+ kind: Limitador
+ metadata:
+ name: limitador
+ namespace: kuadrant-system
+ spec:
+ pdb:
+ maxUnavailable: 1
+ replicas: 2
+ resourceRequirements:
+ requests:
+ cpu: 10m
+ memory: 10Mi # set these based on your own needs.
+ storage:
+ redis:
+ configSecretRef:
+ name: redis-credentials
+ - patch: |-
+ apiVersion: operator.authorino.kuadrant.io/v1beta1
+ kind: Authorino
+ metadata:
+ name: authorino
+ namespace: kuadrant-system
+ spec:
+ replicas: 2
diff --git a/config/install/full-example-aws/configure/patches/authorino-topoloy-patch.yaml b/config/install/full-example-aws/configure/patches/authorino-topoloy-patch.yaml
new file mode 100644
index 000000000..680f45925
--- /dev/null
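Review bot: The two files this commit adds under `patches/` (`authorino-topoloy-patch.yaml`, `limitador-topology-patch.yaml`) are not referenced by this kustomization — its `patches:` list holds only the two inline Limitador/Authorino CR patches — so nothing in `kustomize build` applies the topology spread constraints that the "resilient deployment" is meant to get. They also cannot simply be added as kustomize patches, because the Deployments they target are created in-cluster by the operators and are not part of the build output; presumably they are meant for `kubectl patch deployment ... --patch-file`, in which case each file needs a header comment saying so, e.g. `# Not applied by kustomize: run kubectl -n kuadrant-system patch deployment <name> --patch-file <this file> after the operators have created the Deployments.` Separately, the same `aws-credentials.env` is materialised as a Secret in both `cert-manager` and `gateway-system`, so a single IAM key serves two components with different needs; with `disableNameSuffixHash: true` a rotated key also keeps the same Secret name, so consumers are not automatically restarted — a comment on the generator noting both would help whoever operates this.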
+++ b/config/install/full-example-aws/configure/patches/authorino-topoloy-patch.yaml
@@ -0,0 +1,22 @@
+spec:
+ template:
+ spec:
+ containers:
+ - name: authorino
+ resources:
+ requests:
+ cpu: 10m # set your own needed limits here
+ memory: 10Mi # set your own needed limits here
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ authorino-resource: authorino
+ - maxSkew: 1
+ topologyKey: kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ authorino-resource: authorino
diff --git a/config/install/full-example-aws/configure/patches/limitador-topology-patch.yaml b/config/install/full-example-aws/configure/patches/limitador-topology-patch.yaml
new file mode 100644
index 000000000..4692b9488
--- /dev/null
+++ b/config/install/full-example-aws/configure/patches/limitador-topology-patch.yaml
@@ -0,0 +1,16 @@
+spec:
+ template:
+ spec:
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ limitador-resource: limitador
+ - maxSkew: 1
+ topologyKey: kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ limitador-resource: limitador
diff --git a/config/install/full-example-aws/configure/redis-credentials.env.sample b/config/install/full-example-aws/configure/redis-credentials.env.sample
new file mode 100644
index 000000000..c874708e3
--- /dev/null
+++ b/config/install/full-example-aws/configure/redis-credentials.env.sample
@@ -0,0 +1,3 @@
+# If using this you will need to rename the file and remove the .sample suffix and remove this comment
+
+URL=redis://xxxx
diff --git a/config/install/full-example-aws/install/kustomization.yaml b/config/install/full-example-aws/install/kustomization.yaml
new file mode 100644
index 000000000..37bce8e21
--- /dev/null
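Review bot: `topologyKey: kubernetes.io/zone` in the second constraint of both patch files is not the well-known zone label — nodes carry `topology.kubernetes.io/zone` — and because `whenUnsatisfiable: ScheduleAnyway` the scheduler silently skips a constraint whose key no node has, so the zone spreading these files exist for never takes effect while the hostname spread masks the problem. Change it to `topologyKey: topology.kubernetes.io/zone` in both files. The filename `authorino-topoloy-patch.yaml` is misspelled (`topology`) and will trip anyone typing the path from the README. The `resources.requests` comment reads "set your own needed limits here" but only requests are set; either add `limits:` or reword the comment to say requests.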
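Review bot: The sample connection string `URL=redis://xxxx` selects the plaintext Redis protocol, so the AUTH password embedded in the URL and every rate-limit counter update between Limitador and a (typically managed, cross-AZ) Redis cross the network unencrypted. For an example billed as the production-style deployment the sample should default to TLS, `URL=rediss://:password@host:6379`, with a comment that `redis://` is only appropriate for an in-cluster dev instance; whether Limitador accepts `rediss://` should be confirmed against its storage docs before changing the sample. A second comment line warning that the password lives in this file and it must never be committed would also not hurt, given the `.sample` rename instruction encourages keeping it next to the kustomization.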
+++ b/config/install/full-example-aws/install/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - https://github.com/Kuadrant/kuadrant-operator//config/install/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases)
+ #- https://github.com/Kuadrant/kuadrant-operator//config/install/openshift?ref=v1.0.1 #use if targeting an OCP cluster. Change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases).
+
+patches: # remove the subscription patch if you are installing a development version. It will then use the "preview" channel
+ - patch: |-
+ apiVersion: operators.coreos.com/v1alpha1
+ kind: Subscription
+ metadata:
+ name: kuadrant
+ spec:
+ source: kuadrant-operator-catalog
+ sourceNamespace: kuadrant-system
+ name: kuadrant-operator
+ channel: 'stable' #set to preview if not using a release (for example if using main)
diff --git a/config/install/no-gateway-provider/kustomization.yaml b/config/install/no-gateway-provider/kustomization.yaml
new file mode 100644
index 000000000..f8154c297
--- /dev/null
+++ b/config/install/no-gateway-provider/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# note by default this will install the version of kuadrant you checkout from v1 onwards
+# if you want to install a different released version you can use the patch options below.
+# If you want to install the latest development tag, remove the subscription patch
+resources:
+ - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
+ - ../../deploy/olm
diff --git a/config/install/standard/kuadrant-version.yaml b/config/install/standard/kuadrant-version.yaml
deleted file mode 100644
index 8eba0cb4b..000000000
--- a/config/install/standard/kuadrant-version.yaml
+++ /dev/null
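Review bot: The Subscription patch sets `channel: 'stable'` but no `installPlanApproval`, so OLM defaults to Automatic and this "resilient" installation will upgrade the operator (and with it Authorino and Limitador) whenever the catalog publishes a new bundle on that channel, with no operator review. Add `installPlanApproval: Manual` to the patch (optionally with `startingCSV`) and mention in the comment that pending InstallPlans then need approving. The remote resource `?ref=v1.0.1` pins a git tag, which is mutable, so what `kustomize build` pulls can change without the file changing; pinning the commit SHA in `ref=` and naming the tag in the comment would make the build reproducible. The commented-out openshift resource carries the same caveat.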
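Review bot: The header comments in `no-gateway-provider/kustomization.yaml` tell the reader to "use the patch options below" and to "remove the subscription patch", but this file contains no `patches:` section at all — the Subscription patch lives in `full-example-aws/install/kustomization.yaml` — so a user following the comment finds nothing to edit. Either copy that Subscription patch here or reword the comment, e.g. `# To pin a released version, add a Subscription patch setting channel: stable as shown in config/install/full-example-aws/install/kustomization.yaml; without it the development catalog channel is used.` The `# note by default ...` sentence is also missing its closing punctuation and reads as one run-on with the next line.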
@@ -1,6 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: CatalogSource -metadata: - name: kuadrant-operator-catalog -spec: - image: quay.io/kuadrant/kuadrant-operator-catalog:latest #change this to the version you want to install diff --git a/config/install/standard/kustomization.yaml b/config/install/standard/kustomization.yaml index 69d773e2e..f2fe5a105 100644 --- a/config/install/standard/kustomization.yaml +++ b/config/install/standard/kustomization.yaml @@ -2,15 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization # note by default this will install the version of kuadrant you checkout from v1 onwards -# if you want to install a different version you can use the patch option below +# if you want to install a different released version you can use the patch options below. +# If you want to install the latest development tag, remove the subscription patch resources: - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml - sail-operator.yaml - ../../deploy/olm -# patches: -# - target: -# group: operators.coreos.com -# version: v1alpha1 -# kind: CatalogSource -# name: kuadrant-operator-catalog -# path: kuadrant-version.yaml