Revise cluster-gateway charts
Signed-off-by: Tamal Saha <[email protected]>
tamalsaha committed Mar 4, 2024
1 parent be184f7 commit 272ff7c
Showing 22 changed files with 771 additions and 141 deletions.
21 changes: 10 additions & 11 deletions charts/cluster-gateway-manager/README.md
@@ -45,22 +45,21 @@ The command removes all the Kubernetes components associated with the chart and

The following table lists the configurable parameters of the `cluster-gateway-manager` chart and their default values.

| Parameter | Description | Default |
|---------------------------------|----------------------------------------|--------------------------------------------------|
| image | Image of the cluster-gateway instances | <code>oamdev/cluster-gateway-manager</code> |
| tag | | <code></code> |
| clusterGateway.image | | <code>oamdev/cluster-gateway</code> |
| clusterGateway.installNamespace | | <code>vela-system</code> |
| clusterGateway.secretNamespace | | <code>open-cluster-management-credentials</code> |
| replicas | Number of replicas | <code>1</code> |
| manualSecretManagement | | <code>true</code> |
| konnectivityEgress | | <code>false</code> |
| Parameter | Description | Default |
|---------------------------------|----------------------------------------|--------------------------------------------------------------|
| image | Image of the cluster-gateway instances | <code>ghcr.io/kluster-manager/cluster-gateway-manager</code> |
| tag | | <code>latest</code> |
| clusterGateway.image | | <code>ghcr.io/kluster-manager/cluster-gateway</code> |
| clusterGateway.installNamespace | | <code>cluster-gateway</code> |
| replicas | Number of replicas | <code>1</code> |
| manualSecretManagement | | <code>false</code> |
| clusterProxy.enabled | | <code>true</code> |


Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:

```bash
$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management --create-namespace --version=v2024.2.25 --set image=oamdev/cluster-gateway-manager
$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management --create-namespace --version=v2024.2.25 --set image=ghcr.io/kluster-manager/cluster-gateway-manager
```

Alternatively, a YAML file that specifies the values for the parameters can be provided while
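Review bot: the rebuilt parameter table leaves the Description column empty for `tag`, `clusterGateway.image`, `clusterGateway.installNamespace`, `manualSecretManagement` and the new `clusterProxy.enabled`, and the `tag` default now reads `latest`. These values decide which image runs and whether the chart or the operator manages credentials, so a one-line description each, including that an empty `tag` falls back to the chart appVersion in the deployment template, would make the table useful rather than decorative.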

Large diffs are not rendered by default.

@@ -1,11 +1,8 @@

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: clustergatewayconfigurations.proxy.open-cluster-management.io
spec:
group: proxy.open-cluster-management.io
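Review bot: the context lines of this hunk still show the CRD named `clustergatewayconfigurations.proxy.open-cluster-management.io` with `group: proxy.open-cluster-management.io`, while the addon template, the `ClusterGatewayConfiguration` manifest and the manager ClusterRole in this same commit move to `config.gateway.open-cluster-management.io`. Unless a CRD for the new group is among the files not rendered on this page, the default config cannot be applied and the ClusterRole rule on the new group points at a resource that does not exist; confirm the CRD for the new group ships with the chart.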
@@ -174,9 +171,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
@@ -18,7 +18,7 @@ spec:
serviceAccount: cluster-gateway-manager
containers:
- name: cluster-gateway-manager
image: {{ .Values.image }}:{{ .Values.tag | default (print "v" .Chart.Version) }}
image: {{ .Values.image }}:{{ .Values.tag | default .Chart.AppVersion }}
imagePullPolicy: IfNotPresent
args:
- --leader-elect=true
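Review bot: the `default .Chart.AppVersion` fallback on the image line never takes effect for this chart, because values.yaml in the same commit sets `tag: latest`; combined with `imagePullPolicy: IfNotPresent` two lines below, a node that already has a `latest` layer cached keeps running it after the registry tag moves, so two nodes can run different code under the same manifest. Suggest leaving `tag` empty so the appVersion is used (as the cluster-gateway chart does), or pinning by digest, and keeping `latest` out of chart defaults.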
@@ -1,11 +1,10 @@
apiVersion: proxy.open-cluster-management.io/v1alpha1
apiVersion: config.gateway.open-cluster-management.io/v1alpha1
kind: ClusterGatewayConfiguration
metadata:
name: cluster-gateway
spec:
image: {{ .Values.clusterGateway.image }}:{{ .Values.tag | default (print "v" .Chart.Version) }}
image: {{ .Values.clusterGateway.image }}:{{ .Values.tag | default .Chart.AppVersion }}
installNamespace: {{ .Values.clusterGateway.installNamespace }}
secretNamespace: {{ .Values.clusterGateway.secretNamespace }}
secretManagement:
{{ if .Values.manualSecretManagement }}
type: Manual
@@ -15,15 +14,12 @@ spec:
name: cluster-gateway
{{ end }}
egress:
{{ if .Values.konnectivityEgress }}
type: ClusterProxy
{{ if .Values.clusterProxy.enabled }}
clusterProxy:
proxyServerHost: "proxy-entrypoint.open-cluster-management-addon"
proxyServerPort: 8090
credentials:
namespace: open-cluster-management-addon
proxyClientCASecretName: proxy-server-ca
proxyClientSecretName: proxy-client
{{ else }}
type: Direct
{{ end }}
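Review bot: removing `type: ClusterProxy` and `type: Direct` leaves the `egress:` key with nothing under it when `clusterProxy.enabled` is false, so it renders as a null value rather than an explicit Direct egress. If the new API infers the egress type from the presence of `clusterProxy`, say so in a template comment; otherwise move the `{{ if }}` around the whole `egress:` key or keep an explicit type. `proxyServerHost` and the credentials `namespace` are also hard-coded to `open-cluster-management-addon` here, whereas the cluster-gateway chart exposes `clusterProxy.endpoint.host` as a value; the two charts should agree on how the proxy endpoint is configured.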
@@ -6,6 +6,8 @@ spec:
addOnMeta:
displayName: cluster-gateway
description: cluster-gateway
addOnConfiguration:
crdName: clustergatewayconfigurations.proxy.open-cluster-management.io
crName: cluster-gateway
supportedConfigs:
- group: config.gateway.open-cluster-management.io
resource: clustergatewayconfigurations
defaultConfig:
name: cluster-gateway
@@ -1,11 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: open-cluster-management:cluster-gateway:managedcluster-reader
name: open-cluster-management:cluster-gateway:addon-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: open-cluster-management:cluster-gateway:managedcluster-reader
name: open-cluster-management:cluster-gateway:addon-manager
subjects:
- kind: ServiceAccount
name: cluster-gateway-manager
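Review bot: the rename from `managedcluster-reader` to `addon-manager` also fixes a collision that the commit message does not mention: before this change the cluster-gateway chart used the identical cluster-scoped name `open-cluster-management:cluster-gateway:managedcluster-reader` for its own ClusterRole and ClusterRoleBinding, so installing both charts had one release overwriting the other's RBAC. Worth a line in the commit message, since on upgrade Helm removes the old object and operators will see the `managedcluster-reader` role disappear.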
6 changes: 3 additions & 3 deletions charts/cluster-gateway-manager/templates/clusterroles.yaml
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: open-cluster-management:cluster-gateway:managedcluster-reader
name: open-cluster-management:cluster-gateway:addon-manager
rules:
- apiGroups:
- cluster.open-cluster-management.io
@@ -18,13 +18,13 @@ rules:
verbs:
- "*"
- apiGroups:
- proxy.open-cluster-management.io
- config.gateway.open-cluster-management.io
resources:
- clustergatewayconfigurations
verbs:
- "*"
- apiGroups:
- cluster.core.oam.dev
- gateway.open-cluster-management.io
resources:
- clustergateways/health
- clustergateways/proxy
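Review bot: the rule on `clustergatewayconfigurations` keeps `verbs: ["*"]` while only the apiGroup changes. A wildcard on the configuration resource also covers `delete` and `deletecollection`, which an addon manager has no reason to hold; enumerate the verbs it actually uses (get/list/watch, plus update/patch if it writes status) now that the rule is being touched anyway.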

This file was deleted.

13 changes: 0 additions & 13 deletions charts/cluster-gateway-manager/templates/rolebinder.yaml

This file was deleted.

15 changes: 8 additions & 7 deletions charts/cluster-gateway-manager/values.yaml
@@ -1,14 +1,15 @@
# Image of the cluster-gateway instances
image: oamdev/cluster-gateway-manager
image: ghcr.io/kluster-manager/cluster-gateway-manager

tag:
tag: latest

clusterGateway:
image: oamdev/cluster-gateway
installNamespace: vela-system
secretNamespace: open-cluster-management-credentials
image: ghcr.io/kluster-manager/cluster-gateway
installNamespace: cluster-gateway

# Number of replicas
replicas: 1

manualSecretManagement: true
konnectivityEgress: false
manualSecretManagement: false
clusterProxy:
enabled: true
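Review bot: two defaults change silently in this hunk. `manualSecretManagement` flips from `true` to `false`, so an existing release that relied on Manual secret management switches to chart-managed credentials on `helm upgrade` unless the value is set explicitly; and `clusterGateway.secretNamespace` is dropped, so a user who still passes it gets no error because Helm ignores unknown values. Both belong in the upgrade notes, and `tag: latest` should be reconsidered, since a mutable tag as a chart default defeats the appVersion pinning the templates otherwise provide.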
23 changes: 10 additions & 13 deletions charts/cluster-gateway/README.md
@@ -45,24 +45,21 @@ The command removes all the Kubernetes components associated with the chart and

The following table lists the configurable parameters of the `cluster-gateway` chart and their default values.

| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------|---------------------------------------------------------------------|
| image | Image of the cluster-gateway instances | <code>oamdev/cluster-gateway</code> |
| tag | | <code></code> |
| replicas | Number of replicas | <code>1</code> |
| secretNamespace | A secured namespace for reading cluster secrets | <code>open-cluster-management-credentials</code> |
| ocmIntegration.enabled | | <code>false</code> |
| ocmIntegration.clusterProxy.enabled | | <code>false</code> |
| ocmIntegration.clusterProxy.endpoint.host | | <code>proxy-entrypoint.open-cluster-management-cluster-proxy</code> |
| ocmIntegration.clusterProxy.endpoint.port | | <code>8090</code> |
| featureGate.healthiness | | <code>false</code> |
| featureGate.secretCache | | <code>false</code> |
| Parameter | Description | Default |
|----------------------------|----------------------------------------|---------------------------------------------------------------------|
| image | Image of the cluster-gateway instances | <code>ghcr.io/kluster-manager/cluster-gateway</code> |
| tag | | <code></code> |
| replicas | Number of replicas | <code>1</code> |
| clusterProxy.enabled | | <code>true</code> |
| clusterProxy.endpoint.host | | <code>proxy-entrypoint.open-cluster-management-cluster-proxy</code> |
| clusterProxy.endpoint.port | | <code>8090</code> |
| featureGate.healthiness | | <code>false</code> |


Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:

```bash
$ helm upgrade -i cluster-gateway appscode/cluster-gateway -n open-cluster-management --create-namespace --version=v2024.2.25 --set image=oamdev/cluster-gateway
$ helm upgrade -i cluster-gateway appscode/cluster-gateway -n open-cluster-management --create-namespace --version=v2024.2.25 --set image=ghcr.io/kluster-manager/cluster-gateway
```

Alternatively, a YAML file that specifies the values for the parameters can be provided while
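Review bot: here `tag` keeps an empty default, so the template's `default .Chart.AppVersion` fallback applies, whereas the cluster-gateway-manager README in this commit sets `tag` to `latest`; the two charts should agree on the pinned appVersion. `clusterProxy.enabled` also becomes `true` by default (previously `ocmIntegration.clusterProxy.enabled: false`), which the Description column should state because it makes the cluster-proxy addon and its `proxy-server-ca` and `proxy-client` secrets a prerequisite for the gateway pod to start.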
4 changes: 2 additions & 2 deletions charts/cluster-gateway/templates/apiservice.yaml
@@ -1,13 +1,13 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.cluster.core.oam.dev
name: v1alpha1.gateway.open-cluster-management.io
labels:
api: cluster-extension-apiserver
apiserver: "true"
spec:
version: v1alpha1
group: cluster.core.oam.dev
group: gateway.open-cluster-management.io
groupPriorityMinimum: 2000
service:
name: gateway-service
16 changes: 6 additions & 10 deletions charts/cluster-gateway/templates/cluster-gateway-apiserver.yaml
@@ -25,24 +25,20 @@ spec:
secretName: proxy-server-ca
containers:
- name: gateway
image: {{ .Values.image }}:{{ .Values.tag | default (print "v" .Chart.Version) }}
image: {{ .Values.image }}:{{ .Values.tag | default .Chart.AppVersion }}
imagePullPolicy: IfNotPresent
args:
- --secure-port=9443
- --secret-namespace={{ .Values.secretNamespace }}
{{ if .Values.ocmIntegration.enabled }}
- --ocm-integration=true
{{ if .Values.ocmIntegration.clusterProxy.enabled }}
- --proxy-host={{ .Values.ocmIntegration.clusterProxy.endpoint.host }}
- --proxy-port={{ .Values.ocmIntegration.clusterProxy.endpoint.port }}
{{ if .Values.clusterProxy.enabled }}
- --proxy-host={{ .Values.clusterProxy.endpoint.host }}
- --proxy-port={{ .Values.clusterProxy.endpoint.port }}
- --proxy-ca-cert=/etc/ca/ca.crt
- --proxy-cert=/etc/tls/tls.crt
- --proxy-key=/etc/tls/tls.key
{{ end }}
{{ end }}
- --feature-gates={{ if .Values.featureGate.healthiness }}HealthinessCheck=true,{{ end }}{{ if .Values.featureGate.secretCache }}SecretCache=true,{{ end }}
- --feature-gates={{ if .Values.featureGate.healthiness }}HealthinessCheck=true,{{ end }}
# TODO: certificate rotation, otherwise the self-signed will expire in 1 year
{{ if .Values.ocmIntegration.clusterProxy.enabled }}
{{ if .Values.clusterProxy.enabled }}
volumeMounts:
- name: proxy-client
mountPath: "/etc/tls/"
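Review bot: with `clusterProxy.enabled` now defaulting to `true`, the deployment expects the `proxy-server-ca` secret (the volume just above this hunk) and the `proxy-client` volume mount to exist, i.e. the cluster-proxy addon must already be installed or the pod sits in ContainerCreating with a missing-secret event; either document that prerequisite or keep the default at `false`. The `# TODO: certificate rotation` comment also survives the change, so the default install still ships a self-signed certificate that expires after one year with nothing in the chart to renew it.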
4 changes: 2 additions & 2 deletions charts/cluster-gateway/templates/clusterrolebindings.yaml
@@ -1,11 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: open-cluster-management:cluster-gateway:managedcluster-reader
name: open-cluster-management:cluster-gateway:apiserver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: open-cluster-management:cluster-gateway:managedcluster-reader
name: open-cluster-management:cluster-gateway:apiserver
subjects:
- kind: ServiceAccount
name: cluster-gateway
27 changes: 25 additions & 2 deletions charts/cluster-gateway/templates/clusterroles.yaml
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: open-cluster-management:cluster-gateway:managedcluster-reader
name: open-cluster-management:cluster-gateway:apiserver
rules:
- apiGroups:
- cluster.open-cluster-management.io
@@ -42,4 +42,27 @@ rules:
resources:
- subjectaccessreviews
verbs:
- "*"
- "*"
# read/update managed cluster addons
- apiGroups:
- addon.open-cluster-management.io
resources:
- managedclusteraddons
verbs:
- get
- list
- watch
- create
- update
- patch
# read managed service account credentials
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
resourceNames:
- cluster-gateway
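Review bot: `resourceNames: [cluster-gateway]` does not restrict `list` and `watch` the way it restricts `get`: Kubernetes honours resourceNames for list/watch only when the request carries a `metadata.name` field selector, so an informer that lists secrets without one is denied outright, and the temptation will then be to drop `resourceNames` and grant a plain secrets read. Because this is a ClusterRole, the grant as written also spans secrets named `cluster-gateway` in every namespace; if the managed service account credentials live in known namespaces, a Role plus RoleBinding per namespace is tighter. Check which call pattern the gateway actually uses before merging.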
19 changes: 17 additions & 2 deletions charts/cluster-gateway/templates/rolebindings.yaml
@@ -1,7 +1,8 @@
# to read the config for terminating authentication
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:extension-apiserver-authentication-reader:cluster-gateway
name: extension-apiserver-authentication-reader:cluster-gateway
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -10,4 +11,18 @@ roleRef:
subjects:
- kind: ServiceAccount
name: cluster-gateway
namespace: {{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
---
# to delegate authentication and authorization
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auth-delegator:cluster-gateway
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: cluster-gateway
namespace: {{ .Release.Namespace }}
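Review bot: the `system:auth-delegator` binding grants `create` on tokenreviews and subjectaccessreviews, which is exactly what an aggregated API server needs to delegate authentication and authorization, but the chart's own ClusterRole in this commit still carries a `subjectaccessreviews` rule with `verbs: ["*"]`; drop that rule in favour of the delegator binding so the apiserver holds only `create`. Removing the `system:` prefix from the RoleBinding name is correct, as that prefix is reserved for objects Kubernetes creates itself.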
4 changes: 0 additions & 4 deletions charts/cluster-gateway/templates/secret-namespace.yaml

This file was deleted.

13 changes: 0 additions & 13 deletions charts/cluster-gateway/templates/secret-rolebindings.yaml

This file was deleted.

0 comments on commit 272ff7c