From 93292e8cec5e8790eb89c4c3735d8d6b5ca0b495 Mon Sep 17 00:00:00 2001 From: craig Date: Mon, 9 Dec 2024 11:00:35 +0000 Subject: [PATCH 01/13] add simple installation Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED more detailed installation guide and examples rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 307 +++++++++++++++--- .../install/configure/aws/kustomization.yaml | 5 +- .../configure/kitchen-sink/kustomization.yaml | 9 - .../redis-storage/kustomization.yaml | 2 +- .../configure/aws-credentials.env.sample | 5 + .../configure/cluster-issuer.yaml | 20 ++ .../configure/kustomization.yaml | 29 ++ .../full-example-aws/configure/limitador.yaml | 11 + .../configure/redis-credentials.env.sample | 3 + .../install/kustomization.yaml | 17 + .../no-gateway-provider/kustomization.yaml | 9 + config/install/standard/kuadrant-version.yaml | 6 - config/install/standard/kustomization.yaml | 10 +- 13 files changed, 369 insertions(+), 64 deletions(-) delete mode 100644 config/install/configure/kitchen-sink/kustomization.yaml create mode 100644 config/install/full-example-aws/configure/aws-credentials.env.sample create mode 100644 config/install/full-example-aws/configure/cluster-issuer.yaml create mode 100644 config/install/full-example-aws/configure/kustomization.yaml create mode 100644 config/install/full-example-aws/configure/limitador.yaml create mode 100644 config/install/full-example-aws/configure/redis-credentials.env.sample create mode 100644 config/install/full-example-aws/install/kustomization.yaml create mode 100644 config/install/no-gateway-provider/kustomization.yaml delete mode 100644 config/install/standard/kuadrant-version.yaml diff --git a/config/install/README.md b/config/install/README.md index 343431719..79af821e4 100644 --- a/config/install/README.md +++ b/config/install/README.md 
@@ -1,101 +1,326 @@ -# Install Kuadrant and Sail via OLM +# Install and Configure Kuadrant and Sail via OLM and the CLI + +This document will walk you through setting up the required configuration to install kaudrant using kustomize or a tool that leverages kustomize such as kubectl along with OLM. It will walk you step by step through installation and building up your needed configuration. The full example is available to view and use here [Full AWS Example](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/full-example-aws) ## Prerequisites -- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo -- OLM (operator lifecycle manager) -- cert-manager +- OCP or K8s cluster and CLI available. +- OLM is installed [operator lifecycle manager releases](https://github.com/operator-framework/operator-lifecycle-manager/releases) +- Gateway Provider Installed: By default this guide will install the [Sail Operator](https://github.com/istio-ecosystem/sail-operator) that will configure and install an Istio installation. Kuadrant is intended to work with [Istio](https://istio.io) or [Envoy Gateway](https://gateway.envoyproxy.io/) as a gateway provider before you can make use of Kuadrant one of these providers should be installed. +- (Optional) cert-manager: - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) - [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) -- AWS, Azure or GCP with DNS capabilities. (Optional) -- Accessible Redis instance, for persistent storage for your rate limit counters. (Optional) +- (Optional) Access to AWS, Azure or GCP with DNS services. +- (Optional) Accessible Redis instance, for persistent storage for your rate limit counters. -> Note: By default the following guide will install the "latest" or "main" version of Kuadrant. 
To pick a specific version, change the image in the `config/install/standard/kuadrant-version.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases) > Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) -## Setup the environment +## Basic Installation -> Note this uses the community operatorhub catalog. If you are installing on OpenShift and want to use the redhat provided catalog use the second command. +This first step will install just Kuadrant at a given released version (post v1.x) in the `kuadrant-system` namespace. There will be no credentials/dns providers configured (This is the most basic setup but means TLSPolicy and DNSPolicy will not be able to be used). This basic install will also setup a gateway provider via Istio and the Sail Operator. +Create the following `kustomization.yaml` in a directory locally. For the purpose of this doc, we will use: `kuadrant/install` (but if can be anything you would prefer). -```bash -# community catalog -kubectl apply -k config/install/standard -``` +> Setting the version to install: You can set the version of kuadrant to install by adding / changing the `?ref=v1.0.1`. + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/standard?ref=v1.0.1 #set the versio by adding ?ref=v1.0.1 change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + #- https://github.com/Kuadrant/kuadrant-operator//config/install/openshift?ref=v1.0.1 #use if targeting an OCP cluster. 
Change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases). + +patches: # remove the subscription patch if you are installing a development version. It will then use the "preview" channel + - patch: |- + apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: kuadrant + spec: + source: kuadrant-operator-catalog + sourceNamespace: kuadrant-system + name: kuadrant-operator + channel: 'stable' #set to preview if not using a release (for example if using main) + +``` + +And execute the following to apply it to a cluster: ```bash -# redhat catalog -kubectl apply -k config/install/openshift +# change the location depending on where you created the kustomization.yaml +kubectl apply -k + ``` -Verify both Kuadrant and sail operators are installed. Note, that this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: +#### Verify the operators are installed: + +Once OLM has finished installing the operators (this can take several minutes). You should see the following in the kuadrant-system namespace: ```bash kubectl get deployments -n kuadrant-system - +## Output # NAME READY UP-TO-DATE AVAILABLE AGE # authorino-operator 1/1 1 1 83m # dns-operator-controller-manager 1/1 1 1 83m # kuadrant-console-plugin 1/1 1 1 83m # kuadrant-operator-controller-manager 1/1 1 1 83m # limitador-operator-controller-manager 1/1 1 1 83m + ``` +You can also view the subscription for information: +```bash +kubectl get subscription -n kuadrant-system -o=yaml + +``` + +### Install the operand components + +Kuadrant has 2 additional operand components that it manages (Authorino that provides data plane auth and Limitador that provides data plane rate limiting). To set these up lets add a new `kustomization.yaml` in a new sub directory. We will re-use this later for further configuration. 
We do this as a separate step as we want to have the operators installed and in place first. + +Add the following to your local directory. For the purpose of this doc, we will use: `kuadrant/configure/`. + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + +``` + +Lets apply this to your cluster: ```bash -kubectl get deployments -n gateway-system +kubectl apply -k -# NAME READY UP-TO-DATE AVAILABLE AGE -# istiod 1/1 1 1 61s -# sail-operator 1/1 1 1 81m ``` -## Configure the installation +### Verify kuadrant is installed and ready: + +```bash +kubectl get kuadrant kuadrant -n kuadrant-system -o=wide + +# NAME STATUS AGE +# kuadrant Ready 109s -### TLS and DNS integration +``` +You should see the condition with type `Ready` with a message of `kuadrant is ready`. -Create the `$CLOUD_PROVIDER-credentials.env file` in the cloud provider directory `config/install/configure/$CLOUD_PROVIDER.` e.g. `aws-credentials.env` in the `config/install/configure/aws` directory. Apply the configuration for the desired cloud provider. Example AWS + +### Verify Istio is configured and ready: + +```bash +kubectl get istio -n gateway-system + +#sample output +# NAME REVISIONS READY IN USE ACTIVE REVISION VERSION AGE +# default 1 1 1 Healthy v1.23.0 3d22h +``` + + + +At this point Kuadrant is installed and ready to be used as is Istio as the gateway provider. This means AuthPolicy and RateLimitPolicy can now be configured and used to protect any Gateways you create. + + +## Configure a DNS provider credentials and a Certificate Issuer + +In this section will build on the previous steps and expand the `kustomization.yaml` we created in the previous step. 
+ +In order for cert-manager and the Kuadrant DNS operator to be able to access and manage DNS records and setup TLS certificates and provide external connectivity for your endpoints, you need to setup a credential for these components. To do this, we will use a Kubernetes secret via a kustomize secret generator. You can find other example overlays for each supported cloud provider under the [configure directory](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/configure). + +An example lets-encrypt certificate issuer is provided, but for more information on certificate issuers take a look at the [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/). + + +Lets modify our existing local kustomize overlay to setup these secrets and the cluster certificate issuer: + +First you will need to setup the required `.env` file specified in the kuztomization.yaml file in the same directory as your existing configure kustomization. Below is an example for AWS: + +```bash +touch kudarant/configure/aws-credentials.env ``` -kubectl apply -k config/install/configure/aws +Add the following to your new file + ``` +KUADRANT_AWS_ACCESS_KEY_ID=xxx +KUADRANT_AWS_SECRET_ACCESS_KEY=xxx +KUADRANT_AWS_REGION=eu-west-1 -This will configure Kuadrant and Sail to install their components, set the credentials needed to access DNS zones in the cloud provider, and create a Let's Encrypt cluster issuer configured to use DNS-based validation. +``` -### Validate +With this setup, lets update our configure kustomization and also define a TLS clusterissuer:: + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). 
Ensure you name the file correctly. + + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager # assumes cert-manager namespace exists. + envs: + - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system # this is the namespace where your gateway will be provisioned + envs: + - aws-credentials.env #notice this matches the .env file above. you need to set up this file locally first. + type: 'kuadrant.io/aws' + + +``` -Validate Kuadrant is ready via the kuadrant resource status condition +Example Lets-Encrypt Cluster Issuer that uses the aws credential. Create this in the same directory as the configure kustomization.yaml: ```bash -kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml +touch kuadrant/configure/cluster-issuer.yaml ``` -At this point Kuadrant is ready to use. Below are some additional configuration that can be applied. +Add the following to this new file: + +```yaml +# example lets-encrypt cluster issuer that will work with the credentials we will add +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: lets-encrypt-aws +spec: + acme: + privateKeySecretRef: + name: le-secret + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - dns01: + route53: + accessKeyIDSecretRef: + key: AWS_ACCESS_KEY_ID + name: aws-provider-credentials #notice this matches the name of the secret we created. 
+ region: us-east-1 #override if needed + secretAccessKeySecretRef: + key: AWS_SECRET_ACCESS_KEY + name: aws-provider-credentials + +``` + +To configure our installation, re-apply the configure kustomization on the cluster (note this doesn't need to be done in different steps, but is done so here to illustrate how you can build up your configuration of Kuadrant). + +```bash +kubectl apply -k kuadrant/configure +``` + +The cluster issuer should become ready: + +```bash +kubectl get clusterissuer -o=wide + +# NAME READY STATUS AGE +# lets-encrypt-aws True The ACME account was registered with the ACME server 14s + +``` + +We create two credentials. One for use with DNSPolicy in the gateway-system namespace and one for use by cert-manager in the `cert-manager` namespace. With these credentials in place and the cluster issuer configured. You are now ready to start using DNSPolicy and TLSPolicy to secure and connect your Gateways. + + +## Using External Redis + +To connect `Limitador` the component responsible for rate limiting to redis so that its counters are stored and shared with other limitador instances follow these steps: + +Again we will build on the configure kustomization we started. In the same way we did for the cloud provider credentials, we need to setup a `redis-credential.env` file in the same directory as the kustomization. + + +```bash +touch kudarant/configure/redis-credentials.env + +``` + +Add the redis connection string to this file in the following format: + +``` +URL=redis://xxxx +``` + +Next we need to add a new secret generator to our existing configure file at `kuadrant/configure/kustomization.yaml` add it below the other `secretGenerators` + +```yaml + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/redis' +``` + +We also need to replace the existing limitador resource. Add the following to the `kuadrant/configure` directory. 
+ +```bash +touch kuadrant/configure/limitador.yaml +``` + +Add the following to the `limitador.yaml` file: + +```yaml + +apiVersion: limitador.kuadrant.io/v1alpha1 +kind: Limitador +metadata: + name: limitador + namespace: kuadrant-system +spec: + storage: + redis: + configSecretRef: + name: redis-credentials + +``` + +Add the new resource to your `kuadrant/configure/kustomization.yaml` file under the resources section: + +```yaml +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). + - limitador.yaml # NEW + +``` -### External Redis -create a `redis-credential.env` in the `config/install/configure/redis-storage` dir +Re-Apply the configuration to setup the new secret and limitador configuration: + +>Note you will see a warning here about last applied configuration. This is because we are replacing the resource setup by the kuadrant-operator however this warning wont cause any issues for the installation. ```bash -kubectl apply -k config/install/configure/redis-storage +kubectl apply -k kuadrant/configure/ ``` -This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts. +Limitador is now configured to use the provided redis connection URL as a backend store for rate limit counters. Limitador will becomes temporarily unavailable as it restarts. 
### Validate Validate Kuadrant is in a ready state as before: ```bash -kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml +kubectl get kuadrant kuadrant -n kuadrant-system -o=wide + +# NAME STATUS AGE +# kuadrant Ready 61m + ``` -## Set up observability +## Set up observability (OpenShift Only) Verify that user workload monitoring is enabled in your Openshift cluster. If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this. @@ -110,7 +335,8 @@ kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonp Install the gateway & Kuadrant metrics components and configuration, including Grafana. ```bash -kubectl apply -k config/install/configure/observability +# change the version as needed +kubectl apply -k https://github.com/Kuadrant/kuadrant-operator//config/install/configure/observability?ref=v1.0.1 ``` Configure the Openshift thanos-query instance as a data source in Grafana. @@ -126,7 +352,7 @@ kubectl apply -k config/observability/openshift/grafana Create the example dashboards in Grafana ```bash -kubectl apply -k examples/dashboards +kubectl apply -k https://github.com/Kuadrant/kuadrant-operator//examples/dashboards?ref=v1.0.1 ``` Access the Grafana UI, using the default user/pass of root/secret. @@ -136,3 +362,8 @@ For more information on the example dashboards, check out the [documentation](ht ```bash kubectl -n monitoring get routes grafana-route -o jsonpath="https://{.status.ingress[].host}" ``` + + +### Next Steps + +- Try out one of our user-guides [secure, connect protect](https://docs.kuadrant.io/latest/kuadrant-operator/doc/user-guides/full-walkthrough/secure-protect-connect-k8s/#overview) diff --git a/config/install/configure/aws/kustomization.yaml b/config/install/configure/aws/kustomization.yaml index 831238e72..c7cff08ad 100644 --- a/config/install/configure/aws/kustomization.yaml 
+++ b/config/install/configure/aws/kustomization.yaml @@ -4,7 +4,8 @@ kind: Kustomization ## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first! resources: - - ../standard + - https://github.com/Kuadrant/kuadrant-operator//config/install/standard + # - https://github.com/Kuadrant/kuadrant-operator//config/install/openshift # use this one if installing on OCP - cluster-issuer.yaml generatorOptions: @@ -17,7 +18,7 @@ secretGenerator: - name: aws-provider-credentials namespace: cert-manager envs: - - aws-credentials.env + - aws-credentials.env # you will need to setup this file locally type: 'kuadrant.io/aws' - name: aws-provider-credentials namespace: gateway-system diff --git a/config/install/configure/kitchen-sink/kustomization.yaml b/config/install/configure/kitchen-sink/kustomization.yaml deleted file mode 100644 index 74bde7691..000000000 --- a/config/install/configure/kitchen-sink/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - ../dns-aws - - ../dns-azure - - ../dns-gcp - - ../redis-storage - - ../tls-lets-encrypt diff --git a/config/install/configure/redis-storage/kustomization.yaml b/config/install/configure/redis-storage/kustomization.yaml index 862321f8f..f1f3e6abc 100644 --- a/config/install/configure/redis-storage/kustomization.yaml +++ b/config/install/configure/redis-storage/kustomization.yaml @@ -14,4 +14,4 @@ secretGenerator: namespace: kuadrant-system envs: - redis-credentials.env - type: 'kuadrant.io/aws' + type: 'kuadrant.io/redis' diff --git a/config/install/full-example-aws/configure/aws-credentials.env.sample b/config/install/full-example-aws/configure/aws-credentials.env.sample new file mode 100644 index 000000000..1eb0cc908 --- /dev/null +++ b/config/install/full-example-aws/configure/aws-credentials.env.sample 
@@ -0,0 +1,5 @@ +# If using this you will need to rename the file and remove the .sample suffix and remove this comment + +KUADRANT_AWS_ACCESS_KEY_ID=xxx +KUADRANT_AWS_SECRET_ACCESS_KEY=xxx +KUADRANT_AWS_REGION=eu-west-1 diff --git a/config/install/full-example-aws/configure/cluster-issuer.yaml b/config/install/full-example-aws/configure/cluster-issuer.yaml new file mode 100644 index 000000000..b6f95e5f0 --- /dev/null +++ b/config/install/full-example-aws/configure/cluster-issuer.yaml @@ -0,0 +1,20 @@ +# example lets-encrypt cluster issuer that will work with the credentials we will add +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: lets-encrypt-aws +spec: + acme: + privateKeySecretRef: + name: le-secret + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - dns01: + route53: + accessKeyIDSecretRef: + key: AWS_ACCESS_KEY_ID + name: aws-provider-credentials #notice this matches the name of the secret we created. + region: us-east-1 #override if needed + secretAccessKeySecretRef: + key: AWS_SECRET_ACCESS_KEY + name: aws-provider-credentials diff --git a/config/install/full-example-aws/configure/kustomization.yaml b/config/install/full-example-aws/configure/kustomization.yaml new file mode 100644 index 000000000..b3979f665 --- /dev/null +++ b/config/install/full-example-aws/configure/kustomization.yaml 
@@ -0,0 +1,29 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). + - limitador.yaml + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager # assumes cert-manager namespace exists. + envs: + - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system # this is the namespace where your gateway will be provisioned + envs: + - aws-credentials.env #notice this matches the .env file above. you need to set up this file locally first. + type: 'kuadrant.io/aws' + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/redis' diff --git a/config/install/full-example-aws/configure/limitador.yaml b/config/install/full-example-aws/configure/limitador.yaml new file mode 100644 index 000000000..a5a3c2e2d --- /dev/null +++ b/config/install/full-example-aws/configure/limitador.yaml @@ -0,0 +1,11 @@ +apiVersion: limitador.kuadrant.io/v1alpha1 +kind: Limitador +metadata: + name: limitador + namespace: kuadrant-system +spec: + storage: + redis: + configSecretRef: + name: redis-credentials + diff --git a/config/install/full-example-aws/configure/redis-credentials.env.sample b/config/install/full-example-aws/configure/redis-credentials.env.sample new file mode 100644 index 000000000..c874708e3 --- /dev/null +++ b/config/install/full-example-aws/configure/redis-credentials.env.sample 
@@ -0,0 +1,3 @@ +# If using this you will need to rename the file and remove the .sample suffix and remove this comment + +URL=redis://xxxx diff --git a/config/install/full-example-aws/install/kustomization.yaml b/config/install/full-example-aws/install/kustomization.yaml new file mode 100644 index 000000000..37bce8e21 --- /dev/null +++ b/config/install/full-example-aws/install/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + #- https://github.com/Kuadrant/kuadrant-operator//config/install/openshift?ref=v1.0.1 #use if targeting an OCP cluster. Change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases). + +patches: # remove the subscription patch if you are installing a development version. It will then use the "preview" channel + - patch: |- + apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: kuadrant + spec: + source: kuadrant-operator-catalog + sourceNamespace: kuadrant-system + name: kuadrant-operator + channel: 'stable' #set to preview if not using a release (for example if using main) diff --git a/config/install/no-gateway-provider/kustomization.yaml b/config/install/no-gateway-provider/kustomization.yaml new file mode 100644 index 000000000..f8154c297 --- /dev/null +++ b/config/install/no-gateway-provider/kustomization.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +# note by default this will install the version of kuadrant you checkout from v1 onwards +# if you want to install a different released version you can use the patch options below. +# If you want to install the latest development tag, remove the subscription patch +resources: + - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml + - ../../deploy/olm diff --git a/config/install/standard/kuadrant-version.yaml b/config/install/standard/kuadrant-version.yaml deleted file mode 100644 index 8eba0cb4b..000000000 --- a/config/install/standard/kuadrant-version.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: CatalogSource -metadata: - name: kuadrant-operator-catalog -spec: - image: quay.io/kuadrant/kuadrant-operator-catalog:latest #change this to the version you want to install diff --git a/config/install/standard/kustomization.yaml b/config/install/standard/kustomization.yaml index 69d773e2e..f2fe5a105 100644 --- a/config/install/standard/kustomization.yaml +++ b/config/install/standard/kustomization.yaml @@ -2,15 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization # note by default this will install the version of kuadrant you checkout from v1 onwards -# if you want to install a different version you can use the patch option below +# if you want to install a different released version you can use the patch options below. +# If you want to install the latest development tag, remove the subscription patch resources: - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml - sail-operator.yaml - ../../deploy/olm -# patches: -# - target: -# group: operators.coreos.com -# version: v1alpha1 -# kind: CatalogSource -# name: kuadrant-operator-catalog -# path: kuadrant-version.yaml From 536680d1ac405ef6d412895a54f95e02cdbcd85e Mon Sep 17 00:00:00 2001 
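Review bot: in the README's main hunk (config/install/README.md, "Basic Installation" and "Install the operand components"), both `kubectl apply -k` commands are missing their path argument, so the commands fail with a usage error when copied as written; they should read `kubectl apply -k kuadrant/install` and `kubectl apply -k kuadrant/configure` to match the directory names the text introduces (the later Redis step already uses `kubectl apply -k kuadrant/configure/`). The same hunk has several typos that will bite readers who copy commands: `kaudrant` in the intro, `kudarant/configure/aws-credentials.env` and `kudarant/configure/redis-credentials.env` in the two `touch` commands, `#set the versio`, `kuztomization.yaml`, `if can be anything` (should be "it"), `Limitador will becomes`, and the Redis file is introduced as `redis-credential.env` but created and referenced as `redis-credentials.env`. Also the opening sentence says the first step installs "just Kuadrant" while the next sentence says it also installs Istio via the Sail Operator; pick one.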
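Review bot: the remote kustomize references introduced in the README observability hunk (`//config/install/configure/observability?ref=v1.0.1`, `//examples/dashboards?ref=v1.0.1`) and throughout the new README pin to a git tag. Tags are mutable, so for a reproducible and tamper-evident install it is worth a sentence saying that `?ref=` also accepts a commit SHA, and that readers who want the installed manifests to be verifiable should prefer that over the tag. The `standard-install.yaml` fetched from the gateway-api release page has the same property; at minimum, document which version of the Gateway API CRDs the overlay installs.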
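Review bot: the resource change in config/install/configure/aws/kustomization.yaml points at a different overlay and drops version pinning. `../standard` resolved to config/install/configure/standard, whereas the new `https://github.com/Kuadrant/kuadrant-operator//config/install/standard` is the install overlay (Subscriptions, Sail operator) and has no `?ref=`, so it pulls whatever is on the default branch at apply time. If this overlay is meant to remain a configure-only example, it should reference `//config/install/configure/standard?ref=v1.0.1`; either way add the `?ref=` as the README examples do. The commented-out openshift line has the same two issues.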
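Review bot: the Secret key names in config/install/full-example-aws/configure/aws-credentials.env.sample do not match what cluster-issuer.yaml reads. The sample (and the README snippet) defines `KUADRANT_AWS_ACCESS_KEY_ID` and `KUADRANT_AWS_SECRET_ACCESS_KEY`, and a kustomize `envs:` secretGenerator uses the variable name verbatim as the Secret key, but the ClusterIssuer's route53 solver references `key: AWS_ACCESS_KEY_ID` and `key: AWS_SECRET_ACCESS_KEY` in `aws-provider-credentials`. As written cert-manager cannot find those keys and the issuer will not reach the Ready state the README shows. Either drop the `KUADRANT_` prefix in the env file or change the two `secretRef` keys to match, and reconcile the region as well (`eu-west-1` in the env file, hard-coded `us-east-1` in the issuer). While touching the sample, add a note (and a `.gitignore` entry for `*.env` under config/install) so that the real credentials file, which holds a long-lived AWS access key in plaintext, is not committed by someone following the "remove the .sample suffix" instruction.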
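Review bot: config/install/full-example-aws/configure/kustomization.yaml generates the same AWS credential into two namespaces (`cert-manager` and `gateway-system`) with `disableNameSuffixHash: true`. That is a reasonable shortcut for an example, but since the key is now readable by anything with Secret access in either namespace, the README or a comment here should say that the IAM user behind it should be limited to the Route 53 permissions cert-manager's dns01 solver and the Kuadrant DNS operator need for the managed zones, rather than a general-purpose key. The `# assumes cert-manager namespace exists` comment also deserves a line in the README prerequisites, since `kubectl apply -k` will fail on the Secret if cert-manager was installed elsewhere or not at all.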
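Review bot: the header comments in config/install/no-gateway-provider/kustomization.yaml and config/install/standard/kustomization.yaml say "you can use the patch options below", but the commented-out CatalogSource patch is removed from `standard` in this same change (along with kuadrant-version.yaml) and was never present in the new `no-gateway-provider` overlay, so there is nothing below to use. Point the comment at the Subscription patch shown in the README (`channel: 'stable'` vs `preview`) or drop the sentence. The new `no-gateway-provider` overlay is also never mentioned in the README; a short paragraph saying when to use it (Envoy Gateway, or an Istio that is already installed) would make the "Gateway Provider Installed" prerequisite actionable.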
From: craig Date: Thu, 12 Dec 2024 12:50:51 +0000 Subject: [PATCH 02/13] add default limitador and authorino resources Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 103 ++++++++++++------ .../install/configure/standard/authorino.yaml | 9 ++ .../configure/standard/kustomization.yaml | 2 + .../install/configure/standard/limitador.yaml | 6 + 4 files changed, 87 insertions(+), 33 deletions(-) create mode 100644 config/install/configure/standard/authorino.yaml create mode 100644 config/install/configure/standard/limitador.yaml diff --git a/config/install/README.md b/config/install/README.md index 79af821e4..146827443 100644 --- a/config/install/README.md +++ b/config/install/README.md 
@@ -2,10 +2,25 @@ This document will walk you through setting up the required configuration to install kaudrant using kustomize or a tool that leverages kustomize such as kubectl along with OLM. It will walk you step by step through installation and building up your needed configuration. The full example is available to view and use here [Full AWS Example](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/full-example-aws) + +steps: + +1. [Basic Install](#basic-installation) + +2. [Configure DNS and TLS integration](#configure-dns-and-tls-integration) + +3. [Use External Redis](#use-an-external-redis) + +4. [Setup Observability (OpenShift Specific)](#set-up-observability-openshift-only) + +5. [Set resource requests and limits](#set-resource-limits) + +6. [Configure Data Plane Resilience](#resilient-deployment-of-data-plane-components) + ## Prerequisites - OCP or K8s cluster and CLI available. - OLM is installed [operator lifecycle manager releases](https://github.com/operator-framework/operator-lifecycle-manager/releases) -- Gateway Provider Installed: By default this guide will install the [Sail Operator](https://github.com/istio-ecosystem/sail-operator) that will configure and install an Istio installation. Kuadrant is intended to work with [Istio](https://istio.io) or [Envoy Gateway](https://gateway.envoyproxy.io/) as a gateway provider before you can make use of Kuadrant one of these providers should be installed. +- (Optional) Gateway Provider Installed: By default this guide will install the [Sail Operator](https://github.com/istio-ecosystem/sail-operator) that will configure and install an Istio installation. Kuadrant is intended to work with [Istio](https://istio.io) or [Envoy Gateway](https://gateway.envoyproxy.io/) as a gateway provider before you can make use of Kuadrant one of these providers should be installed. 
- (Optional) cert-manager: - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) - [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) @@ -55,6 +70,12 @@ kubectl apply -k #### Verify the operators are installed: +OLM should begin installing the dependencies for Kuadrant. To wait for them to be ready, run: + +```bash +kubectl -n kuadrant-system wait --timeout=160s --for=condition=Available deployments --all +``` + Once OLM has finished installing the operators (this can take several minutes). You should see the following in the kuadrant-system namespace: ```bash @@ -81,7 +102,15 @@ kubectl get subscription -n kuadrant-system -o=yaml Kuadrant has 2 additional operand components that it manages (Authorino that provides data plane auth and Limitador that provides data plane rate limiting). To set these up lets add a new `kustomization.yaml` in a new sub directory. We will re-use this later for further configuration. We do this as a separate step as we want to have the operators installed and in place first. -Add the following to your local directory. For the purpose of this doc, we will use: `kuadrant/configure/`. +Add the following to your local directory. For the purpose of this doc, we will use: `kuadrant/configure/kustomization.yaml`. + +```bash +touch configure/kustomization.yaml + +``` + +Add the following to the new kustomization.yaml: + ```yaml apiVersion: kustomize.config.k8s.io/v1beta1 
@@ -127,7 +156,7 @@ kubectl get istio -n gateway-system At this point Kuadrant is installed and ready to be used as is Istio as the gateway provider. This means AuthPolicy and RateLimitPolicy can now be configured and used to protect any Gateways you create. -## Configure a DNS provider credentials and a Certificate Issuer +## Configure DNS and TLS integration In this section will build on the previous steps and expand the `kustomization.yaml` we created in the previous step. @@ -235,7 +264,7 @@ kubectl get clusterissuer -o=wide We create two credentials. One for use with DNSPolicy in the gateway-system namespace and one for use by cert-manager in the `cert-manager` namespace. With these credentials in place and the cluster issuer configured. You are now ready to start using DNSPolicy and TLSPolicy to secure and connect your Gateways. -## Using External Redis +## Use an External Redis To connect `Limitador` the component responsible for rate limiting to redis so that its counters are stored and shared with other limitador instances follow these steps: 
@@ -263,45 +292,29 @@ Next we need to add a new secret generator to our existing configure file at `ku type: 'kuadrant.io/redis' ``` -We also need to replace the existing limitador resource. Add the following to the `kuadrant/configure` directory. - -```bash -touch kuadrant/configure/limitador.yaml -``` +We also need to patch the existing `Limitador` resource. Add the following to the `kuadrant/configure/kustomization.yaml` -Add the following to the `limitador.yaml` file: ```yaml -apiVersion: limitador.kuadrant.io/v1alpha1 -kind: Limitador -metadata: - name: limitador - namespace: kuadrant-system -spec: - storage: - redis: - configSecretRef: - name: redis-credentials - -``` - -Add the new resource to your `kuadrant/configure/kustomization.yaml` file under the resources section: - -```yaml -kind: Kustomization -resources: - - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) - - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). - - limitador.yaml # NEW +patches: # remove the subscription patch if you are installing a development version. It will then use the "preview" channel + - patch: |- + apiVersion: limitador.kuadrant.io/v1alpha1 + kind: Limitador + metadata: + name: limitador + namespace: kuadrant-system + spec: + storage: + redis: + configSecretRef: + name: redis-credentials ``` Re-Apply the configuration to setup the new secret and limitador configuration: ->Note you will see a warning here about last applied configuration. This is because we are replacing the resource setup by the kuadrant-operator however this warning wont cause any issues for the installation. - ```bash kubectl apply -k kuadrant/configure/ ``` 
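Review bot: the comment on the new `patches:` key, `# remove the subscription patch if you are installing a development version. It will then use the "preview" channel`, was copied from the install kustomization and is wrong here; this patch targets the `Limitador` resource and has nothing to do with the OLM Subscription. Replace it with a comment saying the patch overrides the Limitador spec from the standard base. Switching from a replacement resource to a strategic-merge patch is the right move (it also removes the last-applied-configuration warning the deleted note described), but because the patch carries no `target`, it only applies when the base at the chosen `?ref=` contains a `Limitador` named `limitador` in `kuadrant-system`, which is what `configure/standard/limitador.yaml` in this same commit provides; that dependency deserves a sentence in the README.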
@@ -320,6 +333,30 @@ kubectl get kuadrant kuadrant -n kuadrant-system -o=wide ``` + + + + +## Resilient Deployment of data plane components + +### Set Resource Limits + +**Limitador** + +Add the following your local `limitador` resource spec: + +```yaml +resourceRequirements: + requests: + cpu: 10m + memory: 10Mi +``` +### Setup Topology Constraints + +## Setup PodDisruptionBudgets + + + ## Set up observability (OpenShift Only) Verify that user workload monitoring is enabled in your Openshift cluster. diff --git a/config/install/configure/standard/authorino.yaml b/config/install/configure/standard/authorino.yaml new file mode 100644 index 000000000..cc3cb4228 --- /dev/null +++ b/config/install/configure/standard/authorino.yaml @@ -0,0 +1,9 @@ +apiVersion: operator.authorino.kuadrant.io/v1beta1 +kind: Authorino +metadata: + name: authorino + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '1' +spec: + replicas: 1 diff --git a/config/install/configure/standard/kustomization.yaml b/config/install/configure/standard/kustomization.yaml index a09fcd6e0..2572b4c02 100644 --- a/config/install/configure/standard/kustomization.yaml +++ b/config/install/configure/standard/kustomization.yaml @@ -3,3 +3,5 @@ kind: Kustomization resources: - sail.yaml - kuadrant.yaml + - limitador.yaml + - authorino.yaml diff --git a/config/install/configure/standard/limitador.yaml b/config/install/configure/standard/limitador.yaml new file mode 100644 index 000000000..2a1c2dd7a --- /dev/null +++ b/config/install/configure/standard/limitador.yaml @@ -0,0 +1,6 @@ +apiVersion: limitador.kuadrant.io/v1alpha1 +kind: Limitador +metadata: + name: limitador + namespace: kuadrant-system +spec: {} From 8d1a4ad66691c2c870c99e260d2e31378221cac1 Mon Sep 17 00:00:00 2001 
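Review bot: the new `## Resilient Deployment of data plane components` section is mostly scaffolding in the `@@ -320,6 +333,30 @@` hunk: `### Setup Topology Constraints` and `## Setup PodDisruptionBudgets` have no body, the second is at the wrong heading level, and four empty lines precede the section. `Add the following your local `limitador` resource spec:` is missing `to`, and after this commit the reader no longer has a local `limitador.yaml`, only the inline patch in `kustomization.yaml`, so the `resourceRequirements:` snippet needs to say it goes under `spec:` in that patch. Either complete the empty sections or leave them out of this commit.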
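Review bot: the new `config/install/configure/standard/authorino.yaml` carries `argocd.argoproj.io/sync-options` and `argocd.argoproj.io/sync-wave` annotations in a guide that applies with `kubectl apply -k`; they are inert here and look copied from an ArgoCD overlay. It also lacks `namespace: kuadrant-system` while the sibling `limitador.yaml` sets it, so the Authorino CR lands in whichever namespace the caller's kubeconfig context points at. Add the namespace (or a `namespace:` field in `standard/kustomization.yaml`) and drop the annotations.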
From: craig Date: Thu, 12 Dec 2024 14:56:40 +0000 Subject: [PATCH 03/13] standard authorino rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/configure/standard/authorino.yaml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/config/install/configure/standard/authorino.yaml b/config/install/configure/standard/authorino.yaml index cc3cb4228..75c8bfaf1 100644 --- a/config/install/configure/standard/authorino.yaml +++ b/config/install/configure/standard/authorino.yaml @@ -2,8 +2,15 @@ apiVersion: operator.authorino.kuadrant.io/v1beta1 kind: Authorino metadata: name: authorino - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: '1' spec: + clusterWide: true + listener: + tls: + enabled: false + oidcServer: + tls: + enabled: false + supersedingHostSubsets: true + tracing: + endpoint: '' replicas: 1 From 4b0cf040ddab89bcefabf292380c610717b977c5 Mon Sep 17 00:00:00 2001 From: craig Date: Thu, 12 Dec 2024 15:00:31 +0000 Subject: [PATCH 04/13] add ns rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/configure/standard/authorino.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/install/configure/standard/authorino.yaml b/config/install/configure/standard/authorino.yaml index 75c8bfaf1..1d8ac2dbb 100644 --- a/config/install/configure/standard/authorino.yaml +++ b/config/install/configure/standard/authorino.yaml @@ -2,6 +2,7 @@ apiVersion: operator.authorino.kuadrant.io/v1beta1 kind: Authorino metadata: name: authorino + namespace: kuadrant-system spec: clusterWide: true listener: From 70cf954174ac12e8ac0374354e949591f9e4a9f4 Mon Sep 17 00:00:00 2001 
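Review bot: the `spec` added to the standard `Authorino` manifest in `@@ -2,8 +2,15 @@` disables TLS on both the authorization listener (`listener.tls.enabled: false`) and the built-in OIDC server (`oidcServer.tls.enabled: false`), so the ext-authz traffic from the gateway and the OIDC metadata are served in plaintext by default. If the intent is that in-mesh mTLS from Istio covers this path, say so in the README; otherwise a reader installing with Envoy Gateway or outside the mesh should be told these are development settings and how to enable TLS. `clusterWide: true` also means this instance reconciles `AuthConfig` resources in every namespace, which merits a comment, and `tracing: endpoint: ''` is a no-op that can be dropped. The PATCH 04 hunk that adds `namespace: kuadrant-system` resolves the missing-namespace issue from the earlier commit.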
From: craig Date: Mon, 16 Dec 2024 15:28:10 +0000 Subject: [PATCH 05/13] install rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 69 +++++++++++++++++-- .../configure/standard/kustomization.yaml | 4 +- 2 files changed, 65 insertions(+), 8 deletions(-) diff --git a/config/install/README.md b/config/install/README.md index 146827443..7a0fb7417 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -182,7 +182,7 @@ KUADRANT_AWS_REGION=eu-west-1 ``` -With this setup, lets update our configure kustomization and also define a TLS clusterissuer:: +With this setup, lets update our configure kustomization and also define a TLS clusterissuer. The full file should look like: ```yaml apiVersion: kustomize.config.k8s.io/v1beta1 
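Review bot: in the `@@ -182,7 +182,7 @@` hunk, `lets update` should be `let's update`, and `clusterissuer` should be written as the resource kind, `ClusterIssuer`; the stray double colon from the old line is otherwise correctly removed.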
@@ -312,6 +312,54 @@ patches: # remove the subscription patch if you are installing a development ver ``` +Your full kustomize will now be: + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=olm-installation #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). Ensure you name the file correctly. + + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager # assumes cert-manager namespace exists. + envs: + - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system # this is the namespace where your gateway will be provisioned + envs: + - aws-credentials.env #notice this matches the .env file above. you need to set up this file locally first. + type: 'kuadrant.io/aws' + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/redis' + +patches: # remove the subscription patch if you are installing a development version. It will then use the "preview" channel + - patch: |- + apiVersion: limitador.kuadrant.io/v1alpha1 + kind: Limitador + metadata: + name: limitador + namespace: kuadrant-system + spec: + storage: + redis: + configSecretRef: + name: redis-credentials + +``` + Re-Apply the configuration to setup the new secret and limitador configuration: 
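Review bot: the `resources:` entry in the full kustomization pins to `?ref=olm-installation`, a branch name, while every other snippet in the README uses `?ref=v1.0.1`; a branch ref is mutable, so the install is not reproducible and a reader copying this block gets whatever the branch holds that day. Use the release tag (or a commit SHA) here as elsewhere. Two comments in the block are also stale: `The issuer yaml is defined below` now points at something defined above in the DNS/TLS section, and the `# remove the subscription patch ...` comment on `patches:` again refers to a Subscription patch that is not in this file.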
@@ -334,23 +382,32 @@ kubectl get kuadrant kuadrant -n kuadrant-system -o=wide ``` - - - ## Resilient Deployment of data plane components ### Set Resource Limits **Limitador** -Add the following your local `limitador` resource spec: +Add the following your local `limitador` patch in your `kuadrant/configure/kustomize.yaml` spec: ```yaml resourceRequirements: requests: cpu: 10m - memory: 10Mi + memory: 10Mi # set these based on your own needs. +``` + +re-apply the configuration: + +```bash +kubectl apply -k kuadrant/configure/ + ``` + + +**Authorino** + + ### Setup Topology Constraints ## Setup PodDisruptionBudgets diff --git a/config/install/configure/standard/kustomization.yaml b/config/install/configure/standard/kustomization.yaml index 2572b4c02..77b39d959 100644 --- a/config/install/configure/standard/kustomization.yaml +++ b/config/install/configure/standard/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - sail.yaml - - kuadrant.yaml - limitador.yaml - authorino.yaml + - sail.yaml + - kuadrant.yaml From 75ebea1c0ec966cdac88ddb7afc1b68cbb12b612 Mon Sep 17 00:00:00 2001 From: craig Date: Thu, 19 Dec 2024 14:44:19 +0000 Subject: [PATCH 06/13] add authorino and limitador patches 
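Review bot: `Add the following your local `limitador` patch in your `kuadrant/configure/kustomize.yaml` spec:` has two problems: it is missing `to`, and the file is `kustomization.yaml`, not `kustomize.yaml` (kustomize only recognises `kustomization.yaml`, `kustomization.yml` and `Kustomization`). The `**Authorino**` label, `### Setup Topology Constraints` and `## Setup PodDisruptionBudgets` are still empty after this commit, and the new bash block has a blank line before its closing fence.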
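Review bot: the reorder of `config/install/configure/standard/kustomization.yaml` moves `limitador.yaml` and `authorino.yaml` ahead of `sail.yaml` and `kuadrant.yaml` with no rationale, and the commit message (`install`) gives none either. If the order matters for apply (for example so the operand CRs exist before the Kuadrant CR is reconciled), add a comment saying so; if it does not, the change is churn. Note that kustomize may reorder its output depending on version and the `--reorder` setting, so position in the `resources:` list is not a reliable apply-order guarantee.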
Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 158 ++++++++++++++---- .../full-example-aws/configure/authorino.yaml | 0 .../configure/kustomization.yaml | 24 +++ .../patches/authorino-replicas-patch.yaml | 6 + .../patches/authorino-topoloy-patch.yaml | 22 +++ .../patches/limitador-topology-patch.yaml | 16 ++ 6 files changed, 192 insertions(+), 34 deletions(-) create mode 100644 config/install/full-example-aws/configure/authorino.yaml create mode 100644 config/install/full-example-aws/configure/patches/authorino-replicas-patch.yaml create mode 100644 config/install/full-example-aws/configure/patches/authorino-topoloy-patch.yaml create mode 100644 config/install/full-example-aws/configure/patches/limitador-topology-patch.yaml diff --git a/config/install/README.md b/config/install/README.md index 7a0fb7417..cd49df9e8 100644 --- a/config/install/README.md +++ b/config/install/README.md 
@@ -1,25 +1,25 @@ -# Install and Configure Kuadrant and Sail via OLM and the CLI +# Install and Configure Kuadrant and Sail via OLM using the kubectl CLI -This document will walk you through setting up the required configuration to install kaudrant using kustomize or a tool that leverages kustomize such as kubectl along with OLM. It will walk you step by step through installation and building up your needed configuration. The full example is available to view and use here [Full AWS Example](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/full-example-aws) +This document will walk you through setting up the required configuration to install kaudrant using [kustomize](https://kustomize.io/) or a tool that leverages kustomize such as kubectl along with OLM. It will also go through more advanced configuration options to enable building up a resilient configuration. You can view the full configuration built here: [Full AWS Example](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/full-example-aws). -steps: 1. [Basic Install](#basic-installation) 2. [Configure DNS and TLS integration](#configure-dns-and-tls-integration) -3. [Use External Redis](#use-an-external-redis) +3. [External Redis for Rate Limit Counters](#use-an-external-redis) -4. [Setup Observability (OpenShift Specific)](#set-up-observability-openshift-only) +4. [Limitador Resilient Configuration](#limitador-topologyconstraints-poddisruptionbudget-and-resource-limits) -5. [Set resource requests and limits](#set-resource-limits) +5. [Authorino Resilient Configuration](#authorino-topologyconstraints-poddisruptionbudget-and-resource-limits) + +4. [[OpenShift Specific] Setup Observability ](#set-up-observability-openshift-only) -6. [Configure Data Plane Resilience](#resilient-deployment-of-data-plane-components) ## Prerequisites - OCP or K8s cluster and CLI available. 
-- OLM is installed [operator lifecycle manager releases](https://github.com/operator-framework/operator-lifecycle-manager/releases) +- OLM installed [operator lifecycle manager releases](https://github.com/operator-framework/operator-lifecycle-manager/releases) - (Optional) Gateway Provider Installed: By default this guide will install the [Sail Operator](https://github.com/istio-ecosystem/sail-operator) that will configure and install an Istio installation. Kuadrant is intended to work with [Istio](https://istio.io) or [Envoy Gateway](https://gateway.envoyproxy.io/) as a gateway provider before you can make use of Kuadrant one of these providers should be installed. - (Optional) cert-manager: - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) 
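Review bot: the rewritten step list in `@@ -1,25 +1,25 @@` numbers its items `1, 2, 3, 4, 5, 4`; the observability entry should be `6.`. The reworded intro sentence keeps the typo `kaudrant`, and `Gateway Provider Installed` is now marked `(Optional)` although the Basic Installation section below states that the standard overlay installs the Sail Operator; the prerequisite should say under which circumstances it is optional.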
@@ -33,20 +33,28 @@ steps: ## Basic Installation -This first step will install just Kuadrant at a given released version (post v1.x) in the `kuadrant-system` namespace. There will be no credentials/dns providers configured (This is the most basic setup but means TLSPolicy and DNSPolicy will not be able to be used). This basic install will also setup a gateway provider via Istio and the Sail Operator. +This first step will install just Kuadrant at a given released version (post v1.x) in the `kuadrant-system` namespace and the Sail Operator. There will be no credentials/dns providers configured (This is the most basic setup but means TLSPolicy and DNSPolicy will not be able to be used). + +Start by creating the following `kustomization.yaml` in a directory locally. For the purpose of this doc, we will use: `~/kuadrant/` directory. + +```bash +export KUADRANT_DIR=~/kuadrant +mkdir -p $KUADRANT_DIR/install +touch $KUADRANT_DIR/install/kustomization.yaml -Create the following `kustomization.yaml` in a directory locally. For the purpose of this doc, we will use: `kuadrant/install` (but if can be anything you would prefer). +``` -> Setting the version to install: You can set the version of kuadrant to install by adding / changing the `?ref=v1.0.1`. +> Setting the version to install: You can set the version of kuadrant to install by adding / changing the `?ref=v1.0.1` in the resource links. ```yaml +# add this to the kustomization.yaml apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - https://github.com/Kuadrant/kuadrant-operator//config/install/standard?ref=v1.0.1 #set the versio by adding ?ref=v1.0.1 change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) #- https://github.com/Kuadrant/kuadrant-operator//config/install/openshift?ref=v1.0.1 #use if targeting an OCP cluster. Change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases). 
-patches: # remove the subscription patch if you are installing a development version. It will then use the "preview" channel +patches: # remove this subscription patch if you are installing a development version. It will then use the "preview" channel - patch: |- apiVersion: operators.coreos.com/v1alpha1 kind: Subscription @@ -64,7 +72,7 @@ And execute the following to apply it to a cluster: ```bash # change the location depending on where you created the kustomization.yaml -kubectl apply -k +kubectl apply -k $KUADRANT_DIR/install ``` @@ -76,6 +84,8 @@ OLM should begin installing the dependencies for Kuadrant. To wait for them to b kubectl -n kuadrant-system wait --timeout=160s --for=condition=Available deployments --all ``` +> Note: you may see ` no matching resources found ` if the deployments are not yet present. + Once OLM has finished installing the operators (this can take several minutes). You should see the following in the kuadrant-system namespace: ```bash @@ -91,7 +101,7 @@ kubectl get deployments -n kuadrant-system ``` -You can also view the subscription for information: +You can also view the subscription for information about the install: ```bash kubectl get subscription -n kuadrant-system -o=yaml 
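Review bot: the new note `you may see ` no matching resources found ` if the deployments are not yet present` in `@@ -76,6 +84,8 @@` documents the failure of the `kubectl wait` above but gives the reader nothing to do about it; say to wait a moment and re-run the command, and mention that `kubectl wait` exits non-zero in that case, which matters if the step is scripted. The inline code span also has leading and trailing spaces inside the backticks.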
@@ -100,12 +110,13 @@ kubectl get subscription -n kuadrant-system -o=yaml ### Install the operand components -Kuadrant has 2 additional operand components that it manages (Authorino that provides data plane auth and Limitador that provides data plane rate limiting). To set these up lets add a new `kustomization.yaml` in a new sub directory. We will re-use this later for further configuration. We do this as a separate step as we want to have the operators installed and in place first. +Kuadrant has 2 additional operand components that it manages: `Authorino` that provides data plane auth integration and `Limitador` that provides data plane rate limiting. To set these up lets add a new `kustomization.yaml` in a new sub directory. We will re-use this later for further configuration. We do this as a separate step as we want to have the operators installed first. -Add the following to your local directory. For the purpose of this doc, we will use: `kuadrant/configure/kustomization.yaml`. +Add the following to your local directory. For the purpose of this doc, we will use: `$KUADRANT_DIR/configure/kustomization.yaml`. ```bash -touch configure/kustomization.yaml +mkdir -p $KUADRANT_DIR/configure +touch $KUADRANT_DIR/configure/kustomization.yaml ``` @@ -124,7 +135,7 @@ Lets apply this to your cluster: ```bash -kubectl apply -k +kubectl apply -k $KUADRANT_DIR/configure ``` @@ -170,7 +181,7 @@ Lets modify our existing local kustomize overlay to setup these secrets and the First you will need to setup the required `.env` file specified in the kuztomization.yaml file in the same directory as your existing configure kustomization. Below is an example for AWS: ```bash -touch kudarant/configure/aws-credentials.env +touch ~/kudarant/configure/aws-credentials.env ``` Add the following to your new file 
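Review bot: `touch ~/kudarant/configure/aws-credentials.env` in `@@ -170,7 +181,7 @@` introduces a typo (`kudarant`) and a hard-coded `~/` path in a commit whose purpose is to route every path through `$KUADRANT_DIR`; use `touch $KUADRANT_DIR/configure/aws-credentials.env`. As written, the file is created somewhere the later `kubectl apply -k $KUADRANT_DIR/configure` never reads, and the secret generator then fails on the missing `aws-credentials.env`.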
@@ -182,7 +193,7 @@ KUADRANT_AWS_REGION=eu-west-1 ``` -With this setup, lets update our configure kustomization and also define a TLS clusterissuer. The full file should look like: +With this setup, lets update our configure kustomization and also define a TLS ClusterIssuer. The full file should look like: ```yaml apiVersion: kustomize.config.k8s.io/v1beta1 @@ -272,7 +283,7 @@ Again we will build on the configure kustomization we started. In the same way w ```bash -touch kudarant/configure/redis-credentials.env +touch ~/kudarant/configure/redis-credentials.env ``` @@ -297,7 +308,7 @@ We also need to patch the existing `Limitador` resource. Add the following to th ```yaml -patches: # remove the subscription patch if you are installing a development version. It will then use the "preview" channel +patches: - patch: |- apiVersion: limitador.kuadrant.io/v1alpha1 kind: Limitador @@ -312,7 +323,7 @@ patches: # remove the subscription patch if you are installing a development ver ``` -Your full kustomize will now be: +Your full `kustomize.yaml` will now be: ```yaml apiVersion: kustomize.config.k8s.io/v1beta1 @@ -345,7 +356,7 @@ secretGenerator: - redis-credentials.env type: 'kuadrant.io/redis' -patches: # remove the subscription patch if you are installing a development version. It will then use the "preview" channel +patches: - patch: |- apiVersion: limitador.kuadrant.io/v1alpha1 kind: Limitador @@ -364,7 +375,7 @@ patches: # remove the subscription patch if you are installing a development ver Re-Apply the configuration to setup the new secret and limitador configuration: ```bash -kubectl apply -k kuadrant/configure/ +kubectl apply -k $KUADRANT_DIR/configure/ ``` Limitador is now configured to use the provided redis connection URL as a backend store for rate limit counters. Limitador will becomes temporarily unavailable as it restarts. 
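Review bot: `Your full `kustomize.yaml` will now be:` in `@@ -312,7 +323,7 @@` names a file kustomize does not read; it is `$KUADRANT_DIR/configure/kustomization.yaml`, as the surrounding hunks call it. The `touch ~/kudarant/configure/redis-credentials.env` line in the `@@ -272` hunk on this line repeats the `kudarant` / hard-coded path mistake from the AWS hunk and should also use `$KUADRANT_DIR`.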
@@ -384,33 +395,112 @@ kubectl get kuadrant kuadrant -n kuadrant-system -o=wide ## Resilient Deployment of data plane components -### Set Resource Limits +### Limitador: TopologyConstraints, PodDisruptionBudget and Resource Limits -**Limitador** - -Add the following your local `limitador` patch in your `kuadrant/configure/kustomize.yaml` spec: +To set limits, replicas and a `PodDisruptionBudget` for limitador you can add the following to the existing patch in your local `limitador` in the `$KUADRANT_DIR/configure/kustomize.yaml` spec: ```yaml +pdb: + maxUnavailable: 1 +replicas: 2 resourceRequirements: requests: cpu: 10m memory: 10Mi # set these based on your own needs. ``` -re-apply the configuration: +re-apply the configuration. This will result in two instances of limitador being available and podDisruptionBudget being setup: + +```bash +kubectl apply -k $KUADRANT_DIR/configure/ + +``` + +For topology constraints, you will need to patch the limitador deployment directly: + +add the below `yaml` to a `limitador-topoloy-patch.yaml` under the `$KUADRANT_DIR/configure/patches` directory + +```yaml +spec: + template: + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + limitador-resource: limitador + - maxSkew: 1 + topologyKey: kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + limitador-resource: limitador + +``` + +Apply this to the existing limitador deployment ```bash -kubectl apply -k kuadrant/configure/ +kubectl patch deployment limitador-limitador -n kuadrant-system --patch-file $KUADRANT_DIR/configure/patches/limitador-topoloy-patch.yaml +``` + +### Authorino: TopologyConstraints, PodDisruptionBudget and Resource Limits + +To increase the number of replicas for Authorino add a new patch to the `$KUADRANT_DIR/configure/kustomization.yaml` + +```yaml + - patch: |- + apiVersion: operator.authorino.kuadrant.io/v1beta1 + 
kind: Authorino + metadata: + name: authorino + spec: + replicas: 2 ``` +and re-apply the configuration: -**Authorino** +```bash +kubectl apply -k $KUADRANT_DIR/configure/ +``` +To add resource limits and or topology constraints to Authorino. You will need to patch the Authorino deployment directly: +Add the below `yaml` to a `authorino-topoloy-patch.yaml` under the `$KUADRANT_DIR/configure/patches` directory -### Setup Topology Constraints +```yaml +spec: + template: + spec: + containers: + - name: authorino + resources: + requests: + cpu: 10m # set your own needed limits here + memory: 10Mi # set your own needed limits here + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + authorino-resource: authorino + - maxSkew: 1 + topologyKey: kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + authorino-resource: authorino + +``` + +Apply the patch: -## Setup PodDisruptionBudgets +```bash +kubectl patch deployment authorino -n kuadrant-system --patch-file $KUADRANT_DIR/configure/patches/authorino-topoloy-patch.yaml +``` diff --git a/config/install/full-example-aws/configure/authorino.yaml b/config/install/full-example-aws/configure/authorino.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/config/install/full-example-aws/configure/kustomization.yaml b/config/install/full-example-aws/configure/kustomization.yaml index b3979f665..ef29509d7 100644 --- a/config/install/full-example-aws/configure/kustomization.yaml +++ b/config/install/full-example-aws/configure/kustomization.yaml 
@@ -27,3 +27,27 @@ secretGenerator: envs: - redis-credentials.env type: 'kuadrant.io/redis' + +patches: + - patch: |- + apiVersion: limitador.kuadrant.io/v1alpha1 + kind: Limitador + metadata: + name: limitador + namespace: kuadrant-system + spec: + storage: + redis: + configSecretRef: + name: redis-credentials + resourceRequirements: + requests: + cpu: 10m + memory: 10Mi # set these based on your own needs. + - patch: |- + apiVersion: operator.authorino.kuadrant.io/v1beta1 + kind: Authorino + metadata: + name: authorino + spec: + replicas: 2 diff --git a/config/install/full-example-aws/configure/patches/authorino-replicas-patch.yaml b/config/install/full-example-aws/configure/patches/authorino-replicas-patch.yaml new file mode 100644 index 000000000..c6e867ecd --- /dev/null +++ b/config/install/full-example-aws/configure/patches/authorino-replicas-patch.yaml @@ -0,0 +1,6 @@ +apiVersion: operator.authorino.kuadrant.io/v1beta1 +kind: Authorino +metadata: + name: authorino +spec: + replicas: 2 diff --git a/config/install/full-example-aws/configure/patches/authorino-topoloy-patch.yaml b/config/install/full-example-aws/configure/patches/authorino-topoloy-patch.yaml new file mode 100644 index 000000000..680f45925 --- /dev/null +++ b/config/install/full-example-aws/configure/patches/authorino-topoloy-patch.yaml @@ -0,0 +1,22 @@ +spec: + template: + spec: + containers: + - name: authorino + resources: + requests: + cpu: 10m # set your own needed limits here + memory: 10Mi # set your own needed limits here + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + authorino-resource: authorino + - maxSkew: 1 + topologyKey: kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + authorino-resource: authorino 
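Review bot: the resilience section added in `@@ -384,33 +395,112 @@` patches the operator-managed Deployments directly (`kubectl patch deployment limitador-limitador ...` and `kubectl patch deployment authorino ...`); since the operators own those Deployments, the README should state whether the patched `topologySpreadConstraints` and `resources` survive the next reconcile or CR update, otherwise readers lose the settings silently. The file is named `limitador-topoloy-patch.yaml` in the README but `limitador-topology-patch.yaml` under `full-example-aws/configure/patches/`, so the documented `--patch-file` path does not exist in the example; fix the spelling in both `*-topoloy-patch.yaml` names. In the Authorino patch the comments say `set your own needed limits here` but only `requests` are set, so either add `limits` or correct the comment, and the inline Authorino replicas patch lacks `namespace: kuadrant-system`.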
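Review bot: `full-example-aws/configure/authorino.yaml` is added as an empty file (blob `e69de29bb`) and is referenced nowhere, and `patches/authorino-replicas-patch.yaml` duplicates the inline Authorino patch that this same commit adds to `kustomization.yaml` while also not being referenced from it. Remove the empty file and keep the replicas patch in one place. The inline `Limitador` patch in `@@ -27,3 +27,27 @@` sets `resourceRequirements` but not the `pdb` and `replicas` values the README tells the reader to add, so the "full example" and the walkthrough diverge.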
diff --git a/config/install/full-example-aws/configure/patches/limitador-topology-patch.yaml b/config/install/full-example-aws/configure/patches/limitador-topology-patch.yaml new file mode 100644 index 000000000..4692b9488 --- /dev/null +++ b/config/install/full-example-aws/configure/patches/limitador-topology-patch.yaml @@ -0,0 +1,16 @@ +spec: + template: + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + limitador-resource: limitador + - maxSkew: 1 + topologyKey: kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + limitador-resource: limitador From cd879dfea566349b90afd5f30b909e31c9989011 Mon Sep 17 00:00:00 2001 From: craig Date: Thu, 19 Dec 2024 15:16:01 +0000 Subject: [PATCH 07/13] final version Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 129 +++++++++++++++++++++++++++++++-------- 1 file changed, 105 insertions(+), 24 deletions(-) diff --git a/config/install/README.md b/config/install/README.md index cd49df9e8..b6c40145f 100644 --- a/config/install/README.md +++ b/config/install/README.md 
@@ -169,7 +169,7 @@ At this point Kuadrant is installed and ready to be used as is Istio as the gate ## Configure DNS and TLS integration -In this section will build on the previous steps and expand the `kustomization.yaml` we created in the previous step. +In this section will build on the previous steps and expand the `kustomization.yaml` we created in `$KUADRANT_DIR/configure`. In order for cert-manager and the Kuadrant DNS operator to be able to access and manage DNS records and setup TLS certificates and provide external connectivity for your endpoints, you need to setup a credential for these components. To do this, we will use a Kubernetes secret via a kustomize secret generator. You can find other example overlays for each supported cloud provider under the [configure directory](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/configure). @@ -181,19 +181,19 @@ Lets modify our existing local kustomize overlay to setup these secrets and the First you will need to setup the required `.env` file specified in the kuztomization.yaml file in the same directory as your existing configure kustomization. Below is an example for AWS: ```bash -touch ~/kudarant/configure/aws-credentials.env +touch $KUADRANT_DIR/configure/aws-credentials.env ``` Add the following to your new file ``` -KUADRANT_AWS_ACCESS_KEY_ID=xxx -KUADRANT_AWS_SECRET_ACCESS_KEY=xxx -KUADRANT_AWS_REGION=eu-west-1 +AWS_ACCESS_KEY_ID=xxx +AWS_SECRET_ACCESS_KEY=xxx +AWS_REGION=eu-west-1 ``` -With this setup, lets update our configure kustomization and also define a TLS ClusterIssuer. The full file should look like: +With this setup, lets update our configure kustomization to generate the needed secrets. We will also define a TLS ClusterIssuer (see below). The full `kustomization.yaml` file should look like: ```yaml apiVersion: kustomize.config.k8s.io/v1beta1 
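Review bot: the env keys change from `KUADRANT_AWS_ACCESS_KEY_ID` to `AWS_ACCESS_KEY_ID` (secret key and region likewise) in `@@ -181,19 +181,19 @@`; the kustomize `secretGenerator` uses these as the Secret's data keys, so they must match what the DNS operator and cert-manager read, and `aws-credentials.env.sample` must be updated to the same names or readers following the sample get a Secret with the wrong keys. Because `aws-credentials.env` holds a long-lived cloud credential sitting next to the kustomization, the README should also say to keep it out of version control and to issue the credential with a least-privilege policy limited to the hosted zone it manages; the same value is generated into both `cert-manager` and `gateway-system`, so a leak from either namespace exposes it.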
@@ -224,10 +224,10 @@ secretGenerator: ``` -Example Lets-Encrypt Cluster Issuer that uses the aws credential. Create this in the same directory as the configure kustomization.yaml: +Below is an example Lets-Encrypt Cluster Issuer that uses the aws credential we setup above. Create this in the same directory as the configure kustomization.yaml: ```bash -touch kuadrant/configure/cluster-issuer.yaml +touch $KUADRANT_DIR/configure/cluster-issuer.yaml ``` Add the following to this new file: @@ -256,10 +256,10 @@ spec: ``` -To configure our installation, re-apply the configure kustomization on the cluster (note this doesn't need to be done in different steps, but is done so here to illustrate how you can build up your configuration of Kuadrant). +To apply our changes (note this doesn't need to be done in different steps, but is done so here to illustrate how you can build up your configuration of Kuadrant) execute: ```bash -kubectl apply -k kuadrant/configure +kubectl apply -k $KUADRANT_DIR/configure ``` The cluster issuer should become ready: 
@@ -272,18 +272,18 @@ kubectl get clusterissuer -o=wide ``` -We create two credentials. One for use with DNSPolicy in the gateway-system namespace and one for use by cert-manager in the `cert-manager` namespace. With these credentials in place and the cluster issuer configured. You are now ready to start using DNSPolicy and TLSPolicy to secure and connect your Gateways. +We create two credentials. One for use with `DNSPolicy` in the gateway-system namespace and one for use by cert-manager in the `cert-manager` namespace. With these credentials in place and the cluster issuer configured. You are now ready to start using DNSPolicy and TLSPolicy to secure and connect your Gateways. ## Use an External Redis -To connect `Limitador` the component responsible for rate limiting to redis so that its counters are stored and shared with other limitador instances follow these steps: +To connect `Limitador` (the component responsible for rate limiting requests) to redis so that its counters are stored and can be shared with other limitador instances follow these steps: -Again we will build on the configure kustomization we started. In the same way we did for the cloud provider credentials, we need to setup a `redis-credential.env` file in the same directory as the kustomization. +Again we will build on the kustomization we started. In the same way we did for the cloud provider credentials, we need to setup a `redis-credential.env` file in the same directory as the kustomization. ```bash -touch ~/kudarant/configure/redis-credentials.env +touch $KUADRANT_DIR/configure/redis-credentials.env ``` 
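Review bot: the reworded sentence in the external Redis hunk says `we need to setup a `redis-credential.env` file` while the command two lines later creates `redis-credentials.env` and the `secretGenerator` reads `redis-credentials.env`; fix the singular so the three agree. The `URL=redis://xxxx` value in the next hunk usually carries the Redis password inside the URL, so the same keep-it-out-of-git caveat as for the AWS file applies here.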
@@ -293,7 +293,7 @@ Add the redis connection string to this file in the following format: URL=redis://xxxx ``` -Next we need to add a new secret generator to our existing configure file at `kuadrant/configure/kustomization.yaml` add it below the other `secretGenerators` +Next we need to add a new secret generator to our existing configure file at `$KUADRANT_DIR/configure/kustomization.yaml` add it below the other `secretGenerators` ```yaml - name: redis-credentials @@ -303,7 +303,7 @@ Next we need to add a new secret generator to our existing configure file at `ku type: 'kuadrant.io/redis' ``` -We also need to patch the existing `Limitador` resource. Add the following to the `kuadrant/configure/kustomization.yaml` +We also need to patch the existing `Limitador` resource. Add the following to the `$KUADRANT_DIR/configure/kustomization.yaml` ```yaml @@ -329,7 +329,7 @@ Your full `kustomize.yaml` will now be: apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=olm-installation #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). Ensure you name the file correctly. 
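Review bot: switching the configure base back to `?ref=v1.0.1` in `@@ -329,7 +329,7 @@` fixes the mutable branch ref, but the inline `Limitador` and `Authorino` patches later in the same file have no `target` and resolve by GVK and name against the base; `configure/standard/limitador.yaml` and `authorino.yaml` are being added in this very series, so if the `v1.0.1` tag predates them, `kustomize build` fails because the patches find no matching resource. Confirm the tag contains those files or point the README at a ref that does.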
@@ -372,13 +372,13 @@ patches: ``` -Re-Apply the configuration to setup the new secret and limitador configuration: +Re-Apply the configuration to setup the new secret and configuration: ```bash kubectl apply -k $KUADRANT_DIR/configure/ ``` -Limitador is now configured to use the provided redis connection URL as a backend store for rate limit counters. Limitador will becomes temporarily unavailable as it restarts. +Limitador is now configured to use the provided redis connection URL as a data store for rate limit counters. Limitador will become temporarily unavailable as it restarts. ### Validate @@ -397,7 +397,7 @@ kubectl get kuadrant kuadrant -n kuadrant-system -o=wide ### Limitador: TopologyConstraints, PodDisruptionBudget and Resource Limits -To set limits, replicas and a `PodDisruptionBudget` for limitador you can add the following to the existing patch in your local `limitador` in the `$KUADRANT_DIR/configure/kustomize.yaml` spec: +To set limits, replicas and a `PodDisruptionBudget` for limitador you can add the following to the existing limitador patch in your local `limitador` in the `$KUADRANT_DIR/configure/kustomize.yaml` spec: ```yaml pdb: @@ -409,7 +409,7 @@ resourceRequirements: memory: 10Mi # set these based on your own needs. ``` -re-apply the configuration. This will result in two instances of limitador being available and podDisruptionBudget being setup: +re-apply the configuration. This will result in two instances of limitador becoming available and a `podDisruptionBudget` being setup: ```bash kubectl apply -k $KUADRANT_DIR/configure/ 
@@ -418,7 +418,12 @@ kubectl apply -k $KUADRANT_DIR/configure/ For topology constraints, you will need to patch the limitador deployment directly: -add the below `yaml` to a `limitador-topoloy-patch.yaml` under the `$KUADRANT_DIR/configure/patches` directory +add the below `yaml` to a `limitador-topoloy-patch.yaml` file under a `$KUADRANT_DIR/configure/patches` directory: + +```bash +mkdir -p $KUADRANT_DIR/configure/patches +touch $KUADRANT_DIR/configure/patches/limitador-topoloy-patch.yaml +``` ```yaml spec: @@ -456,8 +461,9 @@ To increase the number of replicas for Authorino add a new patch to the `$KUADRA kind: Authorino metadata: name: authorino + namespace: kuadrant-system spec: - replicas: 2 + replicas: 2 ``` @@ -468,7 +474,11 @@ kubectl apply -k $KUADRANT_DIR/configure/ ``` To add resource limits and or topology constraints to Authorino. You will need to patch the Authorino deployment directly: -Add the below `yaml` to a `authorino-topoloy-patch.yaml` under the `$KUADRANT_DIR/configure/patches` directory +Add the below `yaml` to a `authorino-topoloy-patch.yaml` under the `$KUADRANT_DIR/configure/patches` directory: + +```bash +touch $KUADRANT_DIR/configure/patches/authorino-topoloy-patch.yaml +``` ```yaml spec: 
@@ -502,7 +512,78 @@ Apply the patch: kubectl patch deployment authorino -n kuadrant-system --patch-file $KUADRANT_DIR/configure/patches/authorino-topoloy-patch.yaml ``` +Kuadrant is now installed and ready to use and the data plane components are configured to be distributed and resilient. + +For reference the full configure kustomization should look like: +```yaml +kind: Kustomization +resources: + - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) + - cluster-issuer.yaml +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager # assumes cert-manager namespace exists. + envs: + - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system # this is the namespace where your gateway will be provisioned + envs: + - aws-credentials.env #notice this matches the .env file above. you need to set up this file locally first. + type: 'kuadrant.io/aws' + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/redis' + +patches: + - patch: |- + apiVersion: limitador.kuadrant.io/v1alpha1 + kind: Limitador + metadata: + name: limitador + namespace: kuadrant-system + spec: + pdb: + maxUnavailable: 1 + replicas: 2 + resourceRequirements: + requests: + cpu: 10m + memory: 10Mi # set these based on your own needs. 
+ storage: + redis: + configSecretRef: + name: redis-credentials + - patch: |- + apiVersion: operator.authorino.kuadrant.io/v1beta1 + kind: Authorino + metadata: + name: authorino + namespace: kuadrant-system + spec: + replicas: 2 + +``` +The configure directory should contain the following: +``` +configure/ +├── aws-credentials.env +├── cluster-issuer.yaml +├── kustomization.yaml +├── patches +│   ├── authorino-topoloy-patch.yaml +│   └── limitador-topoloy-patch.yaml +└── redis-credentials.env +``` ## Set up observability (OpenShift Only) From a2c6039bde54cf4c7b1f444639488674d0d80ab6 Mon Sep 17 00:00:00 2001 From: craig Date: Thu, 19 Dec 2024 15:27:25 +0000 Subject: [PATCH 08/13] update full example dir Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- .../full-example-aws/configure/authorino.yaml | 0 .../configure/cluster-issuer.yaml | 1 - .../full-example-aws/configure/kustomization.yaml | 15 +++++++++------ .../full-example-aws/configure/limitador.yaml | 11 ----------- .../patches/authorino-replicas-patch.yaml | 6 ------ 5 files changed, 9 insertions(+), 24 deletions(-) delete mode 100644 config/install/full-example-aws/configure/authorino.yaml delete mode 100644 config/install/full-example-aws/configure/limitador.yaml delete mode 100644 config/install/full-example-aws/configure/patches/authorino-replicas-patch.yaml diff --git a/config/install/full-example-aws/configure/authorino.yaml b/config/install/full-example-aws/configure/authorino.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/config/install/full-example-aws/configure/cluster-issuer.yaml b/config/install/full-example-aws/configure/cluster-issuer.yaml index b6f95e5f0..5ee8446dc 100644 --- a/config/install/full-example-aws/configure/cluster-issuer.yaml +++ b/config/install/full-example-aws/configure/cluster-issuer.yaml 
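Review bot: In hunk @@ -272,18 the rewritten prose still names the file `redis-credential.env` (singular) while the `touch` command beneath it creates `redis-credentials.env` and the `secretGenerator` added in @@ -293,7 reads `redis-credentials.env`; a reader who follows the prose name gets a kustomize build failure for a missing env file, so use `redis-credentials.env` throughout. The same hunk also keeps "With these credentials in place and the cluster issuer configured." as a standalone fragment; join it to the next sentence ("... configured, you are now ready to start using DNSPolicy and TLSPolicy ...").

Review bot: The file is called `kustomize.yaml` in two places although every command and path in the guide edits `kustomization.yaml`: the context line "Your full `kustomize.yaml` will now be:" in hunk @@ -329,7 and the `+` line in hunk @@ -397,7 ("`$KUADRANT_DIR/configure/kustomize.yaml`"). kustomize only recognises `kustomization.yaml`, `kustomization.yml` or `Kustomization`, so both should read `kustomization.yaml`. The `+` line in @@ -293,7 is also a run-on; a full stop after "`$KUADRANT_DIR/configure/kustomization.yaml`" fixes it.

Review bot: Hunk @@ -372,13 states "Limitador will become temporarily unavailable as it restarts", but the `pdb: maxUnavailable: 1` / `replicas: 2` settings introduced in hunk @@ -397,7 go into the same `Limitador` patch and are the mechanism for avoiding exactly that gap; worth a sentence telling readers who cannot afford a rate-limiting outage to apply the replicas/PDB section before switching the storage to Redis. The `+` line in @@ -409,7 also starts a sentence with lowercase "re-apply".

Review bot: Hunks @@ -418,7 and @@ -468,7 carry the typo "topoloy" in `limitador-topoloy-patch.yaml` and `authorino-topoloy-patch.yaml`, and hunk @@ -502,7 repeats both names in the directory listing, so the fix has to cover the `touch` commands, the `kubectl patch ... --patch-file` commands and the tree together (`limitador-topology-patch.yaml`, `authorino-topology-patch.yaml`). Adding `namespace: kuadrant-system` to the Authorino patch in @@ -456,8 brings it in line with the Limitador patch, which already sets the namespace.

Review bot: The reference `Kustomization` in hunk @@ -502,7 is missing the `apiVersion: kustomize.config.k8s.io/v1beta1` line that the earlier listing in hunk @@ -329,7 starts with, so the "full configure kustomization should look like" block does not match the file readers have built up; add the line. Two things that listing should also tell readers: `generatorOptions.disableNameSuffixHash: true` means an edited `aws-credentials.env` or `redis-credentials.env` updates the fixed-name Secret in place on re-apply rather than producing a renamed Secret that would roll its consumers, which matters because the guide relies on re-applying; and the tree shows `aws-credentials.env` and `redis-credentials.env` as plain files next to `kustomization.yaml`, which hold live cloud and Redis credentials and must stay out of version control (the `full-example-aws` directory ships `.env.sample` placeholders for that reason).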
@@ -1,4 +1,3 @@ -# example lets-encrypt cluster issuer that will work with the credentials we will add apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: diff --git a/config/install/full-example-aws/configure/kustomization.yaml b/config/install/full-example-aws/configure/kustomization.yaml index ef29509d7..b09c2652d 100644 --- a/config/install/full-example-aws/configure/kustomization.yaml +++ b/config/install/full-example-aws/configure/kustomization.yaml @@ -3,7 +3,6 @@ kind: Kustomization resources: - https://github.com/Kuadrant/kuadrant-operator//config/install/configure/standard?ref=v1.0.1 #change this version as needed (see https://github.com/Kuadrant/kuadrant-operator/releases) - cluster-issuer.yaml #(comment if you dont want to use it. The issuer yaml is defined below). - - limitador.yaml generatorOptions: disableNameSuffixHash: true @@ -36,18 +35,22 @@ patches: name: limitador namespace: kuadrant-system spec: - storage: - redis: - configSecretRef: - name: redis-credentials + pdb: + maxUnavailable: 1 + replicas: 2 resourceRequirements: requests: cpu: 10m memory: 10Mi # set these based on your own needs. + storage: + redis: + configSecretRef: + name: redis-credentials - patch: |- apiVersion: operator.authorino.kuadrant.io/v1beta1 kind: Authorino metadata: name: authorino + namespace: kuadrant-system spec: - replicas: 2 + replicas: 2 diff --git a/config/install/full-example-aws/configure/limitador.yaml b/config/install/full-example-aws/configure/limitador.yaml deleted file mode 100644 index a5a3c2e2d..000000000 --- a/config/install/full-example-aws/configure/limitador.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: limitador.kuadrant.io/v1alpha1 -kind: Limitador -metadata: - name: limitador - namespace: kuadrant-system -spec: - storage: - redis: - configSecretRef: - name: redis-credentials - 
diff --git a/config/install/full-example-aws/configure/patches/authorino-replicas-patch.yaml b/config/install/full-example-aws/configure/patches/authorino-replicas-patch.yaml deleted file mode 100644 index c6e867ecd..000000000 --- a/config/install/full-example-aws/configure/patches/authorino-replicas-patch.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: operator.authorino.kuadrant.io/v1beta1 -kind: Authorino -metadata: - name: authorino -spec: - replicas: 2 From 613422c3358dd4d38a053d2563d224327be5383c Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Fri, 20 Dec 2024 07:44:52 +0000 Subject: [PATCH 09/13] Update config/install/README.md Co-authored-by: David Martin --- config/install/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index b6c40145f..216242a64 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -91,7 +91,7 @@ Once OLM has finished installing the operators (this can take several minutes). ```bash kubectl get deployments -n kuadrant-system -## Output +## Output (kuadrant-console-plugin deployment only installed on OpenShift) # NAME READY UP-TO-DATE AVAILABLE AGE # authorino-operator 1/1 1 1 83m # dns-operator-controller-manager 1/1 1 1 83m From 9775ebe0dc6721a27e5e348ad22c00247e7cc3c0 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Fri, 20 Dec 2024 07:45:02 +0000 Subject: [PATCH 10/13] Update config/install/README.md Co-authored-by: David Martin --- config/install/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index 216242a64..bfa0ca46d 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -149,7 +149,7 @@ kubectl get kuadrant kuadrant -n kuadrant-system -o=wide ``` -You should see the condition with type `Ready` with a message of `kuadrant is ready`. +You should see the condition with type `Ready`. ### Verify Istio is configured and ready: 
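Review bot: In the `cluster-issuer.yaml` hunk (@@ -1,4 +1,3) deleting the only comment removes the one place that tells readers this is a Let's Encrypt issuer built for the credentials added earlier, while the README still says "comment if you dont want to use it"; keep a one-line header comment (or move the explanation into the README's cluster issuer section) so the file is not an unexplained issuer.

Review bot: In the `kustomization.yaml` hunk (@@ -3,7 +3,6) the comment on `cluster-issuer.yaml` still says "The issuer yaml is defined below", which no longer points anywhere now that the issuer is its own file; change it to "defined in cluster-issuer.yaml". Folding `storage.redis` into the existing `Limitador` patch and deleting `limitador.yaml` (hunk @@ -1,11 +0,0) is the right move, since the file and the patch both described the same `limitador` object in `kuadrant-system` and the README only ever shows the patch form.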
From df9f14b7b128d0f2688621008c94dfebe49b77d6 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Fri, 20 Dec 2024 07:46:29 +0000 Subject: [PATCH 11/13] Update config/install/README.md Co-authored-by: David Martin --- config/install/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index bfa0ca46d..f0f7097b6 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -167,7 +167,7 @@ kubectl get istio -n gateway-system At this point Kuadrant is installed and ready to be used as is Istio as the gateway provider. This means AuthPolicy and RateLimitPolicy can now be configured and used to protect any Gateways you create. -## Configure DNS and TLS integration +## (Optional) Configure DNS and TLS integration In this section will build on the previous steps and expand the `kustomization.yaml` we created in `$KUADRANT_DIR/configure`. From ad61a0b33c2de2fb40f60731558357f0d0dd34b8 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Fri, 20 Dec 2024 07:47:08 +0000 Subject: [PATCH 12/13] Update config/install/README.md Co-authored-by: David Martin --- config/install/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index f0f7097b6..9d65b3947 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -211,7 +211,7 @@ generatorOptions: secretGenerator: - name: aws-provider-credentials - namespace: cert-manager # assumes cert-manager namespace exists. + namespace: cert-manager # change this to the namespace where cert-manager is running. envs: - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally type: 'kuadrant.io/aws' From 6714c4eb8878c17388d657588e51ce26454c8bd4 Mon Sep 17 00:00:00 2001 From: craig Date: Mon, 9 Dec 2024 11:00:35 +0000 Subject: [PATCH 13/13] add new installation guide covering resilient deployment 
Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/config/install/README.md b/config/install/README.md index 9d65b3947..f014f59c0 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -31,6 +31,8 @@ This document will walk you through setting up the required configuration to ins > Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) +> Note: this document focuses on AWS integration for DNS. If you want to use a different provider, there are examples under the [configure directory](https://github.com/Kuadrant/kuadrant-operator/tree/main/config/install/configure) + ## Basic Installation This first step will install just Kuadrant at a given released version (post v1.x) in the `kuadrant-system` namespace and the Sail Operator. There will be no credentials/dns providers configured (This is the most basic setup but means TLSPolicy and DNSPolicy will not be able to be used). @@ -149,7 +151,7 @@ kubectl get kuadrant kuadrant -n kuadrant-system -o=wide ``` -You should see the condition with type `Ready`. +You should see the condition with type `Ready` with a message of `kuadrant is ready`. ### Verify Istio is configured and ready: 
@@ -167,7 +169,7 @@ kubectl get istio -n gateway-system At this point Kuadrant is installed and ready to be used as is Istio as the gateway provider. This means AuthPolicy and RateLimitPolicy can now be configured and used to protect any Gateways you create. -## (Optional) Configure DNS and TLS integration +## Configure DNS and TLS integration In this section will build on the previous steps and expand the `kustomization.yaml` we created in `$KUADRANT_DIR/configure`. @@ -211,7 +213,7 @@ generatorOptions: secretGenerator: - name: aws-provider-credentials - namespace: cert-manager # change this to the namespace where cert-manager is running. + namespace: cert-manager # assumes cert-manager namespace exists. envs: - aws-credentials.env # notice this matches the .env file above. You will need to setup this file locally type: 'kuadrant.io/aws'
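Review bot: The three README hunks in PATCH 13/13 at @@ -149,7, @@ -167,7 and @@ -211,7 exactly undo the co-authored edits from PATCH 10/13, 11/13 and 12/13 (restoring "with a message of `kuadrant is ready`", dropping "(Optional)" from the DNS and TLS heading, and putting back "assumes cert-manager namespace exists."), while the subject "add new installation guide covering resilient deployment" only accounts for the added note at @@ -31,6; this looks like a stale rebase of the earlier commit rather than an intended reversal, so drop those three hunks so the reviewed wording survives. Of the reverted edits, the "change this to the namespace where cert-manager is running." comment from PATCH 12/13 is the one that actually guides the reader, since the `secretGenerator` namespace has to be wherever cert-manager was installed, and "assumes cert-manager namespace exists." does not say that.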