From d0a911ff3076ca812d9c1835e8535ac526c5761b Mon Sep 17 00:00:00 2001 From: Dustin Kaiser <8209087+mrnicegyu11@users.noreply.github.com> Date: Thu, 17 Oct 2024 09:40:45 +0200 Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20k8s:=20Introduce=20Namespa?= =?UTF-8?q?ces=20+=20Cleanups=20(#836)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * wip * wip * wip * wip * Update charts/Makefile Co-authored-by: Yury Hrytsuk <50014626+YuryHrytsuk@users.noreply.github.com> * fix typo * Change suggestions @yuryHrytsuk * Add web entrypoint again --------- Co-authored-by: Dustin Kaiser Co-authored-by: Yury Hrytsuk <50014626+YuryHrytsuk@users.noreply.github.com> --- charts/Makefile | 42 +++++++++++++------ charts/README.md | 8 ++++ charts/adminer/values.yaml.gotmpl | 1 + .../values.selfsigned.yaml.gotmpl | 6 +++ charts/traefik/values.insecure.yaml.gotmpl | 19 +++++---- charts/traefik/values.secure.yaml.gotmpl | 9 ++-- charts/traefik/values.webinternal.yaml.gotmpl | 2 +- 7 files changed, 62 insertions(+), 25 deletions(-) diff --git a/charts/Makefile b/charts/Makefile index 8bf61fee..71ee46e9 100644 --- a/charts/Makefile +++ b/charts/Makefile 
@@ -7,33 +7,32 @@ CONFIG_DIR := $(shell dirname $(REPO_CONFIG_LOCATION)) CHART_DIRS := $(wildcard $(REPO_BASE_DIR)/charts/*/) .PHONY: .check-helmfile-installed -.check-helmfile-installed: +.check-helmfile-installed: ## Checks if helmfile is installed @if ! command -v helmfile >/dev/null 2>&1; then \ echo "'helmfile' is not installed. Install it to continue ...";\ fi -helmfile.yaml: simcore-charts/helmfile.yaml +helmfile.yaml: simcore-charts/helmfile.yaml ## Copies the helmfile.yaml to the charts directory cp $(CONFIG_DIR)/$@ $(REPO_BASE_DIR)/charts/helmfile.yaml -simcore-charts/helmfile.yaml: +simcore-charts/helmfile.yaml: ## Copies the simcore helmfile to the charts directory cp $(CONFIG_DIR)/helmfile.simcore.yaml $(REPO_BASE_DIR)/charts/$@ .PHONY: helmfile-lint -helmfile-lint: .check-helmfile-installed helmfile.yaml +helmfile-lint: .check-helmfile-installed helmfile.yaml ## Lints the helmfile set -a; source $(REPO_CONFIG_LOCATION); set +a; \ helmfile lint .PHONY: .helmfile-local-post-install -.helmfile-local-post-install: +.helmfile-local-post-install: ## Post install steps for local helmfile deployment @$(MAKE) -s configure-local-hosts @echo ""; - @echo "Cluster has been deployed locally: http://$(MACHINE_FQDN)"; + @echo "Cluster has been deployed locally: https://$(MACHINE_FQDN)"; @echo " For secure connections self-signed certificates are used."; - @echo " Install their root-ca certificate in your system for smooth experience."; - @echo " For insecure connections make sure to disable automatic https redirects in your browser."; + @echo ""; .PHONY: helmfile-apply -helmfile-apply: .check-helmfile-installed helmfile.yaml +helmfile-apply: .check-helmfile-installed helmfile.yaml ## Applies the helmfile configuration set -a; source $(REPO_CONFIG_LOCATION); set +a; \ helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml apply 
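Review bot: `.check-helmfile-installed` still returns success when `helmfile` is absent — the then-branch only echoes — so `helmfile-lint`, `helmfile-apply` and the other targets that list it as a prerequisite go on to invoke `helmfile` and die with the shell's "command not found" instead of the friendly message; the new `## Checks if helmfile is installed` help text promises a real gate. Make the branch fail by keeping the echo and adding `exit 1; \` before `fi`. The `helmfile-sync` target added in the next hunk depends on the same check, so fixing it here covers that path too.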
@@ -41,17 +40,34 @@ helmfile-apply: .check-helmfile-installed helmfile.yaml $(MAKE) -s .helmfile-local-post-install; \ fi +.PHONY: helmfile-sync +helmfile-sync: .check-helmfile-installed helmfile.yaml ## Syncs the helmfile configuration (use `helmfile-apply` to deploy the app) + set -a; source $(REPO_CONFIG_LOCATION); set +a; \ + helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml sync + + @if [ "$(MACHINE_FQDN)" = "osparc.local" ]; then \ + $(MAKE) -s .helmfile-local-post-install; \ + fi + + .PHONY: configure-local-hosts -configure-local-hosts: - @echo "Addings $(MACHINE_FQDN) hosts to /etc/hosts ..." +configure-local-hosts: ## Adds local hosts entries for the machine + @echo "Adding $(MACHINE_FQDN) hosts to /etc/hosts ..." @grep -q '127.0.0.1 k8s.monitoring.$(MACHINE_FQDN)' /etc/hosts || echo '127.0.0.1 k8s.monitoring.$(MACHINE_FQDN)' | sudo tee -a /etc/hosts .PHONY: helmfile-diff -helmfile-diff: .check-helmfile-installed helmfile.yaml +helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences that would be applied by helmfile @set -a; source $(REPO_CONFIG_LOCATION); set +a; \ helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml diff .PHONY: helmfile-delete -helmfile-delete: .check-helmfile-installed helmfile.yaml +helmfile-delete: .check-helmfile-installed helmfile.yaml ## Deletes the helmfile configuration @set -a; source $(REPO_CONFIG_LOCATION); set +a; \ helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete + +.PHONY: up +up: helmfile-apply ## Start the stack + +.PHONY: leave +leave: ## Leaves kind cluster + kind delete clusters kind diff --git a/charts/README.md b/charts/README.md index 13767e80..45d83630 100644 --- a/charts/README.md +++ b/charts/README.md 
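Review bot: `configure-local-hosts` still writes `127.0.0.1 k8s.monitoring.$(MACHINE_FQDN)` to /etc/hosts, while the dashboard Ingress in charts/traefik/values.insecure.yaml.gotmpl now takes its host from `K8S_MONITORING_FQDN`; whenever the two values differ, the hosts entry names something Traefik no longer routes. If `K8S_MONITORING_FQDN` is visible to make the way `MACHINE_FQDN` is, derive the entry from it, e.g. `@grep -q '127.0.0.1 $(K8S_MONITORING_FQDN)' /etc/hosts || echo '127.0.0.1 $(K8S_MONITORING_FQDN)' | sudo tee -a /etc/hosts`; otherwise say in the `##` text that the two must be kept in sync. The `osparc.local` conditional in the new `helmfile-sync` is a verbatim copy of the one in `helmfile-apply` (whose start lies outside this hunk); moving the condition into `.helmfile-local-post-install` would leave a single copy. `leave` also hard-codes the cluster name `kind`; a `KIND_CLUSTER_NAME ?= kind` knob would make it overridable.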
@@ -23,6 +23,14 @@ source: https://kind.sigs.k8s.io/docs/user/quick-start Follow the instructions here: https://helm.sh/docs/intro/install/ +Install the helm-diff plugin: `helm plugin install https://github.com/databus23/helm-diff` + +`via https://doc.traefik.io/traefik/user-guides/crd-acme/#ingressroute-definition` +Install traefik-v3 CRDs: `kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml` + +`via https://doc.traefik.io/traefik/user-guides/crd-acme/#ingressroute-definition` +Install traefik-v3 RBAC: `kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml` + #### helmfile If you have a different OS / architecture, pick a different link from [release artifacts](https://github.com/helmfile/helmfile/releases) diff --git a/charts/adminer/values.yaml.gotmpl b/charts/adminer/values.yaml.gotmpl index 1e542426..fb419e49 100644 --- a/charts/adminer/values.yaml.gotmpl +++ b/charts/adminer/values.yaml.gotmpl @@ -49,6 +49,7 @@ ingress: enabled: true className: "" annotations: + namespace: {{ .Release.Namespace }} cert-manager.io/cluster-issuer: "cert-issuer" traefik.ingress.kubernetes.io/router.entrypoints: websecure tls: diff --git a/charts/cert-manager/values.selfsigned.yaml.gotmpl b/charts/cert-manager/values.selfsigned.yaml.gotmpl index c9ca571b..125713df 100644 --- a/charts/cert-manager/values.selfsigned.yaml.gotmpl +++ b/charts/cert-manager/values.selfsigned.yaml.gotmpl 
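Review bot: the added `namespace: {{ .Release.Namespace }}` sits between `annotations:` and `cert-manager.io/cluster-issuer`, so from the diff it appears to land inside `ingress.annotations` as an annotation literally named `namespace` rather than as a field the chart reads; as an annotation it has no effect on where the Ingress is created. If the intent is to place the Ingress in the release namespace, Helm already does that for chart templates and the line can be dropped; if the chart exposes a namespace value it belongs at the `ingress` level, outside `annotations`. A quick look at the rendered Ingress (`helmfile template`) would settle which of the two it is.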
@@ -22,6 +22,12 @@ extraObjects:
 "helm.sh/hook": post-install,post-upgrade
 "helm.sh/hook-weight": "1"
 spec:
+ secretTemplate:
+ annotations:
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" # Control destination namespaces: emptystring means all
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" # Control auto-reflection namespaces
 isCA: true
 commonName: local-ca
 subject:
diff --git a/charts/traefik/values.insecure.yaml.gotmpl b/charts/traefik/values.insecure.yaml.gotmpl
index a43addfe..d63d52c5 100644
--- a/charts/traefik/values.insecure.yaml.gotmpl
+++ b/charts/traefik/values.insecure.yaml.gotmpl
@@ -3,11 +3,12 @@ extraObjects:
 kind: Service
 metadata:
 name: traefik-api
+ namespace: {{.Release.Namespace}}
 spec:
 type: ClusterIP
 selector:
 app.kubernetes.io/name: traefik
- app.kubernetes.io/instance: traefik-default
+ app.kubernetes.io/instance: {{.Release.Namespace}}-traefik
 ports:
 - port: 8080
 name: traefik
@@ -17,7 +18,7 @@ extraObjects:
 kind: Secret
 metadata:
 name: traefik-authorized-users
- namespace: default
+ namespace: {{.Release.Namespace}}
 data:
 users: |2
 {{ requiredEnv "TRAEFIK_K8S_AUTHORIZED_USER" }}
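Review bot: `reflection-allowed-namespaces: ""` together with `reflection-auto-namespaces: ""` makes reflector copy the generated secret into every namespace of the cluster (the inline comment itself says empty means all), and because this Certificate has `isCA: true` the secret cert-manager writes carries the CA's private key (`tls.key`) next to the certificate. Any principal able to read Secrets in any namespace can then mint certificates trusted by everything that trusts `local-ca`. Restrict both annotations to the namespaces that actually need the CA, e.g. `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "<comma-separated namespace list>"` and the same value for `reflection-auto-namespaces`, or reflect a separate secret that holds only `ca.crt`. The enclosing Certificate object starts outside the hunk.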
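Review bot: the Service selector `app.kubernetes.io/instance: {{.Release.Namespace}}-traefik` hard-codes a `<namespace>-traefik` naming scheme, whereas, if I recall the chart's `traefik.instance-name` helper correctly, the Traefik chart labels its pods `app.kubernetes.io/instance: <release name>-<release namespace>` unless `instanceLabelOverride` is set — which is why the old value was `traefik-default`. Unless the release is deliberately named so that the two forms coincide, the selector matches no pods and the dashboard Ingress backend `traefik-api` has no endpoints. `{{ .Release.Name }}-{{ .Release.Namespace }}` follows the chart's rule; the same selector appears in charts/traefik/values.secure.yaml.gotmpl (`@@ -10,11 +10,12 @@`). Checking `kubectl get endpoints traefik-api -n <namespace>` after a deploy confirms either way.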
@@ -32,16 +33,18 @@ extraObjects:
 kind: Ingress
 metadata:
 name: traefik-dashboard
+ namespace: {{.Release.Namespace}}
 annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: web,websecure # allow http(s) for local deployment
- traefik.ingress.kubernetes.io/router.middlewares: default-traefik-basic-auth@kubernetescrd # namespace + middleware name
+ traefik.ingress.kubernetes.io/router.middlewares: {{.Release.Namespace}}-traefik-basic-auth@kubernetescrd # namespace + middleware name
+ cert-manager.io/cluster-issuer: "cert-issuer"
 spec:
 tls:
- - hosts:
- - k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
- secretName: monitoring-tls
+ - hosts:
+ - {{ requiredEnv "K8S_MONITORING_FQDN" }}
+ secretName: monitoring-tls
 rules:
- - host: k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
+ - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
 http:
 paths:
 - path: /dashboard
@@ -51,7 +54,7 @@ extraObjects:
 name: traefik-api
 port:
 name: traefik
- - host: k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
+ - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
 http:
 paths:
 - path: /api
diff --git a/charts/traefik/values.secure.yaml.gotmpl b/charts/traefik/values.secure.yaml.gotmpl
index 87d7337d..bf6e46bf 100644
--- a/charts/traefik/values.secure.yaml.gotmpl
+++ b/charts/traefik/values.secure.yaml.gotmpl
@@ -10,11 +10,12 @@ extraObjects:
 kind: Service
 metadata:
 name: traefik-api
+ namespace: {{.Release.Namespace}}
 spec:
 type: ClusterIP
 selector:
 app.kubernetes.io/name: traefik
- app.kubernetes.io/instance: traefik-default
+ app.kubernetes.io/instance: {{.Release.Namespace}}-traefik
 ports:
 - port: 8080
 name: traefik
@@ -25,7 +26,7 @@ extraObjects:
 kind: Secret
 metadata:
 name: traefik-authorized-users
- namespace: default
+ namespace: {{.Release.Namespace}}
 data:
 users: |2
 {{ requiredEnv "TRAEFIK_K8S_AUTHORIZED_USER" }}
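Review bot: the insecure dashboard Ingress now takes its host from `K8S_MONITORING_FQDN`, but the host lines of the secure variant in charts/traefik/values.secure.yaml.gotmpl are not part of this diff, so they presumably still build it as `k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}`; the two variants would then publish the dashboard under different names depending on which values file is selected. If the rename is meant for both, the secure file needs the same three host replacements; if it is deliberate, a short comment next to `- host:` saying why the insecure variant differs would save the next reader the comparison.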
@@ -53,9 +54,11 @@ extraObjects:
 kind: Ingress
 metadata:
 name: traefik-dashboard
+ namespace: {{.Release.Namespace}}
 annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.middlewares: default-traefik-basic-auth@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: {{.Release.Namespace}}-traefik-basic-auth@kubernetescrd # namespace + middleware name
+ cert-manager.io/cluster-issuer: "cert-issuer"
 spec:
 tls:
 - hosts:
diff --git a/charts/traefik/values.webinternal.yaml.gotmpl b/charts/traefik/values.webinternal.yaml.gotmpl
index c4acc4f4..871c5477 100644
--- a/charts/traefik/values.webinternal.yaml.gotmpl
+++ b/charts/traefik/values.webinternal.yaml.gotmpl
@@ -9,4 +9,4 @@ ports:
 http3:
 enabled: false
 middlewares:
- - default-internal-ipallowlist@kubernetescrd
+ - {{.Release.Namespace}}-internal-ipallowlist@kubernetescrd
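Review bot: the entrypoint middleware reference `{{.Release.Namespace}}-internal-ipallowlist@kubernetescrd` resolves, like the other `@kubernetescrd` references in this commit, to a Middleware named `internal-ipallowlist` in the Traefik release namespace, but unlike the dashboard annotations this line carries no comment saying so. Add the same `# namespace + middleware name` comment, or a note that the `internal-ipallowlist` Middleware must be installed into the Traefik release namespace, since an unresolved middleware on an entrypoint leaves the IP allow-list unenforced for that entrypoint. Where that Middleware is defined is outside this diff.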