From 81a9ff04dedc4dde7c07d8846a788b0a5c8ed779 Mon Sep 17 00:00:00 2001 From: Ryan Lo Date: Sun, 6 Sep 2020 13:09:06 +0800 Subject: [PATCH] SUBMARINE-616. Deploying Traefik as Ingress controller in Submarine ### What is this PR for? 1. Declaring traefik-helm-chart as a dependency(subchart). And it should be optional. 2. Add an Ingress object to route to submarine-server service and using NodePort (port 32080/TCP) to expose. After installing Submarine with helm, users can directly access submarine-workbench from your browser. If users dont want to use Traefik as default ingress controller, they can modify the value ".Value.submarine.traefik.enabled" ### What type of PR is it? [Feature] ### Todos * [ ] - Task ### What is the Jira issue? [SUBMARINE-616](https://issues.apache.org/jira/projects/SUBMARINE/issues/SUBMARINE-616) ### How should this be tested? [Travis CI](https://travis-ci.org/github/lowc1012/submarine/builds/724193208) ### Screenshots (if appropriate) image1 image2 ### Questions: * Does the licenses files need update? No * Is there breaking changes for older versions? No * Does this needs documentation? No Author: Ryan Lo Closes #393 from lowc1012/SUBMARINE-616 and squashes the following commits: 7629eaa [Ryan Lo] SUBMARINE-616. Update helm.md 876d4cc [Ryan Lo] SUBMARINE-616. Update docs/userdocs/k8s/helm.md 79e46c5 [Ryan Lo] SUBMARINE-616. Change kind-config path and rename files df45f5c [Ryan Lo] SUBMARINE-616. Deploying Traefik as Ingress controller in Submarine on k8s --- .github/workflows/python.yml | 23 ++ docs/userdocs/k8s/helm.md | 33 +- helm-charts/submarine/Chart.yaml | 11 +- .../submarine/charts/traefik/.helmignore | 40 +++ .../submarine/charts/traefik/Chart.yaml | 30 ++ .../charts/traefik/crds/ingressroute-tcp.yaml | 29 ++ .../charts/traefik/crds/ingressroute-udp.yaml | 30 ++ .../charts/traefik/crds/ingressroute.yaml | 29 ++ .../charts/traefik/crds/middlewares.yaml | 29 ++ .../charts/traefik/crds/tls-options.yaml | 29 ++ .../charts/traefik/crds/tls-stores.yaml | 30 ++ .../charts/traefik/crds/traefik-services.yaml | 29 ++ .../charts/traefik/templates/_helpers.tpl | 71 ++++ .../dashboard-hook-ingressroute.yaml | 45 +++ .../charts/traefik/templates/deployment.yaml | 260 ++++++++++++++ .../charts/traefik/templates/hpa.yaml | 37 ++ .../templates/pod-disruption-budget.yaml | 39 ++ .../charts/traefik/templates/pvc.yaml | 42 +++ .../templates/rbac/cluster-role-binding.yaml | 35 ++ .../traefik/templates/rbac/cluster-role.yaml | 66 ++++ .../traefik/templates/rbac/role-binding.yaml | 35 ++ .../charts/traefik/templates/rbac/role.yaml | 66 ++++ .../templates/rbac/service-account.yaml | 31 ++ .../charts/traefik/templates/service.yaml | 126 +++++++ .../submarine/charts/traefik/values.yaml | 336 ++++++++++++++++++ .../templates/submarine-ingress.yaml | 16 + helm-charts/submarine/values.yaml | 3 +- 27 files changed, 1543 insertions(+), 7 deletions(-) create mode 100644 helm-charts/submarine/charts/traefik/.helmignore create mode 100644 helm-charts/submarine/charts/traefik/Chart.yaml create mode 100644 helm-charts/submarine/charts/traefik/crds/ingressroute-tcp.yaml create mode 100644 helm-charts/submarine/charts/traefik/crds/ingressroute-udp.yaml create mode 100644 helm-charts/submarine/charts/traefik/crds/ingressroute.yaml create mode 100644 helm-charts/submarine/charts/traefik/crds/middlewares.yaml create mode 100644 helm-charts/submarine/charts/traefik/crds/tls-options.yaml create mode 100644 helm-charts/submarine/charts/traefik/crds/tls-stores.yaml create mode 100644 helm-charts/submarine/charts/traefik/crds/traefik-services.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/_helpers.tpl create mode 100644 helm-charts/submarine/charts/traefik/templates/dashboard-hook-ingressroute.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/deployment.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/hpa.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/pod-disruption-budget.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/pvc.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/rbac/cluster-role-binding.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/rbac/cluster-role.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/rbac/role-binding.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/rbac/role.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/rbac/service-account.yaml create mode 100644 helm-charts/submarine/charts/traefik/templates/service.yaml create mode 100644 helm-charts/submarine/charts/traefik/values.yaml create mode 100644 helm-charts/submarine/templates/submarine-ingress.yaml diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 636a726daf..caecb1bbe5 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -40,10 +40,33 @@ jobs: timeout-minutes: 120 steps: - uses: actions/checkout@v1 + - name: Create the kind config + run: | + cat < ./kind-config-kind.yaml + kind: Cluster + apiVersion: kind.x-k8s.io/v1alpha4 + nodes: + - role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + authorization-mode: "AlwaysAllow" + extraPortMappings: + - containerPort: 32080 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP + EOF - uses: engineerd/setup-kind@v0.4.0 with: version: "v0.7.0" image: kindest/node:v1.15.6 + config: ./kind-config-kind.yaml - name: Show K8s cluster information run: | kubectl cluster-info diff --git a/docs/userdocs/k8s/helm.md b/docs/userdocs/k8s/helm.md index aab95e0000..acf795bf6d 100644 --- a/docs/userdocs/k8s/helm.md +++ b/docs/userdocs/k8s/helm.md @@ -22,7 +22,9 @@ under the License. ## Deploy Submarine Using Helm Chart (Recommended) -Submarine's Helm Chart will not only deploy Submarine Server, but also deploys TF Operator / PyTorch Operator (which will be used by Submarine Server to run TF/PyTorch jobs on K8s). +Submarine's Helm Chart will deploy Submarine Server, TF/PyTorch Operator, Notebook controller +and Traefik. We use the TF/PyTorch operator to run tf/pytorch job, the notebook controller to +manage jupyter notebook and Traefik as reverse-proxy. ### Install Helm @@ -72,15 +74,36 @@ notebook-controller-deployment-5db8b6cbf7-k65jm 1/1 Running 0 5 pytorch-operator-7ff5d96d59-gx7f5 1/1 Running 0 5s submarine-database-8d95d74f7-ntvqp 1/1 Running 0 5s submarine-server-b6cd4787b-7bvr7 1/1 Running 0 5s +submarine-traefik-9bb6f8577-66sx6 1/1 Running 0 5s tf-job-operator-7844656dd-lfgmd 1/1 Running 0 5s ``` -### Enable local access to Submarine Server -Submarine server by default expose 8080 port within K8s cluster. -To access the server from outside of the cluster, we need to expose the service. -We can either use port-forward, or use K8s `Ingress`, here is an example of port-forward. +### Access to Submarine Server +Submarine server by default expose 8080 port within K8s cluster. After Submarine v0.5 +uses Traefik as reverse-proxy by default. If you don't want to +use Traefik, you can modify below value to ***false*** in `./helm-charts/submarine/values.yaml`. +```yaml +# Use Traefik by default +traefik: + enabled: true +``` + +To access the server from outside of the cluster, we use Traefik ingress controller and +NodePort for external access.\ +Please refer to `./helm-charts/submarine/charts/traefik/values.yaml` and [Traefik docs](https://docs.traefik.io/) +for more details if you want to customize the default value for Traefik. + +``` +# Use nodePort and Traefik ingress controller by default. +# To access the submarine server, open the following URL in your browser. +http://127.0.0.1:32080 +``` + +Or you can use port-forward to forward a local port to a port on the +submarine server pod. ```bash +# Use port-forward kubectl port-forward svc/submarine-server 8080:8080 # In another terminal. Run below command to verify it works diff --git a/helm-charts/submarine/Chart.yaml b/helm-charts/submarine/Chart.yaml index 40aaa43c44..9e40ebf321 100644 --- a/helm-charts/submarine/Chart.yaml +++ b/helm-charts/submarine/Chart.yaml @@ -21,4 +21,13 @@ description: Submarine is Cloud Native Machine Learning Platform. name: submarine version: 0.5.0-SNAPSHOT icon: https://submarine.apache.org/assets/themes/submarine/img/submarine_white_logo.png - +dependencies: +- name: tfjob + version: "0.1.0" +- name: pytorchjob + version: "0.1.0" +- name: notebook-controller + version: "0.1.0" +- name: traefik + version: "9.1.0" + condition: submarine.traefik.enabled diff --git a/helm-charts/submarine/charts/traefik/.helmignore b/helm-charts/submarine/charts/traefik/.helmignore new file mode 100644 index 0000000000..cab781adbf --- /dev/null +++ b/helm-charts/submarine/charts/traefik/.helmignore @@ -0,0 +1,40 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm-charts/submarine/charts/traefik/Chart.yaml b/helm-charts/submarine/charts/traefik/Chart.yaml new file mode 100644 index 0000000000..5ec6bc5632 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/Chart.yaml @@ -0,0 +1,30 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: v2 +name: traefik +description: A Traefik based Kubernetes ingress controller +type: application +version: 9.1.0 +appVersion: 2.2.8 +keywords: + - traefik + - ingress +home: https://traefik.io/ +sources: + - https://github.com/containous/traefik +icon: https://raw.githubusercontent.com/containous/traefik/v2.2/docs/content/assets/img/traefik.logo.png diff --git a/helm-charts/submarine/charts/traefik/crds/ingressroute-tcp.yaml b/helm-charts/submarine/charts/traefik/crds/ingressroute-tcp.yaml new file mode 100644 index 0000000000..7dbaceaedf --- /dev/null +++ b/helm-charts/submarine/charts/traefik/crds/ingressroute-tcp.yaml @@ -0,0 +1,29 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutetcps.traefik.containo.us +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteTCP + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced diff --git a/helm-charts/submarine/charts/traefik/crds/ingressroute-udp.yaml b/helm-charts/submarine/charts/traefik/crds/ingressroute-udp.yaml new file mode 100644 index 0000000000..4efa15da88 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/crds/ingressroute-udp.yaml @@ -0,0 +1,30 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressrouteudps.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteUDP + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced diff --git a/helm-charts/submarine/charts/traefik/crds/ingressroute.yaml b/helm-charts/submarine/charts/traefik/crds/ingressroute.yaml new file mode 100644 index 0000000000..d42e4576aa --- /dev/null +++ b/helm-charts/submarine/charts/traefik/crds/ingressroute.yaml @@ -0,0 +1,29 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutes.traefik.containo.us +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRoute + plural: ingressroutes + singular: ingressroute + scope: Namespaced diff --git a/helm-charts/submarine/charts/traefik/crds/middlewares.yaml b/helm-charts/submarine/charts/traefik/crds/middlewares.yaml new file mode 100644 index 0000000000..8b19370d30 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/crds/middlewares.yaml @@ -0,0 +1,29 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: middlewares.traefik.containo.us +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: Middleware + plural: middlewares + singular: middleware + scope: Namespaced diff --git a/helm-charts/submarine/charts/traefik/crds/tls-options.yaml b/helm-charts/submarine/charts/traefik/crds/tls-options.yaml new file mode 100644 index 0000000000..4bc26976fd --- /dev/null +++ b/helm-charts/submarine/charts/traefik/crds/tls-options.yaml @@ -0,0 +1,29 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + scope: Namespaced diff --git a/helm-charts/submarine/charts/traefik/crds/tls-stores.yaml b/helm-charts/submarine/charts/traefik/crds/tls-stores.yaml new file mode 100644 index 0000000000..728345460c --- /dev/null +++ b/helm-charts/submarine/charts/traefik/crds/tls-stores.yaml @@ -0,0 +1,30 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsstores.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSStore + plural: tlsstores + singular: tlsstore + scope: Namespaced diff --git a/helm-charts/submarine/charts/traefik/crds/traefik-services.yaml b/helm-charts/submarine/charts/traefik/crds/traefik-services.yaml new file mode 100644 index 0000000000..7eb8ab9a99 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/crds/traefik-services.yaml @@ -0,0 +1,29 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: traefikservices.traefik.containo.us +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TraefikService + plural: traefikservices + singular: traefikservice + scope: Namespaced diff --git a/helm-charts/submarine/charts/traefik/templates/_helpers.tpl b/helm-charts/submarine/charts/traefik/templates/_helpers.tpl new file mode 100644 index 0000000000..d599823ea3 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/_helpers.tpl @@ -0,0 +1,71 @@ +{{/* +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "traefik.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "traefik.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "traefik.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +The name of the service account to use +*/}} +{{- define "traefik.serviceAccountName" -}} +{{- default (include "traefik.fullname" .) .Values.serviceAccount.name -}} +{{- end -}} + +{{/* +Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice. +By convention this will simply use the / to match the name of the +service generated. +Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride` +*/}} +{{- define "providers.kubernetesIngress.publishedServicePath" -}} +{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}} +{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/dashboard-hook-ingressroute.yaml b/helm-charts/submarine/charts/traefik/templates/dashboard-hook-ingressroute.yaml new file mode 100644 index 0000000000..9565b93764 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/dashboard-hook-ingressroute.yaml @@ -0,0 +1,45 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{- if .Values.ingressRoute.dashboard.enabled -}} +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: {{ template "traefik.fullname" . }}-dashboard + annotations: + helm.sh/hook: "post-install,post-upgrade" + {{- with .Values.ingressRoute.dashboard.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.ingressRoute.dashboard.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/deployment.yaml b/helm-charts/submarine/charts/traefik/templates/deployment.yaml new file mode 100644 index 0000000000..0c6e65d0f0 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/deployment.yaml @@ -0,0 +1,260 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{- if .Values.deployment.enabled -}} + {{- if gt (int .Values.deployment.replicas) 1 -}} + {{- with .Values.additionalArguments -}} + {{- range . -}} + {{- if contains ".acme." . -}} + {{- fail (printf "You can not enabled acme if you set more than one traefik replica") -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ default 1 .Values.deployment.replicas }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + strategy: + type: RollingUpdate + rollingUpdate: + {{- with .Values.rollingUpdate }} + {{- toYaml . | nindent 6 }} + {{- end }} + template: + metadata: + annotations: + {{- with .Values.deployment.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + serviceAccountName: {{ include "traefik.serviceAccountName" . }} + terminationGracePeriodSeconds: 60 + hostNetwork: {{ .Values.hostNetwork }} + {{- with .Values.deployment.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.deployment.initContainers }} + initContainers: + {{- toYaml . | nindent 6 }} + {{- end }} + containers: + - image: {{ .Values.image.name }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ template "traefik.fullname" . }} + resources: + {{- with .Values.resources }} + {{- toYaml . | nindent 10 }} + {{- end }} + readinessProbe: + httpGet: + path: /ping + port: {{ .Values.ports.traefik.port }} + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: {{ .Values.ports.traefik.port }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + ports: + {{- range $name, $config := .Values.ports }} + {{- if $config }} + - name: {{ $name | quote }} + containerPort: {{ $config.port }} + {{- if $config.hostPort }} + hostPort: {{ $config.hostPort }} + {{- end }} + {{- if $config.hostIP }} + hostIP: {{ $config.hostIP }} + {{- end }} + protocol: {{ default "TCP" $config.protocol | quote }} + {{- end }} + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + volumeMounts: + - name: data + mountPath: {{ .Values.persistence.path }} + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: tmp + mountPath: /tmp + {{- range .Values.volumes }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: true + {{- end }} + args: + {{- with .Values.globalArguments }} + {{- range . }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- range $name, $config := .Values.ports }} + {{- if $config }} + - "--entryPoints.{{$name}}.address=:{{ $config.port }}/{{ default "tcp" $config.protocol | lower }}" + {{- end }} + {{- end }} + - "--api.dashboard=true" + - "--ping=true" + {{- if .Values.providers.kubernetesCRD.enabled }} + - "--providers.kubernetescrd" + {{- end }} + {{- if .Values.providers.kubernetesIngress.enabled }} + - "--providers.kubernetesingress" + {{- if and .Values.service.enabled .Values.providers.kubernetesIngress.publishedService.enabled }} + - "--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}" + {{- end }} + {{- end }} + {{- if and .Values.rbac.enabled .Values.rbac.namespaced }} + - "--providers.kubernetescrd.namespaces={{ .Release.Namespace }}" + - "--providers.kubernetesingress.namespaces={{ .Release.Namespace }}" + {{- end }} + {{- range $entrypoint, $config := $.Values.ports }} + {{- if $config.redirectTo }} + {{- $toPort := index $.Values.ports $config.redirectTo }} + - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}" + - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https" + {{- end }} + {{- end }} + {{- with .Values.logs }} + {{- if .general.format }} + - "--log.format={{ .general.format }}" + {{- end }} + {{- if ne .general.level "ERROR" }} + - "--log.level={{ .general.level | upper }}" + {{- end }} + {{- if .access.enabled }} + - "--accesslog=true" + {{- if .access.format }} + - "--accesslog.format={{ .access.format }}" + {{- end }} + {{- if .access.bufferingsize }} + - "--accesslog.bufferingsize={{ .access.bufferingsize }}" + {{- end }} + {{- if .access.filters }} + {{- if .access.filters.statuscodes }} + - "--accesslog.filters.statuscodes={{ .access.filters.statuscodes }}" + {{- end }} + {{- if .access.filters.retryattempts }} + - "--accesslog.filters.retryattempts" + {{- end }} + {{- if .access.filters.minduration }} + - "--accesslog.filters.minduration={{ .access.filters.minduration }}" + {{- end }} + {{- end }} + - "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.general.names }} + - "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + - "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.headers.names }} + - "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.additionalArguments }} + {{- range . }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- with .Values.env }} + env: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.envFrom }} + envFrom: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.deployment.additionalContainers }} + {{- toYaml .Values.deployment.additionalContainers | nindent 6 }} + {{- end }} + volumes: + - name: data + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ default (include "traefik.fullname" .) .Values.persistence.existingClaim }} + {{- else }} + emptyDir: {} + {{- end }} + - name: tmp + emptyDir: {} + {{- range .Values.volumes }} + - name: {{ .name }} + {{- if eq .type "secret" }} + secret: + secretName: {{ .name }} + {{- else if eq .type "configMap" }} + configMap: + name: {{ .name }} + {{- end }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/hpa.yaml b/helm-charts/submarine/charts/traefik/templates/hpa.yaml new file mode 100644 index 0000000000..9ecdd16f2e --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/hpa.yaml @@ -0,0 +1,37 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "traefik.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: +{{ toYaml .Values.autoscaling.metrics | indent 4 }} +{{- end }} diff --git a/helm-charts/submarine/charts/traefik/templates/pod-disruption-budget.yaml b/helm-charts/submarine/charts/traefik/templates/pod-disruption-budget.yaml new file mode 100644 index 0000000000..aa460e91a7 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/pod-disruption-budget.yaml @@ -0,0 +1,39 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{- if .Values.podDisruptionBudget.enabled -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable | int }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable | int }} + {{- end }} +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/pvc.yaml b/helm-charts/submarine/charts/traefik/templates/pvc.yaml new file mode 100644 index 0000000000..0993ea1019 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/pvc.yaml @@ -0,0 +1,42 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "traefik.fullname" . }} + annotations: + {{- with .Values.persistence.annotations }} + {{ toYaml . | indent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + {{- end }} +{{- end -}} + diff --git a/helm-charts/submarine/charts/traefik/templates/rbac/cluster-role-binding.yaml b/helm-charts/submarine/charts/traefik/templates/rbac/cluster-role-binding.yaml new file mode 100644 index 0000000000..d1c5c958b5 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/rbac/cluster-role-binding.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }} +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "traefik.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "traefik.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/rbac/cluster-role.yaml b/helm-charts/submarine/charts/traefik/templates/rbac/cluster-role.yaml new file mode 100644 index 0000000000..191c9ec883 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/rbac/cluster-role.yaml @@ -0,0 +1,66 @@ +{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) -}} +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - tlsoptions + - tlsstores + - traefikservices + verbs: + - get + - list + - watch +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/rbac/role-binding.yaml b/helm-charts/submarine/charts/traefik/templates/rbac/role-binding.yaml new file mode 100644 index 0000000000..d3d6996a73 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/rbac/role-binding.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "traefik.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "traefik.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/rbac/role.yaml b/helm-charts/submarine/charts/traefik/templates/rbac/role.yaml new file mode 100644 index 0000000000..c0775f4092 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/rbac/role.yaml @@ -0,0 +1,66 @@ +{{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - tlsoptions + - tlsstores + - traefikservices + verbs: + - get + - list + - watch +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/rbac/service-account.yaml b/helm-charts/submarine/charts/traefik/templates/rbac/service-account.yaml new file mode 100644 index 0000000000..1df7115927 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/rbac/service-account.yaml @@ -0,0 +1,31 @@ +{{- if not .Values.serviceAccount.name -}} +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ include "traefik.serviceAccountName" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + {{- with .Values.serviceAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/templates/service.yaml b/helm-charts/submarine/charts/traefik/templates/service.yaml new file mode 100644 index 0000000000..40972e457a --- /dev/null +++ b/helm-charts/submarine/charts/traefik/templates/service.yaml @@ -0,0 +1,126 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{- if .Values.service.enabled -}} + +{{ $tcpPorts := dict }} +{{ $udpPorts := dict }} +{{- range $name, $config := .Values.ports }} + {{- if eq (toString $config.protocol) "UDP" }} + {{ $_ := set $udpPorts $name $config }} + {{- else }} + {{ $_ := set $tcpPorts $name $config }} + {{- end }} +{{- end }} + +apiVersion: v1 +kind: List +items: +{{- if $tcpPorts }} + - apiVersion: v1 + kind: Service + metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + {{- with .Values.service.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- $type := default "LoadBalancer" .Values.service.type }} + type: {{ $type }} + {{- with .Values.service.spec }} + {{- toYaml . | nindent 6 }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + {{- range $name, $config := $tcpPorts }} + {{- if $config.expose }} + - port: {{ default $config.port $config.exposedPort }} + name: {{ $name }} + targetPort: {{ $name | quote }} + protocol: {{ default "TCP" $config.protocol | quote }} + {{- if $config.nodePort }} + nodePort: {{ $config.nodePort }} + {{- end }} + {{- end }} + {{- end }} + {{- if eq $type "LoadBalancer" }} + {{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 6 }} + {{- end -}} + {{- end -}} + {{- with .Values.service.externalIPs }} + externalIPs: + {{- toYaml . | nindent 6 }} + {{- end -}} +{{- end }} + +{{- if $udpPorts }} + - apiVersion: v1 + kind: Service + metadata: + name: {{ template "traefik.fullname" . }}-udp + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + {{- with .Values.service.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- $type := default "LoadBalancer" .Values.service.type }} + type: {{ $type }} + {{- with .Values.service.spec }} + {{- toYaml . | nindent 6 }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + {{- range $name, $config := $udpPorts }} + {{- if $config.expose }} + - port: {{ default $config.port $config.exposedPort }} + name: {{ $name }} + targetPort: {{ $name | quote }} + protocol: {{ default "UDP" $config.protocol | quote }} + {{- if $config.nodePort }} + nodePort: {{ $config.nodePort }} + {{- end }} + {{- end }} + {{- end }} + {{- if eq $type "LoadBalancer" }} + {{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 6 }} + {{- end -}} + {{- end -}} + {{- with .Values.service.externalIPs }} + externalIPs: + {{- toYaml . | nindent 6 }} + {{- end -}} +{{- end }} +{{- end -}} diff --git a/helm-charts/submarine/charts/traefik/values.yaml b/helm-charts/submarine/charts/traefik/values.yaml new file mode 100644 index 0000000000..17d164b169 --- /dev/null +++ b/helm-charts/submarine/charts/traefik/values.yaml @@ -0,0 +1,336 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Default values for Traefik +image: + name: traefik + tag: 2.2.8 + pullPolicy: IfNotPresent + +# +# Configure the deployment +# +deployment: + enabled: true + # Number of pods of the deployment + replicas: 1 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. + # Related issue: https://github.com/containous/traefik/issues/6972 + # - name: volume-permissions + # image: busybox:1.31.1 + # command: ["sh", "-c", "chmod -Rv 600 /data/*"] + # volumeMounts: + # - name: data + # mountPath: /data + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + +# Pod disruption budget +podDisruptionBudget: + enabled: false + # maxUnavailable: 1 + # minAvailable: 0 + +# Create an IngressRoute for the dashboard +ingressRoute: + dashboard: + enabled: false + # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} + +rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + + +# +# Configure providers +# +providers: + kubernetesCRD: + enabled: true + kubernetesIngress: + enabled: true + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false + # Published Kubernetes Service to copy status from. Format: namespace/servicename + # By default this Traefik service + # pathOverride: "" + +# +# Add volumes to the traefik pod. +# This can be used to mount a cert pair or a configmap that holds a config.toml file. +# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +# additionalArguments: +# - "--providers.file.filename=/config/dynamic.toml" +volumes: [] +# - name: public-cert +# mountPath: "/certs" +# type: secret +# - name: configs +# mountPath: "/config" +# type: configMap + +# Logs +# https://docs.traefik.io/observability/logs/ +logs: + # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json + # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: + # To enable access logs + enabled: false + # By default, logs are written using the Common Log Format (CLF). + # To write logs in JSON, use json in the format option. + # If the given format is unsupported, the default (CLF) is used instead. + # format: json + # To write the logs in an asynchronous fashion, specify a bufferingSize option. + # This option represents the number of log lines Traefik will keep in memory before writing + # them to the selected output. In some cases, this option can greatly help performances. + # bufferingSize: 100 + # Filtering https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms + # Fields + # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: + defaultmode: keep + names: {} + # Examples: + # ClientUsername: drop + headers: + defaultmode: drop + names: {} + # Examples: + # User-Agent: redact + # Authorization: drop + # Content-Type: keep + +globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" + +# +# Configure Traefik static configuration +# Additional arguments to be passed at Traefik's binary +# All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` +additionalArguments: [] +# - "--providers.kubernetesingress.ingressclass=traefik-internal" +# - "--log.level=DEBUG" + +# Environment variables to be passed to Traefik's binary +env: [] +# - name: SOME_VAR +# value: some-var-value +# - name: SOME_VAR_FROM_CONFIG_MAP +# valueFrom: +# configMapRef: +# name: configmap-name +# key: config-key +# - name: SOME_SECRET +# valueFrom: +# secretKeyRef: +# name: secret-name +# key: secret-key + +envFrom: [] +# - configMapRef: +# name: config-map-name +# - secretRef: +# name: secret-name + +# Configure ports +ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 + # Use hostPort if set. + # hostPort: 9000 + # + # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. + # hostIP: 192.168.100.10 + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl proxy` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 + # The port protocol (TCP/UDP) + protocol: TCP + web: + port: 8000 + # hostPort: 8000 + expose: true + exposedPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer + nodePort: 32080 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + # redirectTo: websecure + websecure: + port: 8443 + # hostPort: 8443 + expose: true + exposedPort: 443 + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 + +# Options for the main traefik service, where the entrypoints traffic comes +# from. +service: + enabled: true + type: NodePort + # Additional annotations (e.g. for cloud provider specific config) + annotations: {} + # Additional entries here will be added to the service spec. Cannot contains + # type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 + +## Create HorizontalPodAutoscaler object. +## +autoscaling: + enabled: false +# minReplicas: 1 +# maxReplicas: 10 +# metrics: +# - type: Resource +# resource: +# name: cpu +# targetAverageUtilization: 60 +# - type: Resource +# resource: +# name: memory +# targetAverageUtilization: 60 + +# Enable persistence using Persistent Volume Claims +# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +# additionalArguments: +# - "--certificatesresolvers.le.acme.storage=/data/acme.json" +# It will persist TLS certificates. +persistence: + enabled: false +# existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" + path: /data + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod + +# If hostNetwork is true, runs traefik in the host network namespace +# To prevent unschedulabel pods due to port collisions, if hostNetwork=true +# and replicas>1, a pod anti-affinity is recommended and will be set if the +# affinity is left as default. +hostNetwork: false + +# Whether Role Based Access Control objects like roles and rolebindings should be created +rbac: + enabled: true + + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + +# The service account the pods will use to interact with the Kubernetes API +serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + +# Additional serviceAccount annotations (e.g. for oidc authentication) +serviceAccountAnnotations: {} + +resources: {} + # requests: + # cpu: "100m" + # memory: "50Mi" + # limits: + # cpu: "300m" + # memory: "150Mi" +affinity: {} +# # This example pod anti-affinity forces the scheduler to put traefik pods +# # on nodes where no other traefik pods are scheduled. +# # It should be used when hostNetwork: true to prevent port conflicts +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchExpressions: +# - key: app +# operator: In +# values: +# - {{ template "traefik.name" . }} +# topologyKey: failure-domain.beta.kubernetes.io/zone +nodeSelector: {} +tolerations: [] + +# Pods can have priority. +# Priority indicates the importance of a Pod relative to other Pods. +priorityClassName: "" + +# Set the container security context +# To run the container with ports below 1024 this will need to be adjust to run as root +securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + +podSecurityContext: + fsGroup: 65532 diff --git a/helm-charts/submarine/templates/submarine-ingress.yaml b/helm-charts/submarine/templates/submarine-ingress.yaml new file mode 100644 index 0000000000..6bddae3899 --- /dev/null +++ b/helm-charts/submarine/templates/submarine-ingress.yaml @@ -0,0 +1,16 @@ +{{ if .Values.submarine.traefik.enabled }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ .Values.submarine.server.name}}-ingress + namespace: {{ .Release.namespace }} + +spec: + rules: + - http: + paths: + - path: / + backend: + serviceName: {{ .Values.submarine.server.name }} + servicePort: {{ .Values.submarine.server.servicePort }} +{{ end }} diff --git a/helm-charts/submarine/values.yaml b/helm-charts/submarine/values.yaml index f67e4506db..fb63dd4dc9 100644 --- a/helm-charts/submarine/values.yaml +++ b/helm-charts/submarine/values.yaml @@ -29,4 +29,5 @@ submarine: image: apache/submarine:database-0.5.0-SNAPSHOT servicePort: 3306 mysqlRootPassword: password - + traefik: + enabled: true