Skip to content

Commit

Permalink
updates for install doc
Browse files Browse the repository at this point in the history 
Signed-off-by: craig <cbrookes@redhat.com>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

Update observability resources to use gateway-system namespace (#969)

Signed-off-by: David Martin <davmarti@redhat.com>

add example for external api usage
  • Loading branch information
@maleck13
maleck13 committed Nov 13, 2024
1 parent 24ac317 commit 81352ae
Show file tree
Hide file tree
Showing 6 changed files with 292 additions and 14 deletions.
29 changes: 18 additions & 11 deletions config/install/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,16 +11,22 @@
Install the Sail and Kuadrant Operators via OLM:


> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/olm/catalogsource.yaml` or if you are familiar with kustomize you could apply your own kustomization.
> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/install/standard/kustomization.yaml`.
> Note: We are using the `--context` flag here this is useful if installing on more than one cluster otherwise it is not needed
```
export ctx=replace-with-your-context
```

```
kubectl apply -k config/install/standard
kubectl apply -k config/install/standard --context=$ctx
```

3) verify kuadrant and sail operators are installed. Note this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below:

```
kubectl get deployments -n kuadrant-system
kubectl get deployments -n kuadrant-system --context=$ctx
```

```
Expand All @@ -37,12 +43,13 @@ limitador-operator-controller-manager 1/1 1 1 83m


```
kubectl get deployments -n gateway-system
kubectl get deployments -n gateway-system --context=$ctx
```

```
NAME READY UP-TO-DATE AVAILABLE AGE
istiod 1/1 1 1 61s
sail-operator 1/1 1 1 81m
```
Expand All @@ -54,12 +61,12 @@ sail-operator 1/1 1 1 81m
To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps:

1) Depending on your choice of cloud provider:
- setup the needed `$CLOUD_PROVIDER-credentals.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `install/configure/aws` directory
- setup the needed `$CLOUD_PROVIDER-credentials.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `config/install/configure/aws` directory

3) execute the configure for that cloud provider

```
kubectl apply -k config/install/configure/aws
kubectl apply -k config/install/configure/aws --context=$ctx
```

Expand All @@ -70,29 +77,29 @@ This will configure Kuadrant and Sail installing their components as well as set
Validate Kuadrant is ready via the kuadrant resource status condition

```
kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx
```

At this point Kuadrant is ready to use. Below are some additonal configuration that can be applied.
At this point Kuadrant is ready to use. Below are some additional configuration that can be applied.

### External Redis

create a `redis-credential.env` in the `config/install/configure/redis-storage` dir

```
kubectl apply -k config/install/configure/redis-storage
kubectl apply -k config/install/configure/redis-storage --context=$ctx
```

This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarilly unavailable as it restarts.
This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts.

### Validate

Validate Kuadrant is in a ready state as before:

```
kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx
```

Expand Down
2 changes: 1 addition & 1 deletion config/install/configure/observability/kustomization.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.5.0
- github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0
- ../../../observability/openshift/
- ../../../observability/prometheus/monitors/
2 changes: 1 addition & 1 deletion config/install/standard/kustomization.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,4 +13,4 @@ patches:
metadata:
name: kuadrant-operator-catalog
spec:
image: quay.io/kuadrant/kuadrant-operator-catalog:1.0.0-rc1 #change this to the version you want to install
image: quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4 #change this to the version you want to install
3 changes: 2 additions & 1 deletion config/observability/openshift/grafana/.gitignore
View file
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
datasource.env
datasource.env

176 changes: 176 additions & 0 deletions doc/user-guides/external-api.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,176 @@
# Using Gateway API and Kuadrant with APIs outside of the cluster


### Overview

In some cases, the application and API endpoints are exposed in a host external to the cluster where you are a running Gateway API and Kuadrant but you do not want it accessible directly via the public internet. If you want to have external traffic come into a Gateway API defined Gateway and protected by Kuadrant policies first being proxied to the existing legacy endpoints, this guide will give you some example of how to achieve this.


### What we will do
- Have an API in a private location become accessible via a public hostname
- Setup a gateway and HTTPRoute to expose this private API via our new Gateway on a (public) domain.
- proxy valid requests through to our back-end API service
- Add auth and rate limiting and TLS to our public Gateway to protect it



### Pre Requisites

- [Kuadrant and Gateway API installed (with Istio as the gateway provider)](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/)
- Existing API on separate cluster accessible via HTTP from the Gateway cluster


What we want to achieve:

```
------------------- DMZ -----------------|
|
|-------------------------------- internal network -----------------------------------|
load balancer | |
| - | | |----------k8s cluster-----------| | |----- Legacy API Location --------| |
| | | | Gateway Kuadrant | | | | |
| | | | ----- ----- | | | | |
---public traffic--my.api.com-------->| | |<--| | | | | HTTP (my.api.local) Backend | |
| | | | | | ----- | | | ----- ----- | |
| | | | ----- -----------proxy---(my.api.local)-->| | ----------> | | | |
| | | | | | | ----- ----- | |
| - | | |--------------------------------| | |----------------------------------| |
| | |
|-----------------------------------------|--------------------------------------------|
|
------------------- DMZ -----------------|
```


Note for all of the resources defined here there is a copy of them under the [examples folder](https://github.com/Kuadrant/kuadrant-operator/examples/external-api-istio.yaml)

1) Deploy a Gateway into the K8s cluster that will act as the main Ingress Gateway

Define your external API hostname and Internal API hostname

```
export EXTERNAL_HOST=my.api.com
export INTERNAL_HOST=my.api.local
```

```bash
kubectl apply -n gateway-system -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
istio: ingress
name: ingress
spec:
gatewayClassName: istio
listeners:
- name: ingress-tls
port: 443
hostname: '${EXTERNAL_HOST}'
protocol: HTTPS
allowedRoutes:
namespaces:
from: All
tls:
mode: Terminate
certificateRefs:
- name: ingress-tls #you can use TLSPolicy to provide this certificate or provide it manually
kind: Secret
EOF
```

2) Optional: Use TLSPolicy to configure TLS certificates for your listeners

[TLSPolicy Guide](https://docs.kuadrant.io/latest/kuadrant-operator/doc/user-guides/gateway-tls/)

3) Optional: Use DNSPolicy to bring external traffic to the external hostname

[DNSPolicy Guide](https://docs.kuadrant.io/latest/kuadrant-operator/doc/user-guides/gateway-dns/#create-a-dns-provider-secret)

4) Ensure the Gateway has the status of `Programmed` set to `True` meaning it is ready.

```bash
kubectl get gateway ingress -n gateway-system -o=jsonpath='{.status.conditions[?(@.type=="Programmed")].status}'
```

5) Let Istio know about the external hostname and the rules it should use when sending traffic to that destination.

Create a [`ServiceEntry`](https://istio.io/latest/docs/reference/config/networking/service-entry/)

```bash
kubectl apply -n gateway-system -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: internal-api
spec:
hosts:
- ${INTERNAL_HOST} # your internal http endpoint
location: MESH_EXTERNAL
resolution: DNS
ports:
- number: 80
name: http
protocol: HTTP
- number: 443
name: https
protocol: TLS
EOF
```


Create a [`DestionationRule`](https://istio.io/latest/docs/reference/config/networking/destination-rule/) to configure how to handle traffic to this endpoint.

```bash
kubectl apply -n gateway-system -f - <<EOF
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: internal-api
spec:
host: ${INTERNAL_HOST}
trafficPolicy:
tls:
mode: SIMPLE
sni: ${INTERNAL_HOST}
EOF
```


6) Create a `HTTPRoute` that will route traffic for the Gateway and re-write the host

```bash
kubectl apply -n gateway-system -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: external-host
spec:
parentRefs:
- name: ingress
hostnames:
- ${EXTERNAL_HOST}
rules:
- backendRefs:
- name: ${INTERNAL_HOST}
kind: Hostname
group: networking.istio.io
port: 443
filters:
- type: URLRewrite
urlRewrite:
hostname: ${INTERNAL_HOST}
EOF
```

We should now be able to send requests to our external host and have the Gateway proxy requests and responses to and from the internal host.

7) (optional) Add Auth and RateLimiting to protect your public endpoint

As we are using Gateway API to define the Gateway and HTTPRoutes, we can now also apply RateLimiting and Auth to protect our public endpoints

[AuthPolicy Guide](https://docs.kuadrant.io/latest/kuadrant-operator/doc/user-guides/auth-for-app-devs-and-platform-engineers/)

[RateLimiting Guide](https://docs.kuadrant.io/latest/kuadrant-operator/doc/user-guides/gateway-rl-for-cluster-operators/)

94 changes: 94 additions & 0 deletions examples/external-api-istio.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
## Note before using this example you will need cert-manager and a clusterissuer setup
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-api
spec:
hosts:
- kuadrant.io
location: MESH_EXTERNAL
resolution: DNS
ports:
- number: 80
name: http
protocol: HTTP
- number: 443
name: https
protocol: TLS
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: external-api
spec:
host: 'kuadrant.io'
trafficPolicy:
tls:
mode: SIMPLE
sni: kuadrant.io
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: public-api
spec:
gatewayClassName: istio
listeners:
- name: public-tls
port: 443
hostname: 'public.cb.hcpapps.net'
protocol: HTTPS
allowedRoutes:
namespaces:
from: All
tls:
mode: Terminate
certificateRefs:
- name: public
kind: Secret
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: public-api
spec:
parentRefs:
- name: public-api
hostnames:
- 'public.cb.hcpapps.net'
rules:
- backendRefs:
- name: kuadrant.io
kind: Hostname
group: networking.istio.io
port: 443
filters:
- type: URLRewrite
urlRewrite:
hostname: kuadrant.io
---
apiVersion: kuadrant.io/v1
kind: TLSPolicy
metadata:
name: tls
spec:
targetRef:
name: public-api
group: gateway.networking.k8s.io
kind: Gateway
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: lets-encrypt-aws
---
apiVersion: kuadrant.io/v1
kind: DNSPolicy
metadata:
name: dns
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: public-api
providerRefs:
- name: aws-provider-credentials

0 comments on commit 81352ae

Please sign in to comment.