Service Protection components installation guide

Update docs/how-to/service-protection-setup.md Co-authored-by: Craig Brookes <maleck13@users.noreply.github.com>
Kuadrant · Sep 7, 2023 · 980774e · 980774e
1 parent aacb31c
commit 980774e
Show file tree

Hide file tree

Showing 4 changed files with 120 additions and 28 deletions.
diff --git a/config/kuadrant/redis/limitador/kustomization.yaml b/config/kuadrant/redis/limitador/kustomization.yaml
@@ -6,4 +6,4 @@ secretGenerator:
     literals:
       -  URL=redis://172.31.0.3:30611
     options:
-      disableNameSuffixHash: true   
+      disableNameSuffixHash: true
diff --git a/docs/how-to/kuadrant-hub-install.md b/docs/how-to/kuadrant-hub-install.md
@@ -163,4 +163,4 @@ clusterissuer.cert-manager.io/mgc-ca condition met
 
 Now that you have MGC installed and configured in your hub cluster, you can now continue with any of these follow-on guides:
 
-- Installing the Kuadrant data-plane pieces [TODO: link to this]
+- Installing the [Kuadrant Service Protection components](./service-protection-setup.md)
diff --git a/docs/how-to/ratelimiting-shared-redis.md b/docs/how-to/ratelimiting-shared-redis.md
@@ -5,8 +5,8 @@ The following document is going to show you how to deploy Redis as storage for L
 
 ## Requirements
 * Kind
-* Kuadrant operator [Walkthrough to install Kuadrant can be found here](https://github.com/Kuadrant/multicluster-gateway-controller/docs/how-to's/kuadrant-addon-walkthrough.md)
-* Gateways setup [Walkthrough to setup gateways in you clusters can be found here](https://github.com/Kuadrant/multicluster-gateway-controller/docs/how-to's/ocm-control-plane-walkthrough.md)
+* Kuadrant operator [Walkthrough to install Kuadrant can be found here](https://github.com/Kuadrant/multicluster-gateway-controller/docs/how-to/kuadrant-addon-walkthrough.md)
+* Gateways setup [Walkthrough to setup gateways in you clusters can be found here](https://github.com/Kuadrant/multicluster-gateway-controller/docs/how-to/ocm-control-plane-walkthrough.md)
 
 
  ## Installation and Setup
@@ -27,40 +27,41 @@ Open three windows, which we'll refer to throughout this walkthrough as:
     ``` bash
     kubectl get nodes -o wide
     ```
-1. If needs be, update the URL located in `config/kuadrant/redis/limitador` to include the ip address from above step.
+1. If needs be, update the URL located in `config/kuadrant/redis/limitador/kustomization.yaml` to include the internal IP address from above step.
 1. In the clusters that have Kuadrant operator installed i.e. `T1 & T3` run the following to configure limitador to use Redis as storage rather than local cluster storage:
     ```bash
-    kustomize build config/kuadrant/limitador/ | kubectl apply -f -
+    kustomize build config/kuadrant/redis/limitador/ | kubectl apply -f -
     ```
 ## Configuring Rate Limit Policies
 1. In `T1 & T3 both spoke clusters` run the following command to create a Rate Limit Policy for the HTTP route created in the walkthrough linked above called `Open Cluster Management and Multi-Cluster gateways`. The policy is limiting the route to have 8 successful requests in 10 seconds, these values can be changed to whatever you want.
 
-    ```bash
-    kubectl apply -f - <<EOF
-    apiVersion: kuadrant.io/v1beta1
-    kind: RateLimitPolicy
-    metadata:
-    name: echo-rlp
-    spec:
-    targetRef:
-        group: gateway.networking.k8s.io
-        kind: HTTPRoute
-        name: prod-web
-    rateLimits:
-        - configurations:
+```bash
+kubectl apply -f - <<EOF
+apiVersion: kuadrant.io/v1beta1
+kind: RateLimitPolicy
+metadata:
+  name: echo-rlp
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: prod-web
+  rateLimits:
+    - configurations:
         - actions:
             - generic_key:
                 descriptor_key: "limited"
                 descriptor_value: "1"
-        - rules:
-        - hosts: [ "replace.this" ]
-        limits:
-            - conditions:
-                - 'limited == "1"'
-            maxValue: 8
-            seconds: 10
-    EOF
-    ```
+      rules:
+        - hosts: [ "$MGC_SUB_DOMAIN" ]
+      limits:
+        - conditions:
+            - 'limited == "1"'
+          maxValue: 8
+          seconds: 10
+EOF
+```
+
 1.  In `T1 and T3` test the RLP you can run the following command:
     ```bash
     while true; do curl -k -s -o /dev/null -w "%{http_code}\n"  replace.this.with.host && sleep 1; done

diff --git a/docs/how-to/service-protection-setup.md b/docs/how-to/service-protection-setup.md
@@ -0,0 +1,91 @@
+# Installing Kuadrant Service Protection into an existing OCM Managed Cluster
+
+## Introduction
+This walkthrough will show you how to install and setup the Kuadrant Operator into an [OCM](https://open-cluster-management.io/) [Managed Cluster](https://open-cluster-management.io/concepts/managedcluster/).
+
+## Prerequisites
+* Access to an Open Cluster Management (>= v0.11.0) Managed Cluster, which has already been bootstrapped and registered with a hub cluster
+  * We have [a guide](./kuadrant-hub-install.md) which covers this in detail
+  * Also see:
+    * https://open-cluster-management.io/getting-started/quick-start/
+    * https://open-cluster-management.io/concepts/managedcluster/
+* OLM will need to be installed into the ManagedCluster where you want to run the Kuadrant Service Protection components
+  * See https://olm.operatorframework.io/docs/getting-started/
+* Kuadrant uses Istio as a Gateway API provider - this will need to be installed into the data plane clusters
+  * We recommend installing Istio 1.17.0, including Gateway API v0.6.2
+  * ```bash
+    # On the Hub cluster:
+    kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
+    { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.2" | kubectl apply -f -; }
+    ```
+  * See also: https://istio.io/v1.17/blog/2022/getting-started-gtwapi/
+
+
+Alternatively, if you'd like to quickly get started locally, without having to worry to much about the pre-requisites, take a look our [Quickstart Guide](./ocm-control-plane-walkthrough.md). It will get you setup with Kind, OLM, OCM & Kuadrant in a few short steps.
+
+
+## Install the Kuadrant OCM Add-On
+
+
+**Note:** if you've run our [Quickstart Guide](./ocm-control-plane-walkthrough.md), you'll be set to run this command as-is.
+
+To install the Kuadrant Service Protection components into a `ManagedCluster`, target your OCM hub cluster with `kubectl` and run:
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: addon.open-cluster-management.io/v1alpha1
+kind: ManagedClusterAddOn
+metadata:
+ name: kuadrant-addon
+ namespace: kind-mgc-workload-1
+spec:
+ installNamespace: open-cluster-management-agent-addon
+EOF
+```
+
+The above command will install the `ManagedClusterAddOn` resource needed to install the Kuadrant addon into the `kind-mgc-workload-1` namespace, and install the Kuadrant data-plane components into the `open-cluster-management-agent-addon` namespace. 
+
+The Kuadrant addon will install:
+
+* the Kuadrant Operator
+* Limitador (and its associated operator)
+* Authorino  (and its associated operator)
+
+For more details, see the Kuadrant components installed by the (kuadrant-operator)[https://github.com/Kuadrant/kuadrant-operator#kuadrant-components]
+
+### Existing Istio installations and changing the default Istio Operator name
+In the case where you have an existing Istio installation to a cluster you may encounter an issue where the Kuadrant Operator expects Istio's Operator to be named `istiocontrolplane`.
+
+The `istioctl` command saves the IstioOperator CR that was used to install Istio in a copy of the CR named `installed-state`.
+
+To let the Kuadrant operator use this existing installation, set the following:
+
+`kubectl annotate managedclusteraddon kuadrant-addon "addon.open-cluster-management.io/values"='{"IstioOperator":"installed-state"}' -n <managed spoke cluster>`
+
+This will propogate down and update the Kuadrant Operator, used by the Kuadrant OCM Addon.
+
+## Verify the Kuadrant addon installation
+
+To verify the Kuadrant OCM addon has installed currently, run:
+
+```bash
+kubectl wait --timeout=5m -n kuadrant-system deployment/authorino-operator deployment/kuadrant-operator-controller-manager deployment/limitador-operator-controller-manager --for=condition=Available
+```
+
+You should see the namespace `kuadrant-system`, and the following pods come up:
+* authorino-*value*
+* authorino-operator-*value*
+* kuadrant-operator-controller-manager-*value*
+* limitador-*value*
+* limitador-operator-controller-manager-*value*
+
+# Further Reading
+With the Kuadrant data plane components installed, here is some further reading material to help you utilise Authorino and Limitador:
+
+[Getting started with Authorino](https://docs.kuadrant.io/authorino/)
+[Getting started With Limitador](https://docs.kuadrant.io/limitador-operator/)
+
+
+
+
+