finish initial adaptation of the zrok chart to the 0.4 spec
qrkourier committed Jan 10, 2024
1 parent d1740fc commit c334c0d
Showing 11 changed files with 88 additions and 159 deletions.
6 changes: 6 additions & 0 deletions charts/zrok/Chart.lock
@@ -0,0 +1,6 @@
dependencies:
- name: influxdb2
repository: https://helm.influxdata.com/
version: 2.1.2
digest: sha256:593ad80cdb950ba06661eb0ca162d553c53798a516106a4884b11d295564c927
generated: "2024-01-10T15:48:32.414997813-05:00"
16 changes: 16 additions & 0 deletions charts/zrok/minimal-values.yml
@@ -0,0 +1,16 @@
controller:
ingress:
enabled: true
scheme: http
className: nginx
hosts: ["ctrl.zrok.192.168.49.2.sslip.io"]

frontend:
ingress:
enabled: true
scheme: http
className: nginx
hosts: ["share.zrok.192.168.49.2.sslip.io"]

ziti:
advertisedHost: ziti-controller-client.miniziti.svc.cluster.local
6 changes: 2 additions & 4 deletions charts/zrok/templates/NOTES.txt
Expand Up @@ -13,12 +13,10 @@ To learn more about the release, try:
$ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
$ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}

1. Get the application URL by running these commands:
1. Test the zrok API by running these commands:
{{- if .Values.controller.ingress.enabled }}
{{- range $host := .Values.controller.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.controller.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
curl -sSf http{{ if $.Values.controller.ingress.tls }}s{{ end }}://{{ . }}/api/v1/version
{{- end }}
{{- else if contains "NodePort" .Values.controller.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "zrok.fullname" . }})
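Review bot: The new curl line reads the host as `{{ . }}` while the `range` on the context line above it still binds `$host`, which nothing in the hunk uses any more; either drop the binding, `{{- range .Values.controller.ingress.hosts }}`, or write the URL with `$host` so the loop reads consistently. Since the hosts are now plain strings (matching the `{{ . | quote }}` change in controller-ingress.yaml), the `{{ . }}` form is correct as it stands. The NOTES template continues above and below this hunk.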
12 changes: 6 additions & 6 deletions charts/zrok/templates/controller-deployment.yaml
Expand Up @@ -35,7 +35,7 @@ spec:
{{- end }}
volumeMounts:
{{- if .Values.controller.persistence.enabled }}
- name: database
- name: persistence
mountPath: {{ .Values.controller.persistence.mount_dir }}
{{- end }}
# not yet used, but here for when it's possible to configure explicit trust of the Ziti Mgmt API's server cert
Expand Down Expand Up @@ -63,7 +63,7 @@ spec:
mountPath: /usr/local/bin/bootstrap-ziti.bash
subPath: bootstrap-ziti.bash
readOnly: true
- name: database
- name: persistence
mountPath: {{ .Values.controller.persistence.mount_dir }}
readOnly: false
# not yet used, but here for when it's possible to configure explicit trust of the Ziti Mgmt API's server cert
Expand Down Expand Up @@ -94,8 +94,8 @@ spec:
- name: zrok-config
mountPath: /etc/zrok
readOnly: true
- name: database
mountPath: /var/lib/zrok
- name: persistence
mountPath: {{ .Values.controller.persistence.mount_dir }}
readOnly: false
ports:
- name: http
Expand Down Expand Up @@ -146,7 +146,7 @@ spec:
- key: {{ .Values.ziti.ca_cert_file }}
path: {{ .Values.ziti.ca_cert_file }}}
{{- if .Values.controller.persistence.enabled }}
- name: database
- name: persistence
persistentVolumeClaim:
claimName: {{ include "zrok.fullname" . }}-database
claimName: {{ include "zrok.fullname" . }}-persistence
{{- end }}
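Review bot: The context line `path: {{ .Values.ziti.ca_cert_file }}}` in the `-146` hunk has a stray third `}`, so the rendered projected item path ends in a literal `}` and no longer matches the `key` line above it; it predates this commit but sits in the touched block, `path: {{ .Values.ziti.ca_cert_file }}`. The renamed `persistence` volume in that hunk is wrapped in `{{- if .Values.controller.persistence.enabled }}`, yet the `persistence` mounts in the `-63` and `-94` hunks show no such guard in view — if none sits above them, disabling persistence leaves volumeMounts that reference a volume the pod does not declare, and the `-35` hunk shows the guarded form to copy. `claimName: {{ include "zrok.fullname" . }}-persistence` assumes the PVC template was renamed in the same commit; that file is not among the sections shown here, so confirm.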
10 changes: 4 additions & 6 deletions charts/zrok/templates/controller-ingress.yaml
Expand Up @@ -38,13 +38,12 @@ spec:
{{- end }}
rules:
{{- range .Values.controller.ingress.hosts }}
- host: {{ .host | quote }}
- host: {{ . | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
- path: /
{{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: ImplementationSpecific
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
Expand All @@ -56,6 +55,5 @@ spec:
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
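Review bot: `pathType: ImplementationSpecific` on the new catch-all `/` rule delegates matching semantics to whichever ingress controller handles the class; for a prefix route the spec-defined `Prefix` behaves the same everywhere, `pathType: Prefix`. The `semverCompare ">=1.18-0"` guard around it is kept even though `pathType` is required on `networking.k8s.io/v1`, which the `>=1.19-0` branch just below selects for the backend; harmless, but a one-line comment saying the guard exists only for the pre-1.19 API would save the next reader the question. The rule block continues past the hunk.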
147 changes: 24 additions & 123 deletions charts/zrok/templates/controller-secrets-configmap.yaml
@@ -1,5 +1,10 @@
# this manifest contains the secrets and configmaps used by the zrok controller
# both are in one file to allow for generating the secrets with sprig functions

# $influxAdminToken must be defined even if not used because Helm evaluates all vars in the template irrespective of
# their enclosing conditional statement
{{- $influxAdminToken := randAlphaNum 32 | b64enc }}

---
apiVersion: v1
kind: Secret
Expand Down Expand Up @@ -35,6 +40,7 @@ data:
admin-password: {{ .Values.ziti.password | b64enc | quote }}

---
{{- if .Values.influxdb2.adminUser.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -53,7 +59,7 @@ data:
# set the secret values..
admin-token: {{ $influxAdminToken | quote }}
admin-password: {{ $influxAdminPassword | quote }}

{{- end }}
---
apiVersion: v1
kind: ConfigMap
Expand Down Expand Up @@ -85,124 +91,12 @@ data:
# granted permission to create secrets in this namespace by SA managed by this chart
kubectl -n {{ .Release.Namespace }} create secret generic \
{{ include "zrok.fullname" . }}-frontend-identity \
--from-file=frontend.json="${HOME}/.zrok/identities/frontend.json"
--from-file=public.json="${HOME}/.zrok/identities/public.json"
# while true;do sleep 1;done
ctrl.yaml: |-
{{- if eq (.Values.controller.specVersion|toString) "2" }}
# _____ __ ___ | | __
# |_ / '__/ _ \| |/ /
# / /| | | (_) | <
# /___|_| \___/|_|\_\
# controller configuration
#
# The `v` field determines the configuration version. When software is released that changes the structure of the
# configuration, the software will expect this field to be incremented. This protects you against invalid configuration
# versions.
#
v: 2
admin:
# The `secrets` array contains a list of strings that represent valid `ZROK_ADMIN_TOKEN` values to be used for
# administration of the `zrok` controller.
#
# Change this for your installation.
#
secrets:
- {{ $zrokAdminToken | b64dec | quote }}
# if `tou_link` is present, the frontend will display the "Terms of Use" link on the login and registration forms
#
tou_link: '<a href="https://google.com" target="_">Terms and Conditions</a>'
# The `endpoint` section determines where the HTTP listener that serves the API and web console will be bound.
#
endpoint:
host: 0.0.0.0
port: {{ .Values.controller.service.containerPort }}
# Outbound email configuration.
#
{{- if .Values.controller.email.host }}
email:
{{- .Values.controller.email | toYaml | nindent 12 }}
# Configure the generated URL for the registration email. The registration token will be appended to this URL.
#
registration:
registration_url_template: {{ .Values.controller.ingress.scheme }}://{{ (index .Values.controller.ingress.hosts 0).host }}/register
token_strategy: store
# Configure the generated URL for password resets. The reset token will be appended to this URL.
#
reset_password:
reset_url_template: {{ .Values.controller.ingress.scheme }}://{{ (index .Values.controller.ingress.hosts 0).host }}/resetPassword
{{- end }}
# InfluxDB configuration. InfluxDB is used to support sparkline displays in the web console.
#
{{- if .Values.controller.metrics.enabled }}
influx:
{{- if .Values.influxdb2.enabled }}
# use the InfluxDB instance deployed by the subchart.
url: {{ printf "http://%s.%s.svc:%s" (include "influxdb2.fullname" .Subcharts.influxdb2) .Release.Namespace .Values.influxdb2.service.port | quote }}
{{- else }}
# otherwise, use the InfluxDB instance specified by the `influxdb2.service.url`
url: {{ .Values.influxdb2.service.url | quote }}
{{- end }}
bucket: zrok
org: zrok
token: {{ $influxAdminToken | b64dec | quote }}
{{- end }}
# Instance-wide limits for per-user limits. `-1` represents unlimited. Each user can have the `limitless` flag set on
# their record in the `accounts` table in the database, to allow the user to ignore the instance-wide limits.
#
limits:
environments: -1
shares: -1
# Background maintenance job configuration. The `registration` job purges registration requests created through the
# `zrok invite` tool. The `reset_password` job purges password reset requests.
#
maintenance:
registration:
expiration_timeout: 24h
check_frequency: 1h
batch_limit: 500
reset_password:
expiration_timeout: 15m
check_frequency: 15m
batch_limit: 500
# The name of the service used to report metrics from the frontends (`zrok access public`) to the zrok controller
# fleet.
#
metrics:
service_name: metrics
# Configure the controller database. Supports either PostgreSQL or sqlite3.
#
# sqlite3 only supports a single controller instance. To run multiple controllers, you must use PostgreSQL.
#
#store:
# path: "host=127.0.0.1 user=zrok password=zrok dbname=zrok"
# type: "postgres"
#
store:
path: {{ .Values.controller.persistence.mount_dir }}/zrok.sqlite3
type: sqlite3
# Ziti configuration.
#
ziti:
api_endpoint: https://{{ .Values.ziti.advertisedHost }}:{{ .Values.ziti.advertisedPort }}
username: {{ .Values.ziti.username | quote }}
password: {{ .Values.ziti.password | quote }}
{{- end }}
{{- if eq (.Values.controller.specVersion|toString) "3" }}
# _____ __ ___ | | __
# |_ / '__/ _ \| |/ /
Expand All @@ -224,7 +118,7 @@ data:
# Change this for your installation.
#
secrets:
- {{ $zrokAdminToken | b64dec | quote }}
- {{ $zrokAdminToken | b64dec | quote }}
# if `tou_link` is present, the frontend will display the "Terms of Use" link on the login and registration forms
#
# tou_link: '<a href="https://google.com" target="_">Terms and Conditions</a>'
Expand All @@ -249,26 +143,31 @@ data:
host: 0.0.0.0
port: {{ .Values.controller.service.containerPort }}
{{- if .Values.controller.email.host }}
# Outbound email configuration.
#
{{- if .Values.controller.email.host }}
email:
{{- .Values.controller.email | toYaml | nindent 12 }}
# Configure the generated URL for the registration email. The registration token will be appended to this URL.
#
registration:
registration_url_template: {{ .Values.controller.ingress.scheme }}://{{ (index .Values.controller.ingress.hosts 0).host }}/register
# Set `token_strategy` to `store` to require an invite token
#
token_strategy: store
# Configure the generated URL for password resets. The reset token will be appended to this URL.
#
reset_password:
reset_url_template: {{ .Values.controller.ingress.scheme }}://{{ (index .Values.controller.ingress.hosts 0).host }}/resetPassword
{{- end }}
# Set `token_strategy` to `store` to require an invite token
#
invites:
invites_open: {{ .Values.controller.invites.open }}
{{- if .Values.controller.invites.token_required }}
token_strategy: store
{{- end }}
# Service instance limits configuration.
#
# See `docs/guides/metrics-and-limits/configuring-limits.md` for details.
Expand All @@ -289,6 +188,8 @@ data:
check_frequency: 15m
batch_limit: 500
{{- if .Values.controller.metrics.enabled }}
# Metrics configuration for the zrok controller.
#
metrics:
Expand All @@ -311,9 +212,9 @@ data:
path: {{ .Values.controller.metrics.fileSource.path | quote }}
{{- end }}
#
# The `influx` section configures access to the InfluxDB instance used to store `zrok` metrics.
# The `influx` section configures access to the InfluxDB instance used to store `zrok` metrics, you may
# provide the influx instance by installing the subchart or by providing the `influxdb2.service.url` value.
#
{{- if .Values.controller.metrics.enabled }}
influx:
{{- if .Values.influxdb2.enabled }}
# use the InfluxDB instance deployed by the subchart.
Expand All @@ -325,7 +226,7 @@ data:
bucket: zrok
org: zrok
token: {{ $influxAdminToken | b64dec | quote }}
{{- end }}
{{- end }}
# Configure the controller database. Supports either PostgreSQL or sqlite3.
#
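Review bot: `registration_url_template` and `reset_url_template` in the v3 block still read `(index .Values.controller.ingress.hosts 0).host`, but this commit turns `controller.ingress.hosts` into a list of plain strings (controller-ingress.yaml ranges with `{{ . | quote }}`, NOTES.txt uses `{{ . }}`, minimal-values.yml lists `["ctrl.zrok..."]`), so the template fails to render whenever `controller.email.host` is set; change both to `{{ index .Values.controller.ingress.hosts 0 }}`. Those two lines appear only as context in the `-249` hunk, so they presumably survive on the new side — confirm. Separately, `$influxAdminToken` is drawn from `randAlphaNum 32` at the top of the file on every render, so each `helm upgrade` rotates the token written into the influx Secret and into `ctrl.yaml` unless something outside these hunks reuses the existing value (a `lookup` of the already-created Secret is the usual way to pin it). Note also that `ctrl.yaml`, which embeds the zrok admin token and the influx token, is rendered into a ConfigMap rather than a Secret, so anyone with configmap read access in the namespace can read them; that predates this commit but is worth a follow-up.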
10 changes: 5 additions & 5 deletions charts/zrok/templates/frontend-configmap.yaml
Expand Up @@ -21,15 +21,15 @@ data:
# find Ziti ID of frontend
FRONTEND_ID=$(
ziti edge list identities 'name="frontend"' --csv \
| awk -F, '$2~/frontend/ {print $1;}'
ziti edge list identities 'name="public"' --csv \
| awk -F, '$2~/public/ {print $1;}'
)
until [[ -n "$FRONTEND_ID" ]]; do
echo "DEBUG: waiting for frontend identity to be created"
sleep 3
FRONTEND_ID=$(
ziti edge list identities 'name="frontend"' --csv \
| awk -F, '$2~/frontend/ {print $1;}'
ziti edge list identities 'name="public"' --csv \
| awk -F, '$2~/public/ {print $1;}'
)
done
echo "DEBUG: FRONTEND_ID=$FRONTEND_ID"
Expand All @@ -56,7 +56,7 @@ data:
# / /| | | (_) | <
# /___|_| \___/|_|\_\
# frontend configuration
v: {{ .Values.frontend.specVersion }}
host_match: {{ .Values.dnsZone | quote }}
address: 0.0.0.0:{{ .Values.frontend.service.containerPort }}
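Review bot: The identity lookup is written out twice, once before the `until` loop and once inside it, and this commit had to change both copies in lock-step (`frontend` → `public`), which is exactly the duplication that drifts; folding the lookup into the loop condition leaves a single copy. The variable and the debug message still say `frontend` while the identity is now named `public`; fine if intentional, but a short comment saying the public frontend identity is named `public` in 0.4 would help. In the awk filter, `$2~/public/` is a substring match that would also accept a name such as `public-old` (constructed example) should the `name="public"` filter ever be loosened; `$2 == "public"` is the exact form if column 2 holds the bare name — confirm against the csv output.
```shell
# wait until the public identity exists; one copy of the lookup
until FRONTEND_ID=$(
  ziti edge list identities 'name="public"' --csv \
  | awk -F, '$2 == "public" {print $1;}'
) && [[ -n "$FRONTEND_ID" ]]; do
  echo "DEBUG: waiting for frontend identity to be created"
  sleep 3
done
echo "DEBUG: FRONTEND_ID=$FRONTEND_ID"
```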
12 changes: 10 additions & 2 deletions charts/zrok/templates/frontend-deployment.yaml
Expand Up @@ -99,6 +99,9 @@ spec:
- name: frontend-identity
mountPath: {{ .Values.frontend.homeDir }}/.zrok/identities
readOnly: true
- name: persistence
mountPath: /var/lib/zrok
readOnly: false
ports:
- name: http
containerPort: {{ .Values.frontend.service.containerPort }}
Expand Down Expand Up @@ -152,6 +155,11 @@ spec:
secretName: {{ include "zrok.fullname" . }}-frontend-identity
defaultMode: 0444
items:
- key: frontend.json
path: frontend.json
- key: public.json
path: public.json
{{- if .Values.controller.persistence.enabled }}
- name: persistence
persistentVolumeClaim:
claimName: {{ include "zrok.fullname" . }}-persistence
{{- end }}
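Review bot: The new `persistence` volumeMount on the frontend container (`-99` hunk) is unconditional as shown, while the matching volume in the `-152` hunk is wrapped in `{{- if .Values.controller.persistence.enabled }}`, so with persistence disabled the pod spec references a volume it does not declare and the API server rejects the Deployment; wrap the mount in the same condition unless a guard sits above the hunk. The mountPath is hard-coded to `/var/lib/zrok` where the controller deployment in this same commit switched to `{{ .Values.controller.persistence.mount_dir }}`; use the same value so the two pods agree. Sharing the controller's claim also gives the public-facing frontend read-write access to the sqlite database the controller keeps on it (`store.path` in ctrl.yaml), and a ReadWriteOnce claim cannot attach to both pods if they land on different nodes — if the frontend needs only a subset of that data, a separate claim or `readOnly: true` would be the smaller grant.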

