From 9707fc227d25389c6fbb48b2486a96d7c5ba6c82 Mon Sep 17 00:00:00 2001 From: eseiker Date: Wed, 16 Oct 2024 18:00:17 +0900 Subject: [PATCH] use namespaced traefik gateway each per planet --- 9c-dev/argocd/bootstrap.yaml | 3 - 9c-internal/argocd/bootstrap.yaml | 16 --- .../multiplanetary/network/9c-network.yaml | 1 + .../multiplanetary/network/heimdall.yaml | 2 + 9c-main/argocd/bootstrap.yaml | 6 - .../all-in-one/templates/gateway-route.yaml | 62 +++++++++- charts/all-in-one/values.yaml | 7 +- .../templates/aws-gateway-api-controller.yaml | 39 ------ .../bootstrap/templates/traefik-gateway.yaml | 114 ------------------ common/bootstrap/values.yaml | 11 -- .../gateway-api-controller/kustomization.yaml | 6 - 11 files changed, 69 insertions(+), 198 deletions(-) delete mode 100644 common/bootstrap/templates/aws-gateway-api-controller.yaml delete mode 100644 common/bootstrap/templates/traefik-gateway.yaml delete mode 100644 common/tools/gateway-api-controller/kustomization.yaml diff --git a/9c-dev/argocd/bootstrap.yaml b/9c-dev/argocd/bootstrap.yaml index 2648f89f3..d113648c2 100644 --- a/9c-dev/argocd/bootstrap.yaml +++ b/9c-dev/argocd/bootstrap.yaml @@ -91,9 +91,6 @@ spec: nodeGroup: general-r7g_xl_2c pyroscope: enabled: true - gatewayApi: - enabled: true - roleArn: "arn:aws:iam::319679068466:role/eks-9c-dev-v2-gateway-api-controller" destination: server: https://kubernetes.default.svc diff --git a/9c-internal/argocd/bootstrap.yaml b/9c-internal/argocd/bootstrap.yaml index 4608ec9a8..18fa9d92e 100644 --- a/9c-internal/argocd/bootstrap.yaml +++ b/9c-internal/argocd/bootstrap.yaml 
@@ -114,22 +114,6 @@ spec: pyroscope: enabled: true nodeGroup: 9c-internal-spot_2c - traefik: - enabled: true - awsLoadBalancerSubnets: public-us-east-2c-9c-internal - awsLoadBalancerSslCert: >- - arn:aws:acm:us-east-2:319679068466:certificate/e19257bd-f1fb-41a6-ae84-bbdf6b98a62f - planets: - - odin - - heimdall - ports: - grpc: 31238 - netmq: - protocol: TCP - external: 31234 - internal: - odin: 31234 - heimdall: 31235 destination: server: https://kubernetes.default.svc diff --git a/9c-internal/multiplanetary/network/9c-network.yaml b/9c-internal/multiplanetary/network/9c-network.yaml index b48cd7da1..4c892feec 100644 --- a/9c-internal/multiplanetary/network/9c-network.yaml +++ b/9c-internal/multiplanetary/network/9c-network.yaml @@ -30,6 +30,7 @@ ingress: gateway: enabled: true + hostname: gateway-internal-odin.planetarium.network services: - hostname: 9c-internal-rpc.nine-chronicles.com backendRefs: diff --git a/9c-internal/multiplanetary/network/heimdall.yaml b/9c-internal/multiplanetary/network/heimdall.yaml index baa8cd070..14d7d26a7 100644 --- a/9c-internal/multiplanetary/network/heimdall.yaml +++ b/9c-internal/multiplanetary/network/heimdall.yaml @@ -32,10 +32,12 @@ ingress: gateway: enabled: true + hostname: gateway-internal-heimdall.planetarium.network services: - hostname: heimdall-internal-rpc.nine-chronicles.com backendRefs: - name: remote-headless-1 + - name: validator-5 routes: - name: remote-headless-graphql - name: remote-headless-grpc diff --git a/9c-main/argocd/bootstrap.yaml b/9c-main/argocd/bootstrap.yaml index d4e3f26d4..924d12ca4 100644 --- a/9c-main/argocd/bootstrap.yaml +++ b/9c-main/argocd/bootstrap.yaml @@ -164,12 +164,6 @@ spec: enabled: true replicaCount: 2 nodeGroup: 9c-main-spot_2c - traefik: - enabled: true - awsLoadBalancerSubnets: public-us-east-2c-9c-main - awsLoadBalancerSslCert: >- - arn:aws:acm:us-east-2:319679068466:certificate/e19257bd-f1fb-41a6-ae84-bbdf6b98a62f - datadog: enabled: true tolerations: 
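Review bot: In the heimdall.yaml hunk, `validator-5` is added as a second backendRef for the `heimdall-internal-rpc.nine-chronicles.com` service next to `remote-headless-1`, so the GraphQL and gRPC routes listed under it now also send client traffic to a node whose name suggests it is a consensus validator. If that is deliberate (capacity, or a temporary swap), the file should say so and for how long, e.g. `# validator-5 also serves RPC here — intentional, see <ticket placeholder>`; if not, the reference is a one-line removal. Serving query load from a validator is normally avoided because a burst of client requests there degrades block production rather than just query latency. The enclosing `ingress`/`services` mapping begins outside the hunk.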
diff --git a/charts/all-in-one/templates/gateway-route.yaml b/charts/all-in-one/templates/gateway-route.yaml index fec258ba4..f9cb64ae8 100644 --- a/charts/all-in-one/templates/gateway-route.yaml +++ b/charts/all-in-one/templates/gateway-route.yaml @@ -1,4 +1,61 @@ {{- if $.Values.gateway.enabled }} +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik-{{ $.Release.Name }} + namespace: argocd +spec: + project: default + destination: + server: https://kubernetes.default.svc + namespace: {{ $.Release.Name }} + source: + repoURL: https://github.com/traefik/traefik-helm-chart/ + path: traefik + targetRevision: b8725498c2445da8ecc06f156ca69ddc1a56cce4 + helm: + values: | + image: + tag: v3.2.0-rc2 + globalArguments: [] + rbac: + namespaced: true + providers: + kubernetesGateway: + enabled: true + experimentalChannel: true + kubernetesCRD: + enabled: false + kubernetesIngress: + enabled: false + ingressClass: + enabled: false + service: + annotations: + {{- toYaml $.Values.global.service.annotations | nindent 4 }} + {{- with $.Values.gateway.hostname }} + external-dns.alpha.kubernetes.io/hostname: {{ . }} + external-dns.alpha.kubernetes.io/ttl: '60' + {{- end }} + ports: + websecure: + targetPort: web + {{- range $name, $config := $.Values.gateway.ports }} + {{ $name }}: + port: {{ $config.port | quote }} + protocol: {{ $config.portProtocol | default TCP }} + {{- end }} + gateway: + listeners: + web: + port: 8000 + protocol: HTTP + {{- range $name, $config := $.Values.gateway.ports }} + {{ $name }}: + port: {{ $config.port | quote }} + protocol: {{ $config.gatewayProtocol | default HTTP }} +--- {{- range $service := $.Values.gateway.services }} {{- range $route := $service.routes | default (list dict) }} {{- $obj := merge $route $service }} 
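Review bot: `protocol: {{ $config.portProtocol | default TCP }}` and the matching `{{ $config.gatewayProtocol | default HTTP }}` under `gateway.listeners` will not parse: inside a template action a bare word is looked up as a function, so Helm rejects the chart with an undefined-function error; the defaults must be string literals, `{{ $config.portProtocol | default "TCP" }}` and `{{ $config.gatewayProtocol | default "HTTP" }}`. The second `{{- range $name, $config := $.Values.gateway.ports }}` (the listeners one) has no `{{- end }}` before the `---` that follows it, and the unchanged lines between this hunk and the next predate the range, so the actions are unbalanced and need `{{- end }}` after the listener's `protocol:` line. `port: {{ $config.port | quote }}` in both places emits the port as a string, which the Service and Gateway listener schemas most likely reject since they expect an integer — drop `| quote`. Separately, the bootstrap template this replaces carried the load-balancer `ssl-cert`/`ssl-ports` annotations and `websecure` here targets the plain `web` listener, so unless `global.service.annotations` supplies them, TLS on 443 is not terminated anywhere — worth confirming before the per-planet gateways go live.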
@@ -10,8 +67,8 @@ metadata: namespace: {{ $.Release.Name }} spec: parentRefs: - - name: traefik-gateway - namespace: traefik + - name: traefik + namespace: {{ $.Release.Name }} sectionName: {{ $obj.sectionName | default "web" }} {{- if not (eq $obj.kind "TCPRoute") }} hostnames: @@ -28,4 +85,5 @@ spec: --- {{- end }} {{- end }} +--- {{- end }} diff --git a/charts/all-in-one/values.yaml b/charts/all-in-one/values.yaml index 6f79f6363..c551ec4fc 100644 --- a/charts/all-in-one/values.yaml +++ b/charts/all-in-one/values.yaml @@ -73,7 +73,12 @@ ingress: gateway: enabled: false - gatewayClassName: traefik + ports: + netmq: + port: 31234 + gatewayProtocol: TCP + grpc: + port: 31238 seed: count: 1 diff --git a/common/bootstrap/templates/aws-gateway-api-controller.yaml b/common/bootstrap/templates/aws-gateway-api-controller.yaml deleted file mode 100644 index fd5e40e56..000000000 --- a/common/bootstrap/templates/aws-gateway-api-controller.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- if .Values.gatewayApi.enabled }} -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: aws-gateway-api-controller - namespace: argocd -spec: - project: default - source: - repoURL: https://github.com/planetarium/9c-infra - targetRevision: main - path: common/tools/gateway-api-controller - kustomize: - patches: - - target: - kind: ServiceAccount - name: gateway-api-controller - patch: |- - - op: add - path: /metadata/annotations - value: - eks.amazonaws.com/role-arn: {{ .Values.gatewayApi.roleArn | quote }} - - target: - version: v1 - kind: Deployment - name: gateway-api-controller - patch: |- - - op: add - path: /spec/template/spec/containers/1/env/- - value: - name: DEFAULT_SERVICE_NETWORK - value: {{ .Values.clusterName }}-default - - - destination: - server: 'https://kubernetes.default.svc' - namespace: aws-application-networking-system - syncPolicy: {} -{{- end }} 
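Review bot: The parentRef now binds every route to a Gateway literally named `traefik` in the release namespace, but nothing in the new Application values sets `gateway.name`, so the Gateway's name is whatever the Traefik chart derives; as far as I recall that chart defaults it to the release fullname, which here would be `traefik-<release>` given the Application name `traefik-{{ $.Release.Name }}`, in which case no route attaches. Either add `gateway:` / `name: traefik` to the chart values in the Application, or reference the chart-derived name here — confirm against the rendered Gateway before merging. The route template around this hunk begins and ends outside it.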
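Review bot: The new `gateway.ports` map in values.yaml is undocumented, and the template that consumes it also reads a `portProtocol` key that neither entry here sets, so a reader cannot tell what the keys mean or what the defaults are. Add a comment above the map such as `# <name>: port (Service and listener port), portProtocol (Service protocol, default TCP), gatewayProtocol (Gateway listener protocol, default HTTP)`, and consider listing `portProtocol` explicitly on one entry so the third key is discoverable.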
diff --git a/common/bootstrap/templates/traefik-gateway.yaml b/common/bootstrap/templates/traefik-gateway.yaml
deleted file mode 100644
index 2f052a76a..000000000
--- a/common/bootstrap/templates/traefik-gateway.yaml
+++ /dev/null
@@ -1,114 +0,0 @@ -{{- if .Values.traefik.enabled }} -apiVersion: v1 -kind: Namespace -metadata: - name: traefik ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: traefik - namespace: argocd -spec: - project: default - destination: - server: https://kubernetes.default.svc - namespace: traefik - source: - repoURL: https://github.com/traefik/traefik-helm-chart/ - path: traefik - targetRevision: v32.1.0 - helm: - values: | - image: - tag: v3.2.0-rc2 - globalArguments: [] - providers: - kubernetesCRD: - enabled: false - kubernetesIngress: - enabled: false - kubernetesGateway: - enabled: true - experimentalChannel: true - ingressClass: - enabled: false - gateway: - enabled: false - ports: - websecure: - targetPort: {{ .Values.traefik.ports.web.internal }} - expose: - default: true - {{- range $planet := .Values.traefik.planets }} - {{ $planet }}: true - {{- end }} - {{- range $service, $_portConfig := .Values.traefik.ports }} - {{- $portConfig := kindIs "map" $_portConfig | ternary $_portConfig (dict "external" $_portConfig "internal" $_portConfig) }} - {{- if kindIs "map" $portConfig.internal }} - {{- range $planet, $port := $portConfig.internal }} - {{ $service }}-{{ $planet }}: - exposedPort: {{ $portConfig.external }} - port: {{ $port }} - expose: - {{ $planet }}: true - {{- end }} - {{- else }} - {{ $service }}: - exposedPort: {{ $portConfig.external }} - port: {{ $portConfig.internal }} - expose: - default: true - {{- range $planet := $.Values.traefik.planets }} - {{ $planet }}: true - {{- end }} - {{- end }} - {{- end }} - service: - annotations: &service-annotations - service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing - service.beta.kubernetes.io/aws-load-balancer-type: external - {{- with .Values.traefik.awsLoadBalancerSslCert }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ . 
}} - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" - {{- end }} - {{- with .Values.traefik.awsLoadBalancerSubnets }} - service.beta.kubernetes.io/aws-load-balancer-subnets: {{ . }} - {{- end }} - additionalServices: - {{- range $planet := .Values.traefik.planets }} - {{ $planet }}: - annotations: - <<: *service-annotations - {{- end }} ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: traefik-gateway - namespace: traefik -spec: - gatewayClassName: traefik - listeners: - {{- range $service, $_portConfig := .Values.traefik.ports }} - {{- $portConfig := kindIs "map" $_portConfig | ternary $_portConfig (dict "external" $_portConfig "internal" $_portConfig) }} - {{- if kindIs "map" $portConfig.internal }} - {{- range $planet, $port := $portConfig.internal }} - - name: {{ $service }}-{{ $planet }} - port: {{ $port }} - protocol: {{ $portConfig.protocol | default "HTTP" }} - allowedRoutes: - namespaces: - from: All - {{- end }} - {{- else }} - - name: {{ $service }} - port: {{ $portConfig.internal }} - protocol: {{ $portConfig.protocol | default "HTTP" }} - allowedRoutes: - namespaces: - from: All - {{- end }} - {{- end }} ---- -{{- end }} diff --git a/common/bootstrap/values.yaml b/common/bootstrap/values.yaml index 79000a5ea..c727dc606 100644 --- a/common/bootstrap/values.yaml +++ b/common/bootstrap/values.yaml @@ -56,17 +56,6 @@ pyroscope: replicaCount: 2 nodeGroup: "" -gatewayApi: - enabled: false - roleArn: "" - -traefik: - enabled: false - ports: - web: - external: 80 - internal: 8000 - datadog: enabled: false nodeGroup: "" diff --git a/common/tools/gateway-api-controller/kustomization.yaml b/common/tools/gateway-api-controller/kustomization.yaml deleted file mode 100644 index c893d32cf..000000000 --- a/common/tools/gateway-api-controller/kustomization.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: aws-application-networking-system -resources: - - https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/deploy-v1.0.6.yaml - - https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/gatewayclass.yaml