moving to helm-gateway chart

Author: jimangel

Makefile

@@ -1,2 +1,5 @@
+
+# lint the clusters list for duplicate values
 lint:
+    # specifically the "name" "friendlyName" and "subdomain" keys (with support for appending more fields) in ./clusters/*.yaml
 	./scripts/lint_cluster_yaml.py "./clusters/*.yaml" name friendlyName subdomain

README.md

@@ -2,13 +2,15 @@
 
 TODO:
 
-- add a makefile to lint cluster values for duplicates (cluster name / server / etc)
+- add charts to remote git-ignore for future deletion
+- update namespace for `gateway` on GKE to "work" (or mirror istio setup? Maybe rewire istio for more standard approach...)
+- move httproutes to respective workloads
 - improve workload selection / declaration + helm values (https://github.com/argoproj/argo-cd/issues/11982 - allow selector + nested helm workload values )
 - add gatekeeper locks to workload definitions
 - create secrets rotation / creation tooling
 - update external secrets to use helm values (simplify setup): https://external-secrets.io/v0.7.0/api/secretstore/
 - Document the service accounts used in GCP / dns a bit better (gcloud iam service-accounts create cloudydemo-dns01-solver + GCP GSM)
-- Move any/all CRDs to a [separate ApplicationSet](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#install-a-crd-declaration-before-using-the-resource)
+- Move any/all CRDs to a <0 sync wave (if needed, create 2 sources)
 - Warn and fix any gotemplates with no value (using defaults)
 - Use sync waves at the Application and ApplicationSet level to order (like Gateway after Istio)
 - Move certmanager secret to git (`kubectl -n cert-manager create secret generic clouddns-dns01-solver-svc-acct --from-file=$HOME/key.json`)
@@ -23,6 +25,7 @@ TODO:
 - add linting to check for matching selectors before applying
 - move `environments` config for appset into "config" directory and update kube-prometheus-stack
 - create a centralized override yaml for version upgrades (like argocd not changed in 2 places)
+- rename or append 01, 02 to high priority workloads / sync wave (like argoCD -> secrets -> istio -> gateway -> certs etc)
 
 ## Workload breakdown
 

clusters/argocd-us-tx-local-gpu-box.yaml

@@ -20,9 +20,9 @@ workloads:
   echo-server: deployed
   gateway-api-crds: deployed
   # like ingress, this is the north south ingress "Gateway API" gateway
-  gateway-api-istio-ingress: deployed
+  gateway-north-south: deployed
   certmanager: deployed
-  istio: deployed
+  oss-istio: deployed
   metrics-server: deployed
   external-secrets-operator: deployed
   gatekeeper: deployed

workloads/gateway-api-istio-ingress/applicationset/gateway-api-istio-ingress.yaml

@@ -1,13 +1,16 @@
 The central point of traffic ingress / egress
 
-TODO: chunk out domain naming better (automatic per cluster, with cert manager, etc)
+## Test
 
-## I think not needed with k8s gateway api
+```
+kustomize build workloads/gateway-north-south/config/overlays/baremetal --enable-helm
 
-k8s gateway api creates the resource and stuff...
+or
 
-This directory contains all gateway related objects (today for Istio)
+kubectl kustomize workloads/gateway-north-south/config/overlays/baremetal --enable-helm
+```
 
+## DELETE BELOW:
 
 ```
 # from: https://istio.io/latest/docs/setup/additional-setup/getting-started/

workloads/gateway-api-istio-ingress/config/base/kustomization.yaml

@@ -0,0 +1,78 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: gateway-north-south
+  namespace: argocd
+spec:
+  goTemplate: true
+  generators:
+  - git:
+      files:
+      - path: clusters/*.yaml
+      repoURL: "https://github.com/jimangel/cd.git"
+      revision: HEAD
+    selector:
+      matchLabels:
+        workloads.gateway-north-south: "deployed"
+  template:
+    metadata:
+      name: 'gateway-north-south-{{ if eq .cluster.name "in-cluster" }}local{{ else }}{{ .cluster.friendlyName }}{{ end }}'
+      labels:
+        workloadType: networking
+        environment: "{{ .themes.environment }}"
+        provider: "{{ .themes.provider }}"
+        # how is this workload deployed in argocd?
+        syncType: "kustomize-nested-helm-remote"
+        # for quick ref
+        cluster: "{{ .cluster.friendlyName }}"
+      finalizers:
+      - "resources-finalizer.argocd.argoproj.io"
+    spec:
+      project: default
+      sources:
+      - chart: out-of-pocket-cloudlab/helm-charts/unofficial-gateway-api
+        repoURL: us-central1-docker.pkg.dev
+        targetRevision: 0.1.1
+        helm:
+          values: |
+            gateway:
+              enabled: true
+              class: "istio"
+              annotations: {}
+              addresses:
+              - type: Hostname
+                value: "north-south-gateway.istio-gateway.svc.cluster.local"
+              listeners:
+              - name: http
+                protocol: HTTP
+                port: 80
+                hostname: '*.gpu-local.cloudydemo.com'
+                allowedRoutes:
+                  kinds:
+                    - kind: HTTPRoute
+                  namespaces:
+                    from: All
+              - name: https
+                protocol: HTTPS
+                port: 443
+                hostname: '*.gpu-local.cloudydemo.com'
+                tls:
+                  mode: Terminate
+                  certificateRefs:
+                  - name: gateway-http-https-wildcard-cert
+                allowedRoutes:
+                  kinds:
+                  - kind: HTTPRoute
+                  namespaces:
+                    from: All
+      destination:
+        name: '{{ .cluster.name }}'
+        namespace: 'istio-gateway'
+      syncPolicy:
+        automated: {}
+        managedNamespaceMetadata:
+          # kubectl label namespace default istio-injection=enabled
+          labels:
+            istio-injection: enabled
+        syncOptions:
+          - CreateNamespace=true

workloads/gateway-api-istio-ingress/config/overlays/baremetal/argocd-http-routes.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: gateway

workloads/gateway-api-istio-ingress/README.md workloads/gateway-north-south/README.md

@@ -1,5 +1,11 @@
 namespace: istio-gateway
 
+helmCharts:
+- name: gateway
+  version: 1.19.2
+  repo: https://istio-release.storage.googleapis.com/charts
+  releaseName: north-south-gateway
+
 resources:
 - ../../base
 - gateway.yaml

workloads/gateway-north-south/applicationset/gateway-north-south.yaml

@@ -39,7 +39,7 @@ kubectl -n istio-system kustomize --enable-helm .
 ## Run locally
 
 ```
-kustomize build --enable-helm workloads/istio/config/kustomized-helm/
+kustomize build --enable-helm workloads/oss-istio/config/overlays/staging
 
 
       ignoreDifferences:

workloads/gateway-north-south/config/base/kustomization.yaml

@@ -16,7 +16,7 @@ spec:
       revision: HEAD
     selector:
       matchLabels:
-        workloads.istio: "deployed"
+        workloads.oss-istio: "deployed"
   template:
     metadata:
       name: 'istiod-{{ if eq .cluster.name "in-cluster" }}local{{ else }}{{ .cluster.friendlyName }}{{ end }}'
@@ -35,7 +35,7 @@ spec:
       # using a kustomized helm chart to include env var for gateway api
       - repoURL: https://github.com/jimangel/cd.git
         targetRevision: HEAD
-        path: workloads/istio/config/overlays/{{ .themes.environment }}
+        path: workloads/oss-istio/config/overlays/{{ .themes.environment }}
         kustomize:
           patches:
           - target:

workloads/gateway-api-istio-ingress/config/overlays/baremetal/gateway.yaml workloads/gateway-north-south/config/overlays/baremetal/gateway.yaml

@@ -0,0 +1,2 @@
+resources:
+- ../../base