From 13b1017dc3358dd1c23d1ef182fb93035aac8831 Mon Sep 17 00:00:00 2001
From: Beppe Vanrolleghem
Date: Tue, 10 Mar 2020 12:22:21 +0100
Subject: [PATCH] help
---
 consul-helm-config-values.yaml | 863 +++++++++++++++++++++++++++++++
 consul/server-check-service.hcl | 6 +
 consul/server-check-splitter.hcl | 14 +
 deploy.yaml | 120 ++---
 helm-consul-values.yaml | 27 +
 pipeline-run.yaml | 16 +
 pipeline.yaml | 243 +++++++++
 7 files changed, 1231 insertions(+), 58 deletions(-)
 create mode 100644 consul-helm-config-values.yaml
 create mode 100644 consul/server-check-service.hcl
 create mode 100644 consul/server-check-splitter.hcl
 create mode 100644 helm-consul-values.yaml
 create mode 100644 pipeline-run.yaml
 create mode 100644 pipeline.yaml

diff --git a/consul-helm-config-values.yaml b/consul-helm-config-values.yaml
new file mode 100644
index 0000000..b9152d5
--- /dev/null
+++ b/consul-helm-config-values.yaml
@@ -0,0 +1,863 @@
+# Available parameters and their default values for the Consul chart.
+
+# global holds values that affect multiple components of the chart.
+global:
+ # enabled is the master enabled/disabled setting.
+ # If true, servers, clients, Consul DNS and the Consul UI will be enabled.
+ # Each component can override this default via its component-specific
+ # "enabled" config.
+ # If false, no components will be installed by default and per-component
+ # opt-in is required, such as by setting `server.enabled` to true.
+ enabled: true
+
+ # name sets the prefix used for all resources in the helm chart.
+ # If not set, the prefix will be "-consul".
+ name: null
+
+ # domain is the domain Consul will answer DNS queries for
+ # (see https://www.consul.io/docs/agent/options.html#_domain) and the domain
+ # services synced from Consul into Kubernetes will have,
+ # e.g. `service-name.service.consul`.
+ domain: consul
+
+ # image is the name (and tag) of the Consul Docker image for clients and
+ # servers. This can be overridden per component.
+ # This should be pinned to a specific version tag, otherwise you may
+ # inadvertently upgrade your Consul version.
+ #
+ # Examples:
+ # # Consul 1.5.0
+ # image: "consul:1.5.0"
+ # # Consul Enterprise 1.5.0
+ # image: "hashicorp/consul-enterprise:1.5.0-ent"
+ image: "consul:1.7.1"
+
+ # imageK8S is the name (and tag) of the consul-k8s Docker image that
+ # is used for functionality such as catalog sync. This can be overridden
+ # per component.
+ # Note: support for the catalog sync's liveness and readiness probes was added
+ # to consul-k8s 0.6.0. If using an older consul-k8s version, you may need to
+ # remove these checks to make the sync work.
+ # If using bootstrapACLs then must be >= 0.10.1.
+ # If using connect inject then must be >= 0.10.1.
+ # If using Consul Enterprise namespaces, must be >= 0.12.
+ imageK8S: "hashicorp/consul-k8s:0.12.0"
+
+ # datacenter is the name of the datacenter that the agents should register
+ # as. This can't be changed once the Consul cluster is up and running
+ # since Consul doesn't support an automatic way to change this value
+ # currently: https://github.com/hashicorp/consul/issues/1858.
+ datacenter: dc1
+
+ # enablePodSecurityPolicies controls whether pod
+ # security policies are created for the Consul components created by this
+ # chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
+ enablePodSecurityPolicies: false
+
+ # gossipEncryption configures which Kubernetes secret to retrieve Consul's
+ # gossip encryption key from (see https://www.consul.io/docs/agent/options.html#_encrypt).
+ # If secretName or secretKey are not set, gossip encryption will not be enabled.
+ # The secret must be in the same namespace that Consul is installed into.
+ #
+ # The secret can be created by running:
+ # kubectl create secret generic consul-gossip-encryption-key \
+ # --from-literal=key=$(consul keygen).
+ #
+ # In this case, secretName would be "consul-gossip-encryption-key" and
+ # secretKey would be "key".
+ gossipEncryption:
+ # secretName is the name of the Kubernetes secret that holds the gossip
+ # encryption key. The secret must be in the same namespace that Consul is installed into.
+ secretName: ""
+ # secretKey is the key within the Kubernetes secret that holds the gossip
+ # encryption key.
+ secretKey: ""
+
+ # bootstrapACLs will automatically create and assign ACL tokens within
+ # the Consul cluster. This requires servers to be running inside Kubernetes.
+ # Additionally requires Consul >= 1.4 and consul-k8s >= 0.10.1.
+ bootstrapACLs: false
+
+ # Enables TLS encryption across the cluster to verify authenticity of the
+ # servers and clients that connect. Note: It is HIGHLY recommended that you also
+ # enable Gossip encryption.
+ # See https://learn.hashicorp.com/consul/security-networking/agent-encryption
+ #
+ # Note: this relies on functionality introduced with Consul 1.4.1. Make sure
+ # your global.image value is at least version 1.4.1.
+ tls:
+ enabled: false
+
+ # serverAdditionalDNSSANs is a list of additional DNS names to
+ # set as Subject Alternative Names (SANs) in the server certificate.
+ # This is useful when you need to access the Consul server(s) externally,
+ # for example, if you're using the UI.
+ serverAdditionalDNSSANs: []
+
+ # serverAdditionalIPSANs is a list of additional IP addresses to
+ # set as Subject Alternative Names (SANs) in the server certificate.
+ # This is useful when you need to access Consul server(s) externally,
+ # for example, if you're using the UI.
+ serverAdditionalIPSANs: []
+
+ # If verify is true, 'verify_outgoing', 'verify_server_hostname', and
+ # 'verify_incoming_rpc' will be set to true for Consul servers and clients.
+ # Set this to false to incrementally roll out TLS on an existing Consul cluster.
+ # Note: remember to switch it back to true once the rollout is complete.
+ # Please see this guide for more details:
+ # https://learn.hashicorp.com/consul/security-networking/certificates
+ verify: true
+
+ # If httpsOnly is true, Consul will disable the HTTP port on both
+ # clients and servers and only accept HTTPS connections.
+ httpsOnly: true
+
+ # caCert is a Kubernetes secret containing the certificate
+ # of the CA to use for TLS communication within the Consul cluster.
+ # If you have generated the CA yourself with the consul CLI,
+ # you could use the following command to create the secret in Kubernetes:
+ #
+ # kubectl create secret generic consul-ca-cert \
+ # --from-file='tls.crt=./consul-agent-ca.pem'
+ caCert:
+ secretName: null
+ secretKey: null
+
+ # caKey is a Kubernetes secret containing the private key
+ # of the CA to use for TLS communications within the Consul cluster.
+ # If you have generated the CA yourself with the consul CLI,
+ # you could use the following command to create the secret in Kubernetes:
+ #
+ # kubectl create secret generic consul-ca-key \
+ # --from-file='tls.key=./consul-agent-ca-key.pem'
+ #
+ # Note that we need the CA key so that we can generate server and client certificates.
+ # It is particularly important for the client certificates since they need to have host IPs
+ # as Subject Alternative Names. In the future, we may support bringing your own server
+ # certificates.
+ caKey:
+ secretName: null
+ secretKey: null
+
+ # [Enterprise Only] enableConsulNamespaces indicates that you are running
+ # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would like to
+ # make use of configuration beyond registering everything into the `default` Consul
+ # namespace. Requires consul-k8s v0.12+.
+ # Additional configuration options are found in the `consulNamespaces` section
+ # of both the catalog sync and connect injector.
+ enableConsulNamespaces: false
+
+# Server, when enabled, configures a server cluster to run. This should
+# be disabled if you plan on connecting to a Consul cluster external to
+# the Kube cluster.
+server:
+ enabled: "-"
+ image: null
+ replicas: 3
+ bootstrapExpect: 3 # Should <= replicas count
+
+ # enterpriseLicense refers to a Kubernetes secret that you have created that
+ # contains your enterprise license. It is required if you are using an
+ # enterprise binary. Defining it here applies it to your cluster once a leader
+ # has been elected. If you are not using an enterprise image
+ # or if you plan to introduce the license key via another route, then set
+ # these fields to null.
+ enterpriseLicense:
+ secretName: null
+ secretKey: null
+
+ # storage and storageClass are the settings for configuring stateful
+ # storage for the server pods. storage should be set to the disk size of
+ # the attached volume. storageClass is the class of storage which defaults
+ # to null (the Kube cluster will pick the default).
+ storage: 10Gi
+ storageClass: null
+
+ # connect will enable Connect on all the servers, initializing a CA
+ # for Connect-related connections. Other customizations can be done
+ # via the extraConfig setting.
+ connect: true
+
+ # Resource requests, limits, etc. for the server cluster placement. This
+ # should map directly to the value of the resources field for a PodSpec,
+ # formatted as a multi-line string. By default no direct resource request
+ # is made.
+ resources: null
+
+ # updatePartition is used to control a careful rolling update of Consul
+ # servers. This should be done particularly when changing the version
+ # of Consul. Please refer to the documentation for more information.
+ updatePartition: 0
+
+ # disruptionBudget enables the creation of a PodDisruptionBudget to
+ # prevent voluntary degrading of the Consul server cluster.
+ disruptionBudget:
+ enabled: true
+
+ # maxUnavailable will default to (n/2)-1 where n is the number of
+ # replicas. If you'd like a custom value, you can specify an override here.
+ maxUnavailable: null
+
+ # extraConfig is a raw string of extra configuration to set with the
+ # server. This should be JSON.
+ extraConfig: |
+ {}
+
+ # extraVolumes is a list of extra volumes to mount. These will be exposed
+ # to Consul in the path `/consul/userconfig//`. The value below is
+ # an array of objects, examples are shown below.
+ extraVolumes: []
+ # - type: secret (or "configMap")
+ # name: my-secret
+ # load: false # if true, will add to `-config-dir` to load by Consul
+
+ # Affinity Settings
+ # Commenting out or setting as empty the affinity variable, will allow
+ # deployment to single node services such as Minikube
+ affinity: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app: {{ template "consul.name" . }}
+ release: "{{ .Release.Name }}"
+ component: server
+ topologyKey: kubernetes.io/hostname
+
+ # Toleration Settings for server pods
+ # This should be a multi-line string matching the Toleration array
+ # in a PodSpec.
+ tolerations: ""
+
+ # nodeSelector labels for server pod assignment, formatted as a multi-line string.
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ # Example:
+ # nodeSelector: |
+ # beta.kubernetes.io/arch: amd64
+ nodeSelector: null
+
+ # used to assign priority to server pods
+ # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ priorityClassName: ""
+
+ # Extra annotations to attach to the server pods
+ # This should be a multi-line string mapping directly to the a map of
+ # the annotations to apply to the server pods
+ annotations: null
+
+ # extraEnvVars is a list of extra environment variables to set with the stateful set. These could be
+ # used to include proxy settings required for cloud auto-join feature,
+ # in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure
+ # custom consul parameters.
+ extraEnvironmentVars: {}
+ # http_proxy: http://localhost:3128,
+ # https_proxy: http://localhost:3128,
+ # no_proxy: internal.domain.com
+
+# Client, when enabled, configures Consul clients to run on every node
+# within the Kube cluster. The current deployment model follows a traditional
+# DC where a single agent is deployed per node.
+client:
+ enabled: "-"
+ image: null
+ join: null
+
+ # dataDirectoryHostPath is an absolute path to a directory on the host machine
+ # to use as the Consul client data directory.
+ # If set to the empty string or null, the Consul agent will store its data
+ # in the Pod's local filesystem (which will be lost if the Pod is deleted).
+ # Security Warning: If setting this, Pod Security Policies *must* be enabled on your cluster
+ # and in this Helm chart (via the global.enablePodSecurityPolicies setting)
+ # to prevent other Pods from mounting the same host path and gaining
+ # access to all of Consul's data. Consul's data is not encrypted at rest.
+ dataDirectoryHostPath: null
+
+ # If true, Consul's gRPC port will be exposed (see https://www.consul.io/docs/agent/options.html#grpc_port).
+ # This should be set to true if connectInject or meshGateway is enabled.
+ grpc: true
+
+ # exposeGossipPorts exposes the clients' gossip ports as hostPorts.
+ # This is only necessary if pod IPs in the k8s cluster are not directly
+ # routable and the Consul servers are outside of the k8s cluster. This
+ # also changes the clients' advertised IP to the hostIP rather than podIP.
+ exposeGossipPorts: false
+
+ # Resource requests, limits, etc. for the client cluster placement. This
+ # should map directly to the value of the resources field for a PodSpec,
+ # formatted as a multi-line string. By default no direct resource request
+ # is made.
+ resources: null
+
+ # extraConfig is a raw string of extra configuration to set with the
+ # client. This should be JSON.
+ extraConfig: |
+ {}
+
+ # extraVolumes is a list of extra volumes to mount. These will be exposed
+ # to Consul in the path `/consul/userconfig//`. The value below is
+ # an array of objects, examples are shown below.
+ extraVolumes: []
+ # - type: secret (or "configMap")
+ # name: my-secret
+ # load: false # if true, will add to `-config-dir` to load by Consul
+
+ # Toleration Settings for Client pods
+ # This should be a multi-line string matching the Toleration array
+ # in a PodSpec.
+ # The example below will allow Client pods to run on every node
+ # regardless of taints
+ # tolerations: |
+ # - operator: "Exists"
+ tolerations: ""
+
+ # nodeSelector labels for client pod assignment, formatted as a multi-line string.
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ # Example:
+ # nodeSelector: |
+ # beta.kubernetes.io/arch: amd64
+ nodeSelector: null
+
+ # Affinity Settings for Client pods, formatted as a multi-line YAML string.
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ # Example:
+ # affinity: |
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: node-role.kubernetes.io/master
+ # operator: DoesNotExist
+ affinity: {}
+
+ # used to assign priority to client pods
+ # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ priorityClassName: ""
+
+ # Extra annotations to attach to the client pods
+ # This should be a multi-line string mapping directly to the a map of
+ # the annotations to apply to the client pods
+ annotations: null
+
+ # extraEnvVars is a list of extra environment variables to set with the pod. These could be
+ # used to include proxy settings required for cloud auto-join feature,
+ # in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure
+ # custom consul parameters.
+ extraEnvironmentVars: {}
+ # http_proxy: http://localhost:3128,
+ # https_proxy: http://localhost:3128,
+ # no_proxy: internal.domain.com
+
+ # dnsPolicy to use.
+ dnsPolicy: null
+
+ # updateStrategy for the DaemonSet.
+ # See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy.
+ # This should be a multi-line string mapping directly to the updateStrategy
+ # Example:
+ # updateStrategy: |
+ # rollingUpdate:
+ # maxUnavailable: 5
+ # type: RollingUpdate
+ updateStrategy: null
+
+ # snapshotAgent contains settings for setting up and running snapshot agents
+ # within the Consul clusters. They are required to be co-located with Consul
+ # clients, so will inherit the clients' nodeSelector, tolerations and affinity.
+ # This is an Enterprise feature only.
+ snapshotAgent:
+ enabled: false
+
+ # replicas determines how many snapshot agent pods are created
+ replicas: 2
+
+ # configSecret references a Kubernetes secret that should be manually created to
+ # contain the entire config to be used on the snapshot agent. This is the preferred
+ # method of configuration since there are usually storage credentials present.
+ # Snapshot agent config details:
+ # https://www.consul.io/docs/commands/snapshot/agent.html#config-file-options-
+ # To create a secret:
+ # https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-using-kubectl-create-secret
+ configSecret:
+ secretName: null
+ secretKey: null
+
+# Configuration for DNS configuration within the Kubernetes cluster.
+# This creates a service that routes to all agents (client or server)
+# for serving DNS requests. This DOES NOT automatically configure kube-dns
+# today, so you must still manually configure a `stubDomain` with kube-dns
+# for this to have any effect:
+# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers
+dns:
+ enabled: "-"
+
+ # Set a predefined cluster IP for the DNS service.
+ # Useful if you need to reference the DNS service's IP
+ # address in CoreDNS config.
+ clusterIP: null
+
+ # Extra annotations to attach to the dns service
+ # This should be a multi-line string of
+ # annotations to apply to the dns Service
+ annotations: null
+
+ui:
+ # True if you want to enable the Consul UI. The UI will run only
+ # on the server nodes. This makes UI access via the service below (if
+ # enabled) predictable rather than "any node" if you're running Consul
+ # clients as well.
+ enabled: "-"
+
+ # True if you want to create a Service entry for the Consul UI.
+ #
+ # serviceType can be used to control the type of service created. For
+ # example, setting this to "LoadBalancer" will create an external load
+ # balancer (for supported K8S installations) to access the UI.
+ service:
+ enabled: true
+ type: null
+ # This should be a multi-line string mapping directly to the a map of
+ # the annotations to apply to the UI service
+ annotations: null
+ # Additional ServiceSpec values
+ # This should be a multi-line string mapping directly to a Kubernetes
+ # ServiceSpec object.
+ additionalSpec: null
+
+# syncCatalog will run the catalog sync process to sync K8S with Consul
+# services. This can run bidirectional (default) or unidirectionally (Consul
+# to K8S or K8S to Consul only).
+#
+# This process assumes that a Consul agent is available on the host IP.
+# This is done automatically if clients are enabled. If clients are not
+# enabled then set the node selection so that it chooses a node with a
+# Consul agent.
+syncCatalog:
+ # True if you want to enable the catalog sync. Set to "-" to inherit from
+ # global.enabled.
+ enabled: false
+ image: null
+ default: true # true will sync by default, otherwise requires annotation
+
+ # toConsul and toK8S control whether syncing is enabled to Consul or K8S
+ # as a destination. If both of these are disabled, the sync will do nothing.
+ toConsul: true
+ toK8S: true
+
+ # k8sPrefix is the service prefix to prepend to services before registering
+ # with Kubernetes. For example "consul-" will register all services
+ # prepended with "consul-". (Consul -> Kubernetes sync)
+ k8sPrefix: null
+
+ # k8sAllowNamespaces is a list of k8s namespaces to sync the k8s services from.
+ # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`,
+ # services in that k8s namespace will not be synced even if they are explicitly
+ # annotated. Use ["*"] to automatically allow all k8s namespaces.
+ #
+ # For example, ["namespace1", "namespace2"] will only allow services in the k8s
+ # namespaces `namespace1` and `namespace2` to be synced and registered
+ # with Consul. All other k8s namespaces will be ignored.
+ #
+ # To deny all namespaces, set this to [].
+ #
+ # Note: `k8sDenyNamespaces` takes precedence over values defined here.
+ # Requires consul-k8s v0.12+
+ k8sAllowNamespaces: ["*"]
+
+ # k8sDenyNamespaces is a list of k8s namespaces that should not have their
+ # services synced. This list takes precedence over `k8sAllowNamespaces`.
+ # `*` is not supported because then nothing would be allowed to sync.
+ # Requires consul-k8s v0.12+.
+ #
+ # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
+ # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1"
+ # and "namespace2" will be synced.
+ k8sDenyNamespaces: ["kube-system", "kube-public"]
+
+ # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For
+ # backwards compatibility, if both this and the allow/deny lists are set,
+ # the allow/deny lists will be ignored.
+ # k8sSourceNamespace is the Kubernetes namespace to watch for service
+ # changes and sync to Consul. If this is not set then it will default
+ # to all namespaces.
+ k8sSourceNamespace: null
+
+ # [Enterprise Only] These settings manage the catalog sync's interaction with
+ # Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
+ # Also, `global.enableConsulNamespaces` must be true.
+ consulNamespaces:
+ # consulDestinationNamespace is the name of the Consul namespace to register all
+ # k8s services into. If the Consul namespace does not already exist,
+ # it will be created. This will be ignored if `mirroringK8S` is true.
+ consulDestinationNamespace: "default"
+
+ # mirroringK8S causes k8s services to be registered into a Consul namespace
+ # of the same name as their k8s namespace, optionally prefixed if
+ # `mirroringK8SPrefix` is set below. If the Consul namespace does not
+ # already exist, it will be created. Turning this on overrides the
+ # `consulDestinationNamespace` setting.
+ # `addK8SNamespaceSuffix` may no longer be needed if enabling this option.
+ mirroringK8S: false
+
+ # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
+ # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
+ # service in the k8s `staging` namespace will be registered into the
+ # `k8s-staging` Consul namespace.
+ mirroringK8SPrefix: ""
+
+ # addK8SNamespaceSuffix appends Kubernetes namespace suffix to
+ # each service name synced to Consul, separated by a dash.
+ # For example, for a service 'foo' in the default namespace,
+ # the sync process will create a Consul service named 'foo-default'.
+ # Set this flag to true to avoid registering services with the same name
+ # but in different namespaces as instances for the same Consul service.
+ # Namespace suffix is not added if 'annotationServiceName' is provided.
+ addK8SNamespaceSuffix: true
+
+ # consulPrefix is the service prefix which prepends itself
+ # to Kubernetes services registered within Consul
+ # For example, "k8s-" will register all services prepended with "k8s-".
+ # (Kubernetes -> Consul sync)
+ # consulPrefix is ignored when 'annotationServiceName' is provided.
+ # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering
+ # of existing services in Consul and registering them with a new name.
+ consulPrefix: null
+
+ # k8sTag is an optional tag that is applied to all of the Kubernetes services
+ # that are synced into Consul. If nothing is set, defaults to "k8s".
+ # (Kubernetes -> Consul sync)
+ k8sTag: null
+
+ # syncClusterIPServices syncs services of the ClusterIP type, which may
+ # or may not be broadly accessible depending on your Kubernetes cluster.
+ # Set this to false to skip syncing ClusterIP services.
+ syncClusterIPServices: true
+
+ # nodePortSyncType configures the type of syncing that happens for NodePort
+ # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.
+ # - ExternalOnly will only use a node's ExternalIP address for the sync
+ # - InternalOnly use's the node's InternalIP address
+ # - ExternalFirst will preferentially use the node's ExternalIP address, but
+ # if it doesn't exist, it will use the node's InternalIP address instead.
+ nodePortSyncType: ExternalFirst
+
+ # aclSyncToken refers to a Kubernetes secret that you have created that contains
+ # an ACL token for your Consul cluster which allows the sync process the correct
+ # permissions. This is only needed if ACLs are enabled on the Consul cluster.
+ aclSyncToken:
+ secretName: null
+ secretKey: null
+
+ # nodeSelector labels for syncCatalog pod assignment, formatted as a multi-line string.
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ # Example:
+ # nodeSelector: |
+ # beta.kubernetes.io/arch: amd64
+ nodeSelector: null
+
+ # Log verbosity level. One of "trace", "debug", "info", "warn", or "error".
+ logLevel: info
+
+ # Override the default interval to perform syncing operations creating Consul services.
+ consulWriteInterval: null
+
+# ConnectInject will enable the automatic Connect sidecar injector.
+connectInject:
+ # True if you want to enable connect injection. Set to "-" to inherit from
+ # global.enabled.
+ # Requires consul-k8s >= 0.10.1.
+ enabled: false
+ image: null # image for consul-k8s that contains the injector
+ default: false # true will inject by default, otherwise requires annotation
+
+ # The Docker image for Consul to use when performing Connect injection.
+ # Defaults to global.image.
+ imageConsul: null
+
+ # The Docker image for envoy to use as the proxy sidecar when performing
+ # Connect injection. If using Consul 1.7+, the envoy version must be 1.13+.
+ # If not set, the image used depends on the consul-k8s version. For
+ # consul-k8s 0.12.0 the default is envoyproxy/envoy-alpine:v1.13.0.
+ imageEnvoy: null
+
+ # namespaceSelector is the selector for restricting the webhook to only
+ # specific namespaces. This should be set to a multiline string.
+ # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
+ # for more details.
+ # Example:
+ # namespaceSelector: |
+ # matchLabels:
+ # namespace-label: label-value
+ namespaceSelector: null
+
+ # k8sAllowNamespaces is a list of k8s namespaces to allow Connect sidecar
+ # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
+ # pods in that k8s namespace will not be injected even if they are explicitly
+ # annotated. Use ["*"] to automatically allow all k8s namespaces.
+ #
+ # For example, ["namespace1", "namespace2"] will only allow pods in the k8s
+ # namespaces `namespace1` and `namespace2` to have Connect sidecars injected
+ # and registered with Consul. All other k8s namespaces will be ignored.
+ #
+ # To deny all namespaces, set this to [].
+ #
+ # Note: `k8sDenyNamespaces` takes precedence over values defined here and
+ # `namespaceSelector` takes precedence over both since it is applied first.
+ # `kube-system` and `kube-public` are never injected, even if included here.
+ # Requires consul-k8s v0.12+
+ k8sAllowNamespaces: ["*"]
+
+ # k8sDenyNamespaces is a list of k8s namespaces that should not allow Connect
+ # sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
+ # `*` is not supported because then nothing would be allowed to be injected.
+ #
+ # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is
+ # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1"
+ # and "namespace2" will be available for injection.
+ #
+ # Note: `namespaceSelector` takes precedence over this since it is applied first.
+ # `kube-system` and `kube-public` are never injected.
+ # Requires consul-k8s v0.12+.
+ k8sDenyNamespaces: []
+
+ # [Enterprise Only] These settings manage the connect injector's interaction with
+ # Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
+ # Also, `global.enableConsulNamespaces` must be true.
+ consulNamespaces:
+ # consulDestinationNamespace is the name of the Consul namespace to register all
+ # k8s pods into. If the Consul namespace does not already exist,
+ # it will be created. This will be ignored if `mirroringK8S` is true.
+ consulDestinationNamespace: "default"
+
+ # mirroringK8S causes k8s pods to be registered into a Consul namespace
+ # of the same name as their k8s namespace, optionally prefixed if
+ # `mirroringK8SPrefix` is set below. If the Consul namespace does not
+ # already exist, it will be created. Turning this on overrides the
+ # `consulDestinationNamespace` setting.
+ mirroringK8S: false
+
+ # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
+ # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
+ # pod in the k8s `staging` namespace will be registered into the
+ # `k8s-staging` Consul namespace.
+ mirroringK8SPrefix: ""
+
+ # The certs section configures how the webhook TLS certs are configured.
+ # These are the TLS certs for the Kube apiserver communicating to the
+ # webhook. By default, the injector will generate and manage its own certs,
+ # but this requires the ability for the injector to update its own
+ # MutatingWebhookConfiguration. In a production environment, custom certs
+ # should probably be used. Configure the values below to enable this.
+ certs:
+ # secretName is the name of the secret that has the TLS certificate and
+ # private key to serve the injector webhook. If this is null, then the
+ # injector will default to its automatic management mode that will assign
+ # a service account to the injector to generate its own certificates.
+ secretName: null
+
+ # caBundle is a base64-encoded PEM-encoded certificate bundle for the
+ # CA that signed the TLS certificate that the webhook serves. This must
+ # be set if secretName is non-null.
+ caBundle: ""
+
+ # certName and keyName are the names of the files within the secret for
+ # the TLS cert and private key, respectively. These have reasonable
+ # defaults but can be customized if necessary.
+ certName: tls.crt
+ keyName: tls.key
+
+ # nodeSelector labels for connectInject pod assignment, formatted as a multi-line string.
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ # Example:
+ # nodeSelector: |
+ # beta.kubernetes.io/arch: amd64
+ nodeSelector: null
+
+ # aclBindingRuleSelector accepts a query that defines which Service Accounts
+ # can authenticate to Consul and receive an ACL token during Connect injection.
+ # The default setting, i.e. serviceaccount.name!=default, prevents the
+ # 'default' Service Account from logging in.
+ # If set to an empty string all service accounts can log in.
+ # This only has effect if ACLs are enabled.
+ #
+ # See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
+ # and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
+ # for more details.
+ # Requires Consul >= v1.5 and consul-k8s >= v0.8.0.
+ aclBindingRuleSelector: "serviceaccount.name!=default"
+
+ # If not using global.bootstrapACLs and instead manually setting up an auth
+ # method for Connect inject, set this to the name of your auth method.
+ overrideAuthMethodName: ""
+
+ # aclInjectToken refers to a Kubernetes secret that you have created that contains
+ # an ACL token for your Consul cluster which allows the Connect injector the correct
+ # permissions. This is only needed if Consul namespaces [Enterprise only] and ACLs
+ # are enabled on the Consul cluster and you are not setting `global.bootstrapACLs`
+ # to `true`. This token needs to have `operator = "write"` privileges to be able to
+ # create Consul namespaces.
+ aclInjectToken:
+ secretName: null
+ secretKey: null
+
+ # Requires Consul >= v1.5 and consul-k8s >= v0.8.1.
+ centralConfig:
+ # enabled controls whether central config is enabled on all servers and clients.
+ # See https://www.consul.io/docs/agent/options.html#enable_central_service_config.
+ # If changing this after installation, servers and clients must be restarted
+ # for the change to take effect.
+ enabled: true
+
+ # defaultProtocol allows you to specify a convenience default protocol if
+ # most of your services are of the same protocol type. The individual annotation
+ # on any given pod will override this value.
+ # Valid values are "http", "http2", "grpc" and "tcp".
+ defaultProtocol: null
+
+ # proxyDefaults is a raw json string that will be written as the value of
+ # the "config" key of the global proxy-defaults config entry.
+ # See: https://www.consul.io/docs/agent/config-entries/proxy-defaults.html
+ # NOTE: Changes to this value after the chart is first installed have *no*
+ # effect. In order to change the proxy-defaults config after installation,
+ # you must use the Consul API.
+ proxyDefaults: |
+ {}
+
+# Mesh Gateways enable Consul Connect to work across Consul datacenters.
+meshGateway:
+ # If mesh gateways are enabled, a Deployment will be created that runs
+ # gateways and Consul Connect will be configured to use gateways.
+ # See https://www.consul.io/docs/connect/mesh_gateway.html
+ # Requirements: consul >= 1.6.0 and consul-k8s >= 0.9.0 if using global.bootstrapACLs.
+ enabled: false
+
+ # Globally configure which mode the gateway should run in.
+ # Can be set to either "remote", "local", "none" or empty string or null.
+ # See https://consul.io/docs/connect/mesh_gateway.html#modes-of-operation for + # a description of each mode. + # If set to anything other than "" or null, connectInject.centralConfig.enabled + # should be set to true so that the global config will actually be used. + # If set to the empty string, no global default will be set and the gateway mode + # will need to be set individually for each service. + globalMode: local + + # Number of replicas for the Deployment. + replicas: 2 + + # What gets registered as wan address for the gateway. + wanAddress: + # Port that gets registered. + port: 443 + + # If true, each Gateway Pod will advertise its NodeIP + # (as provided by the Kubernetes downward API) as the wan address. + # This is useful if the node IPs are routable from other DCs. + # useNodeName and host must be false and "" respectively. + useNodeIP: true + + # If true, each Gateway Pod will advertise its NodeName + # (as provided by the Kubernetes downward API) as the wan address. + # This is useful if the node names are DNS entries that are + # routable from other DCs. + # meshGateway.wanAddress.port will be used as the port for the wan address. + # useNodeIP and host must be false and "" respectively. + useNodeName: false + + # If set, each gateway Pod will use this host as its wan address. + # Users must ensure that this address routes to the Gateway pods, + # for example via a DNS entry that routes to the Service fronting the Deployment. + # meshGateway.wanAddress.port will be used as the port for the wan address. + # useNodeIP and useNodeName must be false. + host: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Whether to create a Service or not. + enabled: false + + # Type of service, ex. LoadBalancer, ClusterIP. + type: ClusterIP + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optional nodePort of the service. 
Can be used in conjunction with + # type: NodePort. + nodePort: null + + # Optional YAML string for additional annotations. + annotations: null + + # Optional YAML string that will be appended to the Service spec. + additionalSpec: null + + # Envoy image to use. For Consul v1.7+, Envoy version 1.13+ is required. + imageEnvoy: envoyproxy/envoy:v1.13.0 + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + dnsPolicy: null + + # Override the default 'mesh-gateway' service name registered in Consul. + # Cannot be used if bootstrapACLs is true since the ACL token generated + # is only for the name 'mesh-gateway'. + consulServiceName: "" + + # Port that the gateway will run on inside the container. + containerPort: 443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + hostPort: null + + # If there are no connect-enabled services running, then the gateway + # will fail health checks. You may disable health checks as a temporary + # workaround. + enableHealthChecks: true + + resources: | + requests: + memory: "128Mi" + cpu: "250m" + limits: + memory: "256Mi" + cpu: "500m" + + # By default, we set an anti affinity so that two gateway pods won't be + # on the same node. NOTE: Gateways require that Consul client agents are + # also running on the nodes alongside each gateway Pod. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + topologyKey: kubernetes.io/hostname + + # Optional YAML string to specify tolerations. 
+ tolerations: null + + # Optional YAML string to specify a nodeSelector config. + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Optional YAML string for additional annotations. + annotations: null + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + diff --git a/consul/server-check-service.hcl b/consul/server-check-service.hcl new file mode 100644 index 0000000..05c481b --- /dev/null +++ b/consul/server-check-service.hcl @@ -0,0 +1,6 @@ + +{ + "service": { + "name": "server-check" + } +} \ No newline at end of file diff --git a/consul/server-check-splitter.hcl b/consul/server-check-splitter.hcl new file mode 100644 index 0000000..e1a1458 --- /dev/null +++ b/consul/server-check-splitter.hcl @@ -0,0 +1,14 @@ + + +kind = "service-splitter" +name = "server-check" +splits = [ + { + weight = 50 + service = "server-b" + }, + { + weight = 50 + service = "server-b-test" + }, +] \ No newline at end of file diff --git a/deploy.yaml b/deploy.yaml index 447b95f..ce3802a 100644 --- a/deploy.yaml +++ b/deploy.yaml @@ -26,10 +26,12 @@ spec: server: "http" app: "project-1" expose: "true" + annotations: + "consul.hashicorp.com/connect-inject": "true" spec: containers: - name: front-end - image: beppev/server-a:master + image: beppev/server-a-consul:master imagePullPolicy: "Always" ports: - containerPort: 5000 @@ -56,10 +58,12 @@ spec: app: "project-1" version: v1 backend: "true" + annotations: + "consul.hashicorp.com/connect-inject": "true" spec: containers: - name: front-end - image: beppev/server-b:master + image: beppev/server-b-consul:master imagePullPolicy: "Always" ports: - containerPort: 6000 
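Review bot: The body registers an agent service named `server-check` with no port, check or connect stanza, so it is unclear what it is for; if it exists to satisfy the splitter in consul/server-check-splitter.hcl, what that entry actually needs is a service-defaults config entry declaring an L7 protocol, because a service-splitter is rejected for a service whose protocol is tcp. That would be `kind = "service-defaults"`, `name = "server-check"`, `protocol = "http"` applied with `consul config write`, not an agent service registration. The file also uses JSON syntax under an .hcl extension, starts with a blank line and ends without a newline; normalising it to HCL like its sibling would make the intent clearer.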
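Review bot: The split targets `server-b` and `server-b-test`, but nothing in this commit registers Consul services under those names: all four Deployments in deploy.yaml name their container `front-end` and carry no `consul.hashicorp.com/connect-service` annotation, and with the consul-k8s injector of this era the registered service name defaults to the first container's name (confirm against the injector version in use), which would make every pod an instance of one service called `front-end` that the splitter never matches. Annotate each server-b pod template with `consul.hashicorp.com/connect-service: "server-b"` or `"server-b-test"` as appropriate, or rename the splits to whatever the injector registers. The same config entry already sits commented out at the end of deploy.yaml (`# kind: service-splitter`), so keep a single copy. Like its sibling, this file starts with blank lines and ends without a trailing newline.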
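Review bot: The indentation of the added `annotations:` block is not recoverable in this view, so confirm it is a sibling of `labels:` under the pod template's metadata rather than nested beneath it; as a label it would be silently ignored by the injector. The same addition is made in @@ -56 for server-b, whereas @@ -91 (server-b experimental) and @@ -121 (server-d) only retag the image; if those pods are also meant to join the mesh — the new splitter references two server-b variants — they need the same annotation, which does not appear in their context lines. The container rename from `server-b` to `server-b-consul` is consistent with the image names pipeline.yaml now pushes, so that part looks complete.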
@@ -91,7 +95,7 @@ spec: spec: containers: - name: front-end - image: beppev/server-b:experimental + image: beppev/server-b-consul:experimental imagePullPolicy: "Always" ports: - containerPort: 6000 
@@ -121,63 +125,63 @@ spec: spec: containers: - name: front-end - image: beppev/server-d:master + image: beppev/server-d-consul:master ports: - containerPort: 6000 ---- -apiVersion: v1 -kind: Service -metadata: - name: expose-service - # namespace: consul-project-1 - annotations: - "consul.hashicorp.com/connect-inject": "true" #dit is hoe consul injection handled - labels: - app: "project-1" -spec: - selector: - expose: "true" - ports: - - name: http - protocol: TCP - port: 5000 - targetPort: 5000 - nodePort: 30036 - type: NodePort ---- -apiVersion: v1 -kind: Service -metadata: - name: server-check - # namespace: consul-project-1 - annotations: - "consul.hashicorp.com/connect-inject": "true" #dit is hoe consul injection handled - labels: - app: "project-1" -spec: - selector: - backend: "true" - ports: - - name: http - protocol: TCP - port: 6000 ---- -apiVersion: v1 -kind: Service -metadata: - name: mirror-service - # namespace: consul-project-1 - annotations: - "consul.hashicorp.com/connect-inject": "true" #dit is hoe consul injection handled - labels: - app: "project-1" -spec: - selector: - mirror: "true" - ports: - - name: http - protocol: TCP - port: 6000 +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: expose-service +# # namespace: consul-project-1 +# annotations: +# "consul.hashicorp.com/connect-inject": "true" #dit is hoe consul injection handled +# labels: +# app: "project-1" +# spec: +# selector: +# expose: "true" +# ports: +# - name: http +# protocol: TCP +# port: 5000 +# targetPort: 5000 +# nodePort: 30036 +# type: NodePort +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: server-check +# # namespace: consul-project-1 +# annotations: +# "consul.hashicorp.com/connect-inject": "true" #dit is hoe consul injection handled +# labels: +# app: "project-1" +# spec: +# selector: +# backend: "true" +# ports: +# - name: http +# protocol: TCP +# port: 6000 +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: mirror-service +# 
# namespace: consul-project-1 +# annotations: +# "consul.hashicorp.com/connect-inject": "true" #dit is hoe consul injection handled +# labels: +# app: "project-1" +# spec: +# selector: +# mirror: "true" +# ports: +# - name: http +# protocol: TCP +# port: 6000 --- # kind: service-splitter # name: server-check diff --git a/helm-consul-values.yaml b/helm-consul-values.yaml new file mode 100644 index 0000000..4191114 --- /dev/null +++ b/helm-consul-values.yaml @@ -0,0 +1,27 @@ +# Choose an optional name for the datacenter +global: + datacenter: minikube + +# Enable the Consul Web UI via a NodePort +ui: + service: + type: 'NodePort' + +# Enable Connect for secure communication between nodes +connectInject: + enabled: true + k8sAllowNamespaces: ["*"] + k8sDenyNamespaces: [] + +client: + enabled: true + +# Use only one Consul server for local development +server: + service: + type: 'NodePort' + replicas: 1 + bootstrapExpect: 1 + disruptionBudget: + enabled: true + maxUnavailable: 0 diff --git a/pipeline-run.yaml b/pipeline-run.yaml new file mode 100644 index 0000000..ff6fcb6 --- /dev/null +++ b/pipeline-run.yaml @@ -0,0 +1,16 @@ +apiVersion: tekton.dev/v1alpha1 +kind: PipelineRun +metadata: + name: application-pipeline-run + namespace: tekton-pipeline-istio-project-1 +spec: + serviceAccountName: service-acc + pipelineRef: + name: application-pipeline + resources: + - name: git-master + resourceRef: + name: git-master + - name: git-experimental + resourceRef: + name: git-experimental \ No newline at end of file diff --git a/pipeline.yaml b/pipeline.yaml new file mode 100644 index 0000000..a7eeef0 --- /dev/null +++ b/pipeline.yaml 
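Review bot: Fifty-odd lines of the three Service objects are commented out instead of deleted; git already holds the previous version, so delete them to keep deploy.yaml readable (the commented-out splitter that follows in the context lines has the same problem). Dropping `expose-service` also removes the only NodePort (30036) that exposed server-a, and the commit shows no replacement entry point, so check that this is intended rather than an accidental loss of access. The removed Services also carried `consul.hashicorp.com/connect-inject` on a Service object, where the injector ignores it; the earlier hunks now put it on pod templates, which is the correct place, so there is nothing to preserve from these blocks.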
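Review bot: `connectInject.k8sDenyNamespaces: []` combined with `k8sAllowNamespaces: ["*"]` lets the injector mutate pods in every namespace, including `kube-system` and `kube-public`, which the chart excludes by default; keep the default deny list unless injection into system namespaces is really wanted. The values set neither `global.bootstrapACLs` nor `global.tls.enabled`, so Connect intentions are default-allow, the agent HTTP API is plaintext, and the UI published via `ui.service.type: NodePort` is unauthenticated — fine for the `minikube` datacenter this names, but a header comment such as `# Local-development values: no ACLs, no TLS, UI exposed on a NodePort. Do not reuse for a shared cluster.` would stop it being copied elsewhere. For the service-splitter in consul/server-check-splitter.hcl to be accepted, the split service must have an L7 protocol, e.g. `connectInject.centralConfig.defaultProtocol: http` here or a `consul.hashicorp.com/connect-service-protocol` annotation on each pod template.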
@@ -0,0 +1,243 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: tekton-pipeline-istio-project-1 + labels: + istio-injection: enabled #zorgt voor auto sidecar injection +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: service-acc + namespace: tekton-pipeline-istio-project-1 +secrets: + - name: regcred +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: allow-creation +rules: + - apiGroups: + - "" + - "apps" + - "deploy" + - "networking.istio.io" + resources: + - pods + - serviceaccounts + - namespaces + - services + - deployments + - deployments.apps + - destinationrules + - gateways + - virtualservices + verbs: + - list + - watch + - get + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: allow-creation-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: allow-creation +subjects: + - kind: ServiceAccount + name: service-acc + namespace: tekton-pipeline-istio-project-1 +--- +apiVersion: tekton.dev/v1alpha1 +kind: PipelineResource +metadata: + name: git-master + namespace: tekton-pipeline-istio-project-1 +spec: + type: git + params: + - name: revision + value: consul + - name: url + value: git://github.com/beppevanrolleghem/cicdTest +--- +apiVersion: tekton.dev/v1alpha1 +kind: PipelineResource +metadata: + name: git-experimental + namespace: tekton-pipeline-istio-project-1 +spec: + type: git + params: + - name: revision + value: consul-experimental + - name: url + value: git://github.com/beppevanrolleghem/cicdTest +--- +apiVersion: tekton.dev/v1alpha1 +kind: Task +metadata: + name: build-and-push + namespace: tekton-pipeline-istio-project-1 +spec: + inputs: + resources: + - name: git-source + type: git + params: + - name: context + description: The path to the build context, used by Kaniko - within the workspace + default: . 
+ - name: image-name + description: dockerhub url + - name: version + description: image-version (for instance latest or beta) + steps: + - name: build-and-push + image: gcr.io/kaniko-project/executor + env: + - name: "DOCKER_CONFIG" + value: "/tekton/home/.docker/" + command: + - /kaniko/executor + args: + - "--dockerfile=$(inputs.resources.git-source.path)/$(inputs.params.context)/dockerfile" + - "--destination=beppev/$(inputs.params.image-name):$(inputs.params.version)" + - "--context=$(inputs.resources.git-source.path)/$(inputs.params.context)/" +--- +apiVersion: tekton.dev/v1alpha1 +kind: Task +metadata: + name: destroy-application + namespace: tekton-pipeline-istio-project-1 +spec: + inputs: + resources: + - name: git-source + type: git + steps: + - name: delete-old-deployment + image: lachlanevenson/k8s-kubectl + command: ["kubectl"] + args: + - "delete" + - "--ignore-not-found" + - "-f" + - "$(inputs.resources.git-source.path)/deploy.yaml" +--- +apiVersion: tekton.dev/v1alpha1 +kind: Task +metadata: + name: deploy-application + namespace: tekton-pipeline-istio-project-1 +spec: + inputs: + resources: + - name: git-source + type: git + steps: + - name: deploy-new-app + image: lachlanevenson/k8s-kubectl + command: ["kubectl"] + args: + - "apply" + - "-f" + - "$(inputs.resources.git-source.path)/deploy.yaml" +--- +apiVersion: tekton.dev/v1alpha1 +kind: Pipeline +metadata: + name: application-pipeline + namespace: tekton-pipeline-istio-project-1 +spec: + resources: + - name: git-master + type: git + - name: git-experimental + type: git + tasks: + # - name: destroy-application #@TODO make it so that the delete can be skipped if error + # taskRef: + # name: destroy-application + # resources: + # inputs: + # - name: git-source + # resource: git-master + - name: build-and-push-a + taskRef: + name: build-and-push + params: + - name: context + value: "serverA" + - name: image-name + value: "server-a-consul" + - name: version + value: "master" + resources: + inputs: + 
- name: git-source + resource: git-master + - name: build-and-push-b-stable + taskRef: + name: build-and-push + params: + - name: context + value: "serverB" + - name: image-name + value: "server-b-consul" + - name: version + value: "master" + resources: + inputs: + - name: git-source + resource: git-master + - name: build-and-push-b-experimental + taskRef: + name: build-and-push + params: + - name: context + value: "serverB" + - name: image-name + value: "server-b-consul" + - name: version + value: "experimental" + resources: + inputs: + - name: git-source + resource: git-experimental + - name: build-and-push-d + taskRef: + name: build-and-push + params: + - name: context + value: "serverD" + - name: image-name + value: "server-d-consul" + - name: version + value: "master" + resources: + inputs: + - name: git-source + resource: git-master + - name: deploy-application #@TODO make it so that the delete can be skipped if error + taskRef: + name: deploy-application + runAfter: + - build-and-push-d + - build-and-push-b-experimental + - build-and-push-a + - build-and-push-b-stable + #- destroy-application + resources: + inputs: + - name: git-source + resource: git-master +# DO NOT FORGET TO SET REGCREDS FOR DOCKER \ No newline at end of file
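Review bot: The `allow-creation` ClusterRole bound to `service-acc` is far broader than the pipeline needs: the tasks only run `kubectl apply`/`delete -f deploy.yaml`, yet the role grants create, update and delete on `namespaces` and `serviceaccounts` cluster-wide, so a compromised build step (Kaniko builds whatever the fetched repository contains) could create or destroy namespaces anywhere. Two rule entries are also dead weight: there is no API group named `deploy`, and `deployments.apps` is not a resource name (RBAC matches the plural `deployments` under apiGroup `apps`). Scope it as a namespaced Role/RoleBinding in the namespace deploy.yaml targets, as sketched below, unless deploy.yaml itself creates namespaces or service accounts (not visible here). Separately, both PipelineResources fetch over `git://`, which provides neither transport authentication nor integrity, and the task images `gcr.io/kaniko-project/executor` and `lachlanevenson/k8s-kubectl` are unpinned; use `https://github.com/beppevanrolleghem/cicdTest` and pin a tag or digest. The `istio-injection: enabled` label on the Tekton namespace is also surprising in a commit that moves to Consul Connect, and an Istio sidecar in task pods commonly keeps them from completing.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allow-creation
  # the namespace deploy.yaml is applied into; adjust if it differs
  namespace: tekton-pipeline-istio-project-1
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
    verbs:
      - list
      - watch
      - get
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - list
      - watch
      - get
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - networking.istio.io
    resources:
      - destinationrules
      - gateways
      - virtualservices
    verbs:
      - list
      - watch
      - get
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-creation-binding
  namespace: tekton-pipeline-istio-project-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: allow-creation
# … unchanged: subjects (service-acc) …
# … unchanged: PipelineResources, Tasks and Pipeline …
```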