Merge pull request #157 from dystewart/external
Configure ingressController to use routeSelector and configure external ingress service
larsks authored Nov 22, 2022
2 parents 3d92d3e + 3bb77c2 commit 61a0dfc
Showing 11 changed files with 168 additions and 4 deletions.
@@ -0,0 +1,16 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: external-apps-ingress-certificate
namespace: openshift-ingress-operator
spec:
secretStoreRef:
name: nerc-secret-store
kind: SecretStore
target:
name: external-apps-ingress-certificate
template:
type: kubernetes.io/tls
dataFrom:
- extract:
key: nerc/nerc-ocp-prod/openshift-ingress/external-apps-ingress-certificate
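Review bot: The generated secret lands in `openshift-ingress-operator` (the `namespace:` under metadata and the `target.name` in the same hunk), but an IngressController's `defaultCertificate` is, as far as I know, resolved as a secret in the `openshift-ingress` namespace where the router pods mount it, so this certificate may never be served. If that holds, the fix is `namespace: openshift-ingress` on the ExternalSecret metadata; the Vault path `nerc/nerc-ocp-prod/openshift-ingress/...` suggests that namespace was the intent. Consider also stating a `refreshInterval` explicitly so that a rotated certificate in the store is picked up on a known cadence rather than the controller default.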
@@ -1,9 +1,12 @@
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: external-apps-ingress-controller
name: external-apps
namespace: openshift-ingress-operator
spec:
# The "domain" setting does not automatically apply to routes as you might
# expect; see https://github.com/OCP-on-NERC/operations/issues/41 for
# details.
domain: apps.shift.nerc.mghpcc.org
defaultCertificate:
name: external-apps-ingress-certificate
Expand All @@ -15,6 +18,6 @@ spec:
nodeSelector:
matchLabels:
nerc.mghpcc.org/external-ingress: 'true'
namespaceSelector:
routeSelector:
matchLabels:
type: external
nerc.mghpcc.org/external-ingress: 'true'
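Review bot: The `routeSelector` added in the second hunk only controls what this controller admits; unless the default IngressController carries a matching exclusion (for example a `matchExpressions` entry with `operator: NotIn` on `nerc.mghpcc.org/external-ingress`), a route labelled `'true'` is admitted by both routers and stays reachable through the internal one too, which undercuts the separation this controller exists for. Whether the default controller is sharded that way is not visible in this change. The removed `namespaceSelector` / `type: external` lines also mean any namespace that relied on namespace-based admission now needs its individual routes relabelled. The `spec` block appears to continue past the end of the hunk.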
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
nerg.mghpcc.org/feature: external-ingress

resources:
- ingresscontrollers/external-apps.yaml
- externalsecrets/external-apps-ingress-certificate.yaml
- post-sync-hook
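Review bot: `nerg.mghpcc.org/feature` on the `commonLabels` line looks like a typo for `nerc.mghpcc.org`, the prefix every other label in this change uses (`nerc.mghpcc.org/external-ingress` in the IngressController); as written the feature label will not match anything keyed on the intended prefix. Suggested: `nerc.mghpcc.org/feature: external-ingress`. Because kustomize also injects `commonLabels` into the selectors of kinds it knows about, fixing the key later is more disruptive than fixing it before this is first applied.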
@@ -0,0 +1,34 @@
apiVersion: batch/v1
kind: Job
metadata:
name: patch-external-ingress-service
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: patcher
containers:
- name: patcher
# This is 4.10.42
image: quay.io/openshift/origin-cli:4.10
command:
- bash
- /scripts/apply-patches.sh
- /patches
volumeMounts:
- name: patch-scripts
mountPath: /scripts
- name: patches
mountPath: /patches

volumes:
- name: patch-scripts
configMap:
name: patch-scripts

- name: patches
configMap:
name: patches
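Review bot: `image: quay.io/openshift/origin-cli:4.10` is a floating tag, so the `# This is 4.10.42` comment above it is only true until the tag is moved; a hook that runs with patch rights on services in `openshift-ingress` should be pinned by digest (`image: quay.io/openshift/origin-cli@sha256:<digest-placeholder>`) so a retagged image cannot silently change what executes. If a human-readable version is still wanted, keep it in the comment next to the digest. Note also that the Job relies on the script's exit status to report failure (see the script file), so any fix there is what makes `restartPolicy: OnFailure` meaningful.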
@@ -0,0 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: openshift-ingress

commonLabels:
app: patch-external-ingress-service

resources:
- job.yaml
- serviceaccount.yaml
- role.yaml
- rolebinding.yaml

configMapGenerator:
- name: patch-scripts
files:
- scripts/apply-patches.sh

- name: patches
files:
- patches/router-external-apps.patch.yaml
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Service
metadata:
annotations:
metallb.universe.tf/address-pool: public
name: router-external-apps
spec:
loadBalancerIP: 199.94.61.6
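Review bot: `loadBalancerIP` is deprecated in Kubernetes since 1.24, and recent MetalLB releases take the address from the `metallb.universe.tf/loadBalancerIPs` annotation instead, so pinning the address only through this field is likely to stop working on a cluster upgrade; setting `metallb.universe.tf/loadBalancerIPs: 199.94.61.6` alongside the existing annotation keeps the pin working across both. The patch also modifies a Service owned by the ingress operator, which may reconcile the object back between syncs; the PostSync hook re-applies it per sync but nothing re-applies it in between, so confirm the operator preserves these fields on this release.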
@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: patcher-allow-patching
rules:
- apiGroups:
- ''
resources:
- services
verbs:
- patch
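Review bot: The rule grants `patch` on every Service in the namespace, while the only object the hook touches is `router-external-apps`; adding `resourceNames:` / `- router-external-apps` under the rule keeps the `patcher` service account from being usable to alter the other router services in `openshift-ingress`. `resourceNames` restricts `patch` as intended (it cannot restrict `list`/`watch`, but those are not granted here), and the script uses `kubectl patch -f` with the object name taken from the file, so no `get` is required.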
@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: patcher-allow-patching
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: patcher-allow-patching
subjects:
- kind: ServiceAccount
name: patcher
@@ -0,0 +1,47 @@
#!/bin/bash

PATCH_DIR="$1"

shopt -s nullglob

mapfile -t patches < <(printf "%s\n" \
"$PATCH_DIR"/*.patch.yaml \
"$PATCH_DIR"/*.jsonpatch.yaml \
"$PATCH_DIR"/*.jsonmerge.yaml | sort)

for patch in "${patches[@]}"; do

# For strategic merge patches it's possible to infer the target of the patch
# from the patch itself, but other patch types -- such as JSONPatch patches
# -- require us to provide an explicit target.
#
# The following code replaces the patch type in the filename with "target"
# (so that "something.patch.yaml" becomes "something.target.yaml"), and
# if the resulting filename exists it will be used to determine the
# target of the patch.
targetname=$(awk -vOFS=. -F. '{$(NF-1) = "target"; print}' <<<"$patch")

if [[ -f "$targetname" ]]; then
target=$targetname
else
target=$patch
fi

case $patch in
*.patch.yaml)
patch_type=strategic;;
*.jsonpatch.yaml)
patch_type=json;;
*.mergepatch.yaml)
patch_type=merge;;

*) echo "ERROR: $patch: unknown patch type" >&2
continue
;;
esac

echo "Applying $patch"
if ! kubectl patch -f "$target" --patch-file "$patch" --type "$patch_type"; then
echo "ERROR: $patch: failed to apply" >&2
fi
done
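Review bot: The glob list collects `"$PATCH_DIR"/*.jsonmerge.yaml` but the `case` only recognises `*.mergepatch.yaml`, so a JSON merge patch can never be applied: a `.jsonmerge.yaml` file falls into the `unknown patch type` branch and a `.mergepatch.yaml` file is never collected. The script also exits 0 after a failed `kubectl patch` (the `if !` branch only echoes), so the Job and the Argo PostSync hook report success even when the Service was not patched; track a failure flag and exit with it. With `nullglob` and no matching files `printf "%s\n"` still emits one empty line, so `patches` holds a single empty string and the loop logs a spurious error for it. The rewrite below aligns the suffixes, skips the empty entry, and propagates the exit status.
```shell
mapfile -t patches < <(printf "%s\n" \
  "$PATCH_DIR"/*.patch.yaml \
  "$PATCH_DIR"/*.jsonpatch.yaml \
  "$PATCH_DIR"/*.mergepatch.yaml | sort)

failed=0
for patch in "${patches[@]}"; do
  # printf emits one empty line when none of the globs match
  [[ -n "$patch" ]] || continue

  # … unchanged: target-file derivation and the case statement …

  echo "Applying $patch"
  if ! kubectl patch -f "$target" --patch-file "$patch" --type "$patch_type"; then
    echo "ERROR: $patch: failed to apply" >&2
    failed=1
  fi
done

exit "$failed"
```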
@@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: patcher
2 changes: 1 addition & 1 deletion cluster-scope/overlays/nerc-ocp-prod/kustomization.yaml
Expand Up @@ -9,8 +9,8 @@ resources:
- ../../bundles/metallb
- ../../bundles/xdmod-reader
- feature/odf
- feature/external-ingress
- ../../base/core/namespaces/openshift-gitops
- ingresscontrollers/external-apps-ingress-controller.yaml
- externalsecrets
- apiserver/cluster.yaml
- secretstores