chore(*) split ingress to a separate template
Signed-off-by: Nikolay Nikolaev <[email protected]>
Nikolay Nikolaev committed Jan 20, 2021
1 parent 7579123 commit e9e5ff3
Showing 3 changed files with 207 additions and 111 deletions.
25 changes: 23 additions & 2 deletions examples/ecs/README.md
@@ -49,7 +49,7 @@ aws cloudformation deploy \

### Remote

Setting up a remote `kuma-cp` is a two step process. First, deploy the kuma-cp itself:
Setting up a remote `kuma-cp` is a three step process. First, deploy the kuma-cp itself:

```bash
aws cloudformation deploy \
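Review bot: the sentence now promises a three step process but this hunk states only the first step ("First, deploy the kuma-cp itself"); the other two steps (generating the ingress dataplane token and deploying `remote-ingress.yaml`) live under the separate "### Install the Zone Ingress" heading with no "Second"/"Third" markers, so a reader cannot tell which three steps are meant. Suggest numbering the steps explicitly or dropping the count.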
@@ -59,14 +59,33 @@ aws cloudformation deploy \
```


## OPTIONAL: Configure `kumactl` to access the API
#### OPTIONAL: Configure `kumactl` to access the API
Find the public IP address fo the remote or standalone `kuma-cp` and use it in the command below.

```bash
export PUBLIC_IP=<ip address>
kumactl config control-planes add --name=ecs --address=http://$PUBLIC_IP:5681 --overwrite
```

### Install the Zone Ingress

For cross-zone communication Kuma needs the Ingress DP deployed. As every dataplane (see details in the `workload` chapter below) it needs a dataplane token generated

```shell
ssh root@<kuma-cp-remote-ip> "wget --header='Content-Type: application/json' --post-data='{\"mesh\": \"default\", \"type\": \"ingress\"}' -qO- http://localhost:5681/tokens"
```

Then simply deploy the ingress itself:

```shell
aws cloudformation deploy \
--capabilities CAPABILITY_IAM \
--stack-name ingress \
--template-file remote-ingress.yaml \
--parameter-overrides \
DPToken="<DP_TOKEN_VALUE>"
```

### Install the Kuma DNS

The services within the Kuma mesh are exposed through their names (as defined in the `kuma.io/service` tag) in the `.mesh` DNS zone. In the default workload example that would be `httpbin.mesh`.
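Review bot: the token flow under "### Install the Zone Ingress" hands a bearer credential around in the clear: it is minted by running `wget ... --post-data='{"mesh": "default", "type": "ingress"}' http://localhost:5681/tokens` over `ssh root@<kuma-cp-remote-ip>` without any authentication on the endpoint, then pasted as `DPToken="<DP_TOKEN_VALUE>"` on the `aws cloudformation deploy` command line, where it ends up in shell history, in the stack's parameter list (DescribeStacks and the console) and in the CloudTrail record of the stack call. Suggest the README state that `DPToken` must be declared `NoEcho: true` in the template (or sourced from a secret store) and that the token stays valid for the whole mesh until the control plane's signing key is rotated. Two wording fixes in the same hunk: "fo the remote" should read "of the remote", and "As every dataplane (see details in the `workload` chapter below) it needs a dataplane token generated" is missing its full stop and reads better as "Like every dataplane (see the `workload` chapter below) it needs a dataplane token, generated with:".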
@@ -104,6 +123,7 @@ on port `5682` as well as client ceritificate setup for authentication. The full
[User to control plane communication](https://kuma.io/docs/1.0.5/documentation/security/#user-to-control-plane-communication)

#### Standalone

```bash
aws cloudformation deploy \
--capabilities CAPABILITY_IAM \
@@ -115,6 +135,7 @@ aws cloudformation deploy \
```

#### Remote

```bash
aws cloudformation deploy \
--capabilities CAPABILITY_IAM \
109 changes: 0 additions & 109 deletions examples/ecs/kuma-cp-remote.yaml
@@ -10,10 +10,6 @@ Parameters:
Type: String
Default: "kong-docker-kuma-docker.bintray.io/kuma-cp:1.0.5"
Description: The name of the kuma-cp docker image
IngressImage:
Type: String
Default: "kong-docker-kuma-docker.bintray.io/kuma-dp:1.0.5"
Description: The name of the kuma-dp docker image
Zone:
Type: String
Default: "zone-1"
@@ -25,9 +21,6 @@ Parameters:
Type: String
Default: '10.0.0.0/8'
Description: The CIDR used to restrict the kuma-cp ports access
IngressPort:
Type: String
Default: 10001
# The certificates are generated for SAN `controlplane.kuma.io` using:
# kumactl generate tls-certificate --type=server --cp-hostname zone-1-controlplane.kuma.io
# change these accordingly if another DNS name is needed.
@@ -284,105 +277,3 @@ Resources:
awslogs-group: !Ref AWS::StackName
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: kuma-cp


############################
# Ingress DP configuration #
############################

IngressDPSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to Kuma Ingress DP
VpcId:
Fn::ImportValue:
!Join [ ':', [ !Ref 'VPCStackName', 'VPCId' ] ]

IngressDPTcp:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: For Ingress DP
GroupId: !Ref IngressDPSecurityGroup
IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: !Ref IngressPort
ToPort: !Ref IngressPort

ServiceIngressDP:
Type: AWS::ECS::Service
Properties:
LaunchType: FARGATE
Cluster:
Fn::ImportValue:
!Join [ ':', [ !Ref 'VPCStackName', 'ClusterName' ] ]
DesiredCount: 1
TaskDefinition: !Ref 'TaskDefinitionIngressDP'
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: ENABLED
Subnets:
- Fn::ImportValue:
!Join [ ':', [ !Ref 'VPCStackName', 'PublicSubnet' ] ]
SecurityGroups: [ !Ref 'IngressDPSecurityGroup' ]

TaskDefinitionIngressDP:
Type: AWS::ECS::TaskDefinition
Properties:
Family: kuma-dp-ingress
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
TaskRoleArn: !Ref KumaECSTaskIamRole
ExecutionRoleArn: !Ref 'KumaECSTaskExecutionRole'
Cpu: 256
Memory: 512
ContainerDefinitions:
- Name: kuma-dp
Image: !Ref IngressImage
PortMappings:
- ContainerPort: !Ref IngressPort
Protocol: tcp
Essential: true
User: '5678'
Environment:
- Name: KUMA_DATAPLANE_RUNTIME_TOKEN
# generated with "wget --header='Content-Type: application/json' --post-data='{\"mesh\": \"default\", \"type\": \"ingress\"}' -qO- http://localhost:5681/tokens"
Value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJOYW1lIjoiIiwiTWVzaCI6ImRlZmF1bHQiLCJUYWdzIjp7fSwiVHlwZSI6ImluZ3Jlc3MifQ.62MCnX4pCJztiLsqDSOopKxCDbxGstFrGZ1jboPOcoA
- Name: KUMA_DATAPLANE_RUNTIME_RESOURCE
Value: |
---
type: Dataplane
name: dp-ingress
mesh: default
networking:
address: "{{ address }}"
ingress:
publicAddress: "{{ publicAddress }}"
publicPort: "{{ publicPort }}"
inbound:
- port: {{ port }}
tags:
kuma.io/service: ingress
kuma.io/protocol: tcp
EntryPoint: [ "sh", "-c" ]
Command:
- !Join
- " "
- - "kuma-dp"
- "run"
- "--cp-address"
- !Join [ "", [ "https://", !Join [ "-", [ !Ref Zone, "controlplane" ] ], ".kuma.io:5678" ] ]
- "--dataplane-var"
- "address=`hostname -i`"
- "--dataplane-var"
- !Join [ "=", [ "port", !Ref IngressPort ] ]
- "--dataplane-var"
- "publicAddress=`hostname -i`" # this might be an LB public IP
- "--dataplane-var"
- !Join [ "=", [ "publicPort", !Ref IngressPort ] ]
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref AWS::StackName
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: kuma-dp
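Review bot: the hard-coded dataplane token on the removed `Value: eyJhbGciOiJIUzI1NiIs...` line is a real signed JWT (header `{"alg":"HS256","typ":"JWT"}`, payload `{"Name":"","Mesh":"default","Tags":{},"Type":"ingress"}`) and it was committed to the repository; deleting it from HEAD does not remove it from git history. Treat it as leaked: because HS256 is symmetric, any control plane whose signing key issued this token will still accept it from anyone who pulls the old revision, so the dataplane token signing key for mesh `default` should be rotated on every control plane this template was deployed against, and the replacement template must never ship a token in a default value. Moving the token into a parameter of `remote-ingress.yaml` is the right direction as long as that parameter is not echoed.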
184 changes: 184 additions & 0 deletions examples/ecs/remote-ingress.yaml
@@ -0,0 +1,184 @@
AWSTemplateFormatVersion: "2010-09-09"
Description: Kuma Control Plane on ECS
Parameters:
VPCStackName:
Type: String
Default: kuma-vpc
Description: The name of the parent Fargate networking stack that you created. Necessary
to locate and reference resources created by that stack.
Image:
Type: String
Default: "kong-docker-kuma-docker.bintray.io/kuma-dp:1.0.5"
Description: The name of the kuma-dp docker image
IngressPort:
Type: String
Default: 10001
DesiredCount:
Type: String
Default: 1
Description: The desired replica count of the workload
CPAddress:
Type: String
Default: "https://zone-1-controlplane.kuma.io:5678"
Description: The kuma-cp address
DPTemplate:
Type: String
Default: |
---
type: Dataplane
name: dp-ingress
mesh: default
networking:
address: "{{ address }}"
ingress:
publicAddress: "{{ publicAddress }}"
publicPort: "{{ publicPort }}"
inbound:
- port: {{ port }}
tags:
kuma.io/service: ingress
kuma.io/protocol: tcp
DPMesh:
Type: String
Default: "default"
Description: The Mesh of the dataplane
DPToken:
# generated with "wget --header='Content-Type: application/json' --post-data='{\"mesh\": \"default\", \"type\": \"ingress\"}' -qO- http://localhost:5681/tokens"
Type: String
Default: ""
Description: The dataplane token generated from kuma-cp
AllowedCidr:
Type: String
Default: '10.0.0.0/8'
Description: The CIDR used to restrict the kuma-cp ports access
Resources:

###################################
# Service Discovery configuration #
###################################

IngressTaskExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ ecs-tasks.amazonaws.com ]
Action: [ 'sts:AssumeRole' ]
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
- arn:aws:iam::aws:policy/CloudWatchLogsFullAccess

IngressTaskIamRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument: |
{
"Statement": [{
"Effect": "Allow",
"Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
"Action": [ "sts:AssumeRole" ]
}]
}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/CloudWatchFullAccess
- arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
- arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess


LogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Ref AWS::StackName
RetentionInDays: 7 # days

############################
# Ingress DP configuration #
############################

IngressDPSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to Kuma Ingress DP
VpcId:
Fn::ImportValue:
!Join [ ':', [ !Ref 'VPCStackName', 'VPCId' ] ]

IngressDPTcp:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: For Ingress DP
GroupId: !Ref IngressDPSecurityGroup
IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: !Ref IngressPort
ToPort: !Ref IngressPort

ServiceIngressDP:
Type: AWS::ECS::Service
Properties:
LaunchType: FARGATE
Cluster:
Fn::ImportValue:
!Join [ ':', [ !Ref 'VPCStackName', 'ClusterName' ] ]
DesiredCount: 1
TaskDefinition: !Ref 'TaskDefinitionIngressDP'
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: ENABLED
Subnets:
- Fn::ImportValue:
!Join [ ':', [ !Ref 'VPCStackName', 'PublicSubnet' ] ]
SecurityGroups: [ !Ref 'IngressDPSecurityGroup' ]

TaskDefinitionIngressDP:
Type: AWS::ECS::TaskDefinition
Properties:
Family: kuma-dp-ingress
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
TaskRoleArn: !Ref IngressTaskIamRole
ExecutionRoleArn: !Ref 'IngressTaskExecutionRole'
Cpu: 256
Memory: 512
ContainerDefinitions:
- Name: kuma-dp
Image: !Ref Image
PortMappings:
- ContainerPort: !Ref IngressPort
Protocol: tcp
Essential: true
User: '5678'
Environment:
- Name: KUMA_DATAPLANE_RUNTIME_TOKEN
Value: !Ref DPToken
- Name: KUMA_DATAPLANE_RUNTIME_RESOURCE
Value: !Ref DPTemplate
EntryPoint: [ "sh", "-c" ]
Command:
- !Join
- " "
- - "kuma-dp"
- "run"
- "--cp-address"
- !Ref CPAddress
- "--dataplane-var"
- "dpname=`hostname -s`"
- "--dataplane-var"
- "address=`hostname -i`"
- "--dataplane-var"
- !Join [ "=", [ "port", !Ref IngressPort ] ]
- "--dataplane-var"
- "publicAddress=`hostname -i`" # this might be an LB public IP
- "--dataplane-var"
- !Join [ "=", [ "publicPort", !Ref IngressPort ] ]
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref AWS::StackName
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: kuma-dp

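Review bot: `DPToken` in the `Parameters:` block is a bearer credential but is not marked `NoEcho: true`, so its value is returned by DescribeStacks and shown in the console and in change sets; add `NoEcho: true`, and reconsider `Default: ""`, which today lets the stack deploy an ingress that cannot authenticate to the control plane instead of failing fast. Further points in the same hunk: (1) `Description: Kuma Control Plane on ECS` is copied from the control-plane template; this stack deploys the zone ingress. (2) `AllowedCidr` is declared but never referenced, while `IngressDPTcp` opens `IngressPort` with `CidrIp: 0.0.0.0/0`; either use `!Ref AllowedCidr` or drop the dead parameter so the template does not advertise a restriction it does not enforce. (3) `DesiredCount` is declared but `ServiceIngressDP` hard-codes `DesiredCount: 1`; and if it were raised, every replica would register under the same `name: dp-ingress`, because `DPTemplate` hard-codes the name even though the command passes `--dataplane-var dpname=\`hostname -s\``; the default template should use `name: {{ dpname }}`. (4) `IngressTaskIamRole` attaches `CloudWatchFullAccess`, `AWSXRayDaemonWriteAccess` and `AWSAppMeshEnvoyAccess`, none of which a `kuma-dp` ingress container calls; the task role can be dropped or left with no managed policies, and `IngressTaskExecutionRole` needs only `logs:CreateLogStream`/`logs:PutLogEvents` on `LogGroup` rather than `CloudWatchLogsFullAccess`. (5) The `# Service Discovery configuration #` banner sits over IAM roles and a log group. (6) `publicAddress=\`hostname -i\`` resolves to the task's private ENI address, not the address assigned by `AssignPublicIp: ENABLED`, so remote zones will be handed an unreachable ingress address; the inline comment hints at this, but the parameter or README should make the load balancer or public IP an explicit input.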