Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Network observer chart #1855

Merged
merged 8 commits into from
Jan 21, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,8 @@ jobs:
command: curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
- run: make generate-skupper-deployment-cluster-scoped
- run: make generate-skupper-deployment-namespace-scoped
- run: make generate-network-observer-generic
- run: make generate-network-observer-openshift
- run: mkdir skupper-setup
- run: cp ./*.yaml skupper-setup
- run:
Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -32,3 +32,4 @@ manifest.json
oci-archives/
skupper-setup-cluster-scope.yaml
skupper-setup-namespace-scope.yaml
skupper-network-observer-*.yaml
20 changes: 20 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,26 @@ generate-skupper-deployment-namespace-scoped:
generate-bundle:
./scripts/generate-bundle.sh

generate-network-observer-generic:
helm template skupper-network-observer ./charts/network-observer/ \
--set skipManagementLabels=true > skupper-network-observer-generic.yaml

generate-network-observer-openshift:
helm template skupper-network-observer \
./charts/network-observer/ \
--set skipManagementLabels=true \
--set tls.skupperIssued=false \
--set tls.openshiftIssued=true \
--set route.enabled=true \
--set prometheus.securityContext=null \
> skupper-network-observer-openshift.yaml

generate-network-observer-devel:
helm template skupper-network-observer ./charts/network-observer/ \
--set auth.strategy=none \
--set extraArgs={"-cors-allow-all"} \
--set skipManagementLabels=true > skupper-network-observer-devel.yaml

clean:
rm -rf skupper controller kube-adaptor \
network-observer generate-doc \
Expand Down
23 changes: 23 additions & 0 deletions charts/network-observer/.helmignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
6 changes: 6 additions & 0 deletions charts/network-observer/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: v2
name: network-observer
description: A Helm chart for the Skupper Network Observer
type: application
version: 0.1.0-devel
appVersion: "v2-dev"
105 changes: 105 additions & 0 deletions charts/network-observer/README.md
fgiorgetti marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
# Skupper Network Observer

The skupper network observer is an application that attaches to the skupper
network in order to expose skupper network telemetry. When installed alongside
a skupper site it will collect operational data from ALL sites in the network
and expose them via the API and metrics that back the [Skupper
Console](https://github.com/skupperproject/skupper-console) web application.

This chart bootstraps a skupper network observer deployment on a
[Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh)
package manager.

## Prerequisites

- A Skupper Version 2 Site running in the same Kuberentes Namesapce the network
observer is to be installed in.
- The Skupper Controller running and managing the Site.

## Usage

To deploy the Skupper Network Observer to a namsapce using Helm

```
helm install skupper-network-observer .
```

Without Helm, the Skupper Network Observer can be installed using one of the manifests generated from the chart published alongside a Skupper release.

```
make generate-network-observer-generic # runs helm template
kubectl apply -f ./skupper-network-observer-generic.yaml
```

## Configuration

By default, deploys the network-observer with skupper-issued TLS certificates,
HTTP Basic authentication (username and password are `skupper`) and no ingress.

### Ingress

By default the network-observer does not include an ingress. As a convenience,
the chart contains options that can help expose the service externally.

* Configure an ingress by setting `ingress.enabled=true` and setting appropriate
values under `ingress`.

Example values.yaml using the nginx ingress nginx controller with a
user-provided TLS certificate
```
ingress:
enabled: true
className: "nginx"
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
hosts:
- host: skupper-net-01.mycluster.local
paths:
- path: /
pathType: Prefix
tls:
- secretName: skupper-net-01-tls
hosts:
- skupper-net-01.mycluster.local
```

* Configure an openshift route by setting `route.enabled=true`.

* Expose the service as type LoadBalancer `service.type=LoadBalancer`.

### TLS

TLS is mandatory for this deployment. It can be configured as user provided, provided
by openshift or by the skupper controller.

To use an existing TLS secret, overwrite `tls.secretName`.

To use an openshift generated service certificate, set
`tls.openshiftIssued=true` and `tls.skupperIssued=false`. An annotation will be
added to the service that should prompt openshift to provision a TLS secret.

### Authorization

The network observer pod contains a reverse proxy that handles authorization
and TLS termination for the read only application that binds only to localhost.
When authorization strategy is "basic", nginx is configured as the proxy, and
can be configured with user-provided htpasswd file contents or a secret name.
When authorization strategy is "openshift" an oauth2 proxy is used instead, and
is configured to use the cluster identity provider for authorization. Openshift
auth only works with ingress type Route.

c-kruse marked this conversation as resolved.
Show resolved Hide resolved
To set a secure basic auth credentials run:
```
# Use htpasswd to generate a new password file
htpasswd -B -c passwords \
my-username;

# Add a new secret with that password file
kubectl create secret generic my-custom-auth \
--from-file=htpasswd=passwords;

# Point the chart at the new secret
helm install ... \
--set auth.basic.create=false \
--set auth.basic.secretName=my-custom-auth
```
48 changes: 48 additions & 0 deletions charts/network-observer/templates/NOTES.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
You have installed the skupper network observer!

Accessing the console:
{{- if .Values.ingress.enabled }}
The {{ include "network-observer.fullname" . }} service is exposed through an
Ingress and should be availalble external to the cluster at the following
locations.
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if .Values.route.enabled }}
The service is exposed through the {{ include "network-observer.fullname" . }} Route.
export ROUTE_HOST=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.host}" route {{ include "network-observer.fullname" . }})
echo "https://$ROUTE_HOST"
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "network-observer.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "network-observer.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "network-observer.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
The network-observer application is exposed as a service inside of your
cluster. To access the application externally you must either enable an
ingress of some sort or use port forwarding to access the service
temporarily.
Expose the application at https://127.0.0.1:8443 with the command:
kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ include "network-observer.fullname" . }} 8443:{{ .Values.service.port }}
{{- end }}

{{- if eq "basic" .Values.auth.strategy }}

Basic Authentication is enabled.

Users are configured in the {{ include "network-observer.basicAuthSecretName" . }} secret.
By default this chart includes placeholder credentials username="skupper" password="skupper".
This secret should be replaced to include user-provided credentials.

{{- else if eq "openshift" .Values.auth.strategy }}

Openshift Authentication is enabled.
Users should be able to authenticate with the openshift cluster to access the console application.

{{- end }}
68 changes: 68 additions & 0 deletions charts/network-observer/templates/_deployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@

{{- define "network-observer.proxyVolumeMounts" -}}
{{- $authStrategies := list "basic" "openshift" "none" }}
{{- if not (has .Values.auth.strategy $authStrategies) }}
{{- fail (printf "auth.strategy must be one of %s" $authStrategies) }}
{{- end }}
{{- if not (eq .Values.auth.strategy "openshift") }}
- name: nginx-config
configMap:
defaultMode: 420
name: {{ include "network-observer.nginxConfigMapName" . }}
{{- if eq .Values.auth.strategy "basic" }}
- name: nginx-htpasswd
secret:
defaultMode: 420
secretName: {{ include "network-observer.basicAuthSecretName" . }}
{{- end }}
{{- end }}
{{- end -}}

{{- define "network-observer.nginxProxySpec" -}}
image: "{{ .Values.nginx.repository }}:{{ .Values.nginx.tag }}"
imagePullPolicy: {{ .Values.nginx.pullPolicy }}
{{- with .Values.nginx.securityContext }}
securityContext:
{{- toYaml . | nindent 2 }}
{{- end }}
ports:
- name: https
containerPort: 8443
protocol: TCP
volumeMounts:
- mountPath: /etc/certificates/
name: {{ include "network-observer.tlsSecretName" . }}
- mountPath: /etc/nginx/nginx.conf
name: nginx-config
subPath: nginx.conf
{{- if eq .Values.auth.strategy "basic" }}
- mountPath: /etc/nginx/.htpasswd
name: nginx-htpasswd
subPath: htpasswd
{{- end }}
{{- end -}}

{{- define "network-observer.openshiftOauthProxySpec" -}}
image: "{{ .Values.openshiftOauthProxy.repository }}:{{ .Values.openshiftOauthProxy.tag }}"
imagePullPolicy: {{ .Values.openshiftOauthProxy.pullPolicy }}
{{- with .Values.openshiftOauthProxy.securityContext }}
securityContext:
{{- toYaml . | nindent 2 }}
{{- end }}
args:
- --https-address=:8443
- --provider=openshift
- --openshift-service-account={{ (include "network-observer.serviceAccountName" .) }}
- --upstream=http://127.0.0.1:8080
- -tls-cert=/etc/certificates/tls.crt
- -tls-key=/etc/certificates/tls.key
- --cookie-secret={{ (randAlphaNum 32 | nospace) }}
ports:
- name: https
containerPort: 8443
protocol: TCP
volumeMounts:
- mountPath: /etc/certificates/
name: {{ include "network-observer.tlsSecretName" . }}
{{- end -}}

88 changes: 88 additions & 0 deletions charts/network-observer/templates/_helpers.tpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "network-observer.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "network-observer.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "network-observer.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "network-observer.labels" -}}
{{ include "network-observer.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
{{- if not .Values.skipManagementLabels }}
helm.sh/chart: {{ include "network-observer.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
app.kubernetes.io/part-of: skupper-network-observer
{{- end }}

{{/*
Selector labels
*/}}
{{- define "network-observer.selectorLabels" -}}
app.kubernetes.io/name: {{ include "network-observer.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "network-observer.serviceAccountName" -}}
{{- if eq .Values.auth.strategy "openshift" -}}
{{- .Values.auth.openshift.serviceAccount.nameOverride | default (include "network-observer.fullname" .) }}
{{- end }}
{{- end }}

{{/*
Create the Skupper Certificate Name
*/}}
{{- define "network-observer.clientCertificateName" -}}
{{- .Values.router.certificate.nameOverride | default (printf "%s-client" (include "network-observer.fullname" .)) }}
{{- end }}

{{/*
Create the TLS Secret Name
*/}}
{{- define "network-observer.tlsSecretName" -}}
{{- .Values.tls.secretName | default (printf "%s-tls" (include "network-observer.fullname" .)) }}
{{- end }}

{{/*
Create the nginx configmap name
*/}}
{{- define "network-observer.nginxConfigMapName" -}}
{{- (printf "%s-nginx" (include "network-observer.fullname" .)) }}
{{- end }}

{{- define "network-observer.basicAuthSecretName" -}}
{{- .Values.auth.basic.secretName | default (printf "%s-auth" (include "network-observer.fullname" .)) }}
{{- end }}
11 changes: 11 additions & 0 deletions charts/network-observer/templates/basic_auth_secret.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{{- if and (eq .Values.auth.strategy "basic") .Values.auth.basic.create }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "network-observer.basicAuthSecretName" . }}
labels:
{{- include "network-observer.labels" . | nindent 4 }}
stringData:
htpasswd: |-
{{- .Values.auth.basic.htpasswd | nindent 4}}
{{- end }}
Loading