-
Notifications
You must be signed in to change notification settings - Fork 136
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #572 from larssb/patch-1
Example for overlaying on an Ingress Object.
- Loading branch information
Showing
4 changed files
with
177 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| This example shows how to use `ytt` overlaying in regards to accomplish the modification of X Kubernetes Ingress object. | ||
|
|
||
| Specifically the `apiVersion` is bumped to **networking.k8s.io/v1** from **networking.k8s.io/v1beta1**. This is done in order to get the Falco installation Helm post-rendered into a state that matches the version of the `networking` API on a specific `Kubernetes` version. | ||
| As a consequence of that we're required to `ytt overlay` **backend** and **paths** on the **Kubernetes Ingress Object**. In order for these to match the `apiVersion` that is overlayed to. | ||
|
|
||
| All of this stems from the Falco Helm chart having issues with the version tag that K3s uses. It's e.g `v1.22.3+k3s2`. This results in the **Falco** chart using the **v1beta1** of the **networking** API instead of the newest versio of the **networking** API that we want. | ||
|
|
||
| The cmdline used: | ||
|
|
||
| ```text | ||
| ytt -f "./config.yaml" -f "./schema.yml" --data-value cluster="my-cluster" \ | ||
| | helm upgrade --atomic --install "HELM_INSTALL_NAME" "HELM_CHART_NAME" --version "HELM_VERSION" --create-namespace --namespace "KUBERNETES_NAMESPACE" --values - \ | ||
| --post-renderer "./ytt-helm-postrender/ytt-overlay-on-helm-post-renderer.sh" | ||
| ``` | ||
|
|
||
| Here's what's going on: | ||
|
|
||
| - The cmd uses ytt's data values schema to perform type-checking | ||
| - it uses those values as input to a helm chart | ||
| - and finally it uses ytt to patch the result of the helm templates | ||
|
|
||
| > N.B. the Falco chart can, if enabled, request two **Kubernetes Ingress Objects** to be created. This is done in this example and therefore we need to overlay on both. Specificall notice the difference on the `overlay.subset()` call, filtering on `{"metadata": {"name": ....` (together with the `overlay.subset({"kind": "Ingress"})` matcher). | ||
| _The `--post-renderer` script being called is simply an extra call to `ytt` and the `schema.yaml` and `network-api-fix.yaml` files specifically. So that `ytt` renders these two files against the `Helm` generated output ( the input to `ytt` ). | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| #@ load("@ytt:data", "data") | ||
| --- | ||
| ebpf: | ||
| enabled: #@ data.values.ebpf.enabled | ||
| auditLog: | ||
| enabled: #@ data.values.auditLog.enabled | ||
| falcosidekick: | ||
| enabled: #@ data.values.falcosidekick.enabled | ||
| fullfqdn: #@ data.values.falcosidekick.fullfqdn | ||
| config: | ||
| teams: | ||
| webhookurl: #@ data.values.falcosidekick.config.teams.webhookurl | ||
| ingress: | ||
| enabled: #@ data.values.falcosidekick.ingress.enabled | ||
| annotations: #@ data.values.falcosidekick.ingress.annotations | ||
| hosts: | ||
| - host: #@ data.values.clusters[data.values.cluster].falcosidekick.ingress.host | ||
| paths: #@ data.values.falcosidekick.ingress.paths | ||
| webui: | ||
| enabled: #@ data.values.falcosidekick.webui.enabled | ||
| darkmode: #@ data.values.falcosidekick.webui.darkmode | ||
| ingress: | ||
| enabled: #@ data.values.falcosidekick.webui.ingress.enabled | ||
| annotations: #@ data.values.falcosidekick.webui.ingress.annotations | ||
| hosts: | ||
| - host: #@ data.values.clusters[data.values.cluster].falcosidekick.webui.ingress.host | ||
| paths: ["/ui", "/events", "/healthz", "/ws"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| #! START OF COMMENT SECTION | ||
| #! ------------------------ | ||
| #! We're overlaying the apiVersion used by falco charts | ||
| #! We need to do so because we're rolling at least | ||
| #! v1.22+ of Kubernetes ( as of 211230 ) | ||
| #! And this > https://github.com/falcosecurity/charts/blob/d2c6b91ff7339a5108abe23208212eb53b535463/falcosidekick/templates/_helpers.tpl#L38 | ||
| #! does not seem to work with the version value that the K3s distribution | ||
| #! uses. For more background see > https://github.com/falcosecurity/charts/issues/288 | ||
| #! | ||
| #! "Bumping" the apiVersion is the first step of | ||
| #! getting the Falco chart installed like we want it | ||
| #! on K3s backend flavored clusters. | ||
| #! We want to be on the latest version of the networking.k8s... API | ||
| #! ---------------------- | ||
| #! END OF COMMENT SECTION | ||
|
|
||
| #@ load("@ytt:data", "data") | ||
| #@ load("@ytt:overlay", "overlay") | ||
|
|
||
| #@overlay/match by=overlay.subset({"apiVersion":"networking.k8s.io/v1beta1"}),expects="1+" | ||
| --- | ||
| apiVersion: networking.k8s.io/v1 | ||
|
|
||
| #! START OF COMMENT SECTION | ||
| #! ------------------------ | ||
| #! As we overlay the apiVersion used | ||
| #! we need to reflect that change as well | ||
| #! So in the below we're ytt overlaying on | ||
| #! the backend of the [INGRESS FOR THE FALCO WEB UI] | ||
| #! ---------------------- | ||
| #! END OF COMMENT SECTION | ||
| #@ kindIngressMatcher = overlay.subset({"kind": "Ingress"}) | ||
| #@ falcosideKickUiMatcher = overlay.subset({"metadata": {"name": "falco-falcosidekick-ui"}}) | ||
| #@overlay/match by=overlay.and_op(kindIngressMatcher, falcosideKickUiMatcher), expects=1 | ||
| --- | ||
| spec: | ||
| rules: | ||
| #@overlay/match by=lambda i,l,r: "host" in l | ||
| - host: #@ data.values.clusters[data.values.cluster].falcosidekick.webui.ingress.host | ||
| http: | ||
| paths: | ||
| #@overlay/match by=overlay.all, expects="1+" | ||
| #@overlay/match-child-defaults missing_ok=True | ||
| - #! the value for the `path` key comes in via the `paths` Array | ||
| #! defined in the config.yaml file | ||
| pathType: "ImpleOmentationSpecific" | ||
| #@overlay/replace | ||
| backend: | ||
| service: | ||
| name: falco-falcosidekick-ui | ||
| port: | ||
| name: http | ||
|
|
||
| #! START OF COMMENT SECTION | ||
| #! ------------------------ | ||
| #! As we overlay the apiVersion used | ||
| #! we need to reflect that change as well | ||
| #! So in the below we're ytt overlaying on | ||
| #! the backend: parf of the [THE ROOT INGRESS FOR FALCO] | ||
| #! ---------------------- | ||
| #! END OF COMMENT SECTION | ||
| #@ kindIngressMatcher = overlay.subset({"kind": "Ingress"}) | ||
| #@ falcosideKickMatcher = overlay.subset({"metadata": {"name": "falco-falcosidekick"}}) | ||
| #@overlay/match by=overlay.and_op(kindIngressMatcher, falcosideKickMatcher), expects=1 | ||
| --- | ||
| spec: | ||
| rules: | ||
| #@overlay/match by=lambda i,l,r: "host" in l | ||
| - host: #@ data.values.clusters[data.values.cluster].falcosidekick.ingress.host | ||
| http: | ||
| paths: | ||
| #@overlay/match by=overlay.all, expects="1+" | ||
| #@overlay/match-child-defaults missing_ok=True | ||
| #@overlay/replace | ||
| - backend: | ||
| service: | ||
| name: falco-falcosidekick | ||
| port: | ||
| name: http | ||
| pathType: "ImplementationSpecific" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| #@data/values-schema | ||
| --- | ||
| #! | ||
| #! Cluster scope values | ||
| #! | ||
| cluster: "" | ||
|
|
||
| clusters: | ||
| my-cluster: | ||
| falcosidekick: | ||
| ingress: | ||
| host: falcosidekick.my-cluster.local | ||
| webui: | ||
| ingress: | ||
| host: falcosidekick-ui.my-cluster.local | ||
|
|
||
| #! | ||
| #! Global scope values | ||
| #! | ||
| ebpf: | ||
| enabled: true | ||
| auditLog: | ||
| enabled: true | ||
| falcosidekick: | ||
| enabled: true | ||
| fullfqdn: false | ||
| config: | ||
| teams: | ||
| webhookurl: "....." | ||
| ingress: | ||
| #@schema/type any=True | ||
| annotations: | ||
| kubernetes.io/ingress.class: haproxy | ||
| enabled: true | ||
| paths: [""] | ||
| webui: | ||
| enabled: true | ||
| darkmode: true | ||
| ingress: | ||
| #@schema/type any=True | ||
| annotations: | ||
| kubernetes.io/ingress.class: haproxy | ||
| enabled: true | ||
| paths: [""] |