k8s-infra: routing, TLS (rebased) #9329
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Guy Daich <guy.daich@sap.com> Adapt OS infra to use external server exposer Signed-off-by: Guy Daich <guy.daich@sap.com> reuse k8s ServersConverter in OS infra begin tls for path-based k8s infra Signed-off-by: Guy Daich <guy.daich@sap.com> continue k8s tls support Signed-off-by: Guy Daich <guy.daich@sap.com> Add single-host strategy, cert-manager support Signed-off-by: Guy Daich <guy.daich@sap.com> fix charts, add single-host strategy, add TLS test Signed-off-by: Guy Daich <guy.daich@sap.com> TLS: changed cert-manager certficiate issuer to be ClusterIssuer Signed-off-by: Eyal Barlev <perspectivus@gmail.com> add resolved values.yaml Signed-off-by: Guy Daich <guy.daich@sap.com> Adapt to k8s Multiuser * Add sample values files * Fix merge issues Signed-off-by: Guy Daich <guy.daich@sap.com> Cleanup OpenShift Infra * rename TLS default value in che.env * remove openshift server exposer (consolidated with k8s) Signed-off-by: Guy Daich <guy.daich@sap.com> remove uintended automation changes Signed-off-by: Guy Daich <guy.daich@sap.com> cloud deployment helm changes Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
guydc
requested review from
garagatyi,
l0rd,
riuvshin,
skabashnyuk and
sleshchenko
as code owners
benoitf
added
status/code-review
|
Can one of the admins verify this patch? |
2 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
I have tested the PR and can confirm #8694 is fixed. No more wrong redirects. Thanks @guydaichs |
|
@eivantsov multi-host should work. it's on by default. |
sleshchenko
approved these changes
Apr 6, 2018
| CHE_INFRA_KUBERNETES_SERVER__STRATEGY: {{ .Values.global.serverStrategy }} | ||
|
|
||
|
|
||
|
|
| che.infra.openshift.tls_enabled=false | ||
| # Creates Ingresses with Transport Layer Security (TLS) enabled | ||
| # In OpenShift infrastructure, Routes will be TLS-enabled | ||
| che.infra.kubernetes.tls_enabled=false |
There was a problem hiding this comment.
Please move new Kubernetes properties above to Kubernetes section.
| che.infra.kubernetes.tls_enabled=false | ||
|
|
||
| # Name of a secret that should be used when creating workspace ingresses with TLS | ||
| che.infra.kubernetes.tls_secret= |
There was a problem hiding this comment.
Please add a note that it is ignored by OpenShift infrastructure, isn't it?
dockerfiles/init/manifests/che.env
Outdated
| @@ -506,6 +507,10 @@ CHE_SINGLE_PORT=false | |||
| # OpenShift infrastructure ignores this property because it uses Routes instead of ingresses. | |||
| #CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON=NULL | |||
|
|
|||
| # Creates Ingresses with Transport Layer Security (TLS) enabled | |||
| # In OpenShift infrastructure, Routes will be TLS-enabled | |||
| CHE_INFRA_KUBERNETES_TLS_ENABLED=false | |||
There was a problem hiding this comment.
Maybe it makes sense to add CHE_INFRA_KUBERNETES_TLS__SECRET here.
| if (externalServerExposerStrategy != null) { | ||
| this.externalServerExposerStrategy = externalServerExposerStrategy; | ||
| } else { | ||
| throw new IllegalArgumentException( |
There was a problem hiding this comment.
Maybe it would be better to throw org.eclipse.che.inject.ConfigurationException here
skabashnyuk
approved these changes
Apr 6, 2018
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
slemeur
removed
the
kind/epic
garagatyi
approved these changes
Apr 6, 2018
|
@guydaichs |
riuvshin
approved these changes
Apr 6, 2018
|
@guydaichs cool contribution to the project! Congrats! |
benoitf
removed
the
status/code-review
dmytro-ndp
pushed a commit
that referenced
this pull request
Apr 11, 2018
Introduce an External Server Exposer Strategy, responsible for exposing service ports associated with external servers, making them accessible from outside the cluster. Move server exposure to shared k8s infra level: - multi-host: unique hostname for each component, like Che Openshift infrastructure. - single-host: single hostname for all components. Can be used in conjunction with TLS. - default-host: default ingress hostname. Can be used for local development without dynamic DNS (based on ingress IP). Add basic TLS support. Signed-off-by: Guy Daich <guy.daich@sap.com>
sleshchenko
reviewed
Jun 22, 2018
| @@ -1,7 +1,9 @@ | |||
| {{- define "cheHost" }} | |||
| {{- if .Values.global.isHostBased }} | |||
| {{- printf "master.%s" .Values.global.cheDomain }} | |||
| {{- if eq .Values.global.serverStrategy "default-host" }} | |||
There was a problem hiding this comment.
@guydaichs Looks like after your changes readme.md is outdated. I mean the following line
If you must use an ip address (e.g. your corporate policy prevents you from using nip.io), you would also have to set isHostBased to false.
Could you please review readme.md and update information about servers strategies there?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Guy Daich guy.daich@sap.com
What does this PR do?
Replaces stale PR: #8822 . All previous commits are squashed.
Introduce an External Server Exposer Strategy, responsible for exposing service ports associated with external servers, making them accessible from outside the cluster.
Move server exposure to shared k8s infra level:
Provide three options for exposing external (and secondary) servers in k8s infra:
Add basic TLS support:
Add Ingress TLS provisioning.
Update Docs:
Multiuser:
Test PR
Follow instructions to set up minikube, helm, tiller, cert-manager.
Follow specific instructions for single/multi-user, default-host installation on minikube.
Routing strategies tested locally on minikube & minishift.
What issues does this PR fix or reference?
This PR fixes #8694.
This PR is part of kubernetes infrastructure epic #5908.
Release Notes
Docs PR
Currently, documented only in the Che Kubernetes Helm deployment instructions.