deployment: move Contour deployment to Kustomize

Move the example deployment to Kustomize. This requires the `kustomize`
tool, since the version of Kustomize vendored in `kubectl apply -k`
is too old to support.

The YAML documents in the example deployment are broken into 4 components
located in `config/components` - types, contour, envoy and certgen. These
are all included in the default deployments, but operators have the
option of creating deployments that dont't include all the components.
The `types-v1` component contains the Contour CRDs suitable for Kubernetes
1.16 or later.

Deployments to various Kubernetes infrastructure are in the `deployment`
directory. The base deployment pulls in all the components and sets the
namespace to `projectcontour`. The `kind` deployment updates the Envoy
Daemonset to use a `NodePort` service, and the `aws` deployment enables
TCP load balancing with PROXY protocol support. No special options are
needed for `gke` as far as I know, but it is included for completeness.

The traditional quickstart YAML is now located at `config/quickstary.yaml`
and is just a rendering of the base deployment. The netlify redirect can't
be updated until after a release because it points to a release branch.

This updates projectcontour#855, projectcontour#1190, projectcontour#2088, projectcontour#2544.

Signed-off-by: James Peach <jpeach@vmware.com>

.travis.yml

@@ -38,7 +38,7 @@ jobs:
     - $HOME/bin/kind create cluster --wait 2m
     - $HOME/bin/kind load docker-image docker.io/projectcontour/contour:master
     - $HOME/bin/kind load docker-image docker.io/projectcontour/contour:latest
-    - $HOME/bin/kubectl apply -f examples/render/contour.yaml
+    - $HOME/bin/kustomize build config/deployments/kind | $HOME/bin/kubectl apply -f -
     - $HOME/bin/kubectl wait --timeout=2m -n projectcontour -l app=contour deployments --for=condition=Available
     - $HOME/bin/kubectl wait --timeout=2m -n projectcontour -l app=envoy pods --for=condition=Ready
     - $HOME/bin/kind delete cluster

examples/contour/README.md → config/README.md

@@ -1,13 +1,23 @@
 # Contour Installation
 
-This is an installation guide to configure Contour in a Deployment separate from Envoy which allows for easier scaling of each component.
+This directory contains Contour configuration suitable for use by itself, or with [kustomize](https://kustomize.io).
 
-This configuration has several advantages:
 
-1. Envoy runs as a daemonset which allows for distributed scaling across workers in the cluster
-2. Communication between Contour and Envoy is secured by mutually-checked self-signed certificates.
+## Components
 
-## Moving parts
+The [components](./components) directory contains the collaborating components
+of a Contour installation.
+
+1. [types](./types) contains the CRD types for the Contour API. If you have
+   Kuberenetes 1.6 or later, [types-v1](./types-v1) contains the same API types
+2. [contour](./contour) contains a deployment of the Contour service. This
+   service will be a xDS management server for an Envoy cluster.
+3. [envoy](./envoy) deploys an Envoy cluster as a Daemonset.
+4. [certgen](./certgen) deploys a Contour generation Job to generate TLS
+   certificates that will be used for the xDS session between Contour and
+   Envoy.
+
+Installing these components creates the following moving parts:
 
 - Contour is run as Deployment and Envoy as a Daemonset
 - Envoy runs on host networking
@@ -19,28 +29,32 @@ This configuration has several advantages:
 
 For detailed instructions on how to configure the required certs manually, see the [step-by-step TLS HOWTO](https://projectcontour.io/docs/master/grpc-tls-howto).
 
-## Deploy Contour
+## Deployments
 
-Either:
+The [deployments](./deployments) directory contains pre-configured
+deployments for a number of Kubernetes targets. These are largely
+similar. They all install all the Contour components into the
+`projectcontour` namespace and use `contour certgen` to create the xDS
+session certificates.
 
-1. Run `kubectl apply -f https://projectcontour.io/quickstart/contour.yaml`
+The [quickstart YAML](./quickstart.yaml) is the rendered result of the
+[base deployment](./deployments/base).
 
-or:
-Clone or fork the repository, then run:
+## Deploy Contour
+
+Either:
 
 ```bash
-kubectl apply -f examples/contour
+kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
 ```
 
-This will:
+or:
 
-- set up RBAC and Contour's CRDs (CRDs include IngressRoute, TLSCertificateDelegation, HTTPProxy)
-  * IngressRoute is deprecated and will be removed in a furture release.
-  * Users should start transitioning to HTTPProxy to ensure no disruptions in the future.
-- run a Kubernetes Job that will generate one-year validity certs and put them into `projectcontour`
-- Install Contour and Envoy in a Deployment and Daemonset respectively.
+Clone or fork the repository, and run:
 
-**NOTE**: The current configuration exposes the `/stats` path from the Envoy Admin UI so that Prometheus can scrape for metrics.
+```bash
+kustomize build config/deployments/base | kubectl apply -f -
+```
 
 ## Test
 

config/components/certgen/job.yaml

@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: contour-certgen
+spec:
+  ttlSecondsAfterFinished: 0
+  template:
+    metadata:
+      labels:
+        app: "contour-certgen"
+    spec:
+      containers:
+      - name: contour
+        image: projectcontour/contour
+        imagePullPolicy: Always
+        command:
+        - contour
+        - certgen
+        - --incluster
+        - --kube
+        - --namespace=$(CONTOUR_NAMESPACE)
+        env:
+        - name: CONTOUR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+      restartPolicy: Never
+      serviceAccountName: contour-certgen
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1

config/components/certgen/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- job.yaml
+- rbac.yaml
+- serviceaccount.yaml
+
+# This version is set to latest because Job specs are immutable;
+# if we change this on each version, you can no longer upgrade
+# just by applying the deployment YAML.
+#
+# See #2423, #2395, #2150, and #2030 for earlier questions about this.
+images:
+- name: projectcontour/contour
+  newName: docker.io/projectcontour/contour
+  newTag: master

config/components/certgen/rbac.yaml

@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: contour
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: contour-certgen
+subjects:
+- kind: ServiceAccount
+  name: contour-certgen
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: contour-certgen
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - watch
+  - create
+  - get
+  - put
+  - post
+  - patch

config/components/certgen/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: contour-certgen

config/components/contour/configs/contour.yaml

@@ -0,0 +1,56 @@
+# Whether contour should expect to be running inside a k8s cluster.
+# incluster: true
+
+# Path to kubeconfig (if not running inside a k8s cluster).
+# kubeconfig: /path/to/.kube/config
+
+# Client request timeout to be passed to Envoy
+# as the connection manager request_timeout.
+# Defaults to 0, which Envoy interprets as disabled.
+# Note that this is the timeout for the whole request,
+# not an idle timeout.
+# request-timeout: 0s
+
+# Whether to disable the HTTPProxy  permitInsecure field.
+disablePermitInsecure: false
+
+tls:
+#   minimum TLS version that Contour will negotiate
+#   minimum-protocol-version: "1.1"
+
+# The following config shows the defaults for the leader election.
+# leaderelection:
+#   configmap-name: leader-elect
+#   configmap-namespace: projectcontour
+
+# Logging options
+accesslog-format: envoy
+
+# To enable JSON logging in Envoy
+# accesslog-format: json
+# The default fields that will be logged are specified below.
+# To customize this list, just add or remove entries.
+# The canonical list is available at
+# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
+# json-fields:
+#   - "@timestamp"
+#   - "authority"
+#   - "bytes_received"
+#   - "bytes_sent"
+#   - "downstream_local_address"
+#   - "downstream_remote_address"
+#   - "duration"
+#   - "method"
+#   - "path"
+#   - "protocol"
+#   - "request_id"
+#   - "requested_server_name"
+#   - "response_code"
+#   - "response_flags"
+#   - "uber_trace_id"
+#   - "upstream_cluster"
+#   - "upstream_host"
+#   - "upstream_local_address"
+#   - "upstream_service_time"
+#   - "user_agent"
+#   - "x_forwarded_for"

examples/contour/02-rbac.yaml → config/components/contour/contour-rbac.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@@ -10,8 +9,9 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: contour
-  namespace: projectcontour
+
 ---
+
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
@@ -58,7 +58,7 @@ rules:
   - get
   - list
   - watch
-  - patch 
+  - patch
   - post
   - update
 - apiGroups: ["contour.heptio.com"]
@@ -88,42 +88,3 @@ rules:
   - put
   - post
   - patch
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name: contour-leaderelection
-  namespace: projectcontour
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - update
-  - patch
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
-  name: contour-leaderelection
-  namespace: projectcontour
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: contour-leaderelection
-subjects:
-- kind: ServiceAccount
-  name: contour
-  namespace: projectcontour

examples/contour/03-contour.yaml → config/components/contour/deployment.yaml

@@ -1,11 +1,9 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: contour
   name: contour
-  namespace: projectcontour
 spec:
   replicas: 2
   strategy:

config/components/contour/election-rbac.yaml

@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: contour-leaderelection
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - update
+  - patch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: contour-leaderelection
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: contour-leaderelection
+subjects:
+- kind: ServiceAccount
+  name: contour

config/components/contour/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- serviceaccount.yaml
+- contour-rbac.yaml
+- election-rbac.yaml
+- deployment.yaml
+- service.yaml
+
+configMapGenerator:
+- name: contour
+  files:
+  - configs/contour.yaml
+
+images:
+- name: projectcontour/contour
+  newName: docker.io/projectcontour/contour
+  newTag: master

examples/contour/02-service-contour.yaml → config/components/contour/service.yaml

@@ -1,9 +1,7 @@
----
 apiVersion: v1
 kind: Service
 metadata:
   name: contour
-  namespace: projectcontour
 spec:
   ports:
   - port: 8001

config/components/contour/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: contour
+  namespace: projectcontour