deployment: move Contour deployment to Kustomize

Move the example deployment to Kustomize. This breaks the YAML documents
in the example deployment into 4 components located in `config/components`
- types, contour, envoy and certgen. These are all included in the default
deployments, but operators have the option of creating deployments that
dont't include all the components.

Deployments to various Kubernetes infrastructure are in the `deployment`
directory. The base deployment pulls in all the components and sets the
namespace to `projectcontour`. The `kind` deployment updates the Envoy
Daemonset to use a `NodePort` service, and the `aws` deployment enables
TCP load balancing with PROXY protocol support. No special options are
needed for `gke` as far as I know, but it is included for completeness.

The traditional quickstart YAML is now located at `config/quickstary.yaml`
and is just a rendering of the base deployment. The netlify redirect can't
be updated until after a release because it points to a release branch.

This updates projectcontour#855, projectcontour#1190, projectcontour#2088, projectcontour#2544.

Signed-off-by: James Peach <jpeach@vmware.com>

.travis.yml

@@ -38,7 +38,7 @@ jobs:
     - $HOME/bin/kind create cluster --wait 2m
     - $HOME/bin/kind load docker-image docker.io/projectcontour/contour:master
     - $HOME/bin/kind load docker-image docker.io/projectcontour/contour:latest
-    - $HOME/bin/kubectl apply -f examples/render/contour.yaml
+    - $HOME/bin/kustomize build config/deployments/kind | $HOME/bin/kubectl apply -f -
     - $HOME/bin/kubectl wait --timeout=2m -n projectcontour -l app=contour deployments --for=condition=Available
     - $HOME/bin/kubectl wait --timeout=2m -n projectcontour -l app=envoy pods --for=condition=Ready
     - $HOME/bin/kind delete cluster

examples/contour/README.md → config/README.md

@@ -1,13 +1,23 @@
 # Contour Installation
 
-This is an installation guide to configure Contour in a Deployment separate from Envoy which allows for easier scaling of each component.
+This directory contains Contour configuration suitable for use by itself, or with [kustomize](https://kustomize.io).
 
-This configuration has several advantages:
 
-1. Envoy runs as a daemonset which allows for distributed scaling across workers in the cluster
-2. Communication between Contour and Envoy is secured by mutually-checked self-signed certificates.
+## Components
 
-## Moving parts
+The [components](./components) directory contains the collaborating components
+of a Contour installation.
+
+1. [types](./types) contains the CRD types for the Contour API. If you have
+   Kuberenetes 1.6 or later, [types-v1](./types-v1) contains the same API types
+2. [contour](./contour) contains a deployment of the Contour service. This
+   service will be a xDS management server for an Envoy cluster.
+3. [envoy](./envoy) deploys an Envoy cluster as a Daemonset.
+4. [certgen](./certgen) deploys a Contour generation Job to generate TLS
+   certificates that will be used for the xDS session between Contour and
+   Envoy.
+
+Installing these components creates the following moving parts:
 
 - Contour is run as Deployment and Envoy as a Daemonset
 - Envoy runs on host networking
@@ -19,28 +29,32 @@ This configuration has several advantages:
 
 For detailed instructions on how to configure the required certs manually, see the [step-by-step TLS HOWTO](https://projectcontour.io/docs/master/grpc-tls-howto).
 
-## Deploy Contour
+## Deployments
 
-Either:
+The [deployments](./deployments) directory contains pre-configured
+deployments for a number of Kubernetes targets. These are largely
+similar. They all install all the Contour components into the
+`projectcontour` namespace and use `contour certgen` to create the xDS
+session certificates.
 
-1. Run `kubectl apply -f https://projectcontour.io/quickstart/contour.yaml`
+The [quickstart YAML](./quickstart.yaml) is the rendered result of the
+[base deployment](./deployments/base).
 
-or:
-Clone or fork the repository, then run:
+## Deploy Contour
+
+Either:
 
 ```bash
-kubectl apply -f examples/contour
+kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
 ```
 
-This will:
+or:
 
-- set up RBAC and Contour's CRDs (CRDs include IngressRoute, TLSCertificateDelegation, HTTPProxy)
-  * IngressRoute is deprecated and will be removed in a furture release.
-  * Users should start transitioning to HTTPProxy to ensure no disruptions in the future.
-- run a Kubernetes Job that will generate one-year validity certs and put them into `projectcontour`
-- Install Contour and Envoy in a Deployment and Daemonset respectively.
+Clone or fork the repository, and run:
 
-**NOTE**: The current configuration exposes the `/stats` path from the Envoy Admin UI so that Prometheus can scrape for metrics.
+```bash
+kustomize build config/deployments/base | kubectl apply -f -
+```
 
 ## Test
 

config/components/certgen/job.yaml

@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: contour-certgen
+spec:
+  ttlSecondsAfterFinished: 0
+  template:
+    metadata:
+      labels:
+        app: "contour-certgen"
+    spec:
+      containers:
+      - name: contour
+        image: projectcontour/contour
+        imagePullPolicy: Always
+        command:
+        - contour
+        - certgen
+        - --incluster
+        - --kube
+        - --namespace=$(CONTOUR_NAMESPACE)
+        env:
+        - name: CONTOUR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+      restartPolicy: Never
+      serviceAccountName: contour-certgen
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1

config/components/certgen/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- job.yaml
+- rbac.yaml
+- serviceaccount.yaml
+
+# This version is set to latest because Job specs are immutable;
+# if we change this on each version, you can no longer upgrade
+# just by applying the deployment YAML.
+#
+# See #2423, #2395, #2150, and #2030 for earlier questions about this.
+images:
+- name: projectcontour/contour
+  newName: docker.io/projectcontour/contour
+  newTag: master

config/components/certgen/rbac.yaml

@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: contour
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: contour-certgen
+subjects:
+- kind: ServiceAccount
+  name: contour-certgen
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: contour-certgen
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - watch
+  - create
+  - get
+  - put
+  - post
+  - patch

config/components/certgen/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: contour-certgen

config/components/contour/configs/contour.yaml

@@ -0,0 +1,56 @@
+# Whether contour should expect to be running inside a k8s cluster.
+# incluster: true
+
+# Path to kubeconfig (if not running inside a k8s cluster).
+# kubeconfig: /path/to/.kube/config
+
+# Client request timeout to be passed to Envoy
+# as the connection manager request_timeout.
+# Defaults to 0, which Envoy interprets as disabled.
+# Note that this is the timeout for the whole request,
+# not an idle timeout.
+# request-timeout: 0s
+
+# Whether to disable the HTTPProxy  permitInsecure field.
+disablePermitInsecure: false
+
+tls:
+#   minimum TLS version that Contour will negotiate
+#   minimum-protocol-version: "1.1"
+
+# The following config shows the defaults for the leader election.
+# leaderelection:
+#   configmap-name: leader-elect
+#   configmap-namespace: projectcontour
+
+# Logging options
+accesslog-format: envoy
+
+# To enable JSON logging in Envoy
+# accesslog-format: json
+# The default fields that will be logged are specified below.
+# To customize this list, just add or remove entries.
+# The canonical list is available at
+# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
+# json-fields:
+#   - "@timestamp"
+#   - "authority"
+#   - "bytes_received"
+#   - "bytes_sent"
+#   - "downstream_local_address"
+#   - "downstream_remote_address"
+#   - "duration"
+#   - "method"
+#   - "path"
+#   - "protocol"
+#   - "request_id"
+#   - "requested_server_name"
+#   - "response_code"
+#   - "response_flags"
+#   - "uber_trace_id"
+#   - "upstream_cluster"
+#   - "upstream_host"
+#   - "upstream_local_address"
+#   - "upstream_service_time"
+#   - "user_agent"
+#   - "x_forwarded_for"

examples/contour/02-rbac.yaml → config/components/contour/contour-rbac.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@@ -10,8 +9,9 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: contour
-  namespace: projectcontour
+
 ---
+
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
@@ -58,7 +58,7 @@ rules:
   - get
   - list
   - watch
-  - patch 
+  - patch
   - post
   - update
 - apiGroups: ["contour.heptio.com"]
@@ -88,42 +88,3 @@ rules:
   - put
   - post
   - patch
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name: contour-leaderelection
-  namespace: projectcontour
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - update
-  - patch
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
-  name: contour-leaderelection
-  namespace: projectcontour
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: contour-leaderelection
-subjects:
-- kind: ServiceAccount
-  name: contour
-  namespace: projectcontour

examples/contour/03-contour.yaml → config/components/contour/deployment.yaml

@@ -1,11 +1,9 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: contour
   name: contour
-  namespace: projectcontour
 spec:
   replicas: 2
   strategy:

config/components/contour/election-rbac.yaml

@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: contour-leaderelection
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - update
+  - patch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: contour-leaderelection
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: contour-leaderelection
+subjects:
+- kind: ServiceAccount
+  name: contour

config/components/contour/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- serviceaccount.yaml
+- contour-rbac.yaml
+- election-rbac.yaml
+- deployment.yaml
+- service.yaml
+
+configMapGenerator:
+- name: contour
+  files:
+  - configs/contour.yaml
+
+images:
+- name: projectcontour/contour
+  newName: docker.io/projectcontour/contour
+  newTag: master

examples/contour/02-service-contour.yaml → config/components/contour/service.yaml

@@ -1,9 +1,7 @@
----
 apiVersion: v1
 kind: Service
 metadata:
   name: contour
-  namespace: projectcontour
 spec:
   ports:
   - port: 8001

config/components/contour/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: contour
+  namespace: projectcontour