From a52884a3111ae6ff52425e60e8cabc4d57fcf301 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Behmo?=
Date: Sat, 25 Apr 2020 22:32:57 +0200
Subject: [PATCH] Remove ingress/issuer from default k8s deployment

There are too many different ways to deploy an Ingress resource and to generate SSL/TLS certificates: it's too much responsibility to make that decision for the end user.
---
 CHANGELOG.md | 1 +
 docs/k8s.rst | 10 +++++++++-
 tutor/commands/k8s.py | 5 ++---
 tutor/templates/k8s/ingress.yml | 9 +++++++--
 tutor/templates/kustomization.yml | 1 -
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34a47a0..fba59d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".
 
 ## Unreleased
 
+- 💥[Improvement] Do not deploy an ingress or SSL/TLS certificate issuer ressource by default in Kubernetes
 - [Improvement] Fix tls certificate generation in k8s
 - [Improvement] Radically change the way jobs are run: we no longer "exec", but instead run a dedicated container.
 - [Improvement] Upgrade k8s certificate issuer to cert-manager.io/v1alpha2
diff --git a/docs/k8s.rst b/docs/k8s.rst
index 3affbf2..a84bb5e 100644
--- a/docs/k8s.rst
+++ b/docs/k8s.rst
@@ -5,7 +5,9 @@ Kubernetes deployment
 
 With the same docker images we created for :ref:`single server deployment ` and :ref:`local development `, we can launch an Open edX platform on Kubernetes. Always in 1 click, of course :)
 
-A word of warning: managing a Kubernetes platform is a fairly advanced endeavour. In this documentation, we assume familiarity with Kubernetes. Running an Open edX platform with Tutor on a single server or in a Kubernetes cluster are two very different things. The local Open edX install was designed such that users with no prior experience with system administration could still launch an Open edX platform. It is *not* the case for the installation method outlined here. You have been warned :)
+A word of warning: managing a Kubernetes platform is a fairly advanced endeavour. In this documentation, we assume familiarity with Kubernetes. Running an Open edX platform with Tutor on a single server or in a Kubernetes cluster are two very different things. The local Open edX install was designed such that users with no prior experience with system administration could still launch an Open edX platform. It is *not* the case for the installation method outlined here.
+
+Consider yourself warned :)
 
 Requirements
 ------------
@@ -35,6 +37,12 @@ In order to access your platform, you will have to setup an Ingress controller.
 See the `official instructions `_ for more details.
 
 
+
+.. warning::
+   By default, Tutor does *not* launch an Ingress resource or TLS/SSL certificate issuer for you. There are many different ways to create an Ingress resource and issue certificates in a Kubernetes cluster, and it's not the responsibility of Tutor to make this decision. However, Tutor comes with a ready-to-run configuration for an Nginx-based Ingress ressource and a `cert-manager `__ Issuer that delivers `Let's Encrypt `__ certificates. You may examine the configuration in ``$(tutor config printroot)/env/k8s/ingress.yml``. If you are happy with this configuration, you may apply it with::
+
+      kubectl apply -k $(tutor config printroot)/env --selector="app.kubernetes.io/component in (ingress, issuer)"
+
 On Minikube, run::
 
     minikube addons enable ingress
diff --git a/tutor/commands/k8s.py b/tutor/commands/k8s.py
index b837d19..089cb25 100644
--- a/tutor/commands/k8s.py
+++ b/tutor/commands/k8s.py
@@ -52,7 +52,6 @@ def start(context):
         "app.kubernetes.io/component=namespace",
     )
     # Create volumes
-    # TODO: instead, we should use StatefulSets
     utils.kubectl(
         "apply",
         "--kustomize",
@@ -61,13 +60,13 @@ def start(context):
         "--selector",
         "app.kubernetes.io/component=volume",
     )
-    # Create everything else except jobs
+    # Create everything else except jobs, ingress and issuer
     utils.kubectl(
         "apply",
         "--kustomize",
         tutor_env.pathjoin(context.root),
         "--selector",
-        "app.kubernetes.io/component!=job",
+        "app.kubernetes.io/component notin (job, ingress, issuer)",
     )
 
 
diff --git a/tutor/templates/k8s/ingress.yml b/tutor/templates/k8s/ingress.yml
index 245605a..e990f8a 100644
--- a/tutor/templates/k8s/ingress.yml
+++ b/tutor/templates/k8s/ingress.yml
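Review bot: The selector `"app.kubernetes.io/component notin (job, ingress, issuer)"` stops `start` from touching an Ingress or Issuer that an earlier release already created in the cluster, and since `kubectl apply` is run here without `--prune` those objects are neither removed nor updated afterwards; a later change to LMS_HOST or to the certificate settings will presumably not reach an existing Ingress until the operator re-applies it with the inverse selector. The comment on the line above could say so: `# Create everything else except jobs, ingress and issuer (an ingress/issuer applied by an earlier version is neither pruned nor updated here)`. The same selector is repeated as its inverse in docs/k8s.rst, so a module-level constant listing the excluded components would keep the two in step. As with the previous `!=job`, `notin` also matches resources that carry no component label at all, so unlabelled manifests are still applied. The enclosing `start` command begins before this hunk.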
@@ -1,10 +1,16 @@
 ---{% set hosts = [LMS_HOST, "preview." + LMS_HOST, CMS_HOST] %}
+# This is an nginx-based Ingress object that relies on a letsencrypt Issuer for SSL
+# termination. By default, this ingress and issuer are *not* deployed to the Kubernetes
+# cluster when running "quickstart". This is because there exist many different
+# ingress/issuer combinations and it should not be Tutor's job to choose which one you
+# should use.
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
   name: web
   labels:
     app.kubernetes.io/name: web
+    app.kubernetes.io/component: ingress
   annotations:
     kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/proxy-body-size: 1000m
@@ -26,8 +32,6 @@ spec:
       {% for host in hosts %}
       - {{ host }}{% endfor %}
       {{ patch("k8s-ingress-tls-hosts")|indent(6) }}
-      # TODO maybe we should not take care of generating certificates ourselves
-      # and here just point to a tls secret
       secretName: letsencrypt
   {%endif%}
 {% if ACTIVATE_HTTPS %}
@@ -38,6 +42,7 @@ metadata:
   name: letsencrypt
   labels:
     app.kubernetes.io/name: letsencrypt
+    app.kubernetes.io/component: issuer
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory
diff --git a/tutor/templates/kustomization.yml b/tutor/templates/kustomization.yml
index 8a5048b..5434e04 100644
--- a/tutor/templates/kustomization.yml
+++ b/tutor/templates/kustomization.yml
@@ -4,7 +4,6 @@ kind: Kustomization
 resources:
 - k8s/namespace.yml
 - k8s/deployments.yml
-# TODO maybe we should not take care of ingress stuff and let the administrator do it
 - k8s/ingress.yml
 - k8s/jobs.yml
 - k8s/services.yml
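Review bot: The new header comment explains why the Ingress and Issuer are skipped by default but not what a replacement Ingress or certificate setup still has to satisfy: the `tls` block in the second hunk keeps `secretName: letsencrypt`, so an operator who applies only this Ingress, or who swaps in their own Issuer, is left with a TLS reference to a secret that nothing creates unless the name matches. The TODO removed in that hunk was the only hint of this; a closing line such as `# The tls section references a secret named "letsencrypt": deploy the Issuer below together with this Ingress, or provide that secret yourself.` would preserve it. The comment also attributes the skipping to "quickstart", while the filter that actually excludes these components is the selector in the `start` command in tutor/commands/k8s.py, so naming `tutor k8s start` (which quickstart presumably calls) keeps the reference accurate if quickstart changes.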