Remove ingress/issuer from default k8s deployment

There are too many different ways to deploy an Ingress resource and to
generate SSL/TLS certificates: it's too much responsibility to make that
decision for the end user.

CHANGELOG.md

@@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".
 
 ## Unreleased
 
+- 💥[Improvement] Do not deploy an ingress or SSL/TLS certificate issuer ressource by default in Kubernetes
 - [Improvement] Fix tls certificate generation in k8s
 - [Improvement] Radically change the way jobs are run: we no longer "exec", but instead run a dedicated container.
 - [Improvement] Upgrade k8s certificate issuer to cert-manager.io/v1alpha2

docs/k8s.rst

@@ -5,7 +5,9 @@ Kubernetes deployment
 
 With the same docker images we created for :ref:`single server deployment <local>` and :ref:`local development <development>`, we can launch an Open edX platform on Kubernetes. Always in 1 click, of course :)
 
-A word of warning: managing a Kubernetes platform is a fairly advanced endeavour. In this documentation, we assume familiarity with Kubernetes. Running an Open edX platform with Tutor on a single server or in a Kubernetes cluster are two very different things. The local Open edX install was designed such that users with no prior experience with system administration could still launch an Open edX platform. It is *not* the case for the installation method outlined here. You have been warned :)
+A word of warning: managing a Kubernetes platform is a fairly advanced endeavour. In this documentation, we assume familiarity with Kubernetes. Running an Open edX platform with Tutor on a single server or in a Kubernetes cluster are two very different things. The local Open edX install was designed such that users with no prior experience with system administration could still launch an Open edX platform. It is *not* the case for the installation method outlined here.
+
+Consider yourself warned :)
 
 Requirements
 ------------
@@ -35,6 +37,12 @@ In order to access your platform, you will have to setup an Ingress controller.
 
 See the `official instructions <https://kubernetes.github.io/ingress-nginx/deploy/>`_ for more details.
 
+
+.. warning::
+    By default, Tutor does *not* launch an Ingress resource or TLS/SSL certificate issuer for you. There are many different ways to create an Ingress resource and issue certificates in a Kubernetes cluster, and it's not the responsibility of Tutor to make this decision. However, Tutor comes with a ready-to-run configuration for an Nginx-based Ingress ressource and a `cert-manager <https://cert-manager.io/docs/>`__ Issuer that delivers `Let's Encrypt <https://letsencrypt.org/>`__ certificates. You may examine the configuration in ``$(tutor config printroot)/env/k8s/ingress.yml``. If you are happy with this configuration, you may apply it with::
+        
+        kubectl apply -k $(tutor config printroot)/env --selector="app.kubernetes.io/component in (ingress, issuer)"
+
 On Minikube, run::
   
     minikube addons enable ingress

tutor/commands/k8s.py

@@ -52,7 +52,6 @@ def start(context):
         "app.kubernetes.io/component=namespace",
     )
     # Create volumes
-    # TODO: instead, we should use StatefulSets
     utils.kubectl(
         "apply",
         "--kustomize",
@@ -61,13 +60,13 @@ def start(context):
         "--selector",
         "app.kubernetes.io/component=volume",
     )
-    # Create everything else except jobs
+    # Create everything else except jobs, ingress and issuer
     utils.kubectl(
         "apply",
         "--kustomize",
         tutor_env.pathjoin(context.root),
         "--selector",
-        "app.kubernetes.io/component!=job",
+        "app.kubernetes.io/component notin (job, ingress, issuer)",
     )
 
 

tutor/templates/k8s/ingress.yml

@@ -1,10 +1,16 @@
 ---{% set hosts = [LMS_HOST, "preview." + LMS_HOST, CMS_HOST] %}
+# This is an nginx-based Ingress object that relies on a letsencrypt Issuer for SSL
+# termination. By default, this ingress and issuer are *not* deployed to the Kubernetes
+# cluster when running "quickstart". This is because there exist many different
+# ingress/issuer combinations and it should not be Tutor's job to choose which one you
+# should use.
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
   name: web
   labels:
     app.kubernetes.io/name: web
+    app.kubernetes.io/component: ingress
   annotations:
     kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/proxy-body-size: 1000m
@@ -26,8 +32,6 @@ spec:
       {% for host in hosts %}
       - {{ host }}{% endfor %}
       {{ patch("k8s-ingress-tls-hosts")|indent(6) }}
-    # TODO maybe we should not take care of generating certificates ourselves
-    # and here just point to a tls secret
     secretName: letsencrypt
   {%endif%}
 {% if ACTIVATE_HTTPS %}
@@ -38,6 +42,7 @@ metadata:
   name: letsencrypt
   labels:
     app.kubernetes.io/name: letsencrypt
+    app.kubernetes.io/component: issuer
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory

tutor/templates/kustomization.yml

@@ -4,7 +4,6 @@ kind: Kustomization
 resources:
 - k8s/namespace.yml
 - k8s/deployments.yml
-# TODO maybe we should not take care of ingress stuff and let the administrator do it
 - k8s/ingress.yml
 - k8s/jobs.yml
 - k8s/services.yml