[stable/ambassador] Major upgrades to Ambassador Pro (helm#16904)
* Upgrade Ambassador Pro to 0.7.0

- Ambassador Pro 0.7.0 introduces Ambassador certified builds that
  require
  - A license key
  - Use an image from the quay.io/datawire/ambassador_pro repository
- templates/deployment.yaml has been formatted in a backwards compatible
  way so all Ambassador Pro images before 0.7.0 will still use
  Ambassador OSS repo.

Signed-off-by: Noah Krause <krausenoah@gmail.com>

* Store license key in k8s secret by default

Signed-off-by: Noah Krause <krausenoah@gmail.com>

* Add deprecation warning for using prom exporter

Signed-off-by: Noah Krause <noahkrause@Noahs-MacBook-Pro.local>

* Major upgrades to Ambassador Pro installation

- Introduces the performance tuned and certified build of open source Ambassador, Ambassador core
- The license key is now stored and read from a Kubernetes secret by default
- Added `.Values.pro.licenseKey.secret.enabled` and `.Values.pro.licenseKey.secret.create` fields to allow multiple releases in the same namespace to use the same license key secret.
- Introduces the ability to configure resource limits for both Ambassador Pro and its redis instance
- Introduces the ability to configure additional `AuthService` options (see [AuthService documentation](https://www.getambassador.io/reference/services/auth-service/))
- The ambassador-pro-auth `AuthService` and ambassador-pro-ratelimit `RateLimitService` are now created as CRDs when `.Values.crds.enabled: true`
- Fixed misnamed selector for redis instance that failed in an edge case

Signed-off-by: Noah Krause <noahkrause@Noahs-MacBook-Pro.local>

* Expose annotations for redis deploy

Signed-off-by: Noah Krause <noahkrause@Noahs-MacBook-Pro.local>

* Minor updates to changelog and readme

Signed-off-by: Noah Krause <noahkrause@Noahs-MacBook-Pro.local>

* Whitespace cleanup

Signed-off-by: Noah Krause <noahkrause@Noahs-MacBook-Pro.local>

* Fix type error

Signed-off-by: Noah Krause <noahkrause@Noahs-MacBook-Pro.local>
iNoahNothing authored and Ram Sri committed Sep 30, 2019
1 parent 7c8b550 commit ba4a95b
Showing 9 changed files with 264 additions and 58 deletions.
16 changes: 16 additions & 0 deletions stable/ambassador/CHANGELOG.md
Expand Up @@ -3,6 +3,22 @@
This file documents all notable changes to Ambassador Helm Chart. The release
numbering uses [semantic versioning](http://semver.org).

## v4.0.0

### Breaking Changes

- Introduces the performance tuned and certified build of open source Ambassador, Ambassador core
- The license key is now stored and read from a Kubernetes secret by default
- Added `.Values.pro.licenseKey.secret.enabled` `.Values.pro.licenseKey.secret.create` fields to allow multiple releases in the same namespace to use the same license key secret.

### Minor Changes

- Introduces the ability to configure resource limits for both Ambassador Pro and it's redis instance
- Introduces the ability to configure additional `AuthService` options (see [AuthService documentation](https://www.getambassador.io/reference/services/auth-service/))
- The ambassador-pro-auth `AuthService` and ambassador-pro-ratelimit `RateLimitService` and now created as CRDs when `.Values.crds.enabled: true`
- Fixed misnamed selector for redis instance that failed in an edge case
- Exposes annotations for redis deployment and service

## v3.0.0

### Breaking Changes
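Review bot: The "Breaking Changes" list under `## v4.0.0` leaves out the two changes that actually force edits to an existing values file: the `pro.image.tag` format change (`amb-sidecar-0.6.0` to `0.7.0`) and `pro.licenseKey.secret` turning from a boolean into a map. The README upgrade notes in this same commit describe both as breaking, while the third bullet here only says the fields were "Added". Suggest listing both explicitly. Under "Minor Changes", "it's redis instance" should be "its", and "and now created as CRDs" should be "are now created as CRDs".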
Expand Down
2 changes: 1 addition & 1 deletion stable/ambassador/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
appVersion: 0.78.0
description: A Helm chart for Datawire Ambassador
name: ambassador
version: 3.3.4
version: 4.0.0
icon: https://www.getambassador.io/images/logo.png
home: https://www.getambassador.io/
sources:
Expand Down
69 changes: 62 additions & 7 deletions stable/ambassador/README.md
Expand Up @@ -70,11 +70,6 @@ The following tables lists the configurable parameters of the Ambassador chart a
| `deploymentAnnotations` | Additional annotations for ambassador DaemonSet/Deployment | `{}` |
| `podLabels` | Additional labels for ambassador pods | |
| `priorityClassName` | The name of the priorityClass for the ambassador DaemonSet/Deployment | `""` |
| `prometheusExporter.enabled` | Prometheus exporter side-car enabled | `false` |
| `prometheusExporter.pullPolicy` | Image pull policy | `IfNotPresent` |
| `prometheusExporter.repository` | Prometheus exporter image | `prom/statsd-exporter` |
| `prometheusExporter.tag` | Prometheus exporter image | `v0.8.1` |
| `prometheusExporter.resources` | CPU/memory resource requests/limits | `{}` |
| `rbac.create` | If `true`, create and use RBAC resources | `true` |
| `rbac.podSecurityPolicies` | pod security polices to bind to | |
| `replicaCount` | Number of Ambassador replicas | `3` |
Expand All @@ -93,17 +88,30 @@ The following tables lists the configurable parameters of the Ambassador chart a
| `volumes` | Volumes for the ambassador service | `[]` |
| `pro.enabled` | Installs the Ambassador Pro container as a sidecar to Ambassador | `false` |
| `pro.image.repository` | Ambassador Pro image | `quay.io/datawire/ambassador_pro` |
| `pro.image.tag` | Ambassador Pro image tag | `amb-sidecar-0.6.0` |
| `pro.image.tag` | Ambassador Pro image tag | `0.7.0` |
| `pro.ports.auth` | Ambassador Pro authentication port | `8500` |
| `pro.ports.ratelimit` | Ambassador Pro ratelimit port | `8500` |
| `pro.logLevel` | Log level for Ambassador Pro | `"info"` |
| `pro.licenseKey.value` | License key for Ambassador Pro | "" |
| `pro.licenseKey.secret` | Stores the license key as a base64-encoded string in a Kubernetes secret | `false` |
| `pro.licenseKey.secret.enabled` | Reads the license key as a base64-encoded string in a Kubernetes secret | `true` |
| `pro.licenseKey.secret.create` | Stores the license key as a base64-encoded string in a Kubernetes secret | `true` |
| `pro.env` | Set additional environment variables for Ambassador Pro. (See below) | `{}` |
| `pro.resources` | Set resource requests and limits from Ambassador Pro | `{}` |
| `pro.authService.enabled` | Enables the Ambassador Pro authentication service | `true` |
| `pro.authService.optional_configurations` | Exposes [additional configuration options](https://www.getambassador.io/reference/services/auth-service/) for the `AuthService` | `""` |
| `pro.rateLimit.enabled` | Enables the Ambassador Pro rate limit service | `true` |
| `pro.rateLimit.redis.annotations.deployment` | Annotations for the redis deployment | `{}` |
| `pro.rateLimit.redis.annotations.service` | Annotations for the redis service | `{}` |
| `pro.rateLimit.redis.resources` | Set resource requests and limits for the rate limit service's redis instance | `{}` |
| `autoscaling.enabled` | If true, creates Horizontal Pod Autoscaler | `false` |
| `autoscaling.minReplica` | If autoscaling enabled, this field sets minimum replica count | `2` |
| `autoscaling.maxReplica` | If autoscaling enabled, this field sets maximum replica count | `5` |
| `autoscaling.metrics` | If autoscaling enabled, configure hpa metrics | |
| `prometheusExporter.enabled` | DEPRECATED: Prometheus exporter side-car enabled | `false` |
| `prometheusExporter.pullPolicy` | DEPRECATED: Image pull policy | `IfNotPresent` |
| `prometheusExporter.repository` | DEPRECATED: Prometheus exporter image | `prom/statsd-exporter` |
| `prometheusExporter.tag` | DEPRECATED: Prometheus exporter image | `v0.8.1` |
| `prometheusExporter.resources` | DEPRECATED: CPU/memory resource requests/limits | `{}` |

**NOTE:** Make sure the configured `service.http.targetPort` and `service.https.targetPort` ports match your [Ambassador Module's](https://www.getambassador.io/reference/modules/#the-ambassador-module) `service_port` and `redirect_cleartext_from` configurations.
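Review bot: The `pro.licenseKey.secret.enabled` and `pro.licenseKey.secret.create` rows do not say which Secret (name and key) is read when `enabled` is `true` and `create` is `false`, which is exactly the shared-secret case these fields were added for; please document the expected Secret name. Both descriptions lean on "base64-encoded", which is an encoding and not protection, so it is worth stating that `pro.licenseKey.value` still carries the key in plain text wherever the values are supplied. Separately, `pro.authService.optional_configurations` is listed with default `""` although the templates render it with `toYaml` as a block of keys; `{}` would describe it better.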

Expand All @@ -113,6 +121,12 @@ Ambassador configuration is done through annotations on Kubernetes services or C

If you intend to use `service.annotations`, remember to include the `getambassador.io/config` annotation key as above.

### Prometheus Metrics

Using the Prometheus Exporter has been deprecated and is no longer recommended.

Please see Ambassador's [monitoring with Prometheus](https://www.getambassador.io/user-guide/monitoring/) docs for more information on using the `/metrics` endpoint for metrics collection.

### Ambassador Pro

Setting `pro.enabled: true` will install Ambassador Pro as a sidecar to Ambassador with the required CRDs and redis instance.
Expand Down Expand Up @@ -163,6 +177,47 @@ $ helm upgrade --install --wait my-release -f values.yaml stable/ambassador

# Upgrading

## To 4.0.0

The 4.0.0 chart contains a number of changes to the way Ambassador Pro is installed.

- Introduces the performance tuned and certified build of open source Ambassador, Ambassador core
- The license key is now stored and read from a Kubernetes secret by default
- Added `.Values.pro.licenseKey.secret.enabled` `.Values.pro.licenseKey.secret.create` fields to allow multiple releases in the same namespace to use the same license key secret.
- Introduces the ability to configure resource limits for both Ambassador Pro and it's redis instance
- Introduces the ability to configure additional `AuthService` options (see [AuthService documentation](https://www.getambassador.io/reference/services/auth-service/))
- The ambassador-pro-auth `AuthService` and ambassador-pro-ratelimit `RateLimitService` and now created as CRDs when `.Values.crds.enabled: true`
- Fixed misnamed selector for redis instance that failed in an edge case
- Exposes annotations for redis deployment and service

### Breaking changes

The value of `.Values.pro.image.tag` has been shortened to assume `amb-sidecar` (and `amb-core` for Ambassador core)
`values.yaml`
```diff
<3.0.0>
image:
repository: quay.io/datawire/ambassador_pro
- tag: amb-sidecar-0.6.0

<4.0.0+>
image:
repository: quay.io/datawire/ambassador_pro
+ tag: 0.7.0
```

Method for creating a Kubernetes secret to hold the license key has been changed

`values.yaml`
```diff
<3.0.0>
- secret: false
<4.0.0>
+ secret:
+ enabled: true
+ create: true
```

## To 3.0.0

### Service Ports
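Review bot: The version markers in the two `diff` examples under "Breaking changes" are inconsistent: the first uses `<3.0.0>` and `<4.0.0+>`, the second `<3.0.0>` and `<4.0.0>`, and `<3.0.0>` reads as a single release rather than the 3.x line people are upgrading from. The second example also shows a bare `secret:` key without its `pro.licenseKey` parent, so the full path should be spelled out. It would help to add what an upgrader who had `secret: false` should set to keep the old behaviour, since the new defaults are `enabled: true` and `create: true`. The bullet list repeats the "it's redis instance" and "and now created as CRDs" typos from the changelog.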
Expand Down
@@ -1,4 +1,4 @@
{{- if .Values.pro.licenseKey.secret -}}
{{- if and .Values.pro.enabled .Values.pro.licenseKey.secret.create -}}
apiVersion: v1
kind: Secret
metadata:
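Review bot: The new guard `if and .Values.pro.enabled .Values.pro.licenseKey.secret.create` dereferences `.secret.create`, so a values file carried over from 3.x that still sets `secret: false` or `secret: true` hands the template a boolean where it now expects a map. Suggest a `kindIs "map"` check with a `fail` message that points at the upgrade notes. The guard also does not check that `pro.licenseKey.value` is set (the README lists its default as `""`), so if the body renders that value, `create: true` with no key produces an empty Secret; wrapping the value in `required` would fail the render instead.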
Expand Down
14 changes: 10 additions & 4 deletions stable/ambassador/templates/ambassador-pro-redis.yaml
Expand Up @@ -4,11 +4,13 @@ kind: Service
metadata:
name: {{ include "ambassador.fullname" . }}-pro-redis
labels:
app.kubernetes.io/name: {{ include "ambassador.name" . }}-pro-redis
app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-pro-redis
app.kubernetes.io/part-of: {{ .Release.Name }}
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{- toYaml .Values.pro.rateLimit.redis.annotations.service | nindent 4}}
spec:
type: ClusterIP
ports:
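Review bot: `app.kubernetes.io/name` on the Service metadata switches from `ambassador.name` to `ambassador.fullname`, but the Service's `spec.selector` falls outside the visible lines; please confirm it uses the same `fullname` value as the pod template labels changed further down, otherwise the Service selects no redis pods. The `annotations:` key is emitted unconditionally and renders `{}` with the default value; wrapping it in `{{- with .Values.pro.rateLimit.redis.annotations.service }}` keeps the manifest clean when nothing is set.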
Expand All @@ -23,25 +25,29 @@ kind: Deployment
metadata:
name: {{ include "ambassador.fullname" . }}-pro-redis
labels:
app.kubernetes.io/name: {{ include "ambassador.name" . }}-pro-redis
app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-pro-redis
app.kubernetes.io/part-of: {{ .Release.Name }}
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{- toYaml .Values.pro.rateLimit.redis.annotations.deployment | nindent 4}}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: {{ include "ambassador.name" . }}-pro-redis
app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-pro-redis
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "ambassador.name" . }}-pro-redis
app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-pro-redis
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
containers:
- name: redis
image: redis:5.0.1
restartPolicy: Always
resources:
{{- toYaml .Values.pro.rateLimit.redis.resources | nindent 8 }}
{{- end -}}
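Review bot: The change to `spec.selector.matchLabels` (`app.kubernetes.io/name` moving from `ambassador.name` to `ambassador.fullname`) is not called out as an upgrade step. A Deployment's selector is immutable under `apps/v1`, so `helm upgrade` of an existing release with Pro enabled can be rejected until the old redis Deployment is deleted; suggest adding that to the 4.0.0 upgrade section. Separately, the container spec visible here is `image: redis:5.0.1` with no authentication arguments and no `securityContext`, behind a ClusterIP Service, so any pod in the cluster can reach the rate-limit store. Exposing a password option or shipping a NetworkPolicy alongside would narrow that.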
61 changes: 54 additions & 7 deletions stable/ambassador/templates/ambassador-pro-service.yaml
@@ -1,4 +1,46 @@
{{- if .Values.pro.enabled -}}
{{- if .Values.pro.enabled }}
{{- if .Values.crds.enabled }}
{{- if .Values.pro.authService.enabled }}
---
apiVersion: getambassador.io/v1
kind: AuthService
metadata:
name: ambassador-pro-auth
spec:
proto: grpc
{{- if hasKey .Values.env "AMBASSADOR_ID" }}
ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }}
{{- end }}
auth_service: 127.0.0.1:{{ .Values.pro.ports.auth }}
{{- if .Values.pro.authService.optional_configurations }}
{{- toYaml .Values.pro.authService.optional_configurations | nindent 2}}
{{- end }}
---
apiVersion: getambassador.io/v1
kind: Mapping
metadata:
name: callback-mapping
spec:
{{- if hasKey .Values.env "AMBASSADOR_ID" }}
ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }}
{{- end }}
prefix: /callback
service: NoTaReAlSeRvIcE
{{- end -}}
{{- if .Values.pro.rateLimit.enabled }}
---
apiVersion: getambassador.io/v1
kind: RateLimitService
metadata:
name: ambassador-pro-ratelimit
spec:
{{- if hasKey .Values.env "AMBASSADOR_ID" }}
ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }}
{{- end }}
service: 127.0.0.1:{{ .Values.pro.ports.ratelimit }}
{{- end }}
{{- else }}
---
apiVersion: v1
kind: Service
metadata:
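Review bot: The CRD-branch resources use fixed names (`ambassador-pro-auth`, `callback-mapping`, `ambassador-pro-ratelimit`) with no release prefix and no labels, so two releases in one namespace, the case the new `secret.create` flag is meant to support, would collide on these objects. Suggest deriving the names from `ambassador.fullname` and adding the same `app.kubernetes.io/*` labels the other templates carry. Also, `optional_configurations` is spliced into `spec` after `proto` and `auth_service`, so a user value that repeats either key yields duplicate keys in the rendered resource; the README should say which keys are reserved.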
Expand All @@ -12,36 +54,41 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
getambassador.io/config: |
{{- if .Values.pro.authService.enabled }}
---
apiVersion: ambassador/v1
kind: AuthService
name: ambassador-pro-auth
proto: grpc
auth_service: 127.0.0.1:{{ .Values.pro.ports.auth }}
allow_request_body: false # setting this to 'true' allows Plugin and External filters to access the body, but has performance overhead
{{- if hasKey .Values.env "AMBASSADOR_ID" }}
ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }}
{{- end }}
auth_service: 127.0.0.1:{{ .Values.pro.ports.auth }}
{{- toYaml .Values.pro.authService.optional_configurations | nindent 6}}
---
# This mapping needs to exist, but is never actually followed.
apiVersion: ambassador/v1
kind: Mapping
name: callback_mapping
prefix: /callback
service: NoTaReAlSeRvIcE
{{- if hasKey .Values.env "AMBASSADOR_ID" }}
ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }}
{{- end }}
prefix: /callback
service: NoTaReAlSeRvIcE
{{- end }}
{{- if .Values.pro.rateLimit.enabled }}
---
apiVersion: ambassador/v1
kind: RateLimitService
name: ambassador-pro-ratelimit
service: 127.0.0.1:{{ .Values.pro.ports.ratelimit }}
{{- if hasKey .Values.env "AMBASSADOR_ID" }}
ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }}
{{- end }}
service: 127.0.0.1:{{ .Values.pro.ports.ratelimit }}
{{- end }}
spec:
ports:
- name: ratelimit-grpc
port: 80
{{- end -}}
# {{- end }}
{{- end }}
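Review bot: In the annotation branch, `toYaml .Values.pro.authService.optional_configurations | nindent 6` is emitted without the `if` guard that the CRD branch uses, so with the documented default `""` it writes a stray `""` line into the `getambassador.io/config` document; wrap it in the same `if`. The `allow_request_body: false` line in this hunk has no counterpart in the CRD branch, so the two install paths can differ in whether filters see request bodies; set it in both or document that it has to come from `optional_configurations`. Near the end, `# {{- end }}` is still executed by the template engine despite the leading `#`, and it appears to be what closes the `crds.enabled` block; drop the `#` so it is not mistaken for dead code and removed later.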
30 changes: 20 additions & 10 deletions stable/ambassador/templates/crds.yaml
Expand Up @@ -10,8 +10,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
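Review bot: Adding `"helm.sh/hook": crd-install` to the CRD annotations changes lifecycle as well as install order, and nothing in the README says so. Resources created by a Helm hook are not tracked as part of the release, so later chart upgrades will not update these CRD definitions and deleting the release will not remove them, which also makes the `crds.keep` / `"helm.sh/resource-policy": keep` toggle largely redundant. Please document this, including how operators should roll out CRD schema changes. The same comment applies to every repeated hunk in this file. As a style point, `{{ if .Values.crds.keep }}` and `{{ end }}` without `-` trimming leave blank lines inside the `annotations:` block; `{{- if` and `{{- end }}` would tidy that.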
Expand All @@ -37,8 +38,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand All @@ -64,8 +66,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand All @@ -91,8 +94,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand All @@ -118,8 +122,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand All @@ -145,8 +150,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand All @@ -172,8 +178,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand All @@ -199,8 +206,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand All @@ -226,8 +234,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand All @@ -252,8 +261,9 @@ metadata:
helm.sh/chart: {{ include "ambassador.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ if .Values.crds.keep }}
annotations:
"helm.sh/hook": crd-install
{{ if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{ end }}
spec:
Expand Down