Add installation manifests, and helm chart (#14)

* Add OWNERS

* Add OWNERS

* Create charts

* Regenerate static manifests

* Implement suggestions

* Fix crd-init name

* Expand RBAC

* Expand readme

Makefile

@@ -42,15 +42,15 @@ ci-release: build build-image push-image
 clean:
 	rm -rf bin
 
-.PHONY: path-to-referenced-charts
-path-to-referenced-charts:
-	@echo "resources/core"
-
 # Install CRDs into a cluster
 install: manifests
 	kustomize build config/crd | kubectl apply -f -
 	@if ! kubectl get crd virtualservices.networking.istio.io > /dev/null 2>&1 ; then kubectl apply -f hack/networking.istio.io_virtualservice.yaml; fi;
 
+# Generate static installation files
+static: manifests
+	kustomize build config/default -o install/k8s
+
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: manifests
 	kustomize build config/default | kubectl apply -f -

config/default/kustomization.yaml

@@ -33,6 +33,7 @@ patchesStrategicMerge:
   # Only one of manager_auth_proxy_patch.yaml and
   # manager_prometheus_metrics_patch.yaml should be enabled.
 #- manager_prometheus_metrics_patch.yaml
+- manager_sa_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 #- manager_webhook_patch.yaml

config/default/manager_image_patch.yaml

@@ -7,6 +7,6 @@ spec:
   template:
     spec:
       containers:
-      - image: api-gateway-controller:latest
+      - image: eu.gcr.io/kyma-project/incubator/develop/api-gateway-controller:1669a1f9
         name: manager
         imagePullPolicy: IfNotPresent

config/default/manager_sa_patch.yaml

@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      serviceAccountName: api-gateway-sa

config/rbac/kustomization.yaml

@@ -3,9 +3,13 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- service_account.yaml
 # Comment the following 3 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
+# - auth_proxy_service.yaml
+# - auth_proxy_role.yaml
+# - auth_proxy_role_binding.yaml
+
+patchesStrategicMerge:
+- patches/role_vs_patch.yaml

config/rbac/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
-  namespace: system
+  name: api-gateway-api-gateway-sa
+  namespace: api-gateway-system

config/rbac/patches/role_vs_patch.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+  - apiGroups: ["gateway.kyma-project.io"]
+    resources: ["gates", "gates/status"]
+    verbs: ["*"]
+  - apiGroups: ["networking.istio.io"]
+    resources: ["virtualservices"]
+    verbs: ["create", "delete", "get", "patch", "list", "watch"]

config/rbac/role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
-  namespace: system
+  name: api-gateway-api-gateway-sa
+  namespace: api-gateway-system

config/rbac/service_account.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: api-gateway-sa

install/README.md

@@ -0,0 +1,38 @@
+# Installation guide
+
+This directory contains two methods of installation for the controller. 
+
+## Static manifests
+The `k8s` directory contains static kubernetes manifests generated by kubebuilder. They can be used to quickly deploy a simple installation of the controller (deployment, RBAC). 
+To install simply run:
+
+```bash
+kubectl apply -f k8s
+```
+
+## Helm chart
+The `helm` directory contains a helm chart for the Gateway controller. It consists of the following elements:
+- CustomResourceDefinition(CRD) managed by a job (for installation and upgrade)
+- Controller deployment
+- RBAC settings
+
+To install simply run:
+
+```bash
+helm install --name gatekeeper --namespace default helm/api-gateway
+```
+
+>**NOTE:** This CRD requires and uses the following applications/CRD, which should be installed beforehand:
+> - Istio [VirtualService](https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/)
+> - Istio [Policy](https://istio.io/docs/reference/config/istio.authentication.v1alpha1/)
+> - Oathkeeper [AccessRule](https://www.ory.sh/docs/oathkeeper/)
+>     + Oathkeeper CRD resources are available as charts in [this repo](https://github.com/ory/k8s)
+
+## HowTo
+Installation example (required tools: `minikube`, `kubectl`, `helm`): 
+- Create a k8s cluster using minikube (`minikube start --memory=8192 --cpus=4`)
+- Installer tiller on the cluster (`helm init`)
+- Apply required CRDs (`kubectl apply -f hack/`)
+- Install the Gatekeeper chart (`helm install --name gatekeeper --namespace some-namespace install/helm/api-gateway`)
+- Create sample resource (`kubectl apply -f config/samples/valid.yaml`)
+- Check controller logs (`kubectl logs -n default -lapp.kubernetes.io/name=api-gateway -c api-gateway`)

install/helm/api-gateway/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

install/helm/api-gateway/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2alpha1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: api-gateway
+version: 0.1.0