implementation with kustormize

.gitignore

@@ -130,4 +130,7 @@ dmypy.json
 *_pb2_*
 *_pb2.py*
 .vscode
-.local.notes
+.local.notes
+.temp
+
+src/kustomize/**/charts

README.md

@@ -19,3 +19,27 @@ A long with have codes to create gRPC services on many languages I build them an
 
 ### Issue: Couldn't pull image from ghcr.io
 apparently `minikube start` did work very well to me as I spent dissent amount of time authenticating to `ghcr.io` using guides like [this](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). All of a sudden, seems like the issue was in the network, not in the auth. [simple trick](https://github.com/kubernetes/minikube/issues/8902#issuecomment-697834355) helped me a lot.
+
+
+# Kustomize
+The current section describes how to apply and initialize demo `kustomization` implementation. Primary purpose of the implementation is learning.
+
+## How to apply
+
+1. in `/src/kustomize/base/app/python/server` create file `.temp/.dockerconfigjson` with a dockerconfig secret in base64
+2. apply `kustomize` using commands
+```bash
+cd src/kustomize
+kubectl kustomize <profile>/ --enable-helm | k apply -f -
+```
+
+## Vault Initialization
+helpful [link](https://mycloudjourney.medium.com/vault-installation-to-minikube-via-helm-with-integrated-storage-15c9d1a907e6)
+
+## Exposing TCP service via NGINX ingress controller
+Following this guide seem to be not enough [guide](https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/) and I had to open the port in the deployment as well according to [minikube documentation](https://minikube.sigs.k8s.io/docs/tutorials/nginx_tcp_udp_ingress/#patch-the-ingress-nginx-controller)
+
+
+## configMap generator
+couldn't manage to add value like this `- 9000=grpc-python/grpc-python-server-service:50051` via kustomize configMap generator.
+Workaround: export the config map to yaml and add required data there.

src/kustomize/base/app/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- python
+
+labels:
+  - pairs:
+      semashkinvg.io/learning-applications-technology: grpc
+      owner: semashkinvg
+    includeTemplates: true

src/kustomize/base/app/python/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: grpc-python
+resources:
+- python-grpc-namespace.yaml
+- server
+
+labels:
+  - pairs:
+      semashkinvg.io/learning-applications-language: python
+    includeTemplates: true

src/kustomize/base/app/python/python-grpc-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: grpc-python

src/kustomize/base/app/python/server/deployment.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grpc-python-server-deployment
+spec:
+  selector:
+    # added with kustomize
+    # matchLabels:
+    #   app: grpc-python-server
+  template:
+    metadata: {}
+      # added with kustomize
+      # labels:
+      #   app: grpc-python-server
+    spec:
+      containers:
+      - image: ghcr.io/semashkinvg/python-server-data-transfer:latest
+        imagePullPolicy: Always
+        name: grpc-python-server
+        ports:
+        - containerPort: 50051
+          protocol: TCP
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+      - name: SECRET_NAME_PLACEHOLDER
+      restartPolicy: Always
+  replicas: 1

src/kustomize/base/app/python/server/kustomization.yaml

@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml
+- service.yaml
+
+secretGenerator:
+- files:
+  - .dockerconfigjson=.temp/.dockerconfigjson
+  name: regcred
+  type: kubernetes.io/dockerconfigjson
+
+replacements:
+- source:
+    fieldPath: metadata.name
+    kind: Secret
+    name: regcred
+    version: v1
+  targets:
+  - select:
+      name: grpc-python-server-deployment
+      kind: Deployment
+    fieldPaths:
+    - spec.template.spec.imagePullSecrets.[name=SECRET_NAME_PLACEHOLDER].name
+    options:
+      create: true
+
+labels:
+  - pairs:
+      semashkinvg.io/learning-applications-app: grpc-python-server
+    includeTemplates: true
+    includeSelectors: true

src/kustomize/base/app/python/server/service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: grpc-python-server-service
+spec:
+  externalTrafficPolicy: Cluster
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - port: 50051
+    nodePort: 31769
+    targetPort: 50051
+    protocol: TCP
+  # added with kustomize
+  # selector:
+  #   app: grpc-python-server
+  sessionAffinity: None
+  type: NodePort

src/kustomize/base/cluster/default-vault-values.yaml

@@ -0,0 +1,9 @@
+server:
+  replicas: 1
+  service:
+    type: NodePort
+  affinity: ""
+  ha:
+    enabled: true
+    raft: 
+      enabled: true

src/kustomize/base/cluster/ingress-controller/ingress-nginx-controller-deployment.yaml

@@ -0,0 +1,136 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx-controller
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        gcp-auth-skip-secret: "true"
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-nginx-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --watch-ingress-without-class=true
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
+        - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          hostPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          hostPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        - containerPort: 9000
+          hostPort: 9000
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+        minikube.k8s.io/primary: "true"
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: ingress-nginx
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+      volumes:
+      - name: webhook-cert
+        secret:
+          defaultMode: 420
+          secretName: ingress-nginx-admission

src/kustomize/base/cluster/ingress-controller/ingress-nginx-controller-svc.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx-controller
+spec:
+  clusterIP: 10.108.14.102
+  clusterIPs:
+  - 10.108.14.102
+  externalTrafficPolicy: Cluster
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    nodePort: 30680
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    nodePort: 32422
+    port: 443
+    protocol: TCP
+    targetPort: https
+  - name: proxied-tcp-9000
+    nodePort: 30691
+    port: 9000
+    protocol: TCP
+    targetPort: 9000
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  sessionAffinity: None
+  type: NodePort

src/kustomize/base/cluster/ingress-controller/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: ingress-nginx
+resources:
+  - tcp-services.yaml
+  - ingress-nginx-controller-deployment.yaml
+  - ingress-nginx-controller-svc.yaml
+# configMapGenerator:
+# - name: tcp-services
+#   literals: 
+#   - whatever=whatever
+#   # kustromize can't parse it
+#   # - 9000=grpc-python/grpc-python-server-service:50051
+#   options:
+#     disableNameSuffixHash: true
+#     labels:
+#       app.kubernetes.io/component: controller
+#       app.kubernetes.io/instance: ingress-nginx
+#       app.kubernetes.io/name: ingress-nginx
+

src/kustomize/base/cluster/ingress-controller/tcp-services.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: tcp-services
+data:
+  "9000": "grpc-python/test-grpc-python-server-service:50051"

src/kustomize/base/cluster/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespaces/shared/shared-namespace.yaml
+
+helmCharts:
+- name: vault
+  repo: https://helm.releases.hashicorp.com
+  version: 0.24.1
+  releaseName: vault
+  namespace: shared
+  valuesFile: default-vault-values.yaml
+