Merge pull request #732 from PureStorage-OpenConnect/trainingdns

wetty: use real certs and provision route53 record

Author: danpaul81

assets/wetty.yaml

@@ -25,10 +25,75 @@ echo "Applying Flannel"
 kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/v0.25.1/Documentation/kube-flannel.yml
 kubectl config set-context --current --namespace=default
 
-# on aws ec2 install aws-load-balancer-controller
+# on aws ec2 install aws-load-balancer-controller and external-dns
 if [ $cloud = aws ] && [ $platform != eks ] && [ $platform != ocp4 ]; then
     echo "Applying aws-eks-load-balancer-controller"
     helm repo add eks https://aws.github.io/eks-charts
     helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --version 1.14.0 --set clusterName=$name-$cluster --set feature-gates=ServiceTypeLoadBalancerOnly=true --wait
     kubectl patch deployment aws-load-balancer-controller -n kube-system --type "json" -p '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--default-load-balancer-scheme=internet-facing"}]'
+    kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+  - apiGroups: [""]
+    resources:
+      - services
+      - endpoints
+      - pods
+      - nodes
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources:
+      - ingresses
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+  - kind: ServiceAccount
+    name: external-dns
+    namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: external-dns
+  template:
+    metadata:
+      labels:
+        app: external-dns
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: k8s.gcr.io/external-dns/external-dns:v0.14.2
+          args:
+            - --source=service
+            - --source=ingress
+            - --provider=aws
+            - --policy=sync
+            - --registry=txt
+            - --txt-owner-id=k8s
+            - --domain-filter=$ocp4_domain
+EOF
 fi

infra/k8s-master

@@ -1,3 +1,108 @@
 mkdir /etc/wetty
 rm -f /etc/securetty
-kubectl apply -f /assets/wetty.yaml
+sed -i '/master-1/s/$/ px-training/' /etc/hosts
+
+echo "kubectl delete svc -n wetty wetty" >/px-deploy/script-delete/delete-service
+
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wetty
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ssh-config
+  namespace: wetty
+data:
+  ssh-config: |
+    LogLevel=ERROR
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wetty-tls
+  namespace: wetty
+type: kubernetes.io/tls
+data:
+  tls.crt: $training_cert
+  tls.key: $training_key
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wetty
+  namespace: wetty
+  labels:
+    app: wetty
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: wetty
+  template:
+    metadata:
+      labels:
+        app: wetty
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      tolerations:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      hostNetwork: true
+      containers:
+      - name: wetty
+        image: wettyoss/wetty:latest
+        args:
+        - "--port"
+        - "3000"
+        - "--base"
+        - "/"
+        - "--ssh-host"
+        - "px-training"
+        - "--force-ssh"
+        - "--ssl-key"
+        - "/etc/tls/tls.key"
+        - "--ssl-cert"
+        - "/etc/tls/tls.crt"
+        ports:
+        - containerPort: 3000
+        securityContext:
+          allowPrivilegeEscalation: false
+        volumeMounts:
+        - name: tls
+          mountPath: /etc/tls
+        - name: ssh-config
+          mountPath: /etc/ssh/ssh_config
+          subPath: ssh-config
+      volumes:
+      - name: tls
+        secret:
+          secretName: wetty-tls
+      - name: ssh-config
+        configMap:
+          name: ssh-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: wetty
+  namespace: wetty
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    external-dns.alpha.kubernetes.io/hostname: $name.training.$ocp4_domain
+spec:
+  type: LoadBalancer
+  selector:
+    app: wetty
+  ports:
+  - name: https
+    port: 443
+    targetPort: 3000
+EOF