[PDP-3293][PDP-3191] update with traefik and recipe validation change (…

…#15) * [PDP-3293] remove the pipeline env validation on cue * Add traefik support
TIBCOSoftware · Sep 26, 2024 · 836c6df · 836c6df
1 parent 317e9af
commit 836c6df
Show file tree

Hide file tree

Showing 9 changed files with 139 additions and 11 deletions.
diff --git a/charts/common-dependency/Chart.yaml b/charts/common-dependency/Chart.yaml
@@ -6,7 +6,7 @@
 
 apiVersion: v2
 name: common-dependency
-version: "1.0.11"
+version: "1.0.12"
 appVersion: "1.0.0"
 description: common-dependency
 type: application

diff --git a/charts/common-dependency/scripts/_functions.sh b/charts/common-dependency/scripts/_functions.sh
@@ -1116,7 +1116,12 @@ function load-customized-env() {
 # this needs to be as same as shard.cue defined
 function init-global-variables() {
   export REPLACE_RECIPE=${REPLACE_RECIPE:-"true"}
+  export PIPELINE_MOCK=${PIPELINE_MOCK:-"false"}
   export PIPELINE_LOG_DEBUG=${PIPELINE_LOG_DEBUG:-"false"}
+  export PIPELINE_VALIDATE_INPUT=${PIPELINE_VALIDATE_INPUT:-"true"}
+  export PIPELINE_CHECK_DOCKER_STATUS=${PIPELINE_CHECK_DOCKER_STATUS:-"false"}
+  export PIPELINE_INITIAL_ASSUME_ROLE=${PIPELINE_INITIAL_ASSUME_ROLE:-"true"}
+  export PIPELINE_FUNCTION_INIT=${PIPELINE_FUNCTION_INIT:-"true"}
 }
 
 #######################################

diff --git a/charts/common-dependency/scripts/shared.cue b/charts/common-dependency/scripts/shared.cue
@@ -64,20 +64,20 @@ package recipe
 	}
 	// this is used for setting up global environment variables inside the pipeline container
 	globalEnvVariable?: {
-		REPLACE_RECIPE: "true" | "false" | true | false | *true
+		// REPLACE_RECIPE: "true" | "false" | true | false | *true
 		// The variables that starts with PIPELINE_ will be used as pipeline control environment variables
 		// if true, will mock run pipeline. (only run meta part)
-		PIPELINE_MOCK: "true" | "false" | true | false | *false
+		// PIPELINE_MOCK: "true" | "false" | true | false | *false
 		// if true, will print pipeline debug log
-		PIPELINE_LOG_DEBUG: "true" | "false" | true | false | *false
+		// PIPELINE_LOG_DEBUG: "true" | "false" | true | false | *false
 		// if true, will validate input against cue schema
-		PIPELINE_VALIDATE_INPUT: "true" | "false" | true | false | *false
+		// PIPELINE_VALIDATE_INPUT: "true" | "false" | *true | false | false
 		// set to false to skip check docker status
-		PIPELINE_CHECK_DOCKER_STATUS: "true" | "false" | true | false | *true
+		// PIPELINE_CHECK_DOCKER_STATUS: "true" | "false" | true | *false | true
 		// set to false to skip initial assume to target account
-		PIPELINE_INITIAL_ASSUME_ROLE: "true" | "false" | true | false | *true
+		// PIPELINE_INITIAL_ASSUME_ROLE: "true" | "false" | true | false | *true
 		// hen set to false to skip function init which is used to load TIBCO specific functions and envs for pipeline
-		PIPELINE_FUNCTION_INIT: "true" | "false" | true | false | *true
+		// PIPELINE_FUNCTION_INIT: "true" | "false" | true | false | *true
 		// the role to assume to. We will use current AWS role to assume to this role to perform the task.
 		// current role --> "arn:aws:iam::${_account}:role/${PIPELINE_AWS_MANAGED_ACCOUNT_ROLE}"
 		PIPELINE_AWS_MANAGED_ACCOUNT_ROLE?: string

diff --git a/charts/common-dependency/templates/secret-github.yaml b/charts/common-dependency/templates/secret-github.yaml
@@ -16,4 +16,5 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.Version }}
 data:
   GITHUB_TOKEN: {{ .Values.githubToken | b64enc }}
+  JFROG_DEV_TOKEN: {{ .Values.jfrogDevToken | b64enc }}
 type: Opaque
diff --git a/charts/common-dependency/values.yaml b/charts/common-dependency/values.yaml
@@ -30,3 +30,5 @@ finallyTimout: 5m
 serviceAccount: tekton-task
 # read-only GitHub token which is used to share between pipelines
 githubToken: ""
+# read-only jfrog dev token which is used to share between pipelines
+jfrogDevToken: ""
diff --git a/docs/recipes/k8s/cloud/deploy-tp-aks.yaml b/docs/recipes/k8s/cloud/deploy-tp-aks.yaml
@@ -69,6 +69,7 @@ meta:
     TP_INSTALL_O11Y: ${GUI_TP_INSTALL_O11Y:-false}
     # Do not change, variables to configure nginx/kong related resources based on ingressclass passed
     TP_ENABLE_NGINX: $([[ "$TP_INGRESS_CLASS" == "nginx" ]] && echo "true" || echo "false")
+    TP_ENABLE_TRAEFIK: $([[ "$TP_INGRESS_CLASS" == "traefik" ]] && echo "true" || echo "false")
     TP_ENABLE_SECONDARY_KONG: $([[ "$TP_SECONDARY_INGRESS_CLASS" == "kong" ]] && echo "true" || echo "false")
     TP_DEPLOY_SECONDARY_INGRESS: $([[ "$TP_ENABLE_SECONDARY_KONG" == "true" ]] && echo "true" || echo "false")
     TP_SKIP_GENERATE_MAIN_INGRESS_CERTIFICATE: false
@@ -221,7 +222,6 @@ helmCharts:
         echo "injected values:"
         cat "${TP_INSTALL_CHART_VALUES_FILE}"
 - name: dp-config-aks
-  condition: ${TP_ENABLE_NGINX}
   version: "${TP_CHART_VERSION_DP_CONFIG_AKS}"
   repo:
     helm:
@@ -247,6 +247,32 @@ helmCharts:
             use-forwarded-headers: 'true'          # PDP-945
           extraArgs:
             default-ssl-certificate: ${TP_INGRESS_NAMESPACE}/tp-certificate-main-ingress
+      traefik:
+        enabled: ${TP_ENABLE_TRAEFIK}
+        service:
+          type: LoadBalancer # use NLB for Traefik, set to ClusterIP when using ALB
+          annotations:
+            external-dns.alpha.kubernetes.io/hostname: "*.${TP_DOMAIN}"
+            service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
+        ingressRoute: # for dashboard
+          dashboard:
+            enabled: true
+            matchRule: Host(`traefik-alb-apps.${TP_DOMAIN}`) && PathPrefix(`/dashboard`) || Host(`traefik-alb-apps.${TP_DOMAIN}`) && PathPrefix(`/api`)
+            entryPoints:
+              - traefik
+              - web
+              - websecure
+        providers:  # for external service
+          kubernetesIngress:
+            allowExternalNameServices: true
+        additionalArguments:
+          - '--entryPoints.websecure.forwardedHeaders.insecure'
+          - '--serversTransport.insecureSkipVerify=true'
+          - '--providers.kubernetesingress.ingressendpoint.publishedservice=${TP_INGRESS_NAMESPACE}/${TP_INGRESS_RELEASE_NAME}-traefik'
+        tlsStore:
+          default:
+            defaultCertificate:
+              secretName: tp-certificate-main-ingress
       kong:
         enabled: false
   cluster:

diff --git a/docs/recipes/k8s/cloud/deploy-tp-eks.yaml b/docs/recipes/k8s/cloud/deploy-tp-eks.yaml
@@ -56,6 +56,7 @@ meta:
     TP_INSTALL_POSTGRES: ${GUI_TP_INSTALL_POSTGRES:-true}
     # Do not change, variables to configure nginx/kong related resources based on ingressclass passed
     TP_ENABLE_NGINX: $([[ "$TP_INGRESS_CLASS" == "nginx" ]] && echo "true" || echo "false")
+    TP_ENABLE_TRAEFIK: $([[ "$TP_INGRESS_CLASS" == "traefik" ]] && echo "true" || echo "false")
     TP_ENABLE_SECONDARY_KONG: $([[ "$TP_SECONDARY_INGRESS_CLASS" == "kong" ]] && echo "true" || echo "false")
     TP_DEPLOY_SECONDARY_INGRESS: $([[ "$TP_ENABLE_SECONDARY_KONG" == "true" ]] && echo "true" || echo "false")
     TP_HTTP_INGRESS_BACKEND_SERVICE: ${TP_INGRESS_RELEASE_NAME}-$( ( [[  "$TP_INGRESS_CLASS" == "nginx" ]] && echo "ingress-nginx-controller" ) || ( [[ "$TP_INGRESS_CLASS" == "kong" ]] && echo "kong-proxy" ) )
@@ -236,6 +237,34 @@ helmCharts:
             use-forwarded-headers: 'true'          # PDP-945
           extraArgs:
             default-ssl-certificate: ${TP_INGRESS_NAMESPACE}/tp-certificate-main-ingress
+      traefik:
+        enabled: ${TP_ENABLE_TRAEFIK}
+        service:
+          type: LoadBalancer # use NLB for traefik, set to ClusterIP when using ALB
+          loadBalancerClass: service.k8s.aws/nlb # 
+          annotations:
+            service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip # by default it is instance which will route traffic to instance nodePort
+            service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing # used for aws-load-balancer-controller to create public NLB
+            external-dns.alpha.kubernetes.io/hostname: "*.${TP_DOMAIN}"
+        ingressRoute: # for dashboard
+          dashboard:
+            enabled: true
+            matchRule: Host(`traefik-alb-apps.${TP_DOMAIN}`) && PathPrefix(`/dashboard`) || Host(`traefik-alb-apps.${TP_DOMAIN}`) && PathPrefix(`/api`)
+            entryPoints:
+              - traefik
+              - web
+              - websecure
+        providers:  # for external service
+          kubernetesIngress:
+            allowExternalNameServices: true
+        additionalArguments:
+          - '--entryPoints.websecure.forwardedHeaders.insecure'
+          - '--serversTransport.insecureSkipVerify=true'
+          - '--providers.kubernetesingress.ingressendpoint.publishedservice=${TP_INGRESS_NAMESPACE}/${TP_INGRESS_RELEASE_NAME}-traefik'
+        tlsStore:
+          default:
+            defaultCertificate:
+              secretName: tp-certificate-main-ingress
       kong:
         enabled: false
   cluster:

diff --git a/docs/recipes/k8s/cloud/deploy-tp-gke.yaml b/docs/recipes/k8s/cloud/deploy-tp-gke.yaml
@@ -36,8 +36,9 @@ meta:
     TP_MAIN_INGRESS_SANDBOX_SUBDOMAIN: ${GUI_TP_MAIN_INGRESS_SANDBOX_SUBDOMAIN}
     TP_DOMAIN: ${TP_MAIN_INGRESS_SANDBOX_SUBDOMAIN}.${TP_SANDBOX}.${TP_TOP_LEVEL_DOMAIN} # the actual domain for the TIBCO platform. Sample format: <cp/dp-env>.${SANDBOX}.${TP_TOP_LEVEL_DOMAIN}
     # ingress
-    TP_INSTALL_NGINX_INGRESS: ${GUI_TP_INSTALL_NGINX_INGRESS:-"true"}
     TP_INGRESS_CLASS: ${GUI_TP_INGRESS_CLASS:-"nginx"}
+    TP_INSTALL_NGINX_INGRESS: $([[ "$TP_INGRESS_CLASS" == "nginx" ]] && echo "true" || echo "false")
+    TP_INSTALL_TRAEFIK_INGRESS: $([[ "$TP_INGRESS_CLASS" == "traefik" ]] && echo "true" || echo "false")
     TP_INGRESS_NAMESPACE: ingress-system
     TP_INGRESS_SERVICE_TYPE: LoadBalancer # NodePort for kind, LoadBalancer for others
     TP_CERTIFICATE_CLUSTER_ISSUER: ${GUI_TP_CERTIFICATE_CLUSTER_ISSUER:-"tp-prod"} # the cluster issuer for tp-certificate
@@ -248,6 +249,70 @@ helmCharts:
           dnsNames:
             - '*.${TP_DOMAIN}'
         EOF
+- condition: ${TP_INSTALL_TRAEFIK_INGRESS}
+  name: traefik
+  namespace: ${TP_INGRESS_NAMESPACE}
+  version: 30.1.0 # release: https://github.com/kubernetes/ingress-nginx/releases
+  repo:
+    helm:
+      url: https://traefik.github.io/charts
+  values:
+    keepPrevious: true
+    content: |
+      hub:  # for hub
+        enabled: false
+      service:  # for external-dns
+        type: ${TP_INGRESS_SERVICE_TYPE}
+      ingressClass:
+        name: traefik
+      ingressRoute: # for dashboard
+        dashboard:
+          enabled: true
+          matchRule: Host(`traefik-alb-apps.${TP_DOMAIN}`) && PathPrefix(`/dashboard`) || Host(`traefik-alb-apps.${TP_DOMAIN}`) && PathPrefix(`/api`)
+          entryPoints:
+            - traefik
+            - web
+            - websecure
+      providers:  # for external service
+        kubernetesIngress:
+          allowExternalNameServices: true
+      additionalArguments:
+        - '--entryPoints.websecure.forwardedHeaders.insecure'
+        - '--serversTransport.insecureSkipVerify=true'
+        - '--providers.kubernetesingress.ingressendpoint.publishedservice=${TP_INGRESS_NAMESPACE}/traefik'
+      tlsStore:
+        default:
+          defaultCertificate:
+            secretName: tp-certificate-main-ingress
+  cluster:
+    names:
+      - ${TP_CLUSTER_NAME}
+  releaseName: traefik
+  flags:
+    wait: true
+    timeout: 1h
+    createNamespace: true
+  hooks:
+    preDeploy:
+      ignoreErrors: false
+      base64Encoded: false
+      skip: false
+      content: |
+        kubectl create ns ${TP_INGRESS_NAMESPACE}
+        kubectl apply -f  - <<EOF
+        apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: tp-certificate-main-ingress
+          namespace: ${TP_INGRESS_NAMESPACE}
+        spec:
+          secretName: tp-certificate-main-ingress
+          issuerRef:
+            name: ${TP_CERTIFICATE_CLUSTER_ISSUER}
+            kind: ClusterIssuer
+          dnsNames:
+            - '*.${TP_DOMAIN}'
+        EOF
 - name: postgresql
   version: 11.9.13 # 14.3.3 use postgresql 16.2.0, 11.9.13 use postgresql 14.5.0 PCP-4922
   namespace: tibco-ext

diff --git a/docs/recipes/k8s/on-prem/minikube.md b/docs/recipes/k8s/on-prem/minikube.md
@@ -23,7 +23,7 @@ Now we should have a minikube cluster ready to install CP.
 
 ## Prepare TIBCO Platform for minikube
 
-After setting up [Platform Provisioner Prerequisite](https://github.com/tibco/platform-provisioner?tab=readme-ov-file#install-tekton-with-tekton-dashboard); 
+After setting up [Platform Provisioner Prerequisite](https://github.com/TIBCOSoftware/platform-provisioner?tab=readme-ov-file#install-tekton-with-tekton-dashboard); 
 We have Platform Provisioner installed in minikube.
 
 Now we can use the recipe `tp-base-on-prem-https.yaml` to install third party tools for CP on minikube. Before we run the recipe; we need to set the following environment variables in the recipe: