* Split up the massive "./Tiltfile" file into much more manageable su…

…bfiles. * Switched from the ingress-based version of Traefik (under @Attempt6 folder) to the gateway-based one (under @attempt7 folder). Gateway-approach is cleaner, and is apparently the focus/future. While I think it still has the certificate-provisioning bug (traefik/traefik#9158), it was flagged recently as "bug:confirmed", so it'll likely be fixed eventually -- and I don't need it fixed right away, since Cloudflare offers the "Flexible" HTTPS option, which solves the main problem (ie. for end-users) for now. * Improved traefik's gateway config, by having it no longer require the "NET_BIND_SERVICE" security-context. * Updated traefik to latest version, by changing the helm-chart version. * Updated traefik's gateway config, to the latest contents found at: https://github.com/kubernetes-sigs/gateway-api/blob/69e4d8b69b8ec936bc1ed3ca8af807cd45dca09d/config/webhook * Removed some folders for kube-prometheus and such. (superseded by loki-stack) * Fixed that the grafana.debatemap.app subdomain was not working. (I had only tested locally previously using localhost:XXXX, whereas in prod I needed to handle the fact that the service was in another namespace)
debate-map · Jan 17, 2023 · 81a4cfa · 81a4cfa
1 parent fb70453
commit 81a4cfa
Show file tree

Hide file tree

Showing 150 changed files with 1,116 additions and 80,516 deletions.
diff --git a/Packages/app-server/Dockerfile.dockerignore b/Packages/app-server/Dockerfile.dockerignore
@@ -43,7 +43,7 @@ target
 .eslintrc.cjs
 package-scripts.js
 README.md
-Tiltfile
+Tilt
 templateBase.dockerignore
 
 # within packages

diff --git a/Packages/deploy/@JSBase/Dockerfile.dockerignore b/Packages/deploy/@JSBase/Dockerfile.dockerignore
@@ -43,7 +43,7 @@ target
 .eslintrc.cjs
 package-scripts.js
 README.md
-Tiltfile
+Tilt
 templateBase.dockerignore
 
 # within packages

diff --git a/Packages/deploy/@RustBase/Dockerfile.dockerignore b/Packages/deploy/@RustBase/Dockerfile.dockerignore
@@ -43,7 +43,7 @@ target
 .eslintrc.cjs
 package-scripts.js
 README.md
-Tiltfile
+Tilt
 templateBase.dockerignore
 
 # within packages

diff --git a/Packages/deploy/LoadBalancer/@Attempt7/@Helm/traefik-values.yaml b/Packages/deploy/LoadBalancer/@Attempt7/@Helm/traefik-values.yaml
@@ -13,28 +13,47 @@ additionalArguments:
   - "--api.dashboard"
   - --log.level=debug
 
-hostNetwork: true
+  # fix approach 1
+  - '--serversTransport.insecureSkipVerify=true'
+
+# fix approach 2
+insecureSkipVerify: true
+# fix approach 3
+ssl:
+  insecureSkipVerify: true
+
+# fix approach 4 (seems best)
+serversTransport:
+  # fixes "x509: certificate signed by unknown authority" error in prod (and apparently it's safe to set this; see: https://community.traefik.io/t/insecureskipverify-explanation/2195/2)
+  insecureSkipVerify: true
+
+
+#hostNetwork: true
 # see here for what are supposed to be the defaults (but seem messed up in my case): https://github.com/traefik/traefik-helm-chart/blob/ff25058604da2eeee7eac3fec3b1e0e89949c407/traefik/values.yaml
 ports:
   web:
-    port: 80
-    #port: 8000
-    #hostPort: 80
+    #port: 80
+    port: 8000
+    #port: 8005
+    hostPort: 80
     #expose: true
     #exposedPort: 80
     #redirectTo: websecure
   websecure:
-    port: 443
-    #port: 8443
-    #hostPort: 443
+    #port: 443
+    port: 8443
+    #port: 8006
+    hostPort: 443
     #expose: true
     #exposedPort: 443
 
-securityContext:
-  capabilities:
-    drop: [ALL]
-    add: [NET_BIND_SERVICE]
-  readOnlyRootFilesystem: true
-  runAsGroup: 0
-  runAsNonRoot: false
-  runAsUser: 0
+# needed for binding to the host's 80/443 ports, when deploying to the ovh/production cluster (see: https://github.com/traefik/traefik-helm-chart/issues/516#issuecomment-949041101)
+# note: seems to conflict with loki-stack (which also tries to use the protected 80:443 host-ports, I think)
+# securityContext:
+#   capabilities:
+#     drop: [ALL]
+#     add: [NET_BIND_SERVICE]
+#   readOnlyRootFilesystem: true
+#   runAsGroup: 0
+#   runAsNonRoot: false
+#   runAsUser: 0
diff --git a/Packages/deploy/LoadBalancer/@Attempt7/gateway-webhooks/admission_webhook.yaml b/Packages/deploy/LoadBalancer/@Attempt7/gateway-webhooks/admission_webhook.yaml
@@ -1,10 +1,5 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gateway-api
-  labels:
-    name: gateway-api
----
+# from: https://github.com/kubernetes-sigs/gateway-api/blob/69e4d8b69b8ec936bc1ed3ca8af807cd45dca09d/config/webhook/admission_webhook.yaml
+
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -13,13 +8,9 @@ webhooks:
   - name: validate.gateway.networking.k8s.io
     matchPolicy: Equivalent
     rules:
-      - operations: [ "CREATE" , "UPDATE" ]
-        apiGroups: [ "networking.x-k8s.io" ]
-        apiVersions: [ "v1alpha1" ]
-        resources: [ "gateways", "gatewayclasses", "httproutes" ]
       - operations: [ "CREATE" , "UPDATE" ]
         apiGroups: [ "gateway.networking.k8s.io" ]
-        apiVersions: [ "v1alpha2" ]
+        apiVersions: [ "v1alpha2", "v1beta1" ]
         resources: [ "gateways", "gatewayclasses", "httproutes" ]
     failurePolicy: Fail
     sideEffects: None
@@ -28,17 +19,16 @@ webhooks:
     clientConfig:
       service:
         name: gateway-api-admission-server
-        namespace: gateway-api
+        namespace: gateway-system
         path: "/validate"
 ---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     name: gateway-api-webhook-server
-    version: 0.0.1
   name: gateway-api-admission-server
-  namespace: gateway-api
+  namespace: gateway-system
 spec:
   type: ClusterIP
   ports:
@@ -52,7 +42,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: gateway-api-admission-server
-  namespace: gateway-api
+  namespace: gateway-system
   labels:
     name: gateway-api-admission-server
 spec:
@@ -68,7 +58,7 @@ spec:
     spec:
       containers:
         - name: webhook
-          image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3
+          image: gcr.io/k8s-staging-gateway-api/admission-server:v0.6.0
           imagePullPolicy: Always
           args:
             - -logtostderr
@@ -95,4 +85,4 @@ spec:
       volumes:
         - name: webhook-certs
           secret:
-            secretName: gateway-api-admission
+            secretName: gateway-api-admission
diff --git a/Packages/deploy/LoadBalancer/@Attempt7/gateway-webhooks/certificate_config.yaml b/Packages/deploy/LoadBalancer/@Attempt7/gateway-webhooks/certificate_config.yaml
@@ -1,19 +1,12 @@
-# v-removed
-# apiVersion: v1
-# kind: Namespace
-# metadata:
-#   name: gateway-api
-#   labels:
-#     name: gateway-api
-# ---
+# from: https://github.com/kubernetes-sigs/gateway-api/blob/69e4d8b69b8ec936bc1ed3ca8af807cd45dca09d/config/webhook/certificate_config.yaml
 
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: gateway-api-admission
   labels:
     name: gateway-api-webhook
-  namespace: gateway-api
+  namespace: gateway-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -37,15 +30,15 @@ metadata:
   annotations:
   labels:
     name: gateway-api-webhook
-  namespace: gateway-api
+  namespace: gateway-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: gateway-api-admission
 subjects:
   - kind: ServiceAccount
     name: gateway-api-admission
-    namespace: gateway-api
+    namespace: gateway-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -54,7 +47,7 @@ metadata:
   annotations:
   labels:
     name: gateway-api-webhook
-  namespace: gateway-api
+  namespace: gateway-system
 rules:
   - apiGroups:
       - ''
@@ -71,15 +64,15 @@ metadata:
   annotations:
   labels:
     name: gateway-api-webhook
-  namespace: gateway-api
+  namespace: gateway-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: gateway-api-admission
 subjects:
   - kind: ServiceAccount
     name: gateway-api-admission
-    namespace: gateway-api
+    namespace: gateway-system
 ---
 apiVersion: batch/v1
 kind: Job
@@ -88,7 +81,7 @@ metadata:
   annotations:
   labels:
     name: gateway-api-webhook
-  namespace: gateway-api
+  namespace: gateway-system
 spec:
   template:
     metadata:
@@ -102,8 +95,8 @@ spec:
           imagePullPolicy: IfNotPresent
           args:
             - create
-            - --host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc
-            - --namespace=gateway-api
+            - --host=gateway-api-admission-server,gateway-api-admission-server.gateway-system.svc
+            - --namespace=gateway-system
             - --secret-name=gateway-api-admission
           env:
             - name: POD_NAMESPACE
@@ -122,7 +115,7 @@ metadata:
   name: gateway-api-admission-patch
   labels:
     name: gateway-api-webhook
-  namespace: gateway-api
+  namespace: gateway-system
 spec:
   template:
     metadata:
@@ -137,7 +130,7 @@ spec:
           args:
             - patch
             - --webhook-name=gateway-api-admission
-            - --namespace=gateway-api
+            - --namespace=gateway-system
             - --patch-mutating=false
             - --patch-validating=true
             - --secret-name=gateway-api-admission
@@ -151,4 +144,4 @@ spec:
       serviceAccountName: gateway-api-admission
       securityContext:
         runAsNonRoot: true
-        runAsUser: 2000
+        runAsUser: 2000