Merge pull request #137 from francescotimperi/apisix

Improves nuvolaris/nuvolaris#342
nuvolaris · Jan 13, 2024 · c4a9fcd · c4a9fcd
2 parents abf51f2 + f33a12e
commit c4a9fcd
Show file tree

Hide file tree

Showing 12 changed files with 713 additions and 3 deletions.
diff --git a/deploy/apisix-etcd/etcd-policy.yaml b/deploy/apisix-etcd/etcd-policy.yaml
@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: apisix-etcd
+  namespace: nuvolaris
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/instance: apisix
+spec:
+  minAvailable: 51%
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: etcd
+      app.kubernetes.io/instance: apisix
diff --git a/deploy/apisix-etcd/etcd-pvc.yaml b/deploy/apisix-etcd/etcd-pvc.yaml
@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: etcd-apisix-pv-claim
+  namespace: nuvolaris
+  labels:
+    app: etcd-apisix-pv-claim
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: standard
+  resources:
+    requests:
+      storage: 8Gi
diff --git a/deploy/apisix-etcd/etcd-secret.yaml b/deploy/apisix-etcd/etcd-secret.yaml
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: apisix-etcd-jwt-token
+  namespace: nuvolaris
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/instance: apisix
+type: Opaque
+data:
+  jwt-token.pem: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBdXlNcjdmOUJWajJ2RjhNUC8zNStrcnA0MlF0Nk5YMmEvS3IyY24xNjBSajBuZ0lvCk1qL1RmdXVnMmJnaHlEdnhDdytKZU1QUUNYMXRGZENzM2RHZ0xmSFppM0MyR21VV250VG1WQTRCSENZdmc4RisKRnBYQURjdE5EKzRWc1F4OUVsN1pKR0lxWFkySThFM3JPWkd4SnhxQmR1bDIwVy9xczNSNFFRMlFsbzU0dzNhagpmVWZCQ3FoeTdveXJWclN5NFgwN0JYL09CYkRCU2NBNUJlTG9ZOFdTNWwvYWFvZnRiVlpqYmxHYkE5S0tvclFNCmN6QjNxenBzQXZyUjZkWVBES1dFMVpGQ1huWjBBdjBsQlZMckk4S1ZkREFaWHBRelFEUDl5dytCMWpaelhiaG0KRGg5UmN6YUt3dXJ5UTA4d0JVanpUU09ydkdaY254aEJQUjZ5dTUwUzYranJEZGU0b2J0anpYTHZGQkFmdXNLSQpLczZtRG1sYUpKVGVybUlQNnFZOHZKRUx6eTNYYk40R2tyNk5NMjZFdkxnTnRXYmhtSVBzRysyRVBTelErV3JaCmFsTFNVcFRSU0kzRjl5THFrN21ybE9ZZUxxTjRoYU1rem4ySFc2RXhZL25kSjJJMXBVUWZIQ3d5Y0MxMDNhSDUKN29HZ01DTGpWdnBENjFMZ3hXa3U3dnRGcjI0L1lpS3B1SGc5V21UQlNKY05CcVJ4b3l5UFlRRWJsNjBFLy80UgpLc01XenJLdm9qeFlXQ1ZsLzV1ZElnUGoraDM1VkZ6L3VxOExvLy83QkZ6WWRqRWhLZXc0cHBPc2xIMXlkY3FsCmNPRHNQQUg4L1UxbFZpUzFaY0FRV3V6QWo2b3ppRWlrd3F1RnFYMHdOQnNURkt2YWxiNmYvUFBHc2FVQ0F3RUEKQVFLQ0FnQktVWmFCcHl5Z2ZsREtCQXFYY2ZuOGRaZkd3cnNmQVNvTERDNWhtNW1wN3RvKzRpWnFobFNOQkREVwpKajBzVXpuUUpiUjN4SFFiUUxlUXdWWFZwZ21TRllsS3lsRlh2Q3UybW1CNm96RW5wN2FaQWIvOFlpNXFqQUduCndPcldiRnBEY0cyVitISlF3d1BPUTNPV1lsalRhY0JlcENzdTA5Nkd0RXVKc2tSb3RsNFpha1ZWWEtpNmZkbGYKQ1hpR0w2OFd3L0FycCt6Kzc0cGpxclk2c3ptTlhncVArU001eVkrdUsyL0RnUjhwN25SbVYxRFdjam9rUTBoZwpDcEpRNWxVRnRicENRclR6NU9EL3l0N245VjB5ejNVaE5uVHN6YmhvMS8wRHByM3VmNk5qWmZjSnhzQkhIRE1SClk5TWdqaE5KRmdhaDdQZW9FNUxYRC8vZ3NROVRxZHZmOGpsT2d1OWFzWGF6eGtiNGw4NTc2czVTNkJtbUN5QlIKTG1USGVTSGpvLzBVQ0psU0pWUTZsdDZNZ2FZRHVBMXNZZjhDdkdtT0doRjQzM1pyUWtqTkdSYnZPTVg2R3luegp1aDlvVWhndDFuaFVNSE5iaEZvNjZRbW1tNERmMVJudnpFbTVJVmk1MXY0dnE1eWI5OUFSd0dBQmg1S3V5d292Cm9QaU9OZndwRlF3WGRzWlo2cllDcFJjMUpVbHE0Q25CcnkxbTQ4eDRNNURmakxjaDVmelNLakg1UFd5ZnE2SkIKditPUzRSalZtMlljRThzQk5iVXcyYUF2TW5OQzNLWE5RbFhuV1IzVGg2T05veXhqc3lwN3ErTHNSdTd3RkZlWgoyUTFya21IQ3kyWlFsOFRSeUhObzZ1UXc1aTJ2SGZEWE5abm8vcmZwNTZuUEoxQk5vUUtDQVFFQTlzM0tMSVJlCjJpN0VoekZiRSsvRHNMRnJjeXhlWlJ5V2x4dXR1Q3BCZk1ET0tPTDhtYjhsT1MxcnRzTDZSSit0a0ZhYmFYeXkKTXJoM3dxaW5zazBBRVM5QlMyeU1YaU5PT3RSbjljZkRHMVpPcU1vOXYwVFJXRUZtUlFTQ0x1QThPeXlKZmZKcAorV2psTDNPZU5RTzB4Sk9pNVFxbzVEdDVwSnhvZEl0NXVlOHR1ZUVjaWt6Wm80aUF0Q3oweUovYWVpR3VyOWgwCkZyZlFHL1BGeGtWeVdia210U2lwM3NRbE03d29RZ3Y2ay9rV3NIQ1hZNjI0YzN4cytieThrczRLYzVlSGZxeXAKQUxNZ0NnNXFuVjBFbHdEWThCd1l1NlFETHZsdlF1cVNqNlB4NFRjY2I2NWFJUy9QUm5GOEtQbWZlV3kxaWs5Zgp2SmxSaWNQaWtWMS95UUtDQVFFQXdodzhZV3FLdG90R050UkdieVArVXRTT252OXhIR05rUjRzN0ZRYVltNGF0ClB4SjZlbkJGd3F5VkV6b1VuNkk1cGdhQnRHNzBDdHRQanR2R0lzVkZ2S3BGMGdRZSsrdkQwNHl6RW4rUHFBSWUKUkVCd0NmSWFKWTVWMFJwUHZRdnlrNDFDWG5rTlRsZXc0eEVtV1Zlc1l0U1Fwb3pwMllJeWlYcjhuWjY0a1hsKwp1cDBWdUc2VENPTllhbnhQUTFEbFViOCtzZlBtaCtqSC84U1o5d3ppK0pBQUlIT2VaVktWSFFGcEJPWDB1dU1BCngwR0VVbXN2QlJVeXRBM0RJenEraXRGMFdUeWRQNlR5UU1HaTJVamYrcHNObVhJODgxOVluSHlRaGVOeEZ4aVUKK2dpNDVXQ1JEbFEzWmIrdmZzRWo5S3o5QUl4N1lObmljNFI4Znlnby9RS0NBUUE1Q2JKUnUzM1lXcnFjcS9GcQptQnpYdHdrb0l2YmwwMGVTUUpsVFdLQ3QzamxIQmI1dklkZk9jUXJWd0JYcXlpUm9tVHR0azUzelR1S09vRCt4ClcwNUtxbXNpclVGN2VCbGFTMENEY3RsS2RoWFR1SG13dkl6TklzQXA3ekxPOW8rMDlVUUpVWDdnWHplb1VjWWMKWm5EZWhXZytHc3FSaEpWR1Q4ZHNOOWUzK3VqTWJwUVQrbExLRW4vOEkrK21kaHNkNHE3bWdOWERjbE9zUWhoUgpERGV6T0xFVGFRUnBNVmVQcjBwMmlTSXVGSUVENGVGNjdla1U5NHFQNU9pSDNRcFpVSW5GNHMxa0ZnR3ZrVWxlCmVPTFlxeDkzem1hQTV4UzlSSFJNT0w0S2FFODhSMnBRL1RCalB4TmVLbGdSZUM4ODlyeTE3RVlwNWgwTUE3TlcKK1E3UkFvSUJBUUNqa0pkd253NXo4N2dleTVEdVppNFFMZnhnRG0rSnRGYnowbWJldU1ndmhiVEd5Uk5ieU85LwpzMTJLN2c0aTFkZ3VCcDJWSlVtUFBHNDF1d3Vpa1FqS2lkQjd2KzA3NnRjQWxEYnhCM3hOM2pzUzJCbVF4K2t3CmJGZno4Mi90cFB1clNnVDdCcFlueGN6UUNjdCt6Vm45alpDMlIxZG1hVWVjZ1g0TWM0cWpTdlYyMnBkSzZpSU0KQTBhbHRFbzJOeHlGWGRtK3FmOC8xdTl3bm9IK28yVStmbGtjLzFBaG9RejFmQks2aGV0Szc2M2dPVnorOWtLUQp6ZVFEeFBVQjRxWmM0MUpmUDZ4aHpPUTFuUFZVa3d2cGFHNTFOc1lWYmVxRk1wRzF3SW16Skl1a2hXVUlJKzhYClcrK3lWV3ZVSzN2WTJVdjRBbWlVbkFVdHdoNEdLQmtoQW9JQkFRQ2gzeHk3Uk50QjUzREVUYndJbUtlUUxscGgKTXQzNWZLdWdwRTFDb1Y5WTNVZEpaczdlQ1YyN2pzcEFHZ3VxKytzODg1MEw4L3RuVGd5SHZWbVBlSzZGdW5GTgpEak9uNUNHOHByYVNmTVAvNTZjN282R29aRk1NUUtoZDBzOFczODN0Q2Jobk9YQng1S1FOa2hMNWQ2TlZrQzB2Cnd2WGpMUmdud2IxNlJnaGhESUQwVFhYNHc1UXlMVGVkTEYwZnc5Z0ZPeHY4VFhteWVzOGNVdzh5a3RnUEhMYTAKM1dFbzR1U1N4eE9zQTB4QzZ2dTZZM3VybWtVWTluYWpGUDcwaUtMT1dBWkozVkFQeTUxS2kzU2xNRHBRRmpCTgpmcXg2aXFvUGU2L0ZKc29xcHVoN29UNXEyRzhkMWdWa3h1ak1MQXZ5Z2pHQ2JtczVVV3ZFNS9TQ2hvMU0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K"
diff --git a/deploy/apisix-etcd/etcd-sts.yaml b/deploy/apisix-etcd/etcd-sts.yaml
@@ -0,0 +1,160 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: apisix-etcd
+  namespace: nuvolaris
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/instance: apisix
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: etcd
+      app.kubernetes.io/instance: apisix
+  serviceName: apisix-etcd-headless
+  podManagementPolicy: Parallel
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: etcd
+        app.kubernetes.io/instance: apisix
+    spec:
+      affinity:
+        podAffinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: etcd
+                    app.kubernetes.io/instance: apisix
+                topologyKey: kubernetes.io/hostname
+              weight: 1
+        nodeAffinity:
+      securityContext:
+        fsGroup: 1001
+      serviceAccountName: "default"
+      containers:
+        - name: etcd
+          image: docker.io/bitnami/etcd:3.5.7-debian-11-r14
+          imagePullPolicy: "IfNotPresent"
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1001
+          env:
+            - name: BITNAMI_DEBUG
+              value: "false"
+            - name: MY_POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_STS_NAME
+              value: "apisix-etcd"
+            - name: ETCDCTL_API
+              value: "3"
+            - name: ETCD_ON_K8S
+              value: "yes"
+            - name: ETCD_START_FROM_SNAPSHOT
+              value: "no"
+            - name: ETCD_DISASTER_RECOVERY
+              value: "no"
+            - name: ETCD_NAME
+              value: "$(MY_POD_NAME)"
+            - name: ETCD_DATA_DIR
+              value: "/bitnami/etcd/data"
+            - name: ETCD_LOG_LEVEL
+              value: "info"
+            - name: ALLOW_NONE_AUTHENTICATION
+              value: "yes"
+            - name: ETCD_AUTH_TOKEN
+              value: "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10m"
+            - name: ETCD_ADVERTISE_CLIENT_URLS
+              value: "http://$(MY_POD_NAME).apisix-etcd-headless.nuvolaris.svc.cluster.local:2379,http://apisix-etcd.nuvolaris.svc.cluster.local:2379"
+            - name: ETCD_LISTEN_CLIENT_URLS
+              value: "http://0.0.0.0:2379"
+            - name: ETCD_INITIAL_ADVERTISE_PEER_URLS
+              value: "http://$(MY_POD_NAME).apisix-etcd-headless.nuvolaris.svc.cluster.local:2380"
+            - name: ETCD_LISTEN_PEER_URLS
+              value: "http://0.0.0.0:2380"
+            - name: ETCD_INITIAL_CLUSTER_TOKEN
+              value: "etcd-cluster-k8s"
+            - name: ETCD_INITIAL_CLUSTER_STATE
+              value: "new"
+            - name: ETCD_INITIAL_CLUSTER
+              value: "apisix-etcd-0=http://apisix-etcd-0.apisix-etcd-headless.nuvolaris.svc.cluster.local:2380"
+            - name: ETCD_CLUSTER_DOMAIN
+              value: "apisix-etcd-headless.nuvolaris.svc.cluster.local"
+          envFrom:
+          ports:
+            - name: client
+              containerPort: 2379
+              protocol: TCP
+            - name: peer
+              containerPort: 2380
+              protocol: TCP
+          livenessProbe:
+            exec:
+              command:
+                - /opt/bitnami/scripts/etcd/healthcheck.sh
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 5
+          readinessProbe:
+            exec:
+              command:
+                - /opt/bitnami/scripts/etcd/healthcheck.sh
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 5
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /opt/bitnami/scripts/etcd/prestop.sh
+          resources:
+            limits: {}
+            requests: {}
+          volumeMounts:
+            - name: data
+              mountPath: /bitnami/etcd
+            - name: etcd-jwt-token
+              mountPath: /opt/bitnami/etcd/certs/token/
+              readOnly: true
+      volumes:
+        - name: etcd-jwt-token
+          secret:
+            secretName: apisix-etcd-jwt-token
+            defaultMode: 256
+        - name: data
+          persistentVolumeClaim:
+            claimName: etcd-apisix-pv-claim     
+
diff --git a/deploy/apisix-etcd/etcd-svc.yaml b/deploy/apisix-etcd/etcd-svc.yaml
@@ -0,0 +1,64 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: apisix-etcd
+  namespace: nuvolaris
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/instance: apisix
+spec:
+  type: ClusterIP
+  sessionAffinity: None
+  ports:
+    - name: "client"
+      port: 2379
+      targetPort: client
+    - name: "peer"
+      port: 2380
+      targetPort: peer
+  selector:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/instance: apisix
+        timeout: 30    # 30 seconds
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: apisix-etcd-headless
+  namespace: nuvolaris
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/instance: apisix
+  annotations:
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  type: ClusterIP
+  clusterIP: None
+  publishNotReadyAddresses: true
+  ports:
+    - name: client
+      port: 2379
+      targetPort: client
+    - name: peer
+      port: 2380
+      targetPort: peer
+  selector:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/instance: apisix