Optional components - single helm chart #1190
Replies: 3 comments 7 replies
-
With the above plan, we can get rid of the second (installer) helm chart. We will only ship one helm chart that can be used for any type of installation. This should unblock this story: #1182 |
Beta Was this translation helpful? Give feedback.
-
I'm still a bit puzzled about the "check, check, check". I think that if we want to simplify the installation we should not even check for existing stuff, but just give the minimum viable product and eventually give instructions on how to spice it up. So basically the single basic chart should be only Epinio. 🙂 i.e.: Mandatory componentsEpiniorun this chart and you got Epinio up&running (and that's it). OCI RegistryThen you need an OCI registry where to store the images, if you have one just set the env var like this, or you can install an internal one like this. IngressIf you want to reach Epinio you need to setup an ingress like this, or if you already have Traefik or an Nginx add this labels/services etc. Optional components (security, production configuration)Cert ManagerYou should secure your traffic, so you should install cert-manager, to do so you have to blablabla. But if you already have you just need to add this issuers and do this. Linkerd/IstioAlso the internal traffic should be encrypted, then you could use Linkerd, Istio or something else, just add this labels like this blabla. |
Beta Was this translation helpful? Give feedback.
-
I'm playing with the most simple Epinio installation, to see what can be improved or simplified. So at the moment I have cut down the chart to these Epinio components:
there are also the components about the Epinio "configuration", such as the ClusterRole, ClusterRoleBinding, Role, RoleBinding and ServiceAccount. With only these components Epinio is reachable and up&running. Furthermore the only needed variable in the values seems to be the Then I've added manually the Ingress (I wanted to test both the Traefik and Nginx but since I needed to install the Nginx controller withouth Traefik that was taking time and it was also something that @manno was trying I gave up).: apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: epinio
namespace: epinio
annotations:
kubernetes.io/ingress.class: traefik
labels:
app.kubernetes.io/name: epinio
spec:
rules:
- host: epinio.172.18.0.3.omg.howdoi.website
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: epinio-server
port:
number: 80 After the Ingress I've tried to deploy an app, and I've seen that the first problem was obviously about my configuration. Trying to do an apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
labels:
epinio.suse.org/api-user-credentials: "true"
name: default-epinio-user
namespace: epinio
stringData:
password: password
username: admin Tried again in order to get the config but it hangs here. Basically it tells me that it's waiting for the server certs, but it should not be so "mandatory", because after I edited manually the config file with the correct username and password then the cli works, also because we provide the Proposal: can we skip the cert if not available? After that I've tried a push with This part is probably related to a huge topic that we will need to address, about multi-tenancy, user permissions and so on. |
Beta Was this translation helpful? Give feedback.
-
Epinio needs various components for its provided functionality. Up to now, these components should be there otherwise Epinio won't work. This puts a lower limit to the installation complexity even when Epinio is just installed for quick demo locally. To make the process easier we had to come up with a custom installer. This installer is a maintenance burden has limited functionality and forces us to publish two different helm charts.
A better approach would be for Epinio to use the components when they are available but not fail otherwise. This is how it's possible (per component):
Linkerd
It is used to encrypt communication between components (e.g. Epinio server talking to Minio). It's enabled through annotations on namespaces. It can be made optional by putting the annotations in place and making sure it's going to work if likerd is installed (check through tests). If linkerd is not there, communication will simply not be encrypted, done.
Traefik
This is the ingress controller which implements our Ingresses for the epinio api server, the internal registry and the applications. We don't have complex requirements from the Ingress and we could as well live with nginx or other ingress if the user has one installed. We can make Traefik optional by putting the needed annotations for the various ingresses. Whichever is there (or is the default) will work. Relevant issues: #1178, #382
See also here regarding the usage of each component: https://docs.epinio.io/installation/install_epinio_manual.html
Kubed
This is needed to copy the registry secrets to every new Epinio namespace (and possibly other secret copying I'm currently missing). It's a very lightweight component and easy to install. We can simply make this a subchart of the Epinio chart. No need to make it optional.
https://github.com/epinio/helm-charts/issues/91
Cert manager
Needed to create TLS certificates for anything that has an Ingress. We can detect its presence by checking if the relevant CRDs exist. If not, we simply skip the creation of Certificates and let all communication be non-TLS.
#1192
Tekton
gone
S3 storage
Will be gone with this: #1157
OCI registry
Use to store the staging artifacts (images) and as a replacement for S3 (see issue above). This can't be made optional but it can be external or a subchart in the Epinio chart.
Beta Was this translation helpful? Give feedback.
All reactions