From 2243dfeb53dabc710f2482137f06024a94ad347d Mon Sep 17 00:00:00 2001 From: Mangirdas Judeikis Date: Fri, 21 Nov 2025 11:47:48 +0200 Subject: [PATCH 1/2] Update helm production docs. Add gateway api support --- backend/http/server.go | 2 +- .../charts/backend/templates/deployment.yaml | 20 ----- .../charts/backend/templates/gateway-api.yaml | 88 ++++++++++++++++++ deploy/charts/backend/templates/service.yaml | 10 --- deploy/charts/backend/values.yaml | 27 ++++-- docs/content/developers/.pages | 3 +- docs/content/developers/testing-changes.md | 82 +++++++++++++++++ docs/content/setup/helm.md | 90 ++++++++++--------- 8 files changed, 243 insertions(+), 79 deletions(-) create mode 100644 deploy/charts/backend/templates/gateway-api.yaml create mode 100644 docs/content/developers/testing-changes.md diff --git a/backend/http/server.go b/backend/http/server.go index 6bb547dbf..a7a5208ca 100644 --- a/backend/http/server.go +++ b/backend/http/server.go @@ -49,7 +49,7 @@ func (s *Server) Addr() net.Addr { } func (s *Server) Start(ctx context.Context) error { - log.Println("Starting HTTP server") + log.Println("Starting web server") server := &http.Server{ Handler: s.Router, ReadHeaderTimeout: 1 * time.Minute, diff --git a/deploy/charts/backend/templates/deployment.yaml b/deploy/charts/backend/templates/deployment.yaml index 39885ee10..e1f7ae59f 100644 --- a/deploy/charts/backend/templates/deployment.yaml +++ b/deploy/charts/backend/templates/deployment.yaml 
@@ -82,25 +82,15 @@ spec: {{- if .Values.backend.cookieEncryptionKey }} - --cookie-encryption-key={{ .Values.backend.cookieEncryptionKey }} {{- end }} - {{- if .Values.backend.tls.enabled }} - - --tls-cert-file={{ .Values.backend.tls.tlsCertFile }} - - --tls-key-file={{ .Values.backend.tls.tlsKeyFile }} - {{- end }} {{- if eq .Values.backend.oidc.type "embedded" }} - --oidc-type=embedded {{- else if eq .Values.backend.oidc.type "external" }} - --oidc-type=external {{- end }} ports: - {{- if .Values.backend.tls.enabled }} - - name: https - containerPort: 8443 - protocol: TCP - {{- else }} - name: http containerPort: 8080 protocol: TCP - {{- end }} {{- with .Values.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} @@ -114,20 +104,10 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - {{- if .Values.backend.tls.enabled }} - - name: tls-certs - mountPath: /etc/kube-bind/tls - readOnly: true - {{- end }} {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} volumes: - {{- if .Values.backend.tls.enabled }} - - name: tls-certs - secret: - secretName: {{ .Values.backend.tls.certSecretName }} - {{- end }} {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/deploy/charts/backend/templates/gateway-api.yaml b/deploy/charts/backend/templates/gateway-api.yaml new file mode 100644 index 000000000..187ddb888 --- /dev/null +++ b/deploy/charts/backend/templates/gateway-api.yaml 
@@ -0,0 +1,88 @@
+{{- if .Values.gatewayApi.enabled }}
+{{- if .Values.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "kube-bind.fullname" . }}-tls
+ labels:
+ {{- include "kube-bind.labels" . | nindent 4 }}
+spec:
+ secretName: {{ include "kube-bind.fullname" . }}-tls
+ issuerRef:
+ name: {{ .Values.certManager.clusterIssuer }}
+ kind: ClusterIssuer
+ {{- if .Values.gatewayApi.route.hostnames }}
+ dnsNames:
+ {{- range .Values.gatewayApi.route.hostnames }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+---
+{{- end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: {{ include "kube-bind.fullname" . }}-gateway
+ labels:
+ {{- include "kube-bind.labels" . | nindent 4 }}
+ {{- with .Values.gatewayApi.gateway.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ gatewayClassName: {{ .Values.gatewayApi.gateway.className }}
+ listeners:
+ - name: https
+ protocol: HTTPS
+ port: {{ .Values.gatewayApi.gateway.httpsPort | default 443 }}
+ tls:
+ mode: Terminate
+ certificateRefs:
+ {{- if .Values.certManager.enabled }}
+ - name: {{ include "kube-bind.fullname" . }}-tls
+ {{- else if .Values.gatewayApi.gateway.tls.certificateRefs }}
+ {{- range .Values.gatewayApi.gateway.tls.certificateRefs }}
+ - name: {{ .name }}
+ {{- if .namespace }}
+ namespace: {{ .namespace }}
+ {{- end }}
+ {{- if .group }}
+ group: {{ .group }}
+ {{- end }}
+ {{- if .kind }}
+ kind: {{ .kind }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - name: http
+ protocol: HTTP
+ port: {{ .Values.gatewayApi.gateway.httpPort | default 80 }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ include "kube-bind.fullname" . }}-route
+ labels:
+ {{- include "kube-bind.labels" . | nindent 4 }}
+ {{- with .Values.gatewayApi.route.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ parentRefs:
+ - name: {{ include "kube-bind.fullname" . 
}}-gateway + {{- if .Values.gatewayApi.route.hostnames }} + hostnames: + {{- range .Values.gatewayApi.route.hostnames }} + - {{ . | quote }} + {{- end }} + {{- end }} + rules: + - matches: + - path: + type: {{ .Values.gatewayApi.route.pathType | default "PathPrefix" }} + value: {{ .Values.gatewayApi.route.path | default "/" }} + backendRefs: + - name: {{ include "kube-bind.fullname" . }} + port: {{ .Values.service.port }} +{{- end }} \ No newline at end of file diff --git a/deploy/charts/backend/templates/service.yaml b/deploy/charts/backend/templates/service.yaml index b30d7355b..d541ff9e3 100644 --- a/deploy/charts/backend/templates/service.yaml +++ b/deploy/charts/backend/templates/service.yaml @@ -7,15 +7,6 @@ metadata: spec: type: {{ .Values.service.type }} ports: - {{- if .Values.backend.tls.enabled }} - - port: {{ .Values.service.httpsPort | default 8443 }} - targetPort: https - protocol: TCP - name: https - {{- if and (eq .Values.service.type "NodePort") .Values.service.httpsNodePort }} - nodePort: {{ .Values.service.httpsNodePort }} - {{- end }} - {{- else }} - port: {{ .Values.service.port }} targetPort: http protocol: TCP @@ -23,6 +14,5 @@ spec: {{- if and (eq .Values.service.type "NodePort") .Values.service.nodePort }} nodePort: {{ .Values.service.nodePort }} {{- end }} - {{- end }} selector: {{- include "kube-bind.selectorLabels" . | nindent 4 }} diff --git a/deploy/charts/backend/values.yaml b/deploy/charts/backend/values.yaml index 67a6cb3e7..0be0e7ca9 100644 --- a/deploy/charts/backend/values.yaml +++ b/deploy/charts/backend/values.yaml @@ -10,11 +10,6 @@ backend: listenAddress: "0.0.0.0:8080" externalAddress: "" externalServerName: "" - tls: - enabled: false - certSecretName: "" - tlsCertFile: "/etc/kube-bind/tls/tls.crt" - tlsKeyFile: "/etc/kube-bind/tls/tls.key" # OIDC configuration. Empty values - will run embedded OIDC server. oidc: issuerUrl: "" 
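Review bot: The HTTPRoute's `parentRefs` names the Gateway without a `sectionName`, so the route attaches to both listeners and the backend — including the OIDC `/api/callback` exchange and its session cookies — is served in plaintext on the `http` listener (port 80) exactly as on `https`. Pin the application route to the TLS listener with `sectionName: https` and add a second HTTPRoute bound to the `http` listener whose only rule is a `RequestRedirect` filter to `scheme: https`, so port 80 never carries application traffic. Two rendering gaps are also worth closing: when `certManager.enabled` is false and `gateway.tls.certificateRefs` is empty the HTTPS listener renders with an empty `certificateRefs` (invalid for `mode: Terminate`, and better rejected at install time with `required`), and the Certificate's `dnsNames` are emitted unquoted while the HTTPRoute quotes them, so a wildcard like `*.example.com` is parsed as a YAML alias in the Certificate — use `- {{ . | quote }}` in both places. A `certificateRefs` entry that sets `namespace` additionally needs a ReferenceGrant in that namespace, which the chart does not render; a comment next to the `namespace` field in values.yaml would save users a confusing `RefNotPermitted` condition.
```yaml
spec:
  parentRefs:
    - name: {{ include "kube-bind.fullname" . }}-gateway
      sectionName: https
  # … unchanged: hostnames, rules, backendRefs …
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: {{ include "kube-bind.fullname" . }}-redirect
  labels:
    {{- include "kube-bind.labels" . | nindent 4 }}
spec:
  parentRefs:
    - name: {{ include "kube-bind.fullname" . }}-gateway
      sectionName: http
  {{- if .Values.gatewayApi.route.hostnames }}
  hostnames:
  {{- range .Values.gatewayApi.route.hostnames }}
    - {{ . | quote }}
  {{- end }}
  {{- end }}
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
```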
@@ -37,6 +32,28 @@ certManager: enabled: false clusterIssuer: "" +# Gateway API configuration +gatewayApi: + enabled: false + gateway: + className: "" + httpPort: 80 + httpsPort: 443 + annotations: {} + tls: + certificateRefs: [] + # Example: + # - name: tls-cert + # namespace: default + route: + hostnames: [] + # Example: + # - "example.com" + # - "api.example.com" + path: "/" + pathType: "PathPrefix" + annotations: {} + examples: # Example resources to seed on first start enabled: false diff --git a/docs/content/developers/.pages b/docs/content/developers/.pages index a549ca52d..ab903794b 100644 --- a/docs/content/developers/.pages +++ b/docs/content/developers/.pages @@ -3,4 +3,5 @@ nav: - Development Environment: dev-environments.md - Backend: backend - Konnector: konnector - - Publishing a release: publishing-a-release.md \ No newline at end of file + - Publishing a release: publishing-a-release.md + - Testing changes: testing-changes.md \ No newline at end of file diff --git a/docs/content/developers/testing-changes.md b/docs/content/developers/testing-changes.md new file mode 100644 index 000000000..79f444608 --- /dev/null +++ b/docs/content/developers/testing-changes.md 
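Review bot: The new `gatewayApi` block does not document how its keys interact with the template: `gateway.tls.certificateRefs` is silently ignored whenever `certManager.enabled` is true (the Gateway template takes the cert-manager branch first), and an empty `route.hostnames` both makes the HTTPRoute match every host and leaves the cert-manager Certificate without any `dnsNames`. Add comments on those keys, e.g. `# Ignored when certManager.enabled is true; the chart-issued Certificate is used instead.` above `certificateRefs`, and `# Used as the HTTPRoute hostnames and, with certManager.enabled, as the Certificate dnsNames; set at least one.` above `hostnames`. `className: ""` as the default renders a Gateway with an empty `gatewayClassName` once `enabled: true`, so either mark it mandatory in a comment or guard it with `required` in the template. It is also worth stating on `gateway.httpPort` that the port 80 listener serves the application in plaintext unless the route is restricted to the HTTPS listener.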
@@ -0,0 +1,82 @@ +--- +description: > + How to test changes made to kube-bind in your development environment. +weight: 30 +title: Testing Changes +--- + +# Testing code changes + +When making changes to kube-bind, it's important to test them in a realistic multi-cluster environment. + +Follow [development setup instructions](../developers/development-setup/) to set up your development environment using kcp. +kcp allows you to simulate multiple clusters using logical clusters. + + +# Testing helm chart changes + +By default, in helm chart, the backend component does not have TLS enabled, and the embedded OIDC server is not used. +To test changes related to TLS or OIDC, you need to enable them explicitly by setting the appropriate Helm values. + +To test basic Helm-install flow you will need GatewayAPI enabled kubernetes cluster with cert-manager installed. +By default it will use TLS termination at the Gateway level. + + +```bash +# Use a specific development version: +# VERSION=0.0.0-9fd9281e661c0d9a426a941111d3d8b08019ebc1 +``` + +And run full helm install command with additional parameters: +```bash +helm upgrade --install \ + --namespace kube-bind \ + --create-namespace \ + --set certManager.enabled=true \ + --set certManager.clusterIssuer=letsencrypt-prod \ + --set backend.oidc.issuerUrl=https://auth.genericcontrolplane.io \ + --set backend.oidc.clientId=platform-mesh \ + --set backend.oidc.clientSecret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \ + --set backend.oidc.callbackUrl=https://kube-bind.genericcontrolplane.io/api/callback \ + --set gatewayApi.enabled=true \ + --set gatewayApi.gateway.className=nginx \ + --set gatewayApi.gateway.httpPort=80 \ + --set gatewayApi.gateway.httpsPort=443 \ + --set 'gatewayApi.gateway.tls.certificateRefs[0].name=backend-tls-cert' \ + --set 'gatewayApi.route.hostnames[0]=kube-bind.genericcontrolplane.io' \ + --set gatewayApi.route.path=/ \ + --set gatewayApi.route.pathType=PathPrefix \ + --set image.tag=${VERSION} \ + kube-bind \ + 
./deploy/charts/backend +``` + +After the deployment at minimum url should be accessible: + +```bash + curl https://kube-bind.genericcontrolplane.io + + + + + + + Kube Bind + + + + +
+ + +% +``` + + +# Local dev environment testing + +If you changed helm charts and neet to test them in local development environment you can do the following: + +```bash + ./bin/kubectl-bind dev create --chart-path ./deploy/charts/backend +``` \ No newline at end of file diff --git a/docs/content/setup/helm.md b/docs/content/setup/helm.md index 83adf69d9..14c7c0414 100644 --- a/docs/content/setup/helm.md +++ b/docs/content/setup/helm.md @@ -10,8 +10,6 @@ The backend chart is available as an OCI image for service providers, with konne ## Quick Start -**Important**: Current version of kube-bind uses application-level redirect (HTTP 302) to CLI. Your ingress controller must support this behavior. - ## Prerequisites & Setup Guides The following prerequisites are required. Click the links below for detailed setup instructions: @@ -20,6 +18,7 @@ The following prerequisites are required. Click the links below for detailed set - **[Helm 3.x](#helm)** - Package manager for Kubernetes - **[cert-manager](#cert-manager-setup)** - For TLS certificate management - **[OIDC provider](#oidc-provider-setup)** - For authentication (Dex, Keycloak, etc.) +- **[Gateway API](#gateway-api-setup)** - (Optional) For advanced ingress management ### Install kube-bind Backend @@ -31,7 +30,7 @@ The following prerequisites are required. Click the links below for detailed set VERSION=$(curl -s https://api.github.com/repos/kube-bind/kube-bind/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//') # Or use a specific development version: - # VERSION=0.0.0- + # VERSION=0.0.0-9fd9281e661c0d9a426a941111d3d8b08019ebc1 ``` 2. **Configure your values:** 
@@ -41,21 +40,34 @@ The following prerequisites are required. Click the links below for detailed set - Update hostnames to match your setup 3. **Install the backend using OCI chart:** - ```bash + + Note !!! + To install production configuration, you will need to have OIDC provider. + If you interested just to try - check quickstart [quickstart]. + +```bash # Using latest release version - helm upgrade --install \ - --namespace kube-bind \ - --create-namespace \ - --values ./deploy/charts/backend/examples/values-local-development.yaml \ - kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION} - - # Or install a specific development version - helm upgrade --install \ - --namespace kube-bind \ - --create-namespace \ - --values ./deploy/charts/backend/examples/values-local-development.yaml \ - kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-a50df39d7e4c71f7808f4209ec23f294c5ac8f86 - ``` +helm upgrade --install \ + --namespace kube-bind \ + --create-namespace \ + --set certManager.enabled=true \ + --set certManager.clusterIssuer=letsencrypt-prod \ + --set backend.oidc.issuerUrl=https://auth.example.com \ + --set backend.oidc.clientId=platform-mesh \ + --set backend.oidc.clientSecret= \ + --set backend.oidc.callbackUrl=https://kube-bind.example.com/api/callback \ + --set gatewayApi.enabled=true \ + --set gatewayApi.gateway.className=nginx \ + --set gatewayApi.gateway.httpsPort=443 \ + --set 'gatewayApi.gateway.tls.certificateRefs[0].name=backend-tls-cert' \ + --set 'gatewayApi.route.hostnames[0]=kube-bind.example.com' \ + --set gatewayApi.route.path=/ \ + --set gatewayApi.route.pathType=PathPrefix \ + --set image.tag=${VERSION} \ + kube-bind \ + kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION} +``` + 4. **Seed with example resources (optional):** ```bash 
@@ -70,13 +82,6 @@ That's it! Your kube-bind backend is now ready to use. --- -### Kubernetes Cluster -You need a running Kubernetes cluster with `kubectl` configured. For testing, you can create a local cluster: - -```bash -kind create cluster --name kube-bind-test -``` - ### Helm Install Helm 3.x from [https://helm.sh/docs/intro/install/](https://helm.sh/docs/intro/install/) @@ -85,6 +90,23 @@ Install Helm 3.x from [https://helm.sh/docs/intro/install/](https://helm.sh/docs export HELM_EXPERIMENTAL_OCI=1 ``` +### Gateway API Setup + +Install gateway API CRDs and controller for advanced ingress management. Kube-bind supports Gateway API for routing traffic to the backend service. + +Follow the official Gateway API installation instructions: +https://gateway-api.sigs.k8s.io/guides/ + +```bash +kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml +``` + +We used NGINX Gateway controller for testing. Install it as follows: + +```bash +helm upgrade --install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway +``` + ### cert-manager Setup Install cert-manager for automatic TLS certificate management: @@ -216,7 +238,7 @@ config: redirectURIs: - https://auth.example.com/callback - http://localhost:8000 - - https://kube-bind.example.com/callback # Replace with your domain + - https://kube-bind.example.com/api/callback # Replace with your domain name: 'KubeBindApp' secret: ### REPLACE ME ### 
@@ -281,20 +303,4 @@ curl -s https://api.github.com/repos/kube-bind/kube-bind/releases | grep '"tag_n # Get latest release version VERSION=$(curl -s https://api.github.com/repos/kube-bind/kube-bind/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//') echo "Latest version: ${VERSION}" -``` - -**Development versions:** -Development charts are built from every commit to the main branch with the format `0.0.0-`. - -### Installing Different Versions - -```bash -# Install latest stable release (recommended for production) -helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION} - -# Install specific release version -helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version 1.0.0 - -# Install development build (for testing) -helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-a1b2c3d -``` +``` \ No newline at end of file From 5639019e8a8bc6b3bc4c15455f08705dd8fedc39 Mon Sep 17 00:00:00 2001 From: Mangirdas Judeikis Date: Wed, 26 Nov 2025 10:46:43 +0200 Subject: [PATCH 2/2] revert tls setup --- .../charts/backend/templates/deployment.yaml | 20 +++++++++++++++++++ deploy/charts/backend/templates/service.yaml | 10 ++++++++++ deploy/charts/backend/values.yaml | 5 +++++ docs/content/developers/testing-changes.md | 3 ++- docs/content/setup/helm.md | 5 +++-- docs/content/setup/kind-setup.md | 6 ++++-- 6 files changed, 44 insertions(+), 5 deletions(-) diff --git a/deploy/charts/backend/templates/deployment.yaml b/deploy/charts/backend/templates/deployment.yaml index e1f7ae59f..39885ee10 100644 --- a/deploy/charts/backend/templates/deployment.yaml +++ b/deploy/charts/backend/templates/deployment.yaml 
@@ -82,15 +82,25 @@ spec: {{- if .Values.backend.cookieEncryptionKey }} - --cookie-encryption-key={{ .Values.backend.cookieEncryptionKey }} {{- end }} + {{- if .Values.backend.tls.enabled }} + - --tls-cert-file={{ .Values.backend.tls.tlsCertFile }} + - --tls-key-file={{ .Values.backend.tls.tlsKeyFile }} + {{- end }} {{- if eq .Values.backend.oidc.type "embedded" }} - --oidc-type=embedded {{- else if eq .Values.backend.oidc.type "external" }} - --oidc-type=external {{- end }} ports: + {{- if .Values.backend.tls.enabled }} + - name: https + containerPort: 8443 + protocol: TCP + {{- else }} - name: http containerPort: 8080 protocol: TCP + {{- end }} {{- with .Values.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} @@ -104,10 +114,20 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: + {{- if .Values.backend.tls.enabled }} + - name: tls-certs + mountPath: /etc/kube-bind/tls + readOnly: true + {{- end }} {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} volumes: + {{- if .Values.backend.tls.enabled }} + - name: tls-certs + secret: + secretName: {{ .Values.backend.tls.certSecretName }} + {{- end }} {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/deploy/charts/backend/templates/service.yaml b/deploy/charts/backend/templates/service.yaml index d541ff9e3..b30d7355b 100644 --- a/deploy/charts/backend/templates/service.yaml +++ b/deploy/charts/backend/templates/service.yaml @@ -7,6 +7,15 @@ metadata: spec: type: {{ .Values.service.type }} ports: + {{- if .Values.backend.tls.enabled }} + - port: {{ .Values.service.httpsPort | default 8443 }} + targetPort: https + protocol: TCP + name: https + {{- if and (eq .Values.service.type "NodePort") .Values.service.httpsNodePort }} + nodePort: {{ .Values.service.httpsNodePort }} + {{- end }} + {{- else }} - port: {{ .Values.service.port }} targetPort: http protocol: TCP 
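Review bot: Enabling `backend.tls.enabled` switches the container port to `https`/8443, but nothing in this hunk changes the address the process binds, and `backend.listenAddress` still defaults to `"0.0.0.0:8080"` in values.yaml; if the backend binds from that value (how it is passed to the binary is not visible here), the Service's `targetPort: https` would point at a port nobody listens on. Either derive the containerPort from the listen address or add a comment next to `tls.enabled` that `listenAddress` must be changed to a `:8443` address when TLS is on. Probes supplied through `.Values.livenessProbe`/`.Values.readinessProbe` that reference the port by the name `http` break once the port is renamed `https`, and plain `httpGet` probes would additionally need `scheme: HTTPS`. The container spec continues outside the hunk.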
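Review bot: With `backend.tls.enabled=true` and `certSecretName` left at its `""` default, the restored `tls-certs` volume renders `secretName: ""` and the pod fails at mount time with an unhelpful event instead of failing at `helm install`. Fail fast in the template: `secretName: {{ required "backend.tls.certSecretName must be set when backend.tls.enabled is true" .Values.backend.tls.certSecretName }}`. The `readOnly: true` mount is the right choice for key material; consider also a restrictive `defaultMode` on the secret volume so the private key is not world-readable inside the container, checked against the pod's `securityContext`, which is outside this hunk.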
@@ -14,5 +23,6 @@ spec: {{- if and (eq .Values.service.type "NodePort") .Values.service.nodePort }} nodePort: {{ .Values.service.nodePort }} {{- end }} + {{- end }} selector: {{- include "kube-bind.selectorLabels" . | nindent 4 }} diff --git a/deploy/charts/backend/values.yaml b/deploy/charts/backend/values.yaml index 0be0e7ca9..e003fe2d2 100644 --- a/deploy/charts/backend/values.yaml +++ b/deploy/charts/backend/values.yaml @@ -10,6 +10,11 @@ backend: listenAddress: "0.0.0.0:8080" externalAddress: "" externalServerName: "" + tls: + enabled: false + certSecretName: "" + tlsCertFile: "/etc/kube-bind/tls/tls.crt" + tlsKeyFile: "/etc/kube-bind/tls/tls.key" # OIDC configuration. Empty values - will run embedded OIDC server. oidc: issuerUrl: "" diff --git a/docs/content/developers/testing-changes.md b/docs/content/developers/testing-changes.md index 79f444608..fdd13fa6f 100644 --- a/docs/content/developers/testing-changes.md +++ b/docs/content/developers/testing-changes.md @@ -29,7 +29,8 @@ By default it will use TLS termination at the Gateway level. And run full helm install command with additional parameters: ```bash -helm upgrade --install \ +helm upgrade \ + --install \ --namespace kube-bind \ --create-namespace \ --set certManager.enabled=true \ diff --git a/docs/content/setup/helm.md b/docs/content/setup/helm.md index 14c7c0414..e26ab2122 100644 --- a/docs/content/setup/helm.md +++ b/docs/content/setup/helm.md @@ -43,11 +43,12 @@ The following prerequisites are required. Click the links below for detailed set Note !!! To install production configuration, you will need to have OIDC provider. - If you interested just to try - check quickstart [quickstart]. + For more information, just check out the [quickstart guide].(./quickstart.md) ```bash # Using latest release version -helm upgrade --install \ +helm upgrade \ + --install \ --namespace kube-bind \ --create-namespace \ --set certManager.enabled=true \ 
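Review bot: Restoring the `https`-only Service port when `backend.tls.enabled` is true breaks the Gateway API template added in the previous commit: `gateway-api.yaml` wires `backendRefs` to `port: {{ .Values.service.port }}`, which the Service no longer exposes in TLS mode, so the HTTPRoute resolves to no backend. Select the port to match, e.g. in gateway-api.yaml `port: {{ if .Values.backend.tls.enabled }}{{ .Values.service.httpsPort | default 8443 }}{{ else }}{{ .Values.service.port }}{{ end }}`. Even with the port fixed, the Gateway terminates TLS and forwards plaintext HTTP to a backend that now expects TLS, so the two modes should either be declared mutually exclusive (a `fail` in the template when both `gatewayApi.enabled` and `backend.tls.enabled` are set) or the route needs a BackendTLSPolicy for re-encryption, which as far as I recall is only in the Gateway API experimental channel rather than the `standard-install.yaml` the docs reference.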
diff --git a/docs/content/setup/kind-setup.md b/docs/content/setup/kind-setup.md index 6e71915b0..7db19ce04 100644 --- a/docs/content/setup/kind-setup.md +++ b/docs/content/setup/kind-setup.md @@ -24,12 +24,14 @@ export KIND_EXPERIMENTAL_DOCKER_NETWORK=kube-bind kind create cluster --name provider kubectl cluster-info --context kind-provider -helm upgrade --install \ +helm upgrade \ + --install \ --namespace kube-bind \ --create-namespace \ kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-a50df39d7e4c71f7808f4209ec23f294c5ac8f86 -helm upgrade --install \ +helm upgrade \ + --install \ --namespace kube-bind \ --create-namespace \ --set image.repository=ghcr.io/mjudeikis/kube-bind/backend \