
Install the Kong Gateway Operator

# Install (or upgrade) the Kong Gateway Operator into kong-system.
# image.tag pins the operator image.  The webhook certificates are handed to
# cert-manager, so this presumably expects the cert-manager install further
# down this page to be in place — confirm the intended ordering.
helm upgrade --install kong-operator kong/gateway-operator \
  --namespace kong-system --create-namespace \
  --set image.tag=1.6.0,global.webhooks.options.certManager.enabled=true

Create the TLS certificate Secret

 # Wrap an existing Let's Encrypt certificate in a kubernetes.io/tls Secret.
 # Both files are read from a local relative path; keep privkey.pem out of
 # version control and shell history.
 # NOTE(review): nothing else on this page references vela-staging-cert — the
 # Gateway below points at vela-run-wildcard-tls and postbrain-cert-secret;
 # confirm which Secret name the listeners are meant to use.
 kubectl create secret tls vela-staging-cert \
   --namespace kong-system \
   --cert=letsencrypt/live/demo.vela.run/fullchain.pem \
   --key=letsencrypt/live/demo.vela.run/privkey.pem

Create GatewayConfiguration

# Operator-level settings for the Gateway created further down; the
# GatewayClass reaches this object through parametersRef.
cat <<'EOF' | kubectl apply -f -
apiVersion: gateway-operator.konghq.com/v1beta1
kind: GatewayConfiguration
metadata:
  name: kong-gw-config
  namespace: kong-system
spec:
  dataPlaneOptions:
    network:
      services:
        ingress:
          # LoadBalancer: the proxy gets an external address, i.e. it is the
          # public entry point for everything routed through this Gateway.
          type: LoadBalancer
    deployment:
      podTemplateSpec:
        spec:
          containers:
            - name: proxy
              image: kong/kong-gateway:3.9
              env:
                # Larger-than-default nginx header and proxy buffers;
                # presumably sized for requests carrying big headers —
                # confirm against the traffic that motivated them.
                - name: KONG_NGINX_HTTP_LARGE_CLIENT_HEADER_BUFFERS
                  value: '8 32k'
                - name: KONG_NGINX_HTTP_CLIENT_HEADER_BUFFER_SIZE
                  value: '32k'
                - name: KONG_NGINX_PROXY_PROXY_BUFFER_SIZE
                  value: '128k'
                - name: KONG_NGINX_PROXY_PROXY_BUFFERS
                  value: '4 256k'
                - name: KONG_NGINX_PROXY_PROXY_BUSY_BUFFERS_SIZE
                  value: '256k'
                # Allow-list of modules that sandboxed ("untrusted") Lua code
                # may require.  Every entry widens what that code can reach;
                # keep it to exactly what the plugins in use need.
                - name: KONG_UNTRUSTED_LUA_SANDBOX_REQUIRES
                  value: 'resty.jwt'
  controlPlaneOptions:
    deployment:
      podTemplateSpec:
        spec:
          containers:
            - name: controller
              resources:
                # Only limits are given; Kubernetes then defaults the
                # requests to the same values.
                limits:
                  cpu: 500m
                  memory: 500Mi
EOF

Create GatewayClass

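# GatewayClass is cluster-scoped, so it carries no metadata.namespace (the API
# server drops one if given).  The namespace belongs on parametersRef, which
# points at the GatewayConfiguration created above.  Indentation normalised to
# the two spaces used by the other manifests on this page.
kubectl apply -f - <<'EOF'
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: kong-class
spec:
  controllerName: konghq.com/gateway-operator
  parametersRef:
    group: gateway-operator.konghq.com
    kind: GatewayConfiguration
    name: kong-gw-config
    namespace: kong-system
EOF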

Create Gateway

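# Public Gateway in kong-system.  All three listeners accept Routes from any
# namespace (allowedRoutes.namespaces.from: All), so any workload that can
# create an HTTPRoute anywhere in the cluster can publish itself on this
# address; tighten to Same or a Selector if namespaces are not equally trusted.
# certificateRefs without a namespace resolve in the Gateway's own namespace,
# so both Secrets must exist in kong-system.
# NOTE(review): the Secret created earlier on this page is vela-staging-cert,
# which neither listener references — confirm the intended Secret names.
# Indentation normalised to two spaces throughout (metadata was at four).
kubectl apply -f - <<'EOF'
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: vela-public-gateway
  namespace: kong-system
spec:
  gatewayClassName: kong-class
  listeners:
    # Plain HTTP on 80; nothing on this page redirects it to HTTPS.
    - name: http
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All
    # Catch-all HTTPS listener (no hostname).
    - name: https
      port: 443
      protocol: HTTPS
      allowedRoutes:
        namespaces:
          from: All
      tls:
        mode: Terminate
        certificateRefs:
          - group: ""
            kind: Secret
            name: vela-run-wildcard-tls
    # Dedicated HTTPS listener for one hostname, sharing port 443.
    - name: postbrainhttps
      hostname: postbrain.simplyblock.ai
      port: 443
      protocol: HTTPS
      allowedRoutes:
        namespaces:
          from: All
      tls:
        mode: Terminate
        certificateRefs:
          - group: ""
            kind: Secret
            name: postbrain-cert-secret
EOF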

StackGres

# StackGres operator, pulled directly from its chart repository (no prior
# `helm repo add`); --wait blocks until the release is ready or 600s elapse.
helm upgrade --install stackgres-operator stackgres-operator \
  --repo https://stackgres.io/downloads/stackgres-k8s/stackgres/helm/ \
  -n stackgres --create-namespace \
  --wait --timeout 600s

Cert Manager

# cert-manager v1.13.0 with its CRDs installed by the chart.  Presumably this
# is also what issues the Kong operator's webhook certificates (see
# global.webhooks.options.certManager above) — confirm the install order.
# Note this is `helm install`, not `upgrade --install`: it fails if the
# release already exists.
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --set installCRDs=true \
  --version v1.13.0

After installation, create the self-signed certificate issuer `ca-issuer`. For production, use Let's Encrypt instead.

# Bootstrap a private CA: a self-signed ClusterIssuer signs one CA
# Certificate, whose key pair then backs the ca-issuer ClusterIssuer that
# workloads request certificates from.  The CA private key lives in Secret
# ca-key-pair in the cert-manager namespace; anyone able to read that Secret
# can mint certificates trusted by whatever trusts vela-ca, so guard RBAC
# on it accordingly.
cat <<'EOF' | kubectl apply -f -
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ca-cert
  namespace: cert-manager
spec:
  isCA: true
  commonName: vela-ca
  secretName: ca-key-pair
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-bootstrap
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: ca-key-pair
EOF

Monitoring

Node exporter is disabled so that it does not conflict with the one that already exists in the cluster. Ideally, simplyblock should be able to hook into the existing monitoring solution, but implementing that feedback was never prioritised: simplyblock/sbcli#408 (comment)

# kube-prometheus-stack with Grafana, Alertmanager and node-exporter switched
# off (the cluster already runs its own).  Prometheus data goes on a 5Gi
# local-hostpath PVC, which presumably pins the pod to one node — confirm
# that is acceptable for this environment.
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm upgrade --install kube-prometheus-stack prometheus-community/kube-prometheus-stack \
  -n monitoring --create-namespace \
  --set grafana.enabled=false,alertmanager.enabled=false,nodeExporter.enabled=false \
  --set prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName=local-hostpath \
  --set prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage=5Gi

Make Prometheus scrape the PG Exporter across all namespaces. A ServiceMonitor cannot be used here because the Service objects for branch services are headless; in that case we use a PodMonitor and scrape the metrics directly from the pods.

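# Scrape the Postgres exporter endpoints straight from the pods (the headless
# branch Services rule out a ServiceMonitor).  The heredoc delimiter is now
# quoted like every other manifest on this page, so the shell performs no
# expansion inside it.  namespaceSelector.any: true searches every namespace;
# the release label is what lets the kube-prometheus-stack Prometheus pick
# this PodMonitor up.
# NOTE(review): newer prometheus-operator releases mark targetPort as
# deprecated in favour of a named port — check against the installed CRD.
kubectl apply -f - <<'EOF'
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: postgres
  namespace: monitoring
  labels:
    release: kube-prometheus-stack
spec:
  namespaceSelector:
    any: true
  selector:
    matchLabels:
      app.kubernetes.io/name: NeonVM
  podMetricsEndpoints:
    - targetPort: 9187
      interval: 30s
    - targetPort: 9127
      interval: 30s
EOF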

Metrics API

Deploy the Metrics Server API to provide CPU and memory usage.

# Metrics Server backs `kubectl top` and HPA resource metrics.
# --kubelet-insecure-tls skips verification of each kubelet's serving
# certificate, so the usage data could be tampered with by anything on the
# path to a kubelet.  It is a workaround for clusters whose kubelets lack
# certificates signed by the cluster CA; drop it once they have them.
helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
helm repo update
helm upgrade --install metrics-server metrics-server/metrics-server \
  -n kube-system \
  --set args="{--kubelet-insecure-tls,--kubelet-preferred-address-types=InternalIP,--metric-resolution=15s}"

Loki

# Loki, configured from deployment/addons/loki.yaml.  --debug makes helm print
# verbose output including the computed values and rendered manifest, so
# anything sensitive in that values file lands in the terminal or CI log;
# remove the flag once the install is stable.
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update
helm upgrade --install loki grafana/loki \
  -n loki --create-namespace \
  -f deployment/addons/loki.yaml \
  --debug

After Loki is installed, a Loki data source is added manually in Grafana.