Skip to content

Implement challenge Kubernetes resource deployment #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
detjensrobert merged 16 commits into from
Mar 30, 2025
Merged

Implement challenge Kubernetes resource deployment #41

detjensrobert merged 16 commits into from
Mar 30, 2025

Conversation

@detjensrobert
Copy link
Contributor

@detjensrobert detjensrobert commented Mar 1, 2025

The meat and potatoes, finally.

Depends on #38.

This deploys all the needed Kubernetes resources for challenges. Each challenge is created in its own namespace, with its Deployments for all the pods defined in the challenge config, and any exposed services via Service LoadBalancers or Ingress configs.

Currently, non-HTTP challenges are exposed via their own separate LoadBalancer service at a DNS domain based on the challenge name. This approach does have a slightly higher cost, since this creates more cloud provider loadbalancers (on AWS each LB is about $20/month). We are also not currently exposing what domain to expose TCP challenges at, so this the name is generated from the challenge name.

This is slightly different than how the configuration was initially designed, where all TCP challenges would be exposed on the same domain at different ports. Doable, but using separate load balancers does not require messing with the ingress controller values to proxy TCP services.

Switching from either of these to the Gateway API would let us keep a single loadbalancer (the Gateway controller) and direct TCP traffic via native ingress-like resources, at whatever domains we want, though each TCP service would still need to be on a different port.

@detjensrobert detjensrobert self-assigned this Mar 1, 2025
@detjensrobert detjensrobert mentioned this pull request Mar 1, 2025
Closed
3 tasks
KekoaM
KekoaM approved these changes Mar 30, 2025
View reviewed changes
Copy link
Contributor

@KekoaM KekoaM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All changes look good

@detjensrobert
Slugify challenge directory for container names and uploads
e3ec006 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Split kubernetes templates into own file, try rendering them
c754284 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Update challenge kube templates for actual templating
9539a31 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Enable JSON features in minijinja
48cd8aa 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Template out all challenge kube manifests, only print for now
fcec007 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
move kubernetes deploy helpers to shared client mod
9ff2c6f 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Fix expose subdomain in example http challenge
05d2089 
This should be a subdomain, not the full domain.

Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Fix image pulls in test k3d cluster
f35fbdd 
Localhost in the k3d containers is not the host localhost, so it cant pull
images from the test registry. Instead, add the registry container to the
k3d network and alias the registry name to pull directly.

Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Fix ingress class name in ingress template
48212ae 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Actually apply the challenge manifests to cluster
5ff274d 
HTTP challenges should work now, but TCP challenges still need some work to
update the ingress config in order to get exposed.

Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Return created objects when applying kube manifest
10edf40 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Skeleton for returning deploy expose results in struct
ae02b62 
Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Wait for deployed resources to become ready
1836246 
This waits for:
- pods to become running
- deployments to complete rollouts
- ingresses to become published by controller
- LoadBalancer services to get external IP

Other types of resources or services are ignored and immediately return Ok.

Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Use inmemory no-op provider for external-dns for test deployment
86ba328 
We don't need to actually create records (nor is there a way to), but this will
still log the records it would have created.

Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Remove custom template env remnants
7d44318 
These were added to test overriding the minijinja `default` None handling.
Gating in the template was easier, and so this is not needed now.

Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert
Replace inline k8s condition funcs with upstreamed versions
a56b8a6 
These were contributed to the upstream kube library, so bump it and use
those contributed conditions instead of the custom inline ones.

Signed-off-by: Robert Detjens <github@detjens.dev>
@detjensrobert detjensrobert merged commit 2ca0f4a into main Mar 30, 2025
3 checks passed
@detjensrobert detjensrobert deleted the dr/deploy-kubernetes branch March 30, 2025 04:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KekoaM KekoaM KekoaM approved these changes

@cacama-valvata cacama-valvata Awaiting requested review from cacama-valvata

Assignees

@detjensrobert detjensrobert

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@detjensrobert @KekoaM