Merge pull request #83 from nautible/release/2024.2.0

Release/2024.2.0

albc/README.md

@@ -1,26 +1,34 @@
 
 # AWS LoadBalancer Controller
 
+## 0. 注意事項
+
+本導入手順はnautible-infraの tag:2024.2.0 バージョン以降で構築されたEKSに対応しています。  
+（2024.2.0から認証方式をIRSAからPod Identityに変更しています）
+
+2024.2.0より前のバージョンのnautible-infraでEKSを構築している場合、nautible-pluginのバージョンも2024.2.0より前のバージョンを利用してください。
+
 ## 1. 概要
 
 AWS LoadBalancer Controllerを導入する。  
 
-以下の理由からAWS LoadBalancer Controllerを導入する  
+以下の理由からAWS LoadBalancer Controllerを導入する。  
 
 - AWSのロードバランサーはCloudfrontからのリクエストのみ受け付けるように制御する(AWS Security Groupで制御)。  
 - Classic LoadBalancerは2022年8月で廃止
 
 ## 2. 導入
 
-helm.parameters.valueの値をLoadBalancer Controllerのロールarnに変更する。  
-※ロールはterraformで作成されます。terraformのoutpoutを参照してください。
+### コントローラーの導入
+
+helm.parameters.valueのclusterNameにALBを導入するクラスタ名を設定する。
 
 application.yaml
 ```YAML
     helm:
       parameters:
-        - name: 'serviceAccount.annotations.eks\.amazonaws\.com/role-arn'
-          value: 'arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX-AmazonEKSLoadBalancerControllerRole' # 対象のロールarnに変更する。
+        - name: 'clusterName'
+          value: 'nautible-dev-cluster' # 対象のクラスタ名に変更する。
 ```
 
 AWS LoadBalancer Controllerをデプロイする。
@@ -29,8 +37,9 @@ AWS LoadBalancer Controllerをデプロイする。
 $ kubectl apply -f albc/application.yaml
 ```
 
+### Istio用ロードバランサの導入
+
 Ingressの設定でLoadBalancerに設定するセキュリティグループに変更する。  
-※ロールはterraformで作成されます。terraformのoutpoutを参照してください。
 
 albc/ingress/manifest/ingress.yaml
 ```YAML

albc/application.yaml

@@ -11,18 +11,16 @@ spec:
   source:
     path: ''
     repoURL: 'https://aws.github.io/eks-charts/'
-    targetRevision: 1.7.0
+    targetRevision: 1.7.1
     chart: 'aws-load-balancer-controller'
     helm:
       parameters:
         - name: 'serviceAccount.create'
           value: 'true'
         - name: 'serviceAccount.name'
-          value: 'aws-load-balancer-controller'
-        - name: 'serviceAccount.annotations.eks\.amazonaws\.com/role-arn'
-          value: 'arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX-AmazonEKSLoadBalancerControllerRole' # 対象のロールarnに変更する。
+          value: 'aws-load-balancer-controller-sa'
         - name: 'clusterName'
-          value: 'nautible-dev-cluster'
+          value: 'nautible-dev-cluster' #FIXME: clusterName
   project: default
   syncPolicy:
     automated:

albc/ingress/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: albc/ingress/manifest
     repoURL: https://github.com/nautible/nautible-plugin
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

albc/ingress/manifest/ingress.yaml

@@ -12,16 +12,15 @@ metadata:
     alb.ingress.kubernetes.io/healthcheck-path: '/healthz/ready'
     # 対象のセキュリティグループに変更する。idまたは名称を指定する。
     # Blue/Greenデプロイの場合など複数バージョンのKubernetesが稼働する環境ではセキュリティグループの名前にバージョンも含めておいたほうが良い。
-    alb.ingress.kubernetes.io/security-groups: 'nautible-dev-cluster-albc-sg'
+    alb.ingress.kubernetes.io/security-groups: 'nautible-dev-cluster-v1_29-albc-sg'
 spec:
   rules:
-    - 
-      http:
+    - http:
         paths:
           - pathType: Prefix
             path: /
             backend:
               service:
                 name: istio-ingressgateway
-                port: 
+                port:
                   number: 80

app-bookinfo/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: app-bookinfo/
     repoURL: https://github.com/nautible/nautible-plugin
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-examples/base/examples-go/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: nautible-app-examples-manifest-go/overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-examples-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-examples/base/examples-java/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: nautible-app-examples-manifest-java/overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-examples-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-examples/base/examples-node/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: nautible-app-examples-manifest-node/overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-examples-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-examples/base/examples-python/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: nautible-app-examples-manifest-python/overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-examples-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-examples/overlays/aws/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: app-examples/overlays/aws
     repoURL: https://github.com/nautible/nautible-plugin
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-examples/overlays/azure/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: app-examples/overlays/azure
     repoURL: https://github.com/nautible/nautible-plugin
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/base/customer/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-ms-customer-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/base/delivery/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-ms-delivery-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/base/order/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-ms-order-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/base/payment/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: payment/overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-ms-payment-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/base/product/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-ms-product-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/base/stock/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-ms-stock-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/base/stockbatch/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: overlays/dev/
     repoURL: https://github.com/nautible/nautible-app-ms-stock-batch-manifest
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/overlays/aws/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: app-ms/overlays/aws
     repoURL: https://github.com/nautible/nautible-plugin
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/overlays/aws/secret-parameter/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: app-ms/overlays/aws/secret-parameter
     repoURL: https://github.com/nautible/nautible-plugin
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/overlays/azure/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: app-ms/overlays/azure
     repoURL: https://github.com/nautible/nautible-plugin
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

app-ms/overlays/azure/secret-parameter/application.yaml

@@ -11,7 +11,7 @@ spec:
   source:
     path: app-ms/overlays/azure/secret-parameter
     repoURL: https://github.com/nautible/nautible-plugin
-    targetRevision: HEAD
+    targetRevision: develop
   syncPolicy:
     automated:
       prune: true

auth/base/keycloak-deploy.yaml

@@ -27,66 +27,78 @@ spec:
         app.kubernetes.io/managed-by: manual
     spec:
       containers:
-      - name: keycloak
-        image: quay.io/keycloak/keycloak:18.0.0
-        args: ["start","--import-realm","--hostname-strict=false","--auto-build","--db=postgres","--http-relative-path /auth","--proxy edge"]
-        # args: ["start-dev","--import-realm","--hostname-strict=false","--db=postgres","--http-relative-path /auth"]
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: 1000
-        env:
-        - name: KC_IMPORT_VAL_FRONTEND_URL
-          value: http://localhost:8080/api/v1.0/nautible-auth/auth # fix me
-        - name: KC_IMPORT_VAL_ROOT_URL
-          value: http://localhost:3000 # fix me
-        - name: KEYCLOAK_ADMIN
-          valueFrom:
-            secretKeyRef:
-              name: secret-keycloak
-              key: KEYCLOAK_USER
-        - name: KEYCLOAK_ADMIN_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: secret-keycloak
-              key: KEYCLOAK_PASSWORD
-        - name: KC_DB_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: secret-keycloak
-              key: DB_USER
-        - name: KC_DB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: secret-keycloak
-              key: DB_PASSWORD
-        - name: KC_DB_URL_HOST
-          valueFrom:
-            secretKeyRef:
-              name: secret-keycloak
-              key: DB_HOST
-        - name: PROXY_ADDRESS_FORWARDING
-          value: "true"
-        volumeMounts:
-          - name: realm
-            mountPath: "/opt/keycloak/data/import"
-            readOnly: true
-        ports:
-        - name: http
-          containerPort: 8080
+        - name: keycloak
+          image: quay.io/keycloak/keycloak:25.0.0
+          args:
+            [
+              'start',
+              '--import-realm',
+              '--hostname-strict=false',
+              '--db=postgres',
+              '--http-relative-path=/auth',
+              '--proxy=edge',
+            ]
+          # args: ["start-dev","--import-realm","--hostname-strict=false","--db=postgres","--http-relative-path /auth"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+          env:
+            - name: KC_IMPORT_VAL_FRONTEND_URL
+              value: http://localhost:8080/api/v1.0/nautible-auth/auth # fix me
+            - name: KC_IMPORT_VAL_ROOT_URL
+              value: http://localhost:3000 # fix me
+            - name: KEYCLOAK_ADMIN
+              valueFrom:
+                secretKeyRef:
+                  name: secret-keycloak
+                  key: KEYCLOAK_USER
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: secret-keycloak
+                  key: KEYCLOAK_PASSWORD
+            - name: KC_DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: secret-keycloak
+                  key: DB_USER
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: secret-keycloak
+                  key: DB_PASSWORD
+            - name: KC_DB_URL_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: secret-keycloak
+                  key: DB_HOST
+            - name: PROXY_ADDRESS_FORWARDING
+              value: 'true'
+          volumeMounts:
+            - name: realm
+              mountPath: '/opt/keycloak/data/import'
+              readOnly: true
+          ports:
+            - name: http
+              containerPort: 8080
       volumes:
         - name: realm
           emptyDir: {}
         - name: secret-keycloak-realm
           secret:
             secretName: secret-keycloak-realm
       initContainers:
-      - name: touch
-        image: busybox
-        command: ["sh", "-c","cp /secret-keycloak-realm/realm.json /realm/realm.json"]
-        volumeMounts:
-          - name: realm
-            mountPath: /realm
-          - name: secret-keycloak-realm
-            mountPath: "/secret-keycloak-realm"
-            readOnly: true
-
+        - name: touch
+          image: busybox
+          command:
+            [
+              'sh',
+              '-c',
+              'cp /secret-keycloak-realm/realm.json /realm/realm.json',
+            ]
+          volumeMounts:
+            - name: realm
+              mountPath: /realm
+            - name: secret-keycloak-realm
+              mountPath: '/secret-keycloak-realm'
+              readOnly: true