Update Cortex to be installable on any k8s cluster on AWS and GCP

README.md

@@ -82,6 +82,5 @@ $ curl http://example.com/text-generator -X POST -H "Content-Type: application/j
 
 ## Get started
 
-* [Read the docs](https://docs.cortex.dev)
-* [Report an issue](https://github.com/cortexlabs/cortex/issues)
-* [Join our community](https://gitter.im/cortexlabs/cortex)
+* [Install Cortex](https://docs.cortex.dev)
+* [Join our community](https://join.slack.com/t/cortex-dot-dev/shared_invite/zt-lf58axgy-0QkLZzFSSku5_Jybd9yiZQ)

build/cli.sh

@@ -61,8 +61,22 @@ function build_python {
   popd
 }
 
+function upload_charts {
+  set -euo pipefail
+
+  echo -e "\nCompressing charts"
+  tar -czf charts.tar.gz charts/
+
+  echo "Uploading compressed charts to s3://$CLI_BUCKET_NAME/$CORTEX_VERSION/charts/cortex-$CORTEX_VERSION.tar.gz"
+  aws s3 cp charts.tar.gz s3://$CLI_BUCKET_NAME/$CORTEX_VERSION/charts/cortex-$CORTEX_VERSION.tar.gz --only-show-errors
+
+  rm -rf charts.tar.gz
+}
+
 build_and_upload darwin
 
 build_and_upload linux
 
 build_python
+
+upload_charts

build/lint.sh

@@ -75,6 +75,7 @@ output=$(cd "$ROOT" && find . -type f \
 ! -path "**/.history/*" \
 ! -path "**/__pycache__/*" \
 ! -path "./test/*" \
+! -path "./charts/*" \
 ! -path "./dev/config/*" \
 ! -path "./bin/*" \
 ! -path "./.circleci/*" \
@@ -146,6 +147,7 @@ output=$(cd "$ROOT" && find . -type f \
 ! -path "./dev/config/*" \
 ! -path "./bin/*" \
 ! -path "./.git/*" \
+! -path "./charts/charts/networking/charts/*" \
 ! -name ".*" \
 ! -name "*.bin" \
 ! -name "*.wav" \
@@ -166,6 +168,7 @@ output=$(cd "$ROOT" && find . -type f \
 ! -path "./dev/config/*" \
 ! -path "./bin/*" \
 ! -path "./.git/*" \
+! -path "./charts/charts/networking/charts/*" \
 ! -name ".*" \
 ! -name "*.bin" \
 ! -name "*.wav" \
@@ -186,6 +189,7 @@ output=$(cd "$ROOT" && find . -type f \
 ! -path "./dev/config/*" \
 ! -path "./bin/*" \
 ! -path "./.git/*" \
+! -path "./charts/charts/networking/charts/*" \
 ! -name ".*" \
 ! -name "*.bin" \
 ! -name "*.wav" \

charts/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: cortex
+description: A Helm chart for installing Cortex
+type: application
+version: 0.1.0       # CORTEX_VERSION
+appVersion: "master" # CORTEX_VERSION

charts/charts/networking/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/charts/networking/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: networking
+description: A Helm chart for setting up Cortex's networking dependencies
+type: application
+version: 0.1.0       # CORTEX_VERSION
+appVersion: "master" # CORTEX_VERSION

charts/charts/networking/charts/api-ingress/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+name: api-ingress
+version: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio gateways
+keywords:
+  - istio
+  - ingressgateway
+  - gateways
+sources:
+  - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png

charts/charts/networking/charts/api-ingress/NOTES.txt

@@ -0,0 +1,43 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minimize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label and chart structure.
+- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
+and allows a bit more flexibility.
+- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
+
+# Port and basic host configuration
+
+In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
+In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
+both in upgrade, Gateway and VirtualService.
+
+The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
+Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
+config for the rest.
+
+All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8. Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.

charts/charts/networking/charts/api-ingress/templates/_affinity.tpl

@@ -0,0 +1,93 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{- define "nodeaffinity" }}
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    {{- include "nodeAffinityRequiredDuringScheduling" . }}
+    preferredDuringSchedulingIgnoredDuringExecution:
+    {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/arch
+          operator: In
+          values:
+        {{- range $key, $val := .global.arch }}
+          {{- if gt ($val | int) 0 }}
+          - {{ $key | quote }}
+          {{- end }}
+        {{- end }}
+        {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
+        {{- range $key, $val := $nodeSelector }}
+        - key: {{ $key }}
+          operator: In
+          values:
+          - {{ $val | quote }}
+        {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+  {{- range $key, $val := .global.arch }}
+    {{- if gt ($val | int) 0 }}
+    - weight: {{ $val | int }}
+      preference:
+        matchExpressions:
+        - key: kubernetes.io/arch
+          operator: In
+          values:
+          - {{ $key | quote }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+  podAntiAffinity:
+    {{- if .podAntiAffinityLabelSelector }}
+    requiredDuringSchedulingIgnoredDuringExecution:
+    {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+    {{- end }}
+    {{- if .podAntiAffinityTermLabelSelector }}
+    preferredDuringSchedulingIgnoredDuringExecution:
+    {{- include "podAntiAffinityPreferredDuringScheduling" . }}
+    {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityLabelSelector }}
+    - labelSelector:
+        matchExpressions:
+        - key: {{ $item.key }}
+          operator: {{ $item.operator }}
+          {{- if $item.values }}
+          values:
+          {{- $vals := split "," $item.values }}
+          {{- range $i, $v := $vals }}
+          - {{ $v | quote }}
+          {{- end }}
+          {{- end }}
+      topologyKey: {{ $item.topologyKey }}
+    {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+    - podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: {{ $item.key }}
+            operator: {{ $item.operator }}
+            {{- if $item.values }}
+            values:
+            {{- $vals := split "," $item.values }}
+            {{- range $i, $v := $vals }}
+            - {{ $v | quote }}
+            {{- end }}
+            {{- end }}
+        topologyKey: {{ $item.topologyKey }}
+      weight: 100
+    {{- end }}
+{{- end }}

charts/charts/networking/charts/api-ingress/templates/autoscale.yaml

@@ -0,0 +1,24 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ $gateway.name | default "istio-ingressgateway" }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+spec:
+  maxReplicas: {{ $gateway.autoscaleMax }}
+  minReplicas: {{ $gateway.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ $gateway.name | default "istio-ingressgateway" }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- end }}