diff --git a/content/post/kubedb-v2024.11.18/hero.jpg b/content/post/kubedb-v2024.11.18/hero.jpg index 7dd6ceeb..3fe467ba 100644 Binary files a/content/post/kubedb-v2024.11.18/hero.jpg and b/content/post/kubedb-v2024.11.18/hero.jpg differ diff --git a/content/post/kubedb-v2024.11.18/index.md b/content/post/kubedb-v2024.11.18/index.md index 4a5c8471..46f552aa 100644 --- a/content/post/kubedb-v2024.11.18/index.md +++ b/content/post/kubedb-v2024.11.18/index.md 
@@ -43,18 +43,20 @@ tags: We are thrilled to announce the release of **KubeDB v2024.11.18**. This release introduces several key features, including: -- **TLS/SSL Support**: TLS/SSL support has been implemented for both Druid, Memcached, , PgBouncer, and ZooKeeper, significantly improving security by enabling encrypted communication. +- **TLS/SSL Support**: TLS/SSL support has been implemented for Druid, Memcached, PgBouncer, and ZooKeeper significantly improving security by enabling encrypted communication. - **OpsRequest Support**: Enhanced operational request capabilities for Druid, Memcached, Microsoft SQL Server, PgBouncer, Solr, and ZooKeeper, providing greater management flexibility. -- **RotateAuth**: A new Ops Request named `RotateAuth` has been introduced. This feature enables users to rotate the credentials of the database enhancing overall security. It is initially added for `Druid`, `Elasticsearch`, `Kafka`, `MongoDB`, `Postgres`, and `Solr`. - - **Autoscaling**: Added autoscaling support for Apache Solr to automatically adjust resources based on workload demands. +- **RotateAuth**: A new Ops Request named `RotateAuth` has been introduced. This feature enables users to rotate the credentials of the database enhancing overall security. It is initially added for Druid, Elasticsearch, Kafka, MongoDB, Postgres, and Solr. + - **Authentication**: Authentication support has been introduced for Memcached, providing an additional layer of security by verifying client identities before granting access. - **New Version Support**: Added support for Druid version `30.0.1` and MongoDB version `8.0.3`. +- **Monitoring**: Added enhanced monitoring feature for KubeDB-managed Cassandra deployments by integrating Grafana dashboards. + - **Recommendation Engine**: This release includes important fixes and improvements for the Recommendation Engine. 
- **Performance Improvement**: This release brings enhancements to controller performance, ensuring more efficient and faster operations. 
@@ -81,11 +83,12 @@ In this release, we are introducing **TLS support for Apache Druid**. By impleme With TLS enabled, client applications can securely connect to the Druid cluster, ensuring that data transmitted between clients and servers remains encrypted and protected from unauthorized access or tampering. This encryption adds an extra layer of security, particularly important for sensitive data environments where confidentiality and integrity are paramount. -In addition to securing client-to-server communication, **internal communication** between Druid nodes is also encrypted. Furthermore, **connections to external dependencies**, such as metadata storage and deep storage systems, are secured. +In addition to securing client-to-server communication, **internal communication** among Druid nodes is also encrypted. Furthermore, **connections to external dependencies**, such as metadata storage and deep storage systems, are secured. To configure TLS/SSL in Druid, KubeDB utilizes cert-manager to issue certificates. Before proceeding with TLS configuration in Druid, ensure that cert-manager is installed in your cluster. You can follow the steps provided [here](https://cert-manager.io/docs/installation/kubectl/) to install cert-manager in your cluster. To issue a certificate, cert-manager employs the following Custom Resource (CR): + **Issuer/ClusterIssuer**: Issuers and ClusterIssuers represent certificate authorities (CAs) capable of generating signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to fulfill the request. Further details can be found [here](https://cert-manager.io/docs/concepts/issuer/). **Certificate**: cert-manager introduces the concept of Certificates, which define the desired x509 certificate to be renewed and maintained up to date. More details on Certificates can be found [here](https://cert-manager.io/docs/usage/certificate/). 
@@ -222,19 +225,18 @@ It is also possible to provide a username and password through a custom authenti Support for Druid Version `30.0.1` has been added in this release and `30.0.0` is marked as deprecated. - ## Elasticsearch RotateAuth OpsRequest has been added for elasticsearch. in this release. It will rotate the admin credential of elasticsearch. We can provide a secret name in the spec.authentication.secretRef.name and the ops manager will update the credential of the database. If we don’t provide any secret then the password of the current secret will be updated. -***Elasticsearch Cluster Mode*** +**Elasticsearch Cluster Mode** ```yaml apiVersion: kubedb.com/v1 kind: Elasticsearch metadata: - name: ess-cluster + name: es-cluster namespace: demo spec: storageType: Durable @@ -272,11 +274,11 @@ spec: version: xpack-8.15.0 ``` -***Elasticsearch RotateAuth OpsRequest*** +**Elasticsearch RotateAuth OpsRequest** ```yaml apiVersion: ops.kubedb.com/v1alpha1 -kind: SolrOpsRequest +kind: ElasticsearchOpsRequest metadata: name: roatate-es namespace: demo @@ -452,7 +454,7 @@ This is an example showing how to add TLS to an existing `Memcached` database. R ## Microsoft SQL Server -### Ops-Requests: Reconfigure and Reconfigure-TLS +### Ops-Requests We are excited to introduce two new Ops-Requests for managing Microsoft SQL Server configurations in Kubernetes: **Reconfigure**, and **Reconfigure TLS**. These allow you to easily modify SQL Server settings and TLS configurations for enhanced flexibility and security. Below, you’ll find examples demonstrating how to use these new features. 
@@ -645,7 +647,7 @@ You have to specify the SQL Server product edition using the `MSSQL_PID` environ - `EnterpriseCore`: Uses the Enterprise Edition Core. - ``: Uses the edition associated with the specified product ID. -- In addition, the `ACCEPT_EULA` environment variable is required to confirm your acceptance of the [End-User Licensing Agreement](https://go.microsoft.com/fwlink/?linkid=857698). It must be set to "Y" to allow the SQL Server container to run. +- In addition, the `ACCEPT_EULA` environment variable is required to confirm your acceptance of the [End-User Licensing Agreement](https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-configure-environment-variables?view=sql-server-ver16#environment-variables:~:text=ACCEPT_EULA,SQL%20Server%20image.). It must be set to "Y" to allow the SQL Server container to run. **Example YAML Configuration**: @@ -799,7 +801,7 @@ spec: - name: pgbouncer ``` -### Ops-Requests Support: +### Ops-Requests Support **Restart** @@ -817,7 +819,6 @@ spec: type: Restart ``` - ## Postgres In this release we improved the postgres point time recovery to support seamless archiving and recovery with db pods spread out in different zones in a single region. We also improved our algorithm to calculate and find the suitable base backup for PITR. @@ -872,14 +873,11 @@ Finally, the operator will update the postgres cluster with the new credential a We have added a field `.spec.authSecret.activeFrom` to the db yaml which refers to the timestamp of the credential is active from. - -## SingleStore - ## Solr Solr autoscaler support has been added in this release. Kubedb autoscaler leverages the automation of storage and memory autoscaling with the help of metrics configuration and prometheus. -***Solr Combined Mode***: +**Solr Combined Mode**: ```yaml apiVersion: kubedb.com/v1alpha2 kind: Solr 
@@ -901,7 +899,7 @@ spec: storageClassName: longhorn ``` -***Solr Cluster Mode***: +**Solr Cluster Mode**: ```yaml apiVersion: kubedb.com/v1alpha2 kind: Solr @@ -942,7 +940,7 @@ spec: storage: 1Gi ``` -***Computer Autoscaler***: +**Computer Autoscaler**: Computer autoscaler deals with scaling cpu and memory and we need metrics configuration in our cluster for this operation. @@ -1026,7 +1024,7 @@ spec: containerControlledValues: "RequestsAndLimits" ``` -***Storage Autoscaler***: +**Storage Autoscaler**: Storage autoscaler deal with scaling pvc storage with the help of prometheus. So, we need prometheus in the cluster for this operation For combined cluster: @@ -1070,9 +1068,10 @@ spec: scalingThreshold: 100 ``` -***RotateAuth OpsRequest***: +**RotateAuth OpsRequest**: + We have also added support for RotateAuth ops request for `Solr` in this release. It will rotate the admin credential of solr. We can provide secret name in the spec.authentication.secretRef.name and ops manager with update the credential of database. -If we don’t provide any secret anime the password of the current secret will be updated. +If we don’t provide any secret and the password of the current secret will be updated. Solr RotateAuth OpsRequest: @@ -1138,7 +1137,7 @@ spec: deletionPolicy: "WipeOut" ``` -### Ops-Requests Support: +### Ops-Requests Support **Reconfigure TLS** @@ -1257,7 +1256,6 @@ status: reason: SuccessfullyExecutedOperation ``` - ## Support To speak with us, please leave a message on [our website](https://appscode.com/contact/). diff --git a/static/files/products/appscode/aws-marketplace/ace_pay_arch.png b/static/files/products/appscode/aws-marketplace/ace_pay_arch.png deleted file mode 100644 index 99259d80..00000000 Binary files a/static/files/products/appscode/aws-marketplace/ace_pay_arch.png and /dev/null differ 
diff --git a/static/files/products/appscode/aws-marketplace/ace_payg_aws_eula.pdf b/static/files/products/appscode/aws-marketplace/ace_payg_aws_eula.pdf deleted file mode 100644 index c98443dd..00000000 Binary files a/static/files/products/appscode/aws-marketplace/ace_payg_aws_eula.pdf and /dev/null differ diff --git a/static/files/products/appscode/aws-marketplace/ace_payg_cf.yaml b/static/files/products/appscode/aws-marketplace/ace_payg_cf.yaml deleted file mode 100644 index 1d534d28..00000000 --- a/static/files/products/appscode/aws-marketplace/ace_payg_cf.yaml +++ /dev/null 
@@ -1,370 +0,0 @@ -AWSTemplateFormatVersion: '2010-09-09' -Description: CloudFormation template for creating an EC2 instance in a new VPC - -Parameters: - InstanceType: - Description: "CIDR range of remote ip for ssh" - Type: String - Default: "m5.xlarge" - AllowedValues: - - "m5.xlarge" - - "m5.2xlarge" - - "m5.4xlarge" - - "m5.8xlarge" - - "m5.12xlarge" - - "m5.16xlarge" - - "m5.24xlarge" - - "m5d.xlarge" - - "m5d.2xlarge" - - "m5d.4xlarge" - - "m5d.8xlarge" - - "m5d.12xlarge" - - "m5d.16xlarge" - - "m5d.24xlarge" - SSHIpCIDR: - Description: "CIDR range of remote ip for ssh for debug or management purposes. Please set CIDR to x.x.x.x/32 to allow one specific IP address access, 0.0.0.0/0 to allow all IP addresses access, or another CIDR range." - Type: String - AllowedPattern: '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(3[0-2]|[1-2]?[0-9])$' - ApplicationAccessIpCIDR: - Description: "CIDR range from where the application will be accessed. 0.0.0.0/0 is recommended to allow all IP addresses access. Set CIDR to x.x.x.x/32 to allow one specific IP address access or another CIDR range as needed." - Type: String - AllowedPattern: '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(3[0-2]|[1-2]?[0-9])$' - InstallerURL: - Description: "Download URL of the selfhost Installer" - Type: String - AllowedPattern: "^https:\\/\\/appscode\\.com\\/links\\/installer.*$" - KeyPair: - Description: "Name of an existing EC2 KeyPair to enable SSH access to the instance." 
- Type: 'AWS::EC2::KeyPair::KeyName' -Mappings: - InstanceMap: - us-east-1: - AMI: "ami-0984f4b9e98be44bf" - us-east-2: - AMI: "ami-09caa684bdee947fc" - us-west-1: - AMI: "ami-0a9271c49701613c1" - us-west-2: - AMI: "ami-04907d7291cd8e06a" - ap-south-1: - AMI: "ami-03753afda9b8ba740" - ap-northeast-3: - AMI: "ami-0f7c0a87233c91cfb" - ap-northeast-2: - AMI: "ami-0c63ba386d57a6296" - ap-southeast-1: - AMI: "ami-09fcb1e15a7d9b9f2" - ap-southeast-2: - AMI: "ami-09c380248cbc422a4" - ap-northeast-1: - AMI: "ami-0b6fe957a0eb4c1b9" - ca-central-1: - AMI: "ami-0926a49ffde4bb836" -Resources: - VPC: - Type: AWS::EC2::VPC - Properties: - CidrBlock: 10.5.0.0/16 - EnableDnsSupport: true - EnableDnsHostnames: true - Tags: - - Key: Name - Value: !Ref AWS::StackName - Subnet: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref VPC - CidrBlock: 10.5.0.0/24 - AvailabilityZone: !Join ['', [ !Ref AWS::Region, 'a'] ] - Tags: - - Key: Name - Value: !Ref AWS::StackName - ElasticIP: - Type: AWS::EC2::EIP - Properties: - Tags: - - Key: Name - Value: !Ref AWS::StackName - InternetGateway: - Type: AWS::EC2::InternetGateway - Properties: - Tags: - - Key: Name - Value: !Ref AWS::StackName - AttachGateway: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - VpcId: !Ref VPC - InternetGatewayId: !Ref InternetGateway - RouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref VPC - Tags: - - Key: Name - Value: !Ref AWS::StackName - RouteToInternet: - Type: AWS::EC2::Route - DependsOn: AttachGateway - Properties: - RouteTableId: !Ref RouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref InternetGateway - SecurityGroupIngress4222: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 4222 - ToPort: 4222 - CidrIp: !Ref ApplicationAccessIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - SecurityGroupIngress80: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: !Ref ApplicationAccessIpCIDR - 
GroupId: !GetAtt VPC.DefaultSecurityGroup - SecurityGroupIngress443: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - CidrIp: !Ref ApplicationAccessIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - SecurityGroupIngress6443: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 6443 - ToPort: 6443 - CidrIp: !Ref ApplicationAccessIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - SecurityGroupIngress22: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: !Ref SSHIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - SubnetRouteTableAssociation: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref RouteTable - SubnetId: !Ref Subnet - Instance: - Type: AWS::EC2::Instance - Properties: - ImageId: !FindInMap [InstanceMap, !Ref 'AWS::Region', AMI] - InstanceType: !Ref InstanceType - KeyName: !Ref KeyPair - Tags: - - Key: "Name" - Value: - Ref: AWS::StackName - NetworkInterfaces: - - AssociatePublicIpAddress: "true" - DeviceIndex: "0" - SubnetId: - Ref: "Subnet" - BlockDeviceMappings: - - DeviceName: /dev/xvda #/dev/sta1 root volume for ubuntu, /dev/xvda for amzn-linux - Ebs: - VolumeSize: 100 # Specify the size of the root volume in GB - VolumeType: gp3 - UserData: - Fn::Base64: - !Join - - "\n" - - - | - #!/bin/bash - sudo su - HOME="/root" - cd $HOME - apt-get -y update - apt upgrade -y - set -xeo pipefail - exec >/root/userdata.log 2>&1 - - !Sub 'INSTALLER_URL=${InstallerURL}' - - !Sub 'PUBLIC_IP=${ElasticIP.PublicIp}' - - !Sub 'REGION=${AWS::Region}' - - | - #constants (don't touch) - BUCKET_NAME="ace" - INSTALLER_ID=$(echo $INSTALLER_URL | awk -F '[/]' '{ print $8 }') - timestamp() { - date +"%Y/%m/%d %T" - } - log() { - local type="$1" - local msg="$2" - local script_name=${0##*/} - echo "$(timestamp) [$script_name] [$type] $msg" - } - retry() { - local retries="$1" - shift - local count=0 - local 
wait=5 - until "$@"; do - exit="$?" - if [ $count -lt $retries ]; then - log "INFO" "Attempt $count/$retries. Command exited with exit_code: $exit. Retrying after $wait seconds..." - sleep $wait - else - log "INFO" "Command failed in all $retries attempts with exit_code: $exit. Stopping trying any further...." - return $exit - fi - count=$(($count + 1)) - done - return 0 - } - create_k3s() { - echo 'fs.inotify.max_user_instances=100000' | sudo tee -a /etc/sysctl.conf - echo 'fs.inotify.max_user_watches=100000' | sudo tee -a /etc/sysctl.conf - sudo sysctl -p - # Create k3s cluster - SERVER_IP=${PUBLIC_IP} - #selinux policy resolve. ref: https://github.com/k3s-io/k3s/issues/10411#issuecomment-2231879747 - amazon-linux-extras enable selinux-ng; sudo yum install selinux-policy-targeted -y - cmd="curl -sfL https://get.k3s.io" - retry 5 $cmd | INSTALL_K3S_EXEC="--disable=traefik --disable=metrics-server" sh -s - --tls-san "$SERVER_IP" - echo 'alias k=kubectl' >> ${HOME}/.bashrc - export KUBECONFIG=/etc/rancher/k3s/k3s.yaml - # wait for 2 pods to become running - cmd="kubectl wait --for=condition=ready pods --all -A --timeout=5m" - retry 5 $cmd - # Install helm - curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash - } - download_values(){ - mkdir old - cd old - curl -L "${INSTALLER_URL}" -o "archive.tar.gz" - tar -xvzf archive.tar.gz - #soruce azure credential file from archive.tar.gz - source env.sh - cd .. 
- } - aws_cli() { - BUCKET_NAME=${BUCKET_NAME}$(head /dev/urandom | tr -dc 'a-z' | head -c 6) - echo "s3 bucket name: "${BUCKET_NAME} - # install jq - yum install jq -y - # aws s3api create-bucket --bucket ${BUCKET_NAME} --region ${REGION} --object-ownership BucketOwnerEnforced - aws s3api create-bucket --bucket ${BUCKET_NAME} --region ${REGION} - ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') - CLUSTER_ID=$(kubectl get ns kube-system -o=jsonpath='{.metadata.uid}') - UTC_TIME=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ") - #call the webhook here - resp=$(curl -X POST https://appscode.com/marketplace/api/v1/marketplaces/aws/notification/resource?secret=${API_SECRET} \ - -H "Content-Type: application/json" \ - -d '{ - "eventType": "BIND", - "eventTime": "'${UTC_TIME}'", - "accountId": "'${ACCOUNT_ID}'", - "bindingInfo": { - "installerID": "'${INSTALLER_ID}'", - "clusterId": "'${CLUSTER_ID}'", - "options": { - "infra": { - "dns": { - "provider": "none", - "targetIPs": ["'${PUBLIC_IP}'"] - }, - "cloudServices": { - "objstore": { - "auth": { - "s3": { - "AWS_ACCESS_KEY_ID": "'${AWS_ACCESS_KEY_ID}'", - "AWS_SECRET_ACCESS_KEY": "'${AWS_SECRET_ACCESS_KEY}'" - } - }, - "bucket": "s3://'${BUCKET_NAME}'?s3ForcePathStyle=true", - "endpoint": "s3.amazonaws.com", - "prefix": "ace", - "region": "'${REGION}'" - }, - "provider": "s3" - }, - "kubestash": { - "backend": { - "provider": "s3", - "s3": { - "bucket": "s3://'${BUCKET_NAME}'", - "endpoint": "s3.amazonaws.com", - "prefix": "ace", - "region": "'${REGION}'" - } - }, - "retentionPolicy": "keep-1mo", - "schedule": "0 */2 * * *", - "storageSecret": { - "create": true - } - } - }, - "initialSetup": { - "cluster": { - "region": "'${REGION}'" - }, - "subscription": { - "aws": { - "customer-identifier": "demo-customer-identifier" - } - } - } - } - } - }') - link=$(echo ${resp} | jq -r '.link') - if [ ${link} == "null" ]; then exit 1 ; fi - mkdir new - cd new - curl -L "${link}" -o "archive.tar.gz" - tar -xvzf archive.tar.gz - cd 
.. - } - install_fluxcd() { - helm upgrade -i flux2 \ - oci://ghcr.io/appscode-charts/flux2 \ - --version ${FLUXCD_CHART_VERSION} \ - --namespace flux-system --create-namespace \ - --set helmController.create=true \ - --set sourceController.create=true \ - --set imageAutomationController.create=false \ - --set imageReflectionController.create=false \ - --set kustomizeController.create=true \ - --set notificationController.create=true \ - --set-string helmController.labels."ace\.appscode\.com/managed=true" \ - --set-string sourceController.labels."ace\.appscode\.com/managed=true" \ - --set-string kustomizeController.labels."ace\.appscode\.com/managed=true" \ - --set-string notificationController.labels."ace\.appscode\.com/managed=true" \ - --set cli.image=ghcr.io/appscode/flux-cli \ - --wait --debug --burst-limit=10000 - } - deploy_ace(){ - helm upgrade -i ace-installer \ - oci://ghcr.io/appscode-charts/ace-installer \ - --version ${ACE_INSTALLER_CHART_VERSION} \ - --namespace kubeops --create-namespace \ - --values=./new/values.yaml \ - --wait --debug --burst-limit=10000 - } - init(){ - create_k3s - download_values - aws_cli - install_fluxcd - deploy_ace - } - init - - IPAssoc: - Type: AWS::EC2::EIPAssociation - Properties: - InstanceId: !Ref Instance - EIP: !GetAtt ElasticIP.PublicIp diff --git a/static/files/products/appscode/aws-marketplace/ace_payg_cf_ubuntu.yaml b/static/files/products/appscode/aws-marketplace/ace_payg_cf_ubuntu.yaml deleted file mode 100644 index 31bcd2a2..00000000 --- a/static/files/products/appscode/aws-marketplace/ace_payg_cf_ubuntu.yaml +++ /dev/null 
@@ -1,365 +0,0 @@ -AWSTemplateFormatVersion: '2010-09-09' -Description: CloudFormation template for creating an EC2 instance in a new VPC - -Parameters: - InstanceType: - Description: "CIDR range of remote ip for ssh" - Type: String - Default: "m5.xlarge" - AllowedValues: - - "m5.xlarge" - - "m6g.xlarge" - SSHIpCIDR: - Description: "CIDR range of remote ip for ssh for debug or management purposes. Please set CIDR to x.x.x.x/32 to allow one specific IP address access, 0.0.0.0/0 to allow all IP addresses access, or another CIDR range." - Type: String - AllowedPattern: '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(3[0-2]|[1-2]?[0-9])$' - ApplicationAccessIpCIDR: - Description: "CIDR range from where the application will be accessed. 0.0.0.0/0 is recommended to allow all IP addresses access. Set CIDR to x.x.x.x/32 to allow one specific IP address access or another CIDR range as needed." - Type: String - AllowedPattern: '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(3[0-2]|[1-2]?[0-9])$' - InstallerURL: - Description: "Download URL of the selfhost Installer" - Type: String - AllowedPattern: "^https:\\/\\/appscode\\.com\\/links\\/installer.*$" - KeyPair: - Description: "Name of an existing EC2 KeyPair to enable SSH access to the instance." 
- Type: 'AWS::EC2::KeyPair::KeyName' - -Mappings: - InstanceMap: - m5.xlarge: - ImageID: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/noble/stable/current/amd64/hvm/ebs-gp3/ami-id}}' - m6g.xlarge: - ImageID: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/noble/stable/current/arm64/hvm/ebs-gp3/ami-id}}' - -Resources: - VPC: - Type: AWS::EC2::VPC - Properties: - CidrBlock: 10.5.0.0/16 - EnableDnsSupport: true - EnableDnsHostnames: true - Tags: - - Key: Name - Value: !Ref AWS::StackName - - Subnet: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref VPC - CidrBlock: 10.5.0.0/24 - Tags: - - Key: Name - Value: !Ref AWS::StackName - - ElasticIP: - Type: AWS::EC2::EIP - Properties: - Tags: - - Key: Name - Value: !Ref AWS::StackName - - InternetGateway: - Type: AWS::EC2::InternetGateway - Properties: - Tags: - - Key: Name - Value: !Ref AWS::StackName - - AttachGateway: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - VpcId: !Ref VPC - InternetGatewayId: !Ref InternetGateway - - RouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref VPC - Tags: - - Key: Name - Value: !Ref AWS::StackName - - RouteToInternet: - Type: AWS::EC2::Route - DependsOn: AttachGateway - Properties: - RouteTableId: !Ref RouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref InternetGateway - - SecurityGroupIngress4222: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 4222 - ToPort: 4222 - CidrIp: !Ref ApplicationAccessIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - - SecurityGroupIngress80: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: !Ref ApplicationAccessIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - - SecurityGroupIngress443: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - CidrIp: !Ref ApplicationAccessIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - - SecurityGroupIngress6443: - Type: 
AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 6443 - ToPort: 6443 - CidrIp: !Ref ApplicationAccessIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - - SecurityGroupIngress22: - Type: AWS::EC2::SecurityGroupIngress - Properties: - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: !Ref SSHIpCIDR - GroupId: !GetAtt VPC.DefaultSecurityGroup - - SubnetRouteTableAssociation: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref RouteTable - SubnetId: !Ref Subnet - - Instance: - Type: AWS::EC2::Instance - Properties: - ImageId: !FindInMap [ InstanceMap, !Ref InstanceType, ImageID] - InstanceType: !Ref InstanceType - KeyName: !Ref KeyPair - Tags: - - Key: "Name" - Value: - Ref: AWS::StackName - NetworkInterfaces: - - AssociatePublicIpAddress: "true" - DeviceIndex: "0" - SubnetId: - Ref: "Subnet" - BlockDeviceMappings: - - DeviceName: /dev/sda1 #/dev/sta1 is the device name for root volume - Ebs: - VolumeSize: 100 # Specify the size of the root volume in GB - VolumeType: gp3 - UserData: - Fn::Base64: - !Join - - "\n" - - - | - #!/bin/bash - sudo su - HOME="/root" - cd $HOME - apt-get -y update - apt upgrade -y - set -xeo pipefail - exec >/root/userdata.log 2>&1 - - !Sub 'INSTALLER_URL=${InstallerURL}' - - !Sub 'PUBLIC_IP=${ElasticIP.PublicIp}' - - !Sub 'REGION=${AWS::Region}' - - | - #constants (don't touch) - BUCKET_NAME="ace" - INSTALLER_ID=$(echo $INSTALLER_URL | awk -F '[/]' '{ print $8 }') - timestamp() { - date +"%Y/%m/%d %T" - } - log() { - local type="$1" - local msg="$2" - local script_name=${0##*/} - echo "$(timestamp) [$script_name] [$type] $msg" - } - retry() { - local retries="$1" - shift - local count=0 - local wait=5 - until "$@"; do - exit="$?" - if [ $count -lt $retries ]; then - log "INFO" "Attempt $count/$retries. Command exited with exit_code: $exit. Retrying after $wait seconds..." - sleep $wait - else - log "INFO" "Command failed in all $retries attempts with exit_code: $exit. 
Stopping trying any further...." - return $exit - fi - count=$(($count + 1)) - done - return 0 - } - create_k3s() { - echo 'fs.inotify.max_user_instances=100000' | sudo tee -a /etc/sysctl.conf - echo 'fs.inotify.max_user_watches=100000' | sudo tee -a /etc/sysctl.conf - sudo sysctl -p - - # Create k3s cluster - SERVER_IP=${PUBLIC_IP} - cmd="curl -sfL https://get.k3s.io" - retry 5 $cmd | INSTALL_K3S_EXEC="--disable=traefik --disable=metrics-server" sh -s - --tls-san "$SERVER_IP" - - echo 'alias k=kubectl' >> ${HOME}/.bashrc - echo 'export KUBECONFIG=/etc/rancher/k3s/k3s.yaml' >> ${HOME}/.bashrc - source "${HOME}/.bashrc" - - export KUBECONFIG=/etc/rancher/k3s/k3s.yaml - - # wait for 2 pods to become running - cmd="kubectl wait --for=condition=ready pods --all -A --timeout=5m" - retry 5 $cmd - - # Install helm - curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash - } - download_values(){ - mkdir old - cd old - curl -L "${INSTALLER_URL}" -o "archive.tar.gz" - tar -xvzf archive.tar.gz - - #soruce azure credential file from archive.tar.gz - source env.sh - - cd .. 
- } - aws_cli() { - apt install unzip >/dev/null - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" >/dev/null - unzip awscliv2.zip >/dev/null - sudo ./aws/install >/dev/null - #install jq - apt-get install jq -y - BUCKET_NAME=${BUCKET_NAME}$(head /dev/urandom | tr -dc 'a-z' | head -c 6) - echo "s3 bucket name: "${BUCKET_NAME} - aws s3api create-bucket --bucket ${BUCKET_NAME} --region ${REGION} --object-ownership BucketOwnerEnforced - ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') - - CLUSTER_ID=$(kubectl get ns kube-system -o=jsonpath='{.metadata.uid}') - UTC_TIME=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ") - - #call the webhook here - resp=$(curl -X POST https://appscode.com/marketplace/api/v1/marketplaces/aws/notification/resource?secret=vstktmgwvkxyrsrfmt5tr0i66qpxkeoeaejjr3gyxkeywkm/00kyfahzvxjkfyb/qn5tgxgt9s/xb6vsamhh4w== \ - -H "Content-Type: application/json" \ - -d '{ - "eventType": "BIND", - "eventTime": "'${UTC_TIME}'", - "accountId": "'${ACCOUNT_ID}'", - "bindingInfo": { - "installerID": "'${INSTALLER_ID}'", - "clusterId": "'${CLUSTER_ID}'", - "options": { - "infra": { - "dns": { - "provider": "none", - "targetIPs": ["'${PUBLIC_IP}'"] - }, - "cloudServices": { - "objstore": { - "auth": { - "s3": { - "AWS_ACCESS_KEY_ID": "'${AWS_ACCESS_KEY_ID}'", - "AWS_SECRET_ACCESS_KEY": "'${AWS_SECRET_ACCESS_KEY}'" - } - }, - "bucket": "s3://'${BUCKET_NAME}'?s3ForcePathStyle=true", - "endpoint": "s3.amazonaws.com", - "prefix": "ace", - "region": "'${REGION}'" - }, - "provider": "s3" - }, - "kubestash": { - "backend": { - "provider": "s3", - "s3": { - "bucket": "s3://'${BUCKET_NAME}'", - "endpoint": "s3.amazonaws.com", - "prefix": "ace", - "region": "'${REGION}'" - } - }, - "retentionPolicy": "keep-1mo", - "schedule": "0 */2 * * *", - "storageSecret": { - "create": true - } - } - }, - "initialSetup": { - "cluster": { - "region": "'${REGION}'" - }, - "subscription": { - "aws": { - "customer-identifier": "demo-customer-identifier" - 
} - } - } - } - } - }') - link=$(echo ${resp} | jq -r '.link') - if [ ${link} == "null" ]; then exit 1 ; fi - - mkdir new - cd new - curl -L "${link}" -o "archive.tar.gz" - tar -xvzf archive.tar.gz - cd .. - } - install_fluxcd() { - helm upgrade -i flux2 \ - oci://ghcr.io/appscode-charts/flux2 \ - --version ${FLUXCD_CHART_VERSION} \ - --namespace flux-system --create-namespace \ - --set helmController.create=true \ - --set sourceController.create=true \ - --set imageAutomationController.create=false \ - --set imageReflectionController.create=false \ - --set kustomizeController.create=false \ - --set notificationController.create=false \ - --set-string helmController.labels."ace\.appscode\.com/managed=true" \ - --set-string sourceController.labels."ace\.appscode\.com/managed=true" \ - --wait --debug --burst-limit=10000 - } - deploy_ace(){ - helm upgrade -i ace-installer \ - oci://ghcr.io/appscode-charts/ace-installer \ - --version ${ACE_INSTALLER_CHART_VERSION} \ - --namespace kubeops --create-namespace \ - --values=./new/values.yaml \ - --wait --debug --burst-limit=10000 - #--set helm.releases.ace.values.global.infra.dns.targetIPs={${PUBLIC_IP}} - } - init(){ - create_k3s - download_values - aws_cli - install_fluxcd - deploy_ace - } - init - - IPAssoc: - Type: AWS::EC2::EIPAssociation - Properties: - InstanceId: !Ref Instance - EIP: !GetAtt ElasticIP.PublicIp diff --git a/static/files/products/appscode/azure-marketplace/ace_payg_azure_eula.pdf b/static/files/products/appscode/azure-marketplace/ace_payg_azure_eula.pdf deleted file mode 100644 index 32417177..00000000 Binary files a/static/files/products/appscode/azure-marketplace/ace_payg_azure_eula.pdf and /dev/null differ diff --git a/static/files/products/appscode/azure-marketplace/v2024.10.17/init-script.sh b/static/files/products/appscode/azure-marketplace/v2024.10.17/init-script.sh deleted file mode 100644 index b0cfec8b..00000000 
--- a/static/files/products/appscode/azure-marketplace/v2024.10.17/init-script.sh +++ /dev/null 
@@ -1,229 +0,0 @@ -#!/bin/bash - -ACE_PLATFORM=$1 -API_SECRET=$2 -APPLICATION_NAME=$3 -INSTALLER_URL=$4 -LOCATION=$5 -PUBLIC_IP=$6 -RESOURCE_GROUP=$7 - -sudo su -HOME="/root" -cd $HOME - -export DEBIAN_FRONTEND=noninteractive -apt-get -y update || true -apt upgrade -y || true -set -xeo pipefail -exec >/root/userdata.log 2>&1 - -#constants (don't touch) -SKU="Standard_LRS" -STORAGE_ACCOUNT_NAME="ace" -CONTAINER_NAME="ace" -ACCESS_KEY="" -INSTALLER_ID=$(echo $INSTALLER_URL | awk -F '[/]' '{ print $8 }') - -timestamp() { - date +"%Y/%m/%d %T" -} -log() { - local type="$1" - local msg="$2" - local script_name=${0##*/} - echo "$(timestamp) [$script_name] [$type] $msg" -} -retry() { - local retries="$1" - shift - local count=0 - local wait=5 - until "$@"; do - exit="$?" - if [ $count -lt $retries ]; then - log "INFO" "Attempt $count/$retries. Command exited with exit_code: $exit. Retrying after $wait seconds..." - sleep $wait - else - log "INFO" "Command failed in all $retries attempts with exit_code: $exit. Stopping trying any further...." 
- return $exit - fi - count=$(($count + 1)) - done - return 0 -} - -create_k3s() { - echo 'fs.inotify.max_user_instances=100000' | sudo tee -a /etc/sysctl.conf - echo 'fs.inotify.max_user_watches=100000' | sudo tee -a /etc/sysctl.conf - sudo sysctl -p - - # Create k3s cluster - SERVER_IP=${PUBLIC_IP} - cmd="curl -sfL https://get.k3s.io" - retry 5 $cmd | INSTALL_K3S_EXEC="--disable=traefik --disable=metrics-server" sh -s - --tls-san "$SERVER_IP" - - echo 'alias k=kubectl' >> ${HOME}/.bashrc - echo 'export KUBECONFIG=/etc/rancher/k3s/k3s.yaml' >> ${HOME}/.bashrc - source "${HOME}/.bashrc" - - export KUBECONFIG=/etc/rancher/k3s/k3s.yaml - - # wait for 2 pods to become running - cmd="kubectl wait --for=condition=ready pods --all -A --timeout=5m" - retry 5 $cmd - - # Install helm - curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash -} - -download_values(){ - mkdir old - cd old - curl -L "${INSTALLER_URL}" -o "archive.tar.gz" - tar -xvzf archive.tar.gz - - #soruce azure credential file from archive.tar.gz - source env.sh - - cd .. -} - -###test az cli -az_cli() { - curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash - - #azure cli login - az login \ - --service-principal \ - -t ${AZURE_TENANT_ID} \ - -u ${AZURE_CLIENT_ID} \ - -p ${AZURE_CLIENT_SECRET} - - #set subscription id - az account set -s ${AZURE_SUBSCRIPTION_ID} - - #install jq - apt-get install jq -y - - STORAGE_ACCOUNT_NAME=${STORAGE_ACCOUNT_NAME}$(head /dev/urandom | tr -dc 'a-z' | head -c 6) - echo "storage account name: "${STORAGE_ACCOUNT_NAME} - - az storage account create --name ${STORAGE_ACCOUNT_NAME} --resource-group ${RESOURCE_GROUP} --location ${LOCATION} --sku ${SKU} - - #in the --assignee-object-id flag you have to give the objectId of the service account - #not the appId. 
Currently the service principal that we are using has the contributor permission, - #that's why it can't assign the role to himself -# az ad signed-in-user show --query id -o tsv | az role assignment create \ -# --role "Storage Blob Data Contributor" \ -# --assignee-object-id "0000-000-000000-0000000" \ -# --scope "/subscriptions/0000-000-000000-0000000/resourceGroups//providers/Microsoft.Storage/storageAccounts/" - - - az storage container create \ - --account-name ${STORAGE_ACCOUNT_NAME} \ - --name ${CONTAINER_NAME} - - ACCESS_KEY=$(az storage account keys list --account-name ${STORAGE_ACCOUNT_NAME} | jq -r '.[0].value') - - CLUSTER_ID=$(kubectl get ns kube-system -o=jsonpath='{.metadata.uid}') - UTC_TIME=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ") - - #call the webhook here - resp=$(curl -X POST https://appscode."$ACE_PLATFORM"/marketplace/api/v1/marketplaces/azure/notification/resource?secret=${API_SECRET} \ - -H "Content-Type: application/json" \ - -d '{ - "eventType": "BIND", - "eventTime": "'${UTC_TIME}'", - "applicationId": "/subscriptions/'${AZURE_SUBSCRIPTION_ID}'/resourceGroups/'${RESOURCE_GROUP}'/providers/Microsoft.Solutions/applications/'${APPLICATION_NAME}'", - "bindingInfo": { - "installerID": "'${INSTALLER_ID}'", - "clusterId": "'${CLUSTER_ID}'", - "options": { - "infra": { - "dns": { - "provider": "none", - "targetIPs": ["'${PUBLIC_IP}'"] - }, - "cloudServices": { - "objstore": { - "auth": { - "azure": { - "AZURE_ACCOUNT_KEY": "'${ACCESS_KEY}'", - "AZURE_ACCOUNT_NAME": "'${STORAGE_ACCOUNT_NAME}'" - } - }, - "bucket": "azblob://'${CONTAINER_NAME}'" - }, - "provider": "azure" - }, - "kubestash": { - "backend": { - "azure": { - "container": "'${CONTAINER_NAME}'", - "prefix": "ace" - } - }, - "retentionPolicy": "keep-1mo", - "schedule": "0 */2 * * *", - "storageSecret": { - "create": true - } - } - }, - "initialSetup": { - "cluster": { - "region": "'${LOCATION}'" - }, - "subscription": { - "azure": { - "applicationId": 
"/subscriptions/'${AZURE_SUBSCRIPTION_ID}'/resourceGroups/'${RESOURCE_GROUP}'/providers/Microsoft.Solutions/applications/'${APPLICATION_NAME}'" - } - } - } - } - } - }') - link=$(echo ${resp} | jq -r '.link') - if [ ${link} == "null" ]; then exit 1 ; fi - - mkdir new - cd new - curl -L "${link}" -o "archive.tar.gz" - tar -xvzf archive.tar.gz - cd .. -} - -install_fluxcd() { - helm upgrade -i flux2 \ - oci://ghcr.io/appscode-charts/flux2 \ - --version ${FLUXCD_CHART_VERSION} \ - --namespace flux-system --create-namespace \ - --set helmController.create=true \ - --set sourceController.create=true \ - --set imageAutomationController.create=false \ - --set imageReflectionController.create=false \ - --set kustomizeController.create=false \ - --set notificationController.create=false \ - --set-string helmController.labels."ace\.appscode\.com/managed=true" \ - --set-string sourceController.labels."ace\.appscode\.com/managed=true" \ - --wait --debug --burst-limit=10000 -} -deploy_ace(){ - helm upgrade -i ace-installer \ - oci://ghcr.io/appscode-charts/ace-installer \ - --version ${ACE_INSTALLER_CHART_VERSION} \ - --namespace kubeops --create-namespace \ - --values=./new/values.yaml \ - --wait --debug --burst-limit=10000 - #--set helm.releases.ace.values.global.infra.dns.targetIPs={${PUBLIC_IP}} - -} -init(){ - create_k3s - download_values - az_cli - install_fluxcd - deploy_ace -} -init diff --git a/static/files/products/appscode/gcp-marketplace/ace_payg_gcp_eula.pdf b/static/files/products/appscode/gcp-marketplace/ace_payg_gcp_eula.pdf deleted file mode 100644 index 6ec0f561..00000000 Binary files a/static/files/products/appscode/gcp-marketplace/ace_payg_gcp_eula.pdf and /dev/null differ
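Review bot: in the tail of the removed AWS bootstrap script (the `IPAssoc` CloudFormation hunk), `if [ ${link} == "null" ]; then exit 1 ; fi` leaves `${link}` unquoted, so an empty webhook response makes `[` fail with a syntax error instead of taking the intended `exit 1` path, and the downloaded `archive.tar.gz` is extracted with `tar -xvzf` without any checksum or signature check. Since this diff deletes the script outright, nothing needs fixing here, but any successor script should write the guard as `if [ "${link}" = "null" ] || [ -z "${link}" ]` and verify the archive before extracting it.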
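Review bot: the deleted Azure `v2024.10.17/init-script.sh` logged credentials in plaintext, which is worth recording for operators of instances that were provisioned with it: `set -xeo pipefail` is followed by `exec >/root/userdata.log 2>&1`, so the traced `az login ... -p ${AZURE_CLIENT_SECRET}`, the webhook URL carrying `?secret=${API_SECRET}`, and the JSON body containing `ACCESS_KEY` all end up in `/root/userdata.log`. The script also installs k3s, the Azure CLI and Helm by piping unpinned remote scripts straight into `sh`/`bash`, and the commented-out `az role assignment create` block still carries placeholder ids. The deletion itself is fine; a replacement script should drop `set -x` around secret-bearing commands (or redirect the trace elsewhere), scrub the log, and pin the installer versions.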