Merge pull request #503 from achetronic/docs/how-to-kubernetes

docs: How to deploy in Kubernetes

Author: mbentley

external_mongodb/README.md

@@ -196,3 +196,62 @@ While I have this WIP for migrating from all in one, it would be much simplier t
       docker volume rm omada-data omada-logs ;\
       docker network rm omada
     ```
+
+## Kubernetes Deployment Guide
+
+In advanced setups, deploying applications in container orchestrators like Kubernetes is common,
+even in homelabs to enhance reliability.
+
+Below, we’ll use both Helm and Kustomize to deploy **MongoDB** and **Omada Controller**.
+
+### Deploy MongoDB
+
+
+We use a custom Helm chart that wraps Bitnami's MongoDB chart.
+
+The customization includes templates for managing secrets securely, avoiding the bad practice of
+hardcoding credentials in `values.yaml`.
+
+Instead, it supports tools like **External Secrets** to fetch credentials from secure vaults and
+generate Kubernetes secrets automatically.
+
+The custom Helm chart has credentials hardcoded as an example, but provides commented examples
+about how to get secrets safely from mentioned vaults.
+
+Let's deploy our chart:
+
+1. Update dependencies
+
+```console
+helm dependency update kubernetes/mongodb
+```
+
+2. Deploy MongoDB in the cluster currently pointed by your Kubeconfig
+
+> [!IMPORTANT]
+> Customize chart's parameters to meet your needs
+
+```console
+helm upgrade --install mongodb kubernetes/mongodb \
+  -f kubernetes/mongodb/values-customized.yaml \
+  -n omada-controller --create-namespace
+```
+
+### Deploy Omada Controller
+
+We'll use Kustomize since there's no official Helm chart provided by Omada Controller's maintainers
+or a trusted external provider like Bitnami.
+
+Ensure your cluster has Ingress-Nginx as the ingress controller and Cert-Manager for certificate management.
+
+If you're in an on-premises environment, you might need tools like MetalLB or Kube-VIP to provision
+load balancers for services of type LoadBalancer.
+
+To deploy Omada Controller, just execute the following command
+
+```console
+kubectl apply -k kubernetes/production
+```
+
+> [!IMPORTANT]
+> Always adjust parameters to align with your infrastructure and requirements.

external_mongodb/kubernetes/mongodb/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: mongodb
+version: 0.1.0
+dependencies:
+  - name: mongodb
+    version: 14.13.0
+    repository: https://charts.bitnami.com/bitnami

external_mongodb/kubernetes/mongodb/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "meta-mongodb.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "meta-mongodb.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "meta-mongodb.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "meta-mongodb.labels" -}}
+helm.sh/chart: {{ include "meta-mongodb.chart" . }}
+{{ include "meta-mongodb.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "meta-mongodb.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "meta-mongodb.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

external_mongodb/kubernetes/mongodb/templates/external-secrets.yaml

@@ -0,0 +1,15 @@
+{{- range $key, $value := .Values.customComponents.externalSecrets }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "meta-mongodb.fullname" $ }}-{{ $key }}
+  labels:
+    {{- include "meta-mongodb.labels" $ | nindent 4 }}
+  {{- with $value.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ toYaml $value.spec | nindent 2 }}
+---
+{{- end }}

external_mongodb/kubernetes/mongodb/values-customized.yaml

@@ -0,0 +1,123 @@
+customComponents: {}
+
+  # externalSecrets:
+  #   mongodb-users-credentials:
+  #     annotations: {}
+  #     spec:
+  #       secretStoreRef:
+  #         kind: ClusterSecretStore
+  #         name: gitlab-secret-store
+  #       target:
+  #         name: mongodb-users-credentials
+  #       data:
+  #         - secretKey: mongodb-root-password
+  #           remoteRef:
+  #             key: MONGODB_USERS_CREDENTIALS_PASSWORD_ROOT
+  #         - secretKey: mongodb-passwords
+  #           remoteRef:
+  #             key: MONGODB_USERS_CREDENTIALS_PASSWORD_OMADA
+
+# Ref: https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml
+mongodb:
+  # MongoDB Authentication parameters
+  auth:
+    enabled: true
+
+    # MongoDB root user
+    #rootUser: root
+
+    # MongoDB root password
+    # Ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#setting-the-root-user-and-password-on-first-run
+    rootPassword: "provision-me-externally"
+
+    # MongoDB custom users and databases
+    # Ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#creating-a-user-and-database-on-first-run
+    # List of custom users to be created during the initialization
+    # List of passwords for the custom users set at `auth.usernames`
+    # List of custom databases to be created during the initialization
+    # Ref: https://github.com/bitnami/charts/issues/16975#issuecomment-1803017023
+    # Relationship between following lists is [0]->[0]->[0]; [1]->[1]->[1]; ...
+    databases: ["omada"]
+    usernames: ["omada"]
+    passwords: ["provision-me-externally"]
+
+    # Existing secret with MongoDB credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`)
+    # When it's set the passwords defined in previous parameters are ignored.
+    #existingSecret: "mongodb-users-credentials"
+
+  # Dictionary of initdb scripts
+  # Specify dictionary of scripts to be run at first boot
+  initdbScripts:
+
+    # Ref: https://github.com/mbentley/docker-omada-controller/blob/master/external_mongodb/omada.js
+    init-mongo.sh: |
+      #!/bin/bash
+
+      mongosh --authenticationDatabase admin -u root -p $MONGODB_ROOT_PASSWORD <<EOF
+        use omada
+        db.grantRolesToUser("omada", [
+          { role: "readWrite", db: "omada" },
+          { role: "dbOwner", db: "omada" },
+          { role: "readWrite", db: "omada_data" },
+          { role: "dbOwner", db: "omada_data" }
+        ]);
+      EOF
+
+  # Optionally specify an extra list of additional volumeMounts for the MongoDB container(s)
+  # extraVolumeMounts:
+  #   - name: extras
+  #     mountPath: /usr/share/extras
+  #     readOnly: true
+  extraVolumeMounts: []
+
+  # Optionally specify an extra list of additional volumes to the MongoDB statefulset
+  # extraVolumes:
+  #   - name: extras
+  #     emptyDir: {}
+  extraVolumes: []
+
+  # Cluster IP is fixed as Omada Controller is listening on the host network to look for the APs
+  # and then, cannot resolve internal DNS request properly for Service FQDN
+  #service:
+  #  clusterIP: '10.96.89.12'
+
+  persistence:
+    enabled: true
+
+    # Name of the PVC and mounted volume
+    name: "mongodb-data"
+
+    # Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
+    # If defined, PVC must be created manually before volume will be bound
+    existingClaim: ""
+
+    # Setting it to "keep" to avoid removing PVCs during a helm delete operation.
+    # Leaving it empty will delete PVCs after the chart is deleted
+    resourcePolicy: "keep"
+
+    # PVC Storage Class for MongoDB data volume
+    # If undefined (the default) or set to null, no storageClassName spec is
+    # set, choosing the default provisioner.
+    #storageClass: "standard-nfs"
+
+    # PV Access Mode
+    accessModes:
+      - ReadWriteOnce
+
+    # PVC Storage Request for MongoDB data volume
+    size: 8Gi
+
+  # ATTENTION: Following parameters are only needed when deployed as StatefulSet.
+  # I have not yet decided what fits better with my homelab in this regard
+
+  # Persistent Volume Claim Retention Policy
+  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
+  persistentVolumeClaimRetentionPolicy:
+    # Enable Persistent volume retention policy for MongoDB Statefulset
+    enabled: false
+
+    # Volume retention behavior when the replica count of the StatefulSet is reduced
+    whenScaled: Retain
+
+    # Volume retention behavior that applies when the StatefulSet is deleted
+    whenDeleted: Retain

external_mongodb/kubernetes/mongodb/values.yaml

@@ -0,0 +1,12 @@
+nameOverride: ""
+fullnameOverride: ""
+
+customComponents:
+
+  externalSecrets: {}
+    # mongodb-auth-secret:
+    #   annotations: {}
+    #   spec: {}
+
+# Ref: https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml
+mongodb: {}

external_mongodb/kubernetes/omada-controller/base/configmap-env.yaml

@@ -0,0 +1,44 @@
+# Ref: https://github.com/mbentley/docker-omada-controller/blob/master/docker-compose.yml
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: omada-controller-environment
+data:
+  #
+  PUID: "508"
+  PGID: "508"
+
+  #
+  SHOW_SERVER_LOGS: "true"
+  SHOW_MONGODB_LOGS: "false"
+  SSL_CERT_NAME: "tls.crt"
+  SSL_KEY_NAME: "tls.key"
+  TZ: "Etc/UTC"
+
+  # Ref: https://github.com/mbentley/docker-omada-controller/tree/master/external_mongodb#common-steps
+  NO_MONGODB: "true"
+  MONGO_EXTERNAL: "true"
+  MONGODB_HOST: "mongodb.mongodb.svc:27017"
+  EAP_MONGOD_URI: "mongodb://omada:${MONGODB_PASSWORD}@${MONGODB_HOST}/omada"
+
+  #
+  MANAGE_HTTP_PORT: "8088"
+  MANAGE_HTTPS_PORT: "8043"
+  PORTAL_HTTP_PORT: "8088"
+  PORTAL_HTTPS_PORT: "8843"
+
+  #
+  PORT_APP_DISCOVERY: "27001"
+  PORT_DISCOVERY: "29810"
+
+  # V1
+  PORT_MANAGER_V1: "29811"
+  PORT_ADOPT_V1: "29812"
+  PORT_UPGRADE_V1: "29813"
+
+  # V2
+  PORT_MANAGER_V2: "29814"
+  PORT_TRANSFER_V2: "29815"
+
+  PORT_RTTY: "29816"