This PS replaces deprecated kubernetes.io/ingress.class annotation with
spec.ingressClassName field that is a reference to an IngressClass
resource that contains additional Ingress configuration, including the
name of the Ingress controller.
https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#deprecating-the-ingress-class-annotation
Change-Id: I9953d966b4f9f7b1692b39f36f434f5055317025
Co-authored-by: Sergiy Markin <smarkin@mirantis.com>
Co-authored-by: Leointii Istomin <listomin@mirantis.com>
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
A couple of the ingress images are still pointing to the older
stein release of neutron. This change updates them to use the
updated xena release.
Change-Id: I95aecec5474e587d01d7e8812ec662fbf46ca634
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
This adds taint toleration support for openstack jobs
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: Ibac507770edd09079e01206fd85b76a193d22915
Some CNIs support the advertisement of service IPs into BGP, which may
provide an alternative to managing the VIP as an interface on the host.
This change adds an option to assign the ingress VIP as an externalIP to
the ingress service. For example:
network:
vip:
manage: false
addr: 172.18.0.1/32 # (with or without subnet mask)
assign_as_external_ip: true
Change-Id: I1eeb07a1f94ef8efcb21f3373e0d5f86be725b33
This change updates the helm-toolkit path in each chart as part
of the move to helm v3. This is due to a lack of helm serve.
Change-Id: I011e282616bf0b5a5c72c1db185c70d8c721695e
- Uplifts the image to nginx 0.42.0 to address CVEs
- Adds labels needed for nginx 0.42.0
- Updates release notes for ingress
Change-Id: I133d6d30d4a68628ee516f5896780cc8096ffd1f
This will ease mirroring capabilities for the docker official images.
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I0f9177b0b83e4fad599ae0c3f3820202bf1d450d
For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.
Affects the following resources:
* ingress deployment
* openvswitch-vswitchd daemonset
Change-Id: I5964c595210af60d54158e6f7c962d5abe77fc2f
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0
Change-Id: I15950b735b4f8566bc0018fe4f4ea9ba729235fc
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Added chart lint in zuul CI to enhance the stability for charts.
Fixed some lint errors in the current charts.
Change-Id: I9df4024c7ccf8b3510e665fc07ba0f38871fcbdb
Adds configuration options for the --default-ssl-certificate feature of
NGINX Ingress Controller, which provides a default certificate for
requests that do not match any configured server names.[0]
To enable with a new certificate, specify:
.conf.default_ssl_certificate.enabled=true
.endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
.endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
.manifests.secret_ingress_tls=true
To enable using a TLS cert in an existing secret, specify:
.conf.default_ssl_certificate.enabled=true
.conf.default_ssl_certificate.name="name of the secret"
.conf.default_ssl_certificate.namespace="namespace of the secret"
0: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
Change-Id: Idd704fd880f56137923d4c38cc188b130ee3b56d
Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.
Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.
Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
This commit rewrites lint job to make template linting available.
Currently yamllint is run in warning mode against all templates
rendered with default values. Duplicates detected and issues will be
addressed in subsequent commits.
Also all y*ml files are added for linting and corresponding code changes
are made. For non-templates warning rules are disabled to improve
readability. Chart and requirements yamls are also modified in the name
of consistency.
Change-Id: Ife6727c5721a00c65902340d95b7edb0a9c77365
Use nginx-ingress-controller:0.32.0 and change user to 101
intead of 33 which is suported by this image.
Change-Id: I38679e350ec352f13074055b7e08b98df1090fbf
In 0.30.0 (busybox inside) the "find" tool doesn't support
"writable" option, so use "perm" instead. Also get rid of
several system calls by means of make all by one command.
Change-Id: Ia4f7bc01fb61f4f32c21c50d8c4e870d0244c868
Some infra charts still have old ocata xenial images as default. This
should bring them up to date with the OSH charts.
Change-Id: If8454b6d0fe52387bf6327501ee4ff87f56e87b8
Signed-off-by: Tin Lam <tin@irrational.io>
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
This patch set updates and tests the apiVersion for rbac.authorization.k8s.io
from v1beta1 to v1 in preparation for its removal in k8s 1.20.
Change-Id: I4e68db1f75ff72eee55ecec93bd59c68c179c627
Signed-off-by: Tin Lam <tin@irrational.io>
nginx-ingress-controller 0.26.1 introduces configurable parameters for
streamPort and profilerPort, and changes the default for statusPort.
This change allows those parameters to be configured, while maintaining
compatibility with earlier versions of nginx-ingress.controller. It also
modifies the default status port value from 18080 to 10246.
Reference: https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0261
Change-Id: I88a7315f2ed47c31b8c2862ce1ad47b590b32137
k8s 1.14 first enabled Ingress in the networking.k8s.io/v1beta1 API
group, while still serving it in the extensions/v1beta1 API group. The
extensions/v1beta1 API endpoint is deprecated in 1.16 and scheduled for
removal in 1.20. [0]
ingress-nginx 0.25.0 actually uses the networking.k8s.io/v1beta1 API,
which requires updated RBAC rules. [1]
This change updates the ClusterRole used by the ingress service account
to grant access to Ingress resources via either the extensions/v1beta1
or networking.k8s.io/v1beta1 API, aligning with the static manifests
from the kubernetes/ingress-nginx repo [2]. It does not change the
apiVersion used when creating Ingress resources.
[0] https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/
[1] https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.25.0
[2] 870be3bcd8/deploy/static/mandatory.yaml (L50-L106)
Change-Id: I67d4dbdb3834ca4ac8ce90ec51c8d6414ce80a01
When the ingress pod (in routed mode, using a managed vip) moves from
one host to another, it is sometimes observed that: 1. the vip interface
is not removed on the original host, and 2. in some network topologies,
the switch fabric is unable to find the new pod.
This change updates the ingress deployment as follows:
Adds a 5s sleep before the shutdown of the ingress container in order to
allow the preStop action of the ingress-vip container to run completely.
Updates the start action of the ingress-vip-init container to check if
the vip is part of an existing connected subnet, and if so, sends a few
gratuitous ARP messages to let the switch fabric to build its ARP cache.
Change-Id: I784906865358566f42157dc2133569e4cb270cfa
Sergiy Markin