Ingress: Update image and add UDP/TCP proxying support

This PS updates the image used in the ingress controller and adds UDP/TCP proxying. In addition the chart has been given a spring clean to better match other OSH charts. Change-Id: Ib892b82c4657c42e7531a2ce81746398e7bd4df5
2018-01-11 15:14:53 -05:00 · 2018-01-11 15:14:53 -05:00 · e446e5eceb
parent e4fa63aea9
commit e446e5eceb
27 changed files with 249 additions and 113 deletions
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -136,7 +136,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@ -60,7 +60,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    port: 8777
    node_port:
      enabled: false
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -220,7 +220,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
--- a/congress/values.yaml
+++ b/congress/values.yaml
@ -26,7 +26,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 1789
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -276,8 +276,8 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
-        ingress.kubernetes.io/proxy-body-size: "1024M"
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/proxy-body-size: "1024M"
    external_policy_local: false
    node_port:
      enabled: false
@ -287,7 +287,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
--- a/gnocchi/values.yaml
+++ b/gnocchi/values.yaml
@ -29,7 +29,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -223,7 +223,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
@ -233,7 +233,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 30800
@ -242,7 +242,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 30003
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -38,7 +38,7 @@ network:
    public: true
    annotations:
      kubernetes.io/ingress.class: "nginx"
-      ingress.kubernetes.io/rewrite-target: /
+      nginx.ingress.kubernetes.io/rewrite-target: /
  external_policy_local: false
  node_port:
    enabled: false
--- a/ingress/templates/bin/_ingress-controller.sh.tpl
+++ b/ingress/templates/bin/_ingress-controller.sh.tpl
@ -0,0 +1,25 @@
+#!/bin/sh
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec /usr/bin/dumb-init \
+    /nginx-ingress-controller \
+    --default-backend-service=${POD_NAMESPACE}/ingress-error-pages \
+    --configmap=${POD_NAMESPACE}/ingress-conf \
+    --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
+    --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp
--- a/ingress/templates/bin/_ingress-error-pages.sh.tpl
+++ b/ingress/templates/bin/_ingress-error-pages.sh.tpl
@ -0,0 +1,20 @@
+#!/bin/sh
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec /server
--- a/ingress/templates/configmap-bin.yaml
+++ b/ingress/templates/configmap-bin.yaml
@ -14,20 +14,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

+{{- if .Values.manifests.configmap_bin }}
 {{- $envAll := . }}
-
-{{- $serviceAccountName := "ingress-api" }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
+apiVersion: v1
+kind: ConfigMap
 metadata:
-  name: nginx-ingress-role-nisa-binding
-  namespace: {{ $envAll.Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: nginx-ingress-role
-subjects:
-  - kind: ServiceAccount
-    name: {{ $serviceAccountName }}
-    namespace: {{ $envAll.Release.Namespace }}
+  name: ingress-bin
+data:
+  ingress-controller.sh: |+
+{{ tuple "bin/_ingress-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ingress-error-pages.sh: |+
+{{ tuple "bin/_ingress-error-pages.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
--- a/ingress/templates/nginx-custom-configuration.yaml
+++ b/ingress/templates/nginx-custom-configuration.yaml
@ -14,12 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

+{{- if .Values.manifests.configmap_conf }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: nginx-custom-configuration
+  name: ingress-conf
 data:
-{{ toYaml .Values.config | indent 2 }}
-
+{{ toYaml .Values.config.controller | indent 2 }}
+{{- end }}
--- a/ingress/templates/configmap-services-tcp.yaml
+++ b/ingress/templates/configmap-services-tcp.yaml
@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_services_tcp }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-services-tcp
+{{- if not (empty $envAll.Values.config.services.tcp) }}
+data:
+{{ toYaml $envAll.Values.config.services.tcp | indent 2 }}
+{{- end }}
+{{- end }}
--- a/ingress/templates/configmap-services-udp.yaml
+++ b/ingress/templates/configmap-services-udp.yaml
@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_services_udp }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-services-udp
+{{- if not (empty $envAll.Values.config.services.udp) }}
+data:
+{{ toYaml $envAll.Values.config.services.udp | indent 2 }}
+{{- end }}
+{{- end }}
--- a/ingress/templates/deployment-error.yaml
+++ b/ingress/templates/deployment-error.yaml
@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

+{{- if .Values.manifests.deployment_error }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.error_pages }}

@ -54,3 +55,16 @@ spec:
            timeoutSeconds: 5
          ports:
            - containerPort: 8080
+          command:
+            - /tmp/ingress-error-pages.sh
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-error-pages.sh
+              subPath: ingress-error-pages.sh
+              readOnly: true
+      volumes:
+      - name: ingress-bin
+        configMap:
+          name: ingress-bin
+          defaultMode: 0555
+{{- end }}
--- a/ingress/templates/deployment-ingress.yaml
+++ b/ingress/templates/deployment-ingress.yaml
@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

+{{- if .Values.manifests.deployment_ingress }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ingress }}

@ -85,6 +86,63 @@ subjects:
    name: {{ $serviceAccountName }}
    namespace: {{ $envAll.Release.Namespace }}
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: nginx-ingress-role
+  namespace: {{ $envAll.Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      # Defaults to "<election-id>-<ingress-class>"
+      # Here: "<ingress-controller-leader>-<nginx>"
+      # This has to be adapted if you change either parameter
+      # when launching the nginx-ingress-controller.
+      - "ingress-controller-leader-nginx"
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: nginx-ingress-role-nisa-binding
+  namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nginx-ingress-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
 {{- if eq .Values.deployment_type "Deployment" }}
 apiVersion: apps/v1beta1
 kind: Deployment
@ -150,7 +208,16 @@ spec:
              hostPort: 80
            - containerPort: 443
              hostPort: 443
-          args:
-            - /nginx-ingress-controller
-            - '--default-backend-service=$(POD_NAMESPACE)/ingress-error-pages'
-            - --configmap=$(POD_NAMESPACE)/nginx-custom-configuration
+          command:
+            - /tmp/ingress-controller.sh
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-controller.sh
+              subPath: ingress-controller.sh
+              readOnly: true
+      volumes:
+      - name: ingress-bin
+        configMap:
+          name: ingress-bin
+          defaultMode: 0555
+{{- end }}
--- a/ingress/templates/role.yaml
+++ b/ingress/templates/role.yaml
@ -1,62 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- $envAll := . }}
-
-{{- $serviceAccountName := "ingress-api" }}
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name: nginx-ingress-role
-  namespace: {{ $envAll.Release.Namespace }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    resourceNames:
-      # Defaults to "<election-id>-<ingress-class>"
-      # Here: "<ingress-controller-leader>-<nginx>"
-      # This has to be adapted if you change either parameter
-      # when launching the nginx-ingress-controller.
-      - "ingress-controller-leader-nginx"
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-    verbs:
-      - get
-      - create
-      - update
--- a/ingress/templates/service-error.yaml
+++ b/ingress/templates/service-error.yaml
@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

+{{- if .Values.manifests.service_error }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@ -30,3 +31,4 @@ spec:
    targetPort: 8080
  selector:
 {{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
--- a/ingress/templates/service-ingress.yaml
+++ b/ingress/templates/service-ingress.yaml
@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

+{{- if .Values.manifests.service_ingress }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@ -34,3 +35,4 @@ spec:
    targetPort: 443
  selector:
    app: ingress-api
+{{- end }}
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@ -20,19 +20,19 @@
 images:
  tags:
    entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
-    # https://github.com/kubernetes/ingress/blob/master/controllers/nginx/Changelog.md
-    ingress: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.8
+    # https://github.com/kubernetes/ingress-nginx/blob/09524cd3363693463da5bf4a9bb3900da435ad05/Changelog.md#090
+    ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0
    error_pages: gcr.io/google_containers/defaultbackend:1.0
    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
  pull_policy: "IfNotPresent"

 pod:
  affinity:
-      anti:
-        type:
-          default: preferredDuringSchedulingIgnoredDuringExecution
-        topologyKey:
-          default: kubernetes.io/hostname
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
  replicas:
    ingress: 1
    error_page: 1
@ -84,4 +84,19 @@ endpoints:
 deployment_type: DaemonSet

 config:
-  enable-underscores-in-headers: "true"
+  controller:
+    enable-underscores-in-headers: "true"
+  services:
+    tcp: null
+    udp:
+      53: "kube-system/kube-dns:53"
+
+manifests:
+  configmap_bin: true
+  configmap_conf: true
+  configmap_services_tcp: true
+  configmap_services_udp: true
+  deployment_error: true
+  deployment_ingress: true
+  service_error: true
+  service_ingress: true
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -55,7 +55,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@ -117,7 +117,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@ -45,7 +45,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 28989
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -93,7 +93,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -116,7 +116,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
@ -129,7 +129,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
@ -140,7 +140,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 30778
--- a/rally/templates/ingress-api.yaml
+++ b/rally/templates/ingress-api.yaml
@ -31,8 +31,8 @@ metadata:
  name: {{ $ingressName }}
  annotations:
    kubernetes.io/ingress.class: "nginx"
-    ingress.kubernetes.io/rewrite-target: /
-    ingress.kubernetes.io/proxy-body-size: {{ .Values.network.rally.ingress.proxy_body_size }}
+    nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.network.rally.ingress.proxy_body_size }}
 spec:
  rules:
 {{ if ne $hostNameNamespaced $hostNameFull }}
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@ -130,7 +130,7 @@ network:
      public: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 30778