diff --git a/ingress/Chart.yaml b/ingress/Chart.yaml new file mode 100644 index 000000000..44f2fb768 --- /dev/null +++ b/ingress/Chart.yaml @@ -0,0 +1,23 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +description: OpenStack-Helm Ingress Controller +name: ingress +version: 0.1.0 +home: https://github.com/kubernetes/ingress +sources: + - https://github.com/kubernetes/ingress + - https://git.openstack.org/cgit/openstack/openstack-helm +maintainers: + - name: OpenStack-Helm Authors diff --git a/ingress/requirements.yaml b/ingress/requirements.yaml new file mode 100644 index 000000000..53782e69b --- /dev/null +++ b/ingress/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: helm-toolkit + repository: http://localhost:8879/charts + version: 0.1.0 diff --git a/ingress/templates/bin/_ingress-controller.sh.tpl b/ingress/templates/bin/_ingress-controller.sh.tpl new file mode 100644 index 000000000..6514ae59c --- /dev/null +++ b/ingress/templates/bin/_ingress-controller.sh.tpl @@ -0,0 +1,42 @@ +#!/bin/bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +function start () { + exec /usr/bin/dumb-init \ + /nginx-ingress-controller \ + {{- if eq .Values.deployment.mode "namespace" }} + --watch-namespace ${POD_NAMESPACE} \ + {{- end }} + --http-port=${PORT_HTTP} \ + --https-port=${PORT_HTTPS} \ + --election-id=${RELEASE_NAME} \ + --ingress-class=${INGRESS_CLASS} \ + --default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \ + --configmap=${POD_NAMESPACE}/ingress-conf \ + --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \ + --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp +} + +function stop () { + kill -TERM 1 +} + +$COMMAND diff --git a/ingress/templates/bin/_ingress-error-pages.sh.tpl b/ingress/templates/bin/_ingress-error-pages.sh.tpl new file mode 100644 index 000000000..cf62c33f4 --- /dev/null +++ b/ingress/templates/bin/_ingress-error-pages.sh.tpl @@ -0,0 +1,26 @@ +#!/bin/sh + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +if [ "x${COMMAND}" == "xstart" ]; then + exec /server +elif [ "x${COMMAND}" == "xstop" ]; then + kill -TERM 1 +fi diff --git a/ingress/templates/bin/_ingress-vip-keepalived.sh.tpl b/ingress/templates/bin/_ingress-vip-keepalived.sh.tpl new file mode 100644 index 000000000..0cba1faae --- /dev/null +++ b/ingress/templates/bin/_ingress-vip-keepalived.sh.tpl @@ -0,0 +1,31 @@ +#!/bin/bash + +# Copyright 2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -ex + +COMMAND="${@:-start}" + +function kernel_modules () { + chroot /mnt/host-rootfs modprobe ip_vs +} + +function start () { + # Exit if the interface does not exist + ip link show ${interface} > /dev/null || exit 1 + ip link set ${interface} up +} + +$COMMAND diff --git a/ingress/templates/bin/_ingress-vip-routed.sh.tpl b/ingress/templates/bin/_ingress-vip-routed.sh.tpl new file mode 100644 index 000000000..e0ad6fc3c --- /dev/null +++ b/ingress/templates/bin/_ingress-vip-routed.sh.tpl @@ -0,0 +1,57 @@ +#!/bin/bash + +# Copyright 2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -ex + +COMMAND="${@:-start}" + +function kernel_modules () { + chroot /mnt/host-rootfs modprobe dummy +} + +function test_vip () { + ip addr show ${interface} | \ + awk "/inet / && /${interface}/{print \$2 }" | \ + awk -F '/' '{ print $1 }' | \ + grep -q "${addr%/*}" +} + +function start () { + ip link show ${interface} > /dev/null || ip link add ${interface} type dummy + if ! test_vip; then + ip addr add ${addr} dev ${interface} + fi + ip link set ${interface} up +} + +function sleep () { + exec /usr/bin/dumb-init bash -c "while :; do sleep 2073600; done" +} + +function stop () { + ip link show ${interface} > /dev/null || exit 0 + if test_vip; then + ip addr del ${addr} dev ${interface} + fi + if [ "$(ip address show ${interface} | \ + awk "/inet / && /${interface}/{print \$2 }" | \ + wc -l)" -le "0" ]; then + ip link set ${interface} down + ip link del ${interface} + fi +} + +$COMMAND diff --git a/ingress/templates/configmap-bin.yaml b/ingress/templates/configmap-bin.yaml new file mode 100644 index 000000000..b2eacc70d --- /dev/null +++ b/ingress/templates/configmap-bin.yaml @@ -0,0 +1,41 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bin }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ingress-bin +data: +{{- if .Values.images.local_registry.active }} + image-repo-sync.sh: | +{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} +{{- end }} +{{- if and .Values.network.host_namespace .Values.network.vip.manage }} + ingress-vip.sh: | +{{- if eq .Values.network.vip.mode "routed" }} +{{ tuple "bin/_ingress-vip-routed.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- else if eq .Values.network.vip.mode "keepalived" }} +{{ tuple "bin/_ingress-vip-keepalived.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} +{{- end }} + ingress-controller.sh: | +{{ tuple "bin/_ingress-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + ingress-error-pages.sh: | +{{ tuple "bin/_ingress-error-pages.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/ingress/templates/configmap-conf.yaml b/ingress/templates/configmap-conf.yaml new file mode 100644 index 000000000..5483b0fd4 --- /dev/null +++ b/ingress/templates/configmap-conf.yaml @@ -0,0 +1,36 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_conf }} +{{- $envAll := . }} + +{{- if and .Values.network.host_namespace .Values.network.vip.manage -}} +{{- if empty (index .Values.network.vip "mode") -}} +{{- $_ := set .Values.network.vip "mode" "routed" }} +{{- end -}} +{{- if empty (index .Values.conf.ingress "bind-address") -}} +{{- $_ := set .Values.conf.ingress "bind-address" ( .Values.network.vip.addr | split "/" )._0 }} +{{- end -}} +{{- end -}} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ingress-conf +data: +{{ toYaml .Values.conf.ingress | indent 2 }} +{{- end }} diff --git a/ingress/templates/configmap-services-tcp.yaml b/ingress/templates/configmap-services-tcp.yaml new file mode 100644 index 000000000..4454702f9 --- /dev/null +++ b/ingress/templates/configmap-services-tcp.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_services_tcp }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ingress-services-tcp +{{- if not (empty $envAll.Values.conf.services.tcp) }} +data: +{{ toYaml $envAll.Values.conf.services.tcp | indent 2 }} +{{- end }} +{{- end }} diff --git a/ingress/templates/configmap-services-udp.yaml b/ingress/templates/configmap-services-udp.yaml new file mode 100644 index 000000000..402010560 --- /dev/null +++ b/ingress/templates/configmap-services-udp.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_services_udp }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ingress-services-udp +{{- if not (empty $envAll.Values.conf.services.udp) }} +data: +{{ toYaml $envAll.Values.conf.services.udp | indent 2 }} +{{- end }} +{{- end }} diff --git a/ingress/templates/deployment-error.yaml b/ingress/templates/deployment-error.yaml new file mode 100644 index 000000000..7ccaf7e33 --- /dev/null +++ b/ingress/templates/deployment-error.yaml @@ -0,0 +1,80 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.deployment_error }} +{{- $envAll := . }} + +{{- $serviceAccountName := "ingress-error-pages"}} +{{ tuple $envAll "error_pages" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ingress-error-pages + labels: +{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.error_page }} + selector: + matchLabels: +{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + affinity: +{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.error_server.node_selector_key }}: {{ .Values.labels.error_server.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.error_pages.timeout | default "60" }} + initContainers: +{{ tuple $envAll "error_pages" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: ingress-error-pages +{{ tuple $envAll "error_pages" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.error_pages | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 8080 + command: + - /tmp/ingress-error-pages.sh + - start + lifecycle: + preStop: + exec: + command: + - /tmp/ingress-error-pages.sh + - stop + volumeMounts: + - name: ingress-bin + mountPath: /tmp/ingress-error-pages.sh + subPath: ingress-error-pages.sh + readOnly: true + volumes: + - name: ingress-bin + configMap: + name: ingress-bin + defaultMode: 0555 +{{- end }} diff --git a/ingress/templates/deployment-ingress.yaml b/ingress/templates/deployment-ingress.yaml new file mode 100644 index 000000000..38b25ec6f --- /dev/null +++ b/ingress/templates/deployment-ingress.yaml @@ -0,0 +1,330 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.deployment_ingress }} +{{- $envAll := . }} + +{{- if empty .Values.conf.controller.INGRESS_CLASS -}} +{{- if eq .Values.deployment.mode "cluster" }} +{{- $_ := set .Values.conf.controller "INGRESS_CLASS" .Values.deployment.cluster.class -}} +{{- else if eq .Values.deployment.mode "namespace" }} +{{- $_ := set .Values.conf.controller "INGRESS_CLASS" "nginx" -}} +{{- end }} +{{- end -}} + +{{- $serviceAccountName := printf "%s-%s" .Release.Name "ingress" }} +{{ tuple $envAll "ingress" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - {{ printf "%s-%s" .Release.Name .Values.conf.controller.INGRESS_CLASS | quote }} + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- +{{- if eq .Values.deployment.type "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +{{- else if eq .Values.deployment.type "DaemonSet" }} +apiVersion: apps/v1 +kind: DaemonSet +{{- end }} +metadata: + name: ingress + labels: +{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + app: ingress-api +spec: +{{- if eq .Values.deployment.type "Deployment" }} + replicas: {{ .Values.pod.replicas.ingress }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} +{{- end }} + selector: + matchLabels: +{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + app: ingress-api + template: + metadata: + labels: +{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + app: ingress-api + spec: + serviceAccountName: {{ $serviceAccountName }} +{{- if eq .Values.deployment.type "Deployment" }} + affinity: +{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} +{{- end }} + nodeSelector: + {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} +{{- if .Values.network.host_namespace }} + hostNetwork: true +{{- end }} + dnsPolicy: "ClusterFirstWithHostNet" + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "60" }} + initContainers: +{{ tuple $envAll "ingress" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{- if and .Values.network.host_namespace .Values.network.vip.manage }} + - name: ingress-vip-kernel-modules +{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }} + securityContext: + capabilities: + add: + - SYS_MODULE + runAsUser: 0 + command: + - /tmp/ingress-vip.sh + - kernel_modules + volumeMounts: + - name: ingress-bin + mountPath: /tmp/ingress-vip.sh + subPath: ingress-vip.sh + readOnly: true + - name: host-rootfs + mountPath: /mnt/host-rootfs + readOnly: true + - name: ingress-vip-init +{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }} + securityContext: + capabilities: + add: + - NET_ADMIN + runAsUser: 0 + env: +{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }} + command: + - /tmp/ingress-vip.sh + - start + volumeMounts: + - name: ingress-bin + mountPath: /tmp/ingress-vip.sh + subPath: ingress-vip.sh + readOnly: true +{{- end }} + containers: + - name: ingress +{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + readinessProbe: + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + livenessProbe: + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: PORT_HTTP + value: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} + - name: PORT_HTTPS + value: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} + - name: RELEASE_NAME + value: {{ .Release.Name | quote }} + - name: ERROR_PAGE_SERVICE + value: {{ tuple "ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }} +{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controller | indent 12 }} + ports: + - containerPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- if .Values.network.host_namespace }} + hostPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- end }} + - containerPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- if .Values.network.host_namespace }} + hostPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- end }} + command: + - /tmp/ingress-controller.sh + - start + lifecycle: + preStop: + exec: + command: + - /tmp/ingress-controller.sh + - stop + volumeMounts: + - name: ingress-bin + mountPath: /tmp/ingress-controller.sh + subPath: ingress-controller.sh + readOnly: true +{{- if and .Values.network.host_namespace .Values.network.vip.manage }} + - name: ingress-vip + securityContext: + capabilities: + add: + - NET_ADMIN + runAsUser: 0 +{{- if eq .Values.network.vip.mode "routed" }} +{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }} + env: +{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }} + command: + - /tmp/ingress-vip.sh + - sleep + lifecycle: + preStop: + exec: + command: + - /tmp/ingress-vip.sh + - stop + volumeMounts: + - name: ingress-bin + mountPath: /tmp/ingress-vip.sh + subPath: ingress-vip.sh + readOnly: true +{{- else if eq .Values.network.vip.mode "keepalived" }} +{{ tuple $envAll "keepalived" | include "helm-toolkit.snippets.image" | indent 10 }} + env: + - name: KEEPALIVED_INTERFACE + value: {{ .Values.network.vip.interface | quote }} + - name: KEEPALIVED_VIRTUAL_IPS + value: {{ ( .Values.network.vip.addr | split "/" )._0 | quote }} + - name: KEEPALIVED_UNICAST_PEERS + value: null +{{- end }} +{{- end }} + volumes: + - name: ingress-bin + configMap: + name: ingress-bin + defaultMode: 0555 + {{- if and .Values.network.host_namespace .Values.network.vip.manage }} + - name: host-rootfs + hostPath: + path: / + {{- end }} +{{- end }} diff --git a/ingress/templates/endpoints-ingress.yaml b/ingress/templates/endpoints-ingress.yaml new file mode 100644 index 000000000..92977e13e --- /dev/null +++ b/ingress/templates/endpoints-ingress.yaml @@ -0,0 +1,53 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.endpoints_ingress }} +{{- $envAll := . }} +{{- if and .Values.network.host_namespace .Values.network.vip.manage -}} +--- +apiVersion: "v1" +kind: "Endpoints" +metadata: + labels: +{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + endpoint: vip + name: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +subsets: + - addresses: + - ip: {{ ( .Values.network.vip.addr | split "/" )._0 | quote }} + ports: + - port: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + protocol: TCP + name: http + - port: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + protocol: TCP + name: https + {{- if not (empty $envAll.Values.conf.services.tcp) }} + {{range $key, $value := $envAll.Values.conf.services.tcp -}} + - port: {{ $key }} + protocol: TCP + name: {{ cat ((( $value | split "/" )._1 | split ":" )._0 | trunc 8 ) $key | nospace | quote }} + {{ end -}} + {{- end }} + {{- if not (empty $envAll.Values.conf.services.udp) }} + {{range $key, $value := $envAll.Values.conf.services.udp -}} + - port: {{ $key }} + protocol: UDP + name: {{ cat ((( $value | split "/" )._1 | split ":" )._0 | trunc 8 ) $key | nospace | quote }} + {{ end -}} + {{- end }} +{{- end }} +{{- end }} diff --git a/ingress/templates/ingress.yaml b/ingress/templates/ingress.yaml new file mode 100644 index 000000000..16ebaab3d --- /dev/null +++ b/ingress/templates/ingress.yaml @@ -0,0 +1,40 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.ingress }} +{{- $envAll := . }} +{{- if eq .Values.deployment.mode "namespace" }} +{{- if empty (index .Values.network.ingress.annotations "kubernetes.io/ingress.class") -}} +{{- $_ := set .Values.network.ingress.annotations "kubernetes.io/ingress.class" .Values.deployment.cluster.class -}} +{{- end -}} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ .Release.Namespace }}-{{ .Release.Name }} + annotations: +{{ toYaml .Values.network.ingress.annotations | indent 4 }} +spec: + rules: + - host: {{ printf "%s.%s.svc.%s" "*" .Release.Namespace .Values.endpoints.cluster_domain_suffix | quote }} + http: + paths: + - path: / + backend: + serviceName: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + servicePort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- end }} +{{- end }} diff --git a/ingress/templates/job-image-repo-sync.yaml b/ingress/templates/job-image-repo-sync.yaml new file mode 100644 index 000000000..c332e8c7e --- /dev/null +++ b/ingress/templates/job-image-repo-sync.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }} +{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "ingress" -}} +{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} +{{- end }} diff --git a/ingress/templates/service-error.yaml b/ingress/templates/service-error.yaml new file mode 100644 index 000000000..b17d4d2ec --- /dev/null +++ b/ingress/templates/service-error.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service_error }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: +{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + name: {{ tuple "ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +spec: + clusterIP: None + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: +{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- end }} diff --git a/ingress/templates/service-ingress-metrics-exporter.yaml b/ingress/templates/service-ingress-metrics-exporter.yaml new file mode 100644 index 000000000..3637e13b9 --- /dev/null +++ b/ingress/templates/service-ingress-metrics-exporter.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.monitoring.prometheus.service_exporter }} +{{- if .Values.monitoring.prometheus.enabled }} +{{- $envAll := . }} +{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.ingress_exporter }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ tuple "ingress_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + labels: +{{ tuple $envAll "ingress_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: +{{- if .Values.monitoring.prometheus.enabled }} +{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }} +{{- end }} +spec: + ports: + - name: metrics + port: {{ .Values.endpoints.ingress_exporter.port.metrics.default }} + selector: +{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}{{- end }} +{{- end }} \ No newline at end of file diff --git a/ingress/templates/service-ingress.yaml b/ingress/templates/service-ingress.yaml new file mode 100644 index 000000000..ca9af8ce2 --- /dev/null +++ b/ingress/templates/service-ingress.yaml @@ -0,0 +1,62 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service_ingress }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: +{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if and .Values.network.host_namespace .Values.network.vip.manage }} + endpoint: vip +{{- end }} + name: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +spec: +{{- if and .Values.network.host_namespace .Values.network.vip.manage }} + clusterIP: None +{{- end }} + ports: + - name: http + port: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + protocol: TCP + targetPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - name: https + port: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + protocol: TCP + targetPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- if not (empty $envAll.Values.conf.services.tcp) }} + {{range $key, $value := $envAll.Values.conf.services.tcp -}} + - name: {{ cat ((( $value | split "/" )._1 | split ":" )._0 | trunc 8 ) $key | nospace | quote }} + port: {{ $key }} + protocol: TCP + targetPort: {{ $key }} + {{ end -}} + {{- end }} + {{- if not (empty $envAll.Values.conf.services.udp) }} + {{range $key, $value := $envAll.Values.conf.services.udp -}} + - name: {{ cat ((( $value | split "/" )._1 | split ":" )._0 | trunc 8 ) $key | nospace | quote }} + port: {{ $key }} + protocol: UDP + targetPort: {{ $key }} + {{ end -}} + {{- end }} +{{- if not (and .Values.network.host_namespace .Values.network.vip.manage) }} + selector: +{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- end }} +{{- end }} diff --git a/ingress/values.yaml b/ingress/values.yaml new file mode 100644 index 000000000..74a890565 --- /dev/null +++ b/ingress/values.yaml @@ -0,0 +1,211 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for ingress. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value + +deployment: + mode: namespace + type: Deployment + cluster: + class: "nginx-cluster" + +images: + tags: + entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + # https://github.com/kubernetes/ingress-nginx/blob/09524cd3363693463da5bf4a9bb3900da435ad05/Changelog.md#090 + ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 + error_pages: gcr.io/google_containers/defaultbackend:1.0 + keepalived: osixia/keepalived:1.4.5 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + pull_policy: "IfNotPresent" + local_registry: + active: false + exclude: + - dep_check + - image_repo_sync + +pod: + affinity: + anti: + type: + default: preferredDuringSchedulingIgnoredDuringExecution + topologyKey: + default: kubernetes.io/hostname + replicas: + ingress: 1 + error_page: 1 + lifecycle: + upgrades: + deployments: + revision_history: 3 + pod_replacement_strategy: RollingUpdate + rolling_update: + max_unavailable: 1 + max_surge: 3 + termination_grace_period: + server: + timeout: 60 + error_pages: + timeout: 60 + resources: + enabled: false + ingress: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + error_pages: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + jobs: + image_repo_sync: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + +labels: + server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + error_server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + +network: + host_namespace: false + vip: + manage: false + # what type of vip manage machanism will be used + # possible options: routed, keepalived + mode: routed + interface: ingress-vip + addr: 172.18.0.1/32 + ingress: + annotations: + #NOTE(portdirect): if left blank this is populated from + # .deployment.cluster.class + kubernetes.io/ingress.class: null + nginx.ingress.kubernetes.io/proxy-body-size: "0" + external_policy_local: false + +dependencies: + dynamic: + common: + local_image_registry: + jobs: + - ingress-image-repo-sync + services: + - endpoint: node + service: local_image_registry + static: + error_pages: + jobs: null + ingress: + jobs: null + image_repo_sync: + services: + - endpoint: internal + service: local_image_registry + +monitoring: + prometheus: + enabled: true + ingress_exporter: + scrape: true + +endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 + ingress: + hosts: + default: ingress + error_pages: ingress-error-pages + host_fqdn_override: + default: null + port: + http: + default: 80 + https: + default: 443 + ingress_exporter: + namespace: null + hosts: + default: ingress-exporter + host_fqdn_override: + default: null + path: + default: null + scheme: + default: 'http' + port: + metrics: + default: 10254 + +conf: + controller: + #NOTE(portdirect): if left blank this is populated from + # .deployment.cluster.class in cluster mode, or set to + # "nginx" in namespace mode + INGRESS_CLASS: null + ingress: + enable-underscores-in-headers: "true" + #NOTE(portdirect): if left blank this is populated from + # .network.vip.addr when running in host networking + # and .network.vip.manage=true, otherwise it is left as + # an empty string (the default). + bind-address: null + enable-vts-status: "true" + services: + tcp: null + udp: null + +manifests: + configmap_bin: true + configmap_conf: true + configmap_services_tcp: true + configmap_services_udp: true + deployment_error: true + deployment_ingress: true + endpoints_ingress: true + ingress: true + service_error: true + service_ingress: true + job_image_repo_sync: true + monitoring: + prometheus: + service_exporter: true