Merge "Ingress: Update image and add UDP/TCP proxying support"

barbican/values.yaml

@@ -136,7 +136,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false

ceilometer/values.yaml

@@ -60,7 +60,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     port: 8777
     node_port:
       enabled: false

cinder/values.yaml

@@ -220,7 +220,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false

congress/values.yaml

@@ -26,7 +26,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     node_port:
       enabled: false
       port: 1789

glance/values.yaml

@@ -276,8 +276,8 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
-        ingress.kubernetes.io/proxy-body-size: "1024M"
+        nginx.ingress.kubernetes.io/proxy-body-size: "1024M"
     external_policy_local: false
     node_port:
       enabled: false
@@ -287,7 +287,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false

gnocchi/values.yaml

@@ -29,7 +29,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false

heat/values.yaml

@@ -223,7 +223,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false
@@ -233,7 +233,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     node_port:
       enabled: false
       port: 30800
@@ -242,7 +242,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     node_port:
       enabled: false
       port: 30003

horizon/values.yaml

@@ -38,7 +38,7 @@ network:
     public: true
     annotations:
       kubernetes.io/ingress.class: "nginx"
-      ingress.kubernetes.io/rewrite-target: /
+      nginx.ingress.kubernetes.io/rewrite-target: /
   external_policy_local: false
   node_port:
     enabled: false

ingress/templates/bin/_ingress-controller.sh.tpl

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec /usr/bin/dumb-init \
+    /nginx-ingress-controller \
+    --default-backend-service=${POD_NAMESPACE}/ingress-error-pages \
+    --configmap=${POD_NAMESPACE}/ingress-conf \
+    --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
+    --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp

ingress/templates/bin/_ingress-error-pages.sh.tpl

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec /server

ingress/templates/configmap-bin.yaml

@@ -14,20 +14,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.configmap_bin }}
 {{- $envAll := . }}
-
-{{- $serviceAccountName := "ingress-api" }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: v1
-kind: RoleBinding
+kind: ConfigMap
 metadata:
-  name: nginx-ingress-role-nisa-binding
+  name: ingress-bin
-  namespace: {{ $envAll.Release.Namespace }}
+data:
-roleRef:
+  ingress-controller.sh: |+
-  apiGroup: rbac.authorization.k8s.io
+{{ tuple "bin/_ingress-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-  kind: Role
+  ingress-error-pages.sh: |+
-  name: nginx-ingress-role
+{{ tuple "bin/_ingress-error-pages.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-subjects:
+{{- end }}
-  - kind: ServiceAccount
-    name: {{ $serviceAccountName }}
-    namespace: {{ $envAll.Release.Namespace }}

ingress/templates/configmap-conf.yaml

@@ -14,12 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.configmap_conf }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: nginx-custom-configuration
+  name: ingress-conf
 data:
-{{ toYaml .Values.config | indent 2 }}
+{{ toYaml .Values.config.controller | indent 2 }}
-
+{{- end }}

ingress/templates/configmap-services-tcp.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_services_tcp }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-services-tcp
+{{- if not (empty $envAll.Values.config.services.tcp) }}
+data:
+{{ toYaml $envAll.Values.config.services.tcp | indent 2 }}
+{{- end }}
+{{- end }}

ingress/templates/configmap-services-udp.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_services_udp }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-services-udp
+{{- if not (empty $envAll.Values.config.services.udp) }}
+data:
+{{ toYaml $envAll.Values.config.services.udp | indent 2 }}
+{{- end }}
+{{- end }}

ingress/templates/deployment-error.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.deployment_error }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.error_pages }}
 
@@ -54,3 +55,16 @@ spec:
             timeoutSeconds: 5
           ports:
             - containerPort: 8080
+          command:
+            - /tmp/ingress-error-pages.sh
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-error-pages.sh
+              subPath: ingress-error-pages.sh
+              readOnly: true
+      volumes:
+      - name: ingress-bin
+        configMap:
+          name: ingress-bin
+          defaultMode: 0555
+{{- end }}

ingress/templates/deployment-ingress.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.deployment_ingress }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ingress }}
 
@@ -85,6 +86,63 @@ subjects:
     name: {{ $serviceAccountName }}
     namespace: {{ $envAll.Release.Namespace }}
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: nginx-ingress-role
+  namespace: {{ $envAll.Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      # Defaults to "<election-id>-<ingress-class>"
+      # Here: "<ingress-controller-leader>-<nginx>"
+      # This has to be adapted if you change either parameter
+      # when launching the nginx-ingress-controller.
+      - "ingress-controller-leader-nginx"
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: nginx-ingress-role-nisa-binding
+  namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nginx-ingress-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
 {{- if eq .Values.deployment_type "Deployment" }}
 apiVersion: apps/v1beta1
 kind: Deployment
@@ -150,7 +208,16 @@ spec:
               hostPort: 80
             - containerPort: 443
               hostPort: 443
-          args:
+          command:
-            - /nginx-ingress-controller
+            - /tmp/ingress-controller.sh
-            - '--default-backend-service=$(POD_NAMESPACE)/ingress-error-pages'
+          volumeMounts:
-            - --configmap=$(POD_NAMESPACE)/nginx-custom-configuration
+            - name: ingress-bin
+              mountPath: /tmp/ingress-controller.sh
+              subPath: ingress-controller.sh
+              readOnly: true
+      volumes:
+      - name: ingress-bin
+        configMap:
+          name: ingress-bin
+          defaultMode: 0555
+{{- end }}

ingress/templates/role.yaml

@@ -1,62 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- $envAll := . }}
-
-{{- $serviceAccountName := "ingress-api" }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name: nginx-ingress-role
-  namespace: {{ $envAll.Release.Namespace }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    resourceNames:
-      # Defaults to "<election-id>-<ingress-class>"
-      # Here: "<ingress-controller-leader>-<nginx>"
-      # This has to be adapted if you change either parameter
-      # when launching the nginx-ingress-controller.
-      - "ingress-controller-leader-nginx"
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-    verbs:
-      - get
-      - create
-      - update

ingress/templates/service-error.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.service_error }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@@ -30,3 +31,4 @@ spec:
     targetPort: 8080
   selector:
 {{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}

ingress/templates/service-ingress.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.service_ingress }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@@ -34,3 +35,4 @@ spec:
     targetPort: 443
   selector:
     app: ingress-api
+{{- end }}

ingress/values.yaml

@@ -20,8 +20,8 @@
 images:
   tags:
     entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
-    # https://github.com/kubernetes/ingress/blob/master/controllers/nginx/Changelog.md
+    # https://github.com/kubernetes/ingress-nginx/blob/09524cd3363693463da5bf4a9bb3900da435ad05/Changelog.md#090
-    ingress: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.8
+    ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0
     error_pages: gcr.io/google_containers/defaultbackend:1.0
     dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
   pull_policy: "IfNotPresent"
@@ -84,4 +84,19 @@ endpoints:
 deployment_type: DaemonSet
 
 config:
+  controller:
     enable-underscores-in-headers: "true"
+  services:
+    tcp: null
+    udp:
+      53: "kube-system/kube-dns:53"
+
+manifests:
+  configmap_bin: true
+  configmap_conf: true
+  configmap_services_tcp: true
+  configmap_services_udp: true
+  deployment_error: true
+  deployment_ingress: true
+  service_error: true
+  service_ingress: true

keystone/values.yaml

@@ -55,7 +55,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false

magnum/values.yaml

@@ -117,7 +117,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false

mistral/values.yaml

@@ -45,7 +45,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     node_port:
       enabled: false
       port: 28989

neutron/values.yaml

@@ -93,7 +93,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false

nova/values.yaml

@@ -116,7 +116,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false
@@ -129,7 +129,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     external_policy_local: false
     node_port:
       enabled: false
@@ -140,7 +140,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     node_port:
       enabled: false
       port: 30778

rally/templates/ingress-api.yaml

@@ -31,8 +31,8 @@ metadata:
   name: {{ $ingressName }}
   annotations:
     kubernetes.io/ingress.class: "nginx"
-    ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/rewrite-target: /
-    ingress.kubernetes.io/proxy-body-size: {{ .Values.network.rally.ingress.proxy_body_size }}
+    nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.network.rally.ingress.proxy_body_size }}
 spec:
   rules:
 {{ if ne $hostNameNamespaced $hostNameFull }}

senlin/values.yaml

@@ -130,7 +130,7 @@ network:
       public: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
-        ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/rewrite-target: /
     node_port:
       enabled: false
       port: 30778