From 1b5ece880b2a4315f2ba8982b6cf2b89b2f49ba8 Mon Sep 17 00:00:00 2001 From: Kaustubh Dhokte Date: Sat, 4 Jun 2022 01:28:04 +0000 Subject: [PATCH] Debian: Add missing patches to armada-helm-toolkit This change adds missing patches to debian armada-helm-toolkit package which are already present for its CentOS equivalent. These patches are particularly important because Kubernetes 1.22 deprecated below k8s apiversions that armada-helm-toolkit uses. - 'extensions/v1beta1' for 'Ingress' kind - 'rbac.authorization.k8s.io/v1beta1' for 'Role' and 'RoleBinding' - 'extensions/v1beta1' for kind 'PodSecurityPolicy' 'Ingress' should now use apiversion 'networking.k8s.io/v1'. 'Role' and 'RoleBinding' should now use apiversion 'rbac.authorization.k8s.io/v1'. 'PodSecurityPolicy' should now use apiversion 'policy/v1beta1'. Reference: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#migrate-to-non-deprecated-apis Test Plan: PASS: Package builds successfully PASS: Image builds successfully PASS: Armada helm chart gets installed successfully during ansible bootstrap for k8s 1.23.1 Story: 2009888 Task: 44649 Signed-off-by: Kaustubh Dhokte Change-Id: Ic2b6a982e53b01ec24f4ab1bcf61025c59acf86e --- ...date-apiVersion-to-networking.k8s.io.patch | 219 ++++++++++++++++++ ...pdate-apiVersion-authorization-to-v1.patch | 53 +++++ .../armada-helm-toolkit/debian/patches/series | 2 + 3 files changed, 274 insertions(+) create mode 100644 kubernetes/armada-helm-toolkit/debian/patches/0007-Update-apiVersion-to-networking.k8s.io.patch create mode 100644 kubernetes/armada-helm-toolkit/debian/patches/0008-Update-apiVersion-authorization-to-v1.patch diff --git a/kubernetes/armada-helm-toolkit/debian/patches/0007-Update-apiVersion-to-networking.k8s.io.patch b/kubernetes/armada-helm-toolkit/debian/patches/0007-Update-apiVersion-to-networking.k8s.io.patch new file mode 100644 index 000000000..dc43fcdcc --- /dev/null +++ b/kubernetes/armada-helm-toolkit/debian/patches/0007-Update-apiVersion-to-networking.k8s.io.patch @@ -0,0 +1,219 @@ +From 751dff849dfcd9d68ba065571dc8251dbfc16cb2 Mon Sep 17 00:00:00 2001 +From: Daniel Safta +Date: Wed, 2 Feb 2022 12:07:18 +0000 +Subject: [PATCH 1/2] Update apiVersion to networking.k8s.io/v1 + +These are the changes needed to upgrade +the apiVersion in the resources used by armada. +This is a subset of the upstream commit: +https://github.com/openstack/openstack-helm-infra/commit/f4972121bcb41c8d74748917804d2b239ab757f9 +Signed-off-by: Daniel Safta +--- + helm-toolkit/templates/manifests/_ingress.tpl | 75 +++++++++++++------ + ingress/templates/ingress.yaml | 14 +++- + 2 files changed, 62 insertions(+), 27 deletions(-) + +diff --git a/helm-toolkit/templates/manifests/_ingress.tpl b/helm-toolkit/templates/manifests/_ingress.tpl +index f0c37fd..5c54c34 100644 +--- a/helm-toolkit/templates/manifests/_ingress.tpl ++++ b/helm-toolkit/templates/manifests/_ingress.tpl +@@ -64,7 +64,7 @@ examples: + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}} + return: | + --- +- apiVersion: extensions/v1beta1 ++ apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican +@@ -78,25 +78,34 @@ examples: + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: barbican-api +- servicePort: b-api ++ service: ++ name: barbican-api ++ port: ++ name: b-api + - host: barbican.default + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: barbican-api +- servicePort: b-api ++ service: ++ name: barbican-api ++ port: ++ name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: barbican-api +- servicePort: b-api ++ service: ++ name: barbican-api ++ port: ++ name: b-api + --- +- apiVersion: extensions/v1beta1 ++ apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican-namespace-fqdn +@@ -114,11 +123,14 @@ examples: + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: barbican-api +- servicePort: b-api ++ service: ++ name: barbican-api ++ port: ++ name: b-api + --- +- apiVersion: extensions/v1beta1 ++ apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican-cluster-fqdn +@@ -136,9 +148,12 @@ examples: + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: barbican-api +- servicePort: b-api ++ service: ++ name: barbican-api ++ port: ++ name: b-api + - values: | + network: + api: +@@ -184,7 +199,7 @@ examples: + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}} + return: | + --- +- apiVersion: extensions/v1beta1 ++ apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican +@@ -204,23 +219,32 @@ examples: + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: barbican-api +- servicePort: b-api ++ service: ++ name: barbican-api ++ port: ++ name: b-api + - host: barbican.default + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: barbican-api +- servicePort: b-api ++ service: ++ name: barbican-api ++ port: ++ name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: barbican-api +- servicePort: b-api ++ service: ++ name: barbican-api ++ port: ++ name: b-api + */}} + + {{- define "helm-toolkit.manifests.ingress._host_rules" -}} +@@ -231,9 +255,12 @@ examples: + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: {{ $backendName }} +- servicePort: {{ $backendPort }} ++ service: ++ name: {{ $backendName }} ++ port: ++ name: {{ $backendPort }} + {{- end }} + + {{- define "helm-toolkit.manifests.ingress" -}} +@@ -247,7 +274,7 @@ examples: + {{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + {{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + --- +-apiVersion: extensions/v1beta1 ++apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: {{ $ingressName }} +@@ -282,7 +309,7 @@ spec: + {{- range $key2, $ingressController := tuple "namespace" "cluster" }} + {{- $hostNameFullRules := dict "vHost" $hostNameFull "backendName" $backendName "backendPort" $backendPort }} + --- +-apiVersion: extensions/v1beta1 ++apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }} +diff --git a/ingress/templates/ingress.yaml b/ingress/templates/ingress.yaml +index 16ebaab..10ffac7 100644 +--- a/ingress/templates/ingress.yaml ++++ b/ingress/templates/ingress.yaml +@@ -21,7 +21,7 @@ limitations under the License. + {{- $_ := set .Values.network.ingress.annotations "kubernetes.io/ingress.class" .Values.deployment.cluster.class -}} + {{- end -}} + --- +-apiVersion: extensions/v1beta1 ++apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: {{ .Release.Namespace }}-{{ .Release.Name }} +@@ -33,8 +33,16 @@ spec: + http: + paths: + - path: / ++ pathType: ImplementationSpecific + backend: +- serviceName: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +- servicePort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} ++ service: ++ name: {{ $serviceName }} ++ port: ++{{- if or (kindIs "int" $servicePort) (regexMatch "^[0-9]{1,5}$" $servicePort) }} ++ number: {{ $servicePort | int }} ++{{- else }} ++ name: {{ $servicePort | quote }} ++{{- end }} ++ + {{- end }} + {{- end }} +-- +2.31.1 + diff --git a/kubernetes/armada-helm-toolkit/debian/patches/0008-Update-apiVersion-authorization-to-v1.patch b/kubernetes/armada-helm-toolkit/debian/patches/0008-Update-apiVersion-authorization-to-v1.patch new file mode 100644 index 000000000..be3d6ba85 --- /dev/null +++ b/kubernetes/armada-helm-toolkit/debian/patches/0008-Update-apiVersion-authorization-to-v1.patch @@ -0,0 +1,53 @@ +From d5d3e40baedaba10335bc2f0ea801e9118e05d1c Mon Sep 17 00:00:00 2001 +From: Daniel Safta +Date: Wed, 2 Feb 2022 12:07:51 +0000 +Subject: [PATCH 2/2] Update apiVersion authorization to v1 + +These are the changes needed to upgrade +the apiVersion in the resources used by armada. +This is a subset of the upstream commit: +https://github.com/openstack/openstack-helm-infra/commit/f4972121bcb41c8d74748917804d2b239ab757f9 +Signed-off-by: Daniel Safta +--- + .../templates/snippets/_kubernetes_pod_rbac_roles.tpl | 4 ++-- + podsecuritypolicy/templates/podsecuritypolicy.yaml | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl +index f9f48ef..44a31fd 100644 +--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl ++++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl +@@ -21,7 +21,7 @@ limitations under the License. + {{- $saNamespace := index . 3 -}} + {{- $releaseName := $envAll.Release.Name }} + --- +-apiVersion: rbac.authorization.k8s.io/v1beta1 ++apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: {{ $releaseName }}-{{ $saName }} +@@ -35,7 +35,7 @@ subjects: + name: {{ $saName }} + namespace: {{ $saNamespace }} + --- +-apiVersion: rbac.authorization.k8s.io/v1beta1 ++apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }} +diff --git a/podsecuritypolicy/templates/podsecuritypolicy.yaml b/podsecuritypolicy/templates/podsecuritypolicy.yaml +index 741c9a8..9e22c6e 100644 +--- a/podsecuritypolicy/templates/podsecuritypolicy.yaml ++++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml +@@ -20,7 +20,7 @@ limitations under the License. + {{/* Create one ClusterRole and PSP per PSP definition in values */}} + {{- range $pspName, $pspDetails := .Values.data }} + --- +-apiVersion: extensions/v1beta1 ++apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + name: {{ $pspName }} +-- +2.31.1 + diff --git a/kubernetes/armada-helm-toolkit/debian/patches/series b/kubernetes/armada-helm-toolkit/debian/patches/series index 1a31bffa3..c57e57177 100644 --- a/kubernetes/armada-helm-toolkit/debian/patches/series +++ b/kubernetes/armada-helm-toolkit/debian/patches/series @@ -2,3 +2,5 @@ 0002-Add-imagePullSecrets-in-service-account.patch 0004-Partial-revert-of-31e3469d28858d7b5eb6355e88b6f49fd6.patch 0006-Fix-pod-restarts-on-all-workers-when-worker-added-re.patch +0007-Update-apiVersion-to-networking.k8s.io.patch +0008-Update-apiVersion-authorization-to-v1.patch