From 4807f2c0c6e45e3143b2036a1c12ed103c138520 Mon Sep 17 00:00:00 2001 From: zadjadr Date: Tue, 15 Aug 2023 18:55:59 +0200 Subject: [PATCH 1/4] Implement Cilium Ingress --- k8s/crds/kops.k8s.io_clusters.yaml | 37 ++++ pkg/apis/kops/networking.go | 34 ++++ pkg/apis/kops/v1alpha2/networking.go | 34 ++++ .../kops/v1alpha2/zz_generated.conversion.go | 60 ++++++ .../kops/v1alpha2/zz_generated.deepcopy.go | 36 ++++ pkg/apis/kops/v1alpha3/networking.go | 34 ++++ .../kops/v1alpha3/zz_generated.conversion.go | 60 ++++++ .../kops/v1alpha3/zz_generated.deepcopy.go | 36 ++++ pkg/apis/kops/validation/validation.go | 6 + pkg/apis/kops/validation/validation_test.go | 19 ++ pkg/apis/kops/zz_generated.deepcopy.go | 36 ++++ pkg/model/components/cilium.go | 29 +++ ...s_s3_object_cluster-completed.spec_content | 9 + ...s_s3_object_cluster-completed.spec_content | 9 + ...s_s3_object_cluster-completed.spec_content | 9 + ...s_s3_object_cluster-completed.spec_content | 9 + ...s_s3_object_cluster-completed.spec_content | 9 + ...s_s3_object_cluster-completed.spec_content | 8 + ...ilium.example.com-addons-bootstrap_content | 2 +- ...dons-networking.cilium.io-k8s-1.16_content | 184 ++++++++++++++++++ .../privatecilium2/in-v1alpha2.yaml | 8 + ...s_s3_object_cluster-completed.spec_content | 9 + .../k8s-1.16-v1.13.yaml.template | 147 ++++++++++++++ 23 files changed, 823 insertions(+), 1 deletion(-) diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index b90efcedeb4f7..ffc809c6766e9 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml 
@@ -5033,6 +5033,43 @@ spec: description: 'IdentityChangeGracePeriod specifies the duration to wait before using a changed identity. Default: 5s' type: string + ingress: + description: Ingress specifies the configuration for Cilium + Ingress settings. + properties: + defaultLoadBalancerMode: + description: 'DefaultLoadBalancerMode specifies the default + load balancer mode. Possible values: ''shared'' or ''dedicated'' + Default: shared' + type: string + enableSecretsSync: + description: 'EnableSecretsSync specifies whether synchronization + of secrets is enabled. Default: true' + type: boolean + enabled: + description: Enabled specifies whether Cilium Ingress + is enabled. + type: boolean + enforceHttps: + description: 'EnforceHttps specifies whether HTTPS enforcement + is enabled for Ingress traffic. Default: true' + type: boolean + loadBalancerAnnotationPrefixes: + description: 'LoadBalancerAnnotationPrefixes specifies + annotation prefixes for Load Balancer configuration. + Default: "service.beta.kubernetes.io service.kubernetes.io + cloud.google.com"' + type: string + secretsNamespace: + description: 'SecretsNamespace specifies the namespace + where secrets are synchronized. Default: cilium-secrets' + type: string + sharedLoadBalancerServiceName: + description: 'SharedLoadBalancerServiceName specifies + the name of the shared load balancer service. Default: + cilium-ingress' + type: string + type: object ipam: description: 'IPAM specifies the IP address allocation mode to use. Possible values are "crd" and "eni". "eni" will diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index ddacc4077f667..8a637a73e255a 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go 
@@ -493,6 +493,40 @@ type CiliumNetworkingSpec struct { // EnableServiceTopology determine if cilium should use topology aware hints. EnableServiceTopology bool `json:"enableServiceTopology,omitempty"` + + // Ingress specifies the configuration for Cilium Ingress settings. + Ingress *CiliumIngressSpec `json:"ingress,omitempty"` +} + +// CiliumIngressSpec configures Cilium Ingress settings. +type CiliumIngressSpec struct { + // Enabled specifies whether Cilium Ingress is enabled. + Enabled *bool `json:"enabled,omitempty"` + + // EnforceHttps specifies whether HTTPS enforcement is enabled for Ingress traffic. + // Default: true + EnforceHttps *bool `json:"enforceHttps,omitempty"` + + // EnableSecretsSync specifies whether synchronization of secrets is enabled. + // Default: true + EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` + + // SecretsNamespace specifies the namespace where secrets are synchronized. + // Default: cilium-secrets + SecretsNamespace string `json:"secretsNamespace,omitempty"` + + // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration. + // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" + LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"` + + // DefaultLoadBalancerMode specifies the default load balancer mode. + // Possible values: 'shared' or 'dedicated' + // Default: shared + DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"` + + // SharedLoadBalancerServiceName specifies the name of the shared load balancer service. + // Default: cilium-ingress + SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"` } // HubbleSpec configures the Hubble service on the Cilium agent. diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go index 48e482b81459b..0d5528642fcbe 100644 --- a/pkg/apis/kops/v1alpha2/networking.go 
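Review bot: `LoadBalancerAnnotationPrefixes` is modelled as one space-separated string on `CiliumIngressSpec`, which pushes tokenisation onto every consumer and makes per-prefix validation impossible; a `[]string` with the same JSON tag (`LoadBalancerAnnotationPrefixes []string \`json:"loadBalancerAnnotationPrefixes,omitempty"\``), joined with spaces only when rendered into the cilium-config, is the conventional shape for a list in this API. The identical struct is repeated in the v1alpha2 and v1alpha3 hunks and the generated conversion and deepcopy code would need regenerating after the change. On naming, Go initialism convention is `EnforceHTTPS` rather than `EnforceHttps`, while the JSON tag `enforceHttps` can stay as is. `DefaultLoadBalancerMode` documents a closed set of two values, so a named string type with `shared`/`dedicated` constants would let callers and validation refer to them instead of repeating literals.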
+++ b/pkg/apis/kops/v1alpha2/networking.go @@ -614,6 +614,40 @@ type CiliumNetworkingSpec struct { // EnableServiceTopology determine if cilium should use topology aware hints. EnableServiceTopology bool `json:"enableServiceTopology,omitempty"` + + // Ingress specifies the configuration for Cilium Ingress settings. + Ingress *CiliumIngressSpec `json:"ingress,omitempty"` +} + +// CiliumIngressSpec configures Cilium Ingress settings. +type CiliumIngressSpec struct { + // Enabled specifies whether Cilium Ingress is enabled. + Enabled *bool `json:"enabled,omitempty"` + + // EnforceHttps specifies whether HTTPS enforcement is enabled for Ingress traffic. + // Default: true + EnforceHttps *bool `json:"enforceHttps,omitempty"` + + // EnableSecretsSync specifies whether synchronization of secrets is enabled. + // Default: true + EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` + + // SecretsNamespace specifies the namespace where secrets are synchronized. + // Default: cilium-secrets + SecretsNamespace string `json:"secretsNamespace,omitempty"` + + // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration. + // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" + LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"` + + // DefaultLoadBalancerMode specifies the default load balancer mode. + // Possible values: 'shared' or 'dedicated' + // Default: shared + DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"` + + // SharedLoadBalancerServiceName specifies the name of the shared load balancer service. + // Default: cilium-ingress + SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"` } // HubbleSpec configures the Hubble service on the Cilium agent. diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index be120b757072f..b44a3640d5749 100644 
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -214,6 +214,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*CiliumIngressSpec)(nil), (*kops.CiliumIngressSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(a.(*CiliumIngressSpec), b.(*kops.CiliumIngressSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*kops.CiliumIngressSpec)(nil), (*CiliumIngressSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec(a.(*kops.CiliumIngressSpec), b.(*CiliumIngressSpec), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*ClassicNetworkingSpec)(nil), (*kops.ClassicNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha2_ClassicNetworkingSpec_To_kops_ClassicNetworkingSpec(a.(*ClassicNetworkingSpec), b.(*kops.ClassicNetworkingSpec), scope) }); err != nil { 
@@ -1907,6 +1917,38 @@ func Convert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in *kops.CertM return autoConvert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in, out, s) } +func autoConvert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *CiliumIngressSpec, out *kops.CiliumIngressSpec, s conversion.Scope) error { + out.Enabled = in.Enabled + out.EnforceHttps = in.EnforceHttps + out.EnableSecretsSync = in.EnableSecretsSync + out.SecretsNamespace = in.SecretsNamespace + out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes + out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode + out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName + return nil +} + +// Convert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec is an autogenerated conversion function. +func Convert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *CiliumIngressSpec, out *kops.CiliumIngressSpec, s conversion.Scope) error { + return autoConvert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(in, out, s) +} + +func autoConvert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec(in *kops.CiliumIngressSpec, out *CiliumIngressSpec, s conversion.Scope) error { + out.Enabled = in.Enabled + out.EnforceHttps = in.EnforceHttps + out.EnableSecretsSync = in.EnableSecretsSync + out.SecretsNamespace = in.SecretsNamespace + out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes + out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode + out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName + return nil +} + +// Convert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec is an autogenerated conversion function. 
+func Convert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec(in *kops.CiliumIngressSpec, out *CiliumIngressSpec, s conversion.Scope) error { + return autoConvert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec(in, out, s) +} + func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *CiliumNetworkingSpec, out *kops.CiliumNetworkingSpec, s conversion.Scope) error { out.Registry = in.Registry out.Version = in.Version @@ -2017,6 +2059,15 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * // INFO: in.CniBinPath opted out of conversion generation out.DisableCNPStatusUpdates = in.DisableCNPStatusUpdates out.EnableServiceTopology = in.EnableServiceTopology + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = new(kops.CiliumIngressSpec) + if err := Convert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(*in, *out, s); err != nil { + return err + } + } else { + out.Ingress = nil + } return nil } @@ -2078,6 +2129,15 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in * } out.DisableCNPStatusUpdates = in.DisableCNPStatusUpdates out.EnableServiceTopology = in.EnableServiceTopology + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = new(CiliumIngressSpec) + if err := Convert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec(*in, *out, s); err != nil { + return err + } + } else { + out.Ingress = nil + } return nil } diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go index b7c19dbfc9492..47caff87aec49 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go 
@@ -520,6 +520,37 @@ func (in *CertManagerConfig) DeepCopy() *CertManagerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.EnforceHttps != nil { + in, out := &in.EnforceHttps, &out.EnforceHttps + *out = new(bool) + **out = **in + } + if in.EnableSecretsSync != nil { + in, out := &in.EnableSecretsSync, &out.EnableSecretsSync + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIngressSpec. +func (in *CiliumIngressSpec) DeepCopy() *CiliumIngressSpec { + if in == nil { + return nil + } + out := new(CiliumIngressSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = *in @@ -636,6 +667,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = new(bool) **out = **in } + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = new(CiliumIngressSpec) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/apis/kops/v1alpha3/networking.go b/pkg/apis/kops/v1alpha3/networking.go index d240f62054f3b..cc3b3b2a27987 100644 --- a/pkg/apis/kops/v1alpha3/networking.go +++ b/pkg/apis/kops/v1alpha3/networking.go 
@@ -456,6 +456,40 @@ type CiliumNetworkingSpec struct { // EnableServiceTopology determine if cilium should use topology aware hints. EnableServiceTopology bool `json:"enableServiceTopology,omitempty"` + + // Ingress specifies the configuration for Cilium Ingress settings. + Ingress *CiliumIngressSpec `json:"ingress,omitempty"` +} + +// CiliumIngressSpec configures Cilium Ingress settings. +type CiliumIngressSpec struct { + // Enabled specifies whether Cilium Ingress is enabled. + Enabled *bool `json:"enabled,omitempty"` + + // EnforceHttps specifies whether HTTPS enforcement is enabled for Ingress traffic. + // Default: true + EnforceHttps *bool `json:"enforceHttps,omitempty"` + + // EnableSecretsSync specifies whether synchronization of secrets is enabled. + // Default: true + EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` + + // SecretsNamespace specifies the namespace where secrets are synchronized. + // Default: cilium-secrets + SecretsNamespace string `json:"secretsNamespace,omitempty"` + + // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration. + // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" + LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"` + + // DefaultLoadBalancerMode specifies the default load balancer mode. + // Possible values: 'shared' or 'dedicated' + // Default: shared + DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"` + + // SharedLoadBalancerServiceName specifies the name of the shared load balancer service. + // Default: cilium-ingress + SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"` } // HubbleSpec configures the Hubble service on the Cilium agent. diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go index ba769dbbc9eea..2790cb69488f4 100644 
--- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go @@ -234,6 +234,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*CiliumIngressSpec)(nil), (*kops.CiliumIngressSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(a.(*CiliumIngressSpec), b.(*kops.CiliumIngressSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*kops.CiliumIngressSpec)(nil), (*CiliumIngressSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec(a.(*kops.CiliumIngressSpec), b.(*CiliumIngressSpec), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*CiliumNetworkingSpec)(nil), (*kops.CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(a.(*CiliumNetworkingSpec), b.(*kops.CiliumNetworkingSpec), scope) }); err != nil { 
@@ -2089,6 +2099,38 @@ func Convert_kops_CertManagerConfig_To_v1alpha3_CertManagerConfig(in *kops.CertM return autoConvert_kops_CertManagerConfig_To_v1alpha3_CertManagerConfig(in, out, s) } +func autoConvert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *CiliumIngressSpec, out *kops.CiliumIngressSpec, s conversion.Scope) error { + out.Enabled = in.Enabled + out.EnforceHttps = in.EnforceHttps + out.EnableSecretsSync = in.EnableSecretsSync + out.SecretsNamespace = in.SecretsNamespace + out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes + out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode + out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName + return nil +} + +// Convert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec is an autogenerated conversion function. +func Convert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *CiliumIngressSpec, out *kops.CiliumIngressSpec, s conversion.Scope) error { + return autoConvert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(in, out, s) +} + +func autoConvert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec(in *kops.CiliumIngressSpec, out *CiliumIngressSpec, s conversion.Scope) error { + out.Enabled = in.Enabled + out.EnforceHttps = in.EnforceHttps + out.EnableSecretsSync = in.EnableSecretsSync + out.SecretsNamespace = in.SecretsNamespace + out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes + out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode + out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName + return nil +} + +// Convert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec is an autogenerated conversion function. 
+func Convert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec(in *kops.CiliumIngressSpec, out *CiliumIngressSpec, s conversion.Scope) error { + return autoConvert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec(in, out, s) +} + func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *CiliumNetworkingSpec, out *kops.CiliumNetworkingSpec, s conversion.Scope) error { out.Registry = in.Registry out.Version = in.Version @@ -2147,6 +2189,15 @@ func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * } out.DisableCNPStatusUpdates = in.DisableCNPStatusUpdates out.EnableServiceTopology = in.EnableServiceTopology + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = new(kops.CiliumIngressSpec) + if err := Convert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(*in, *out, s); err != nil { + return err + } + } else { + out.Ingress = nil + } return nil } @@ -2213,6 +2264,15 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha3_CiliumNetworkingSpec(in * } out.DisableCNPStatusUpdates = in.DisableCNPStatusUpdates out.EnableServiceTopology = in.EnableServiceTopology + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = new(CiliumIngressSpec) + if err := Convert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec(*in, *out, s); err != nil { + return err + } + } else { + out.Ingress = nil + } return nil } diff --git a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go index 45b2f6bcd2c8a..5ec82fdf5006d 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go 
@@ -581,6 +581,37 @@ func (in *CertManagerConfig) DeepCopy() *CertManagerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.EnforceHttps != nil { + in, out := &in.EnforceHttps, &out.EnforceHttps + *out = new(bool) + **out = **in + } + if in.EnableSecretsSync != nil { + in, out := &in.EnableSecretsSync, &out.EnableSecretsSync + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIngressSpec. +func (in *CiliumIngressSpec) DeepCopy() *CiliumIngressSpec { + if in == nil { + return nil + } + out := new(CiliumIngressSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = *in @@ -658,6 +689,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = new(bool) **out = **in } + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = new(CiliumIngressSpec) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go index d2c0ddad09cb9..21b91e0e8d179 100644 --- a/pkg/apis/kops/validation/validation.go +++ b/pkg/apis/kops/validation/validation.go 
@@ -1338,6 +1338,12 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe } } + if v.Ingress != nil && fi.ValueOf(v.Ingress.Enabled) { + if v.Ingress.DefaultLoadBalancerMode != "" { + allErrs = append(allErrs, IsValidValue(fldPath.Child("ingress", "defaultLoadBalancerMode"), &v.Ingress.DefaultLoadBalancerMode, []string{"shared", "dedicated"})...) + } + } + return allErrs } diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go index af9f6a8a5d799..4acb77373e540 100644 --- a/pkg/apis/kops/validation/validation_test.go +++ b/pkg/apis/kops/validation/validation_test.go @@ -961,6 +961,25 @@ func Test_Validate_Cilium(t *testing.T) { }, ExpectedErrors: []string{"Forbidden::cilium.hubble.enabled"}, }, + { + Cilium: kops.CiliumNetworkingSpec{ + Version: "v1.13.5", + Ingress: &kops.CiliumIngressSpec{ + Enabled: fi.PtrTo(true), + DefaultLoadBalancerMode: "bad-value", + }, + }, + ExpectedErrors: []string{"Unsupported value::cilium.ingress.defaultLoadBalancerMode"}, + }, + { + Cilium: kops.CiliumNetworkingSpec{ + Version: "v1.13.5", + Ingress: &kops.CiliumIngressSpec{ + Enabled: fi.PtrTo(true), + DefaultLoadBalancerMode: "dedicated", + }, + }, + }, { Cilium: kops.CiliumNetworkingSpec{ Version: "v1.13.5", diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index 9dbdea49684aa..fc8950d970249 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go 
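Review bot: The `defaultLoadBalancerMode` check is gated on `fi.ValueOf(v.Ingress.Enabled)`, so a spec that sets an unsupported mode but leaves `enabled` unset passes validation, while `BuildOptions` in pkg/model/components/cilium.go then defaults `Enabled` to true; if validation runs against the pre-defaulted spec (I cannot confirm the ordering from here) the bad value reaches the template. Validating whenever the field is set avoids depending on that ordering: `if v.Ingress != nil && v.Ingress.DefaultLoadBalancerMode != "" {`. `SecretsNamespace` and `SharedLoadBalancerServiceName` are rendered as a Namespace name and a Service name in the addon manifest (see the privatecilium2 expected output) yet are not validated at all; a DNS-1123 label check such as apimachinery's `validation.IsDNS1123Label` on each non-empty value, reported under `fldPath.Child("ingress", ...)`, would reject names that make the manifest unapplyable. The test hunk covers only the mode check and would want cases for those two fields once they are validated. validateNetworkingCilium begins outside the hunk.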
@@ -662,6 +662,37 @@ func (in *ChannelSpec) DeepCopy() *ChannelSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.EnforceHttps != nil { + in, out := &in.EnforceHttps, &out.EnforceHttps + *out = new(bool) + **out = **in + } + if in.EnableSecretsSync != nil { + in, out := &in.EnableSecretsSync, &out.EnableSecretsSync + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIngressSpec. +func (in *CiliumIngressSpec) DeepCopy() *CiliumIngressSpec { + if in == nil { + return nil + } + out := new(CiliumIngressSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = *in @@ -739,6 +770,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = new(bool) **out = **in } + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = new(CiliumIngressSpec) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go index 6af6332c11547..c02182cac2c15 100644 --- a/pkg/model/components/cilium.go +++ b/pkg/model/components/cilium.go 
@@ -168,5 +168,34 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error { } } + ingress := c.Ingress + if ingress != nil { + if ingress.Enabled == nil { + ingress.Enabled = fi.PtrTo(true) + } + if ingress.EnforceHttps == nil { + ingress.EnforceHttps = fi.PtrTo(true) + } + if ingress.EnableSecretsSync == nil { + ingress.EnableSecretsSync = fi.PtrTo(true) + } + if ingress.SecretsNamespace == "" { + ingress.SecretsNamespace = "cilium-secrets" + } + if ingress.LoadBalancerAnnotationPrefixes == "" { + ingress.LoadBalancerAnnotationPrefixes = "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" + } + if ingress.DefaultLoadBalancerMode == "" { + ingress.DefaultLoadBalancerMode = "shared" + } + if ingress.SharedLoadBalancerServiceName == "" { + ingress.SharedLoadBalancerServiceName = "cilium-ingress" + } + } else { + c.Ingress = &kops.CiliumIngressSpec{ + Enabled: fi.PtrTo(false), + } + } + return nil } diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content index 3b29adebbcc94..d9a11cfbda8e2 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content @@ -218,6 +218,15 @@ spec: enabled: false identityAllocationMode: crd identityChangeGracePeriod: 5s + ingress: + defaultLoadBalancerMode: shared + enableSecretsSync: true + enabled: false + enforceHttps: true + loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io + cloud.google.com + secretsNamespace: cilium-secrets + sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi monitorAggregation: medium 
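Review bot: Merely writing an `ingress:` block with `enabled` omitted switches the ingress controller on (`ingress.Enabled = fi.PtrTo(true)`), whereas omitting the block switches it off (`Enabled: fi.PtrTo(false)`), so a user who only wants to pre-set `secretsNamespace` or `defaultLoadBalancerMode` ends up with the LoadBalancer Service on 80/443 that the privatecilium2 expected output shows. Defaulting to off in both branches, `ingress.Enabled = fi.PtrTo(false)`, and requiring an explicit `enabled: true` is the safer reading and matches how the other pointer booleans in this spec are treated as opt-in; if enabling-by-presence is intended, the `Enabled` field comment in networking.go should say so. The remaining defaults are filled in even when `Enabled` is false, which is what the updated spec_content fixtures show; that is harmless but a short comment such as `// Defaults are populated even when ingress is disabled so the completed spec is stable.` would stop the next reader from "fixing" it. BuildOptions begins outside the hunk.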
diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content index 66de8bca22891..6f91cf8a598ac 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content @@ -210,6 +210,15 @@ spec: enabled: false identityAllocationMode: crd identityChangeGracePeriod: 5s + ingress: + defaultLoadBalancerMode: shared + enableSecretsSync: true + enabled: false + enforceHttps: true + loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io + cloud.google.com + secretsNamespace: cilium-secrets + sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi monitorAggregation: medium diff --git a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content index 96be8120aef0a..a187a355e0d99 100644 --- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content @@ -191,6 +191,15 @@ spec: enabled: false identityAllocationMode: crd identityChangeGracePeriod: 5s + ingress: + defaultLoadBalancerMode: shared + enableSecretsSync: true + enabled: false + enforceHttps: true + loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io + cloud.google.com + secretsNamespace: cilium-secrets + sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi monitorAggregation: medium 
diff --git a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content index f2eac74e198eb..2976059bce96e 100644 --- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content @@ -212,6 +212,15 @@ spec: enabled: false identityAllocationMode: crd identityChangeGracePeriod: 5s + ingress: + defaultLoadBalancerMode: shared + enableSecretsSync: true + enabled: false + enforceHttps: true + loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io + cloud.google.com + secretsNamespace: cilium-secrets + sharedLoadBalancerServiceName: cilium-ingress ipam: eni memoryRequest: 128Mi monitorAggregation: medium diff --git a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content index 6dd8aba8af441..4bacb1ef6864c 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content @@ -216,6 +216,15 @@ spec: enabled: false identityAllocationMode: crd identityChangeGracePeriod: 5s + ingress: + defaultLoadBalancerMode: shared + enableSecretsSync: true + enabled: false + enforceHttps: true + loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io + cloud.google.com + secretsNamespace: cilium-secrets + sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi monitorAggregation: medium 
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content index a8c67867570ea..d87e85da648f6 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content @@ -216,6 +216,14 @@ spec: enabled: true identityAllocationMode: crd identityChangeGracePeriod: 5s + ingress: + defaultLoadBalancerMode: dedicated + enableSecretsSync: false + enabled: true + enforceHttps: false + loadBalancerAnnotationPrefixes: service.alpha.kubernetes.io + secretsNamespace: private-secrets + sharedLoadBalancerServiceName: private-ingress ipam: kubernetes memoryRequest: 128Mi monitorAggregation: medium diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content index 29746c1dd3330..0d638141a5c37 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content @@ -162,7 +162,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.13.yaml - manifestHash: 41a6598e0f382e210ad03cb13b8f247161399691248fb677f43f78ad25487a3a + manifestHash: 307c72c9cb2732c4a2fcd0a9044ad5809539ac129a9c7793a00557bb5babc384 name: networking.cilium.io needsPKI: true needsRollingUpdate: all 
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content index 966a97901bab7..5b5c7694b179e 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -58,7 +58,10 @@ data: disable-endpoint-crd: "false" enable-bpf-masquerade: "false" enable-endpoint-health-checking: "true" + enable-envoy-config: "true" enable-hubble: "true" + enable-ingress-controller: "true" + enable-ingress-secrets-sync: "false" enable-ipv4: "true" enable-ipv4-masquerade: "true" enable-ipv6: "false" @@ -68,6 +71,8 @@ data: enable-remote-node-identity: "true" enable-service-topology: "false" enable-unreachable-routes: "false" + enforce-ingress-https: "false" + external-envoy-proxy: "false" hubble-disable-tls: "false" hubble-listen-address: :4244 hubble-socket-path: /var/run/cilium/hubble.sock @@ -76,6 +81,10 @@ data: hubble-tls-key-file: /var/lib/cilium/tls/hubble/tls.key identity-allocation-mode: crd identity-change-grace-period: 5s + ingress-default-lb-mode: dedicated + ingress-lb-annotation-prefixes: service.alpha.kubernetes.io + ingress-secrets-namespace: private-secrets + ingress-shared-lb-service-name: private-ingress install-iptables-rules: "true" ipam: kubernetes kube-proxy-replacement: partial @@ -388,6 +397,21 @@ rules: - create - get - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update --- 
@@ -431,6 +455,166 @@ subjects: --- +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: private-secrets + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-ingress-secrets + namespace: private-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + namespace: private-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: private-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: private-secrets +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + cilium.io/ingress: "true" + role.kubernetes.io/networking: "1" + name: private-ingress + namespace: kube-system +spec: + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + - name: https + nodePort: null + port: 443 + protocol: TCP + type: LoadBalancer + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: private-ingress + namespace: kube-system +subsets: +- addresses: + - ip: 192.192.192.192 + ports: + - port: 9999 + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium +spec: + controller: cilium.io/ingress-controller + +--- + apiVersion: v1 kind: Service metadata: diff --git a/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml b/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml index 1646cfc7672da..3e38a5b2aa9a1 100644 --- a/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml +++ b/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml 
@@ -30,6 +30,14 @@ spec: cilium: clusterName: privatecilium.example.com clusterID: 253 + ingress: + enabled: true + defaultLoadBalancerMode: dedicated + enableSecretsSync: false + enforceHttps: false + loadBalancerAnnotationPrefixes: service.alpha.kubernetes.io + secretsNamespace: private-secrets + sharedLoadBalancerServiceName: private-ingress hubble: enabled: true nonMasqueradeCIDR: 100.64.0.0/10 diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content index 92f8802b5219a..8490a68dd0f65 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content @@ -224,6 +224,15 @@ spec: enabled: false identityAllocationMode: crd identityChangeGracePeriod: 5s + ingress: + defaultLoadBalancerMode: shared + enableSecretsSync: true + enabled: false + enforceHttps: true + loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io + cloud.google.com + secretsNamespace: cilium-secrets + sharedLoadBalancerServiceName: cilium-ingress ipam: eni memoryRequest: 128Mi monitorAggregation: medium diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template index ee747b1958ebe..dab6dca6253f0 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template 
@@ -278,6 +278,18 @@ data: enable-service-topology: "{{ .EnableServiceTopology }}" + {{ if WithDefaultBool .Ingress.Enabled false }} + enable-envoy-config: "true" + external-envoy-proxy: "false" + enable-ingress-controller: "true" + enforce-ingress-https: "{{ .Ingress.EnforceHttps }}" + enable-ingress-secrets-sync: "{{ .Ingress.EnableSecretsSync }}" + ingress-secrets-namespace: {{ .Ingress.SecretsNamespace }} + ingress-lb-annotation-prefixes: "{{ .Ingress.LoadBalancerAnnotationPrefixes }}" + ingress-default-lb-mode: {{ .Ingress.DefaultLoadBalancerMode }} + ingress-shared-lb-service-name: {{ .Ingress.SharedLoadBalancerServiceName }} + {{ end }} + {{ if WithDefaultBool .Hubble.Enabled false }} # Enable Hubble gRPC service. enable-hubble: "true" @@ -583,6 +595,23 @@ rules: - create - get - update +{{ if WithDefaultBool .Ingress.Enabled false }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status # To update ingress status with load balancer IP. + verbs: + - update +{{ end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
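Review bot: In the `@@ -278` hunk, `ingress-secrets-namespace`, `ingress-default-lb-mode` and `ingress-shared-lb-service-name` are emitted as bare scalars while the neighbouring keys are quoted, and all three are copied straight from the cluster spec, so a value containing YAML-significant characters would break the rendered ConfigMap instead of being rejected. Unless the validation.go change in this series already restricts those strings, quote them like the other keys, `ingress-secrets-namespace: "{{ .Ingress.SecretsNamespace }}"`, or validate them as DNS labels. The `data:` block this hunk sits in starts outside the hunk.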
@@ -609,6 +638,124 @@ subjects: - kind: ServiceAccount name: cilium-operator namespace: kube-system +{{ if WithDefaultBool .Ingress.Enabled false }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Ingress.SecretsNamespace }} +--- +# Source: cilium/templates/cilium-agent/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cilium-ingress-secrets + namespace: {{ .Ingress.SecretsNamespace }} + labels: + app.kubernetes.io/part-of: cilium +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +# Source: cilium/templates/cilium-agent/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cilium-secrets + namespace: {{ .Ingress.SecretsNamespace }} + labels: + app.kubernetes.io/part-of: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: + - kind: ServiceAccount + name: "cilium" + namespace: kube-system +--- +# Source: cilium/templates/cilium-operator/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cilium-operator-ingress-secrets + namespace: {{ .Ingress.SecretsNamespace }} + labels: + app.kubernetes.io/part-of: cilium +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch +--- +# Source: cilium/templates/cilium-operator/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cilium-operator-ingress-secrets + namespace: {{ .Ingress.SecretsNamespace }} + labels: + app.kubernetes.io/part-of: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: + - kind: ServiceAccount + name: "cilium-operator" + namespace: kube-system +--- +# Source: cilium/templates/cilium-ingress-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: {{ .Ingress.SharedLoadBalancerServiceName }} + namespace: kube-system + labels: 
+ cilium.io/ingress: "true" +spec: + ports: + - name: http + port: 80 + protocol: TCP + nodePort: + - name: https + port: 443 + protocol: TCP + nodePort: + type: LoadBalancer +--- +# Source: cilium/templates/cilium-ingress-service.yaml +apiVersion: v1 +kind: Endpoints +metadata: + name: {{ .Ingress.SharedLoadBalancerServiceName }} + namespace: kube-system +subsets: +- addresses: + - ip: "192.192.192.192" + ports: + - port: 9999 +--- +# Source: cilium/templates/cilium-ingress-class.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: cilium +spec: + controller: cilium.io/ingress-controller +{{ end }} {{ if WithDefaultBool .Hubble.Enabled false }} --- # Source: cilium/templates/hubble-relay-service.yaml From 61d036933e45f87808fa41aa33b4e6d74dcfc320 Mon Sep 17 00:00:00 2001 From: zadjadr Date: Wed, 23 Aug 2023 17:57:15 +0200 Subject: [PATCH 2/4] hardcode ingress secrets namespace & lb mode --- k8s/crds/kops.k8s.io_clusters.yaml | 6 +---- pkg/apis/kops/networking.go | 6 +---- pkg/apis/kops/v1alpha2/networking.go | 6 +---- .../kops/v1alpha2/zz_generated.conversion.go | 2 -- pkg/apis/kops/v1alpha3/networking.go | 6 +---- .../kops/v1alpha3/zz_generated.conversion.go | 2 -- pkg/model/components/cilium.go | 5 +---- ...s_s3_object_cluster-completed.spec_content | 3 +-- ...s_s3_object_cluster-completed.spec_content | 3 +-- ...s_s3_object_cluster-completed.spec_content | 3 +-- ...s_s3_object_cluster-completed.spec_content | 3 +-- ...s_s3_object_cluster-completed.spec_content | 3 +-- ...s_s3_object_cluster-completed.spec_content | 1 - ...ilium.example.com-addons-bootstrap_content | 2 +- ...dons-networking.cilium.io-k8s-1.16_content | 22 +++++-------------- .../privatecilium2/in-v1alpha2.yaml | 1 - ...s_s3_object_cluster-completed.spec_content | 3 +-- .../k8s-1.16-v1.13.yaml.template | 15 +++++-------- 18 files changed, 22 insertions(+), 70 deletions(-) 
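Review bot: The Endpoints object for `{{ .Ingress.SharedLoadBalancerServiceName }}` carries the literal address `192.192.192.192:9999` with no explanation, and a reader will take it for a misconfiguration. A comment above `kind: Endpoints` such as `# Placeholder endpoint copied from the upstream chart; presumably keeps the Service from being backend-less while Cilium handles the traffic — confirm against cilium-ingress-service.yaml` would document the intent. The same hunk renders the shared Service and Endpoints whenever ingress is enabled regardless of `DefaultLoadBalancerMode`; a later patch in this series changes that.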
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index ffc809c6766e9..81ab6b952443d 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -5040,7 +5040,7 @@ spec: defaultLoadBalancerMode: description: 'DefaultLoadBalancerMode specifies the default load balancer mode. Possible values: ''shared'' or ''dedicated'' - Default: shared' + Default: dedicated' type: string enableSecretsSync: description: 'EnableSecretsSync specifies whether synchronization @@ -5060,10 +5060,6 @@ spec: Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"' type: string - secretsNamespace: - description: 'SecretsNamespace specifies the namespace - where secrets are synchronized. Default: cilium-secrets' - type: string sharedLoadBalancerServiceName: description: 'SharedLoadBalancerServiceName specifies the name of the shared load balancer service. Default: diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index 8a637a73e255a..563aa339d84c9 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go 
@@ -511,17 +511,13 @@ type CiliumIngressSpec struct {
 // Default: true
 EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`
- // SecretsNamespace specifies the namespace where secrets are synchronized.
- // Default: cilium-secrets
- SecretsNamespace string `json:"secretsNamespace,omitempty"`
-
 // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration.
 // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
 LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"`
 // DefaultLoadBalancerMode specifies the default load balancer mode.
 // Possible values: 'shared' or 'dedicated'
- // Default: shared
+ // Default: dedicated
 DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"`
 // SharedLoadBalancerServiceName specifies the name of the shared load balancer service.
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index 0d5528642fcbe..a781bf6d1675d 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@@ -632,17 +632,13 @@ type CiliumIngressSpec struct {
 // Default: true
 EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`
- // SecretsNamespace specifies the namespace where secrets are synchronized.
- // Default: cilium-secrets
- SecretsNamespace string `json:"secretsNamespace,omitempty"`
-
 // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration.
 // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
 LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"`
 // DefaultLoadBalancerMode specifies the default load balancer mode.
 // Possible values: 'shared' or 'dedicated'
- // Default: shared
+ // Default: dedicated
 DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"`
 // SharedLoadBalancerServiceName specifies the name of the shared load balancer service.
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index b44a3640d5749..8e2bf472b4072 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -1921,7 +1921,6 @@ func autoConvert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *Cilium
 out.Enabled = in.Enabled
 out.EnforceHttps = in.EnforceHttps
 out.EnableSecretsSync = in.EnableSecretsSync
- out.SecretsNamespace = in.SecretsNamespace
 out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes
 out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode
 out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName
@@ -1937,7 +1936,6 @@ func autoConvert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec(in *kops.C
 out.Enabled = in.Enabled
 out.EnforceHttps = in.EnforceHttps
 out.EnableSecretsSync = in.EnableSecretsSync
- out.SecretsNamespace = in.SecretsNamespace
 out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes
 out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode
 out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName
diff --git a/pkg/apis/kops/v1alpha3/networking.go b/pkg/apis/kops/v1alpha3/networking.go
index cc3b3b2a27987..0bc057f665513 100644
--- a/pkg/apis/kops/v1alpha3/networking.go
+++ b/pkg/apis/kops/v1alpha3/networking.go
@@ -474,17 +474,13 @@ type CiliumIngressSpec struct {
 // Default: true
 EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`
- // SecretsNamespace specifies the namespace where secrets are synchronized.
- // Default: cilium-secrets
- SecretsNamespace string `json:"secretsNamespace,omitempty"`
-
 // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration.
 // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
 LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"`
 // DefaultLoadBalancerMode specifies the default load balancer mode.
 // Possible values: 'shared' or 'dedicated'
- // Default: shared
+ // Default: dedicated
 DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"`
 // SharedLoadBalancerServiceName specifies the name of the shared load balancer service.
diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
index 2790cb69488f4..1189b3f96d849 100644
--- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
@@ -2103,7 +2103,6 @@ func autoConvert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *Cilium
 out.Enabled = in.Enabled
 out.EnforceHttps = in.EnforceHttps
 out.EnableSecretsSync = in.EnableSecretsSync
- out.SecretsNamespace = in.SecretsNamespace
 out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes
 out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode
 out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName
@@ -2119,7 +2118,6 @@ func autoConvert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec(in *kops.C
 out.Enabled = in.Enabled
 out.EnforceHttps = in.EnforceHttps
 out.EnableSecretsSync = in.EnableSecretsSync
- out.SecretsNamespace = in.SecretsNamespace
 out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes
 out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode
 out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName
diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go
index c02182cac2c15..c24b74b855e22 100644
--- a/pkg/model/components/cilium.go
+++ b/pkg/model/components/cilium.go
@@ -179,14 +179,11 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 if ingress.EnableSecretsSync == nil {
 ingress.EnableSecretsSync = fi.PtrTo(true)
 }
- if ingress.SecretsNamespace == "" {
- ingress.SecretsNamespace = "cilium-secrets"
- }
 if ingress.LoadBalancerAnnotationPrefixes == "" {
 ingress.LoadBalancerAnnotationPrefixes = "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
 }
 if ingress.DefaultLoadBalancerMode == "" {
- ingress.DefaultLoadBalancerMode = "shared"
+ ingress.DefaultLoadBalancerMode = "dedicated"
 }
 if ingress.SharedLoadBalancerServiceName == "" {
 ingress.SharedLoadBalancerServiceName = "cilium-ingress"
diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content
index d9a11cfbda8e2..5a00de74a5b17 100644
--- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content
@@ -219,13 +219,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content index 6f91cf8a598ac..bdad49b1a6f41 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content @@ -211,13 +211,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content index a187a355e0d99..8b885db03966d 100644 --- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content 
@@ -192,13 +192,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content index 2976059bce96e..4cbe6b455239b 100644 --- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content @@ -213,13 +213,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: eni memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content index 4bacb1ef6864c..ce30a71836f49 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content 
@@ -217,13 +217,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content index d87e85da648f6..3bcf34deead6c 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content @@ -222,7 +222,6 @@ spec: enabled: true enforceHttps: false loadBalancerAnnotationPrefixes: service.alpha.kubernetes.io - secretsNamespace: private-secrets sharedLoadBalancerServiceName: private-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content index 0d638141a5c37..4bbed2943d1bf 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content 
@@ -162,7 +162,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.13.yaml - manifestHash: 307c72c9cb2732c4a2fcd0a9044ad5809539ac129a9c7793a00557bb5babc384 + manifestHash: cfa1382b52e49d9df2eac473b74a29641ebf9d52766d7d149e280e7f9f9ae29d name: networking.cilium.io needsPKI: true needsRollingUpdate: all diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content index 5b5c7694b179e..a97919d2e234f 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -83,7 +83,7 @@ data: identity-change-grace-period: 5s ingress-default-lb-mode: dedicated ingress-lb-annotation-prefixes: service.alpha.kubernetes.io - ingress-secrets-namespace: private-secrets + ingress-secrets-namespace: kube-system ingress-shared-lb-service-name: private-ingress install-iptables-rules: "true" ipam: kubernetes @@ -455,18 +455,6 @@ subjects: --- -apiVersion: v1 -kind: Namespace -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.cilium.io - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: private-secrets - ---- - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -477,7 +465,7 @@ metadata: app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" name: cilium-ingress-secrets - namespace: private-secrets + namespace: kube-system rules: - apiGroups: - "" 
@@ -500,7 +488,7 @@ metadata: app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" name: cilium-secrets - namespace: private-secrets + namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -522,7 +510,7 @@ metadata: app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" name: cilium-operator-ingress-secrets - namespace: private-secrets + namespace: kube-system rules: - apiGroups: - "" @@ -546,7 +534,7 @@ metadata: app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" name: cilium-operator-ingress-secrets - namespace: private-secrets + namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml b/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml index 3e38a5b2aa9a1..925101fdf2fd2 100644 --- a/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml +++ b/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml @@ -36,7 +36,6 @@ spec: enableSecretsSync: false enforceHttps: false loadBalancerAnnotationPrefixes: service.alpha.kubernetes.io - secretsNamespace: private-secrets sharedLoadBalancerServiceName: private-ingress hubble: enabled: true diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content index 8490a68dd0f65..9987d1efef782 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content 
@@ -225,13 +225,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: eni memoryRequest: 128Mi diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template index dab6dca6253f0..954b6658c1f96 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template @@ -284,7 +284,7 @@ data: enable-ingress-controller: "true" enforce-ingress-https: "{{ .Ingress.EnforceHttps }}" enable-ingress-secrets-sync: "{{ .Ingress.EnableSecretsSync }}" - ingress-secrets-namespace: {{ .Ingress.SecretsNamespace }} + ingress-secrets-namespace: kube-system ingress-lb-annotation-prefixes: "{{ .Ingress.LoadBalancerAnnotationPrefixes }}" ingress-default-lb-mode: {{ .Ingress.DefaultLoadBalancerMode }} ingress-shared-lb-service-name: {{ .Ingress.SharedLoadBalancerServiceName }} @@ -640,17 +640,12 @@ subjects: namespace: kube-system {{ if WithDefaultBool .Ingress.Enabled false }} --- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Ingress.SecretsNamespace }} ---- # Source: cilium/templates/cilium-agent/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: cilium-ingress-secrets - namespace: {{ .Ingress.SecretsNamespace }} + namespace: kube-system labels: app.kubernetes.io/part-of: cilium rules: 
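Review bot: Hardcoding `ingress-secrets-namespace: kube-system` in the `@@ -284` hunk and moving the secrets Roles and RoleBindings into kube-system (the `@@ -640` hunk here and the `@@ -668`, `@@ -685` and `@@ -704` hunks that follow) widens the grant considerably: `cilium-ingress-secrets` now gives the per-node `cilium` ServiceAccount get/list/watch on every Secret in kube-system, and `cilium-operator-ingress-secrets` gives the operator create/delete/update/patch there, neither scoped by `resourceNames`. The previous revision confined both roles to a dedicated namespace (`cilium-secrets` by default), so a compromised agent or operator credential could reach only synced ingress secrets. If the namespace is not meant to be user-configurable, a fixed dedicated namespace keeps that boundary; at minimum the trade-off deserves a comment next to the hardcoded value, e.g. `# Secrets are synced into kube-system; the Roles below therefore cover every Secret in that namespace.`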
@@ -668,7 +663,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cilium-secrets - namespace: {{ .Ingress.SecretsNamespace }} + namespace: kube-system labels: app.kubernetes.io/part-of: cilium roleRef: @@ -685,7 +680,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: cilium-operator-ingress-secrets - namespace: {{ .Ingress.SecretsNamespace }} + namespace: kube-system labels: app.kubernetes.io/part-of: cilium rules: @@ -704,7 +699,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cilium-operator-ingress-secrets - namespace: {{ .Ingress.SecretsNamespace }} + namespace: kube-system labels: app.kubernetes.io/part-of: cilium roleRef: From 592e84d04240507b472cb0ad80e6a865a7203bd6 Mon Sep 17 00:00:00 2001 From: Zadjad Rezai <121857296+zadjadr@users.noreply.github.com> Date: Wed, 23 Aug 2023 18:51:16 +0200 Subject: [PATCH 3/4] Populate ingress spec values only when needed Co-authored-by: Ciprian Hacman fmt --- pkg/model/components/cilium.go | 15 ------- .../k8s-1.16-v1.13.yaml.template | 39 +++++++++++++------ 2 files changed, 28 insertions(+), 26 deletions(-) diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go index c24b74b855e22..f7b8274e561d4 100644 --- a/pkg/model/components/cilium.go +++ b/pkg/model/components/cilium.go 
@@ -173,21 +173,6 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 if ingress.Enabled == nil {
 ingress.Enabled = fi.PtrTo(true)
 }
- if ingress.EnforceHttps == nil {
- ingress.EnforceHttps = fi.PtrTo(true)
- }
- if ingress.EnableSecretsSync == nil {
- ingress.EnableSecretsSync = fi.PtrTo(true)
- }
- if ingress.LoadBalancerAnnotationPrefixes == "" {
- ingress.LoadBalancerAnnotationPrefixes = "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
- }
- if ingress.DefaultLoadBalancerMode == "" {
- ingress.DefaultLoadBalancerMode = "dedicated"
- }
- if ingress.SharedLoadBalancerServiceName == "" {
- ingress.SharedLoadBalancerServiceName = "cilium-ingress"
- }
 } else {
 c.Ingress = &kops.CiliumIngressSpec{
 Enabled: fi.PtrTo(false),
diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template
index 954b6658c1f96..9fdf97a4e051f 100644
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template
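Review bot: With the five default assignments removed, kops no longer populates EnforceHttps, EnableSecretsSync, LoadBalancerAnnotationPrefixes, DefaultLoadBalancerMode or SharedLoadBalancerServiceName, yet the `CiliumIngressSpec` doc comments (`// Default: true`, `// Default: dedicated`, `// Default: cilium-ingress`, ...) in pkg/apis/kops/networking.go, their v1alpha2/v1alpha3 copies and the CRD descriptions are not in this commit's diffstat, so they now promise defaults that nothing applies. An unset field now means the key is left out of the Cilium ConfigMap and Cilium's own default takes effect, and the comments should say so, e.g. `// Default: unset (the key is omitted from the Cilium ConfigMap and Cilium's default applies)`. BuildOptions continues outside the hunk.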
@@ -282,14 +282,29 @@ data: enable-envoy-config: "true" external-envoy-proxy: "false" enable-ingress-controller: "true" + ingress-secrets-namespace: kube-system + + {{ if .Ingress.EnforceHttps }} enforce-ingress-https: "{{ .Ingress.EnforceHttps }}" + {{ end }} + + {{ if .Ingress.EnableSecretsSync }} enable-ingress-secrets-sync: "{{ .Ingress.EnableSecretsSync }}" - ingress-secrets-namespace: kube-system - ingress-lb-annotation-prefixes: "{{ .Ingress.LoadBalancerAnnotationPrefixes }}" - ingress-default-lb-mode: {{ .Ingress.DefaultLoadBalancerMode }} + {{ end }} + + {{ if .Ingress.SharedLoadBalancerServiceName }} ingress-shared-lb-service-name: {{ .Ingress.SharedLoadBalancerServiceName }} {{ end }} + {{ if .Ingress.DefaultLoadBalancerMode }} + ingress-default-lb-mode: {{ .Ingress.DefaultLoadBalancerMode }} + {{ end }} + + {{ if .Ingress.LoadBalancerAnnotationPrefixes }} + ingress-lb-annotation-prefixes: "{{ .Ingress.LoadBalancerAnnotationPrefixes }}" + {{ end }} + {{ end }} + {{ if WithDefaultBool .Hubble.Enabled false }} # Enable Hubble gRPC service. enable-hubble: "true" @@ -711,6 +726,15 @@ subjects: name: "cilium-operator" namespace: kube-system --- +# Source: cilium/templates/cilium-ingress-class.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: cilium +spec: + controller: cilium.io/ingress-controller +{{ if or (eq .Ingress.DefaultLoadBalancerMode "shared") (not .Ingress.DefaultLoadBalancerMode) }} +--- # Source: cilium/templates/cilium-ingress-service.yaml apiVersion: v1 kind: Service @@ -742,14 +766,7 @@ subsets: - ip: "192.192.192.192" ports: - port: 9999 ---- -# Source: cilium/templates/cilium-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: cilium -spec: - controller: cilium.io/ingress-controller +{{ end }} {{ end }} {{ if WithDefaultBool .Hubble.Enabled false }} --- From 47919e5727a8d5e05e7f190c6afdf256af7649f5 Mon Sep 17 00:00:00 2001 
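Review bot: `ingress-default-lb-mode: {{ .Ingress.DefaultLoadBalancerMode }}` and `ingress-shared-lb-service-name: {{ .Ingress.SharedLoadBalancerServiceName }}` write user-supplied strings into the ConfigMap unquoted while `ingress-lb-annotation-prefixes` right below is quoted; unless validation.go restricts these values, a value containing `: ` or ` #` or a YAML-special word is parsed as something other than what the user set or breaks the manifest. Quote both the same way: `ingress-default-lb-mode: "{{ .Ingress.DefaultLoadBalancerMode }}"`. Separately, `ingress-shared-lb-service-name` is emitted whenever the name is set even in dedicated mode, whereas the Service it names is only rendered under the shared-mode condition in the -711 hunk; the privatecilium2 fixture in the last commit, where a `private-ingress` Service is dropped from the expected output, looks like exactly that case.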
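Review bot: The shared Service and Endpoints are rendered when DefaultLoadBalancerMode is unset (`(not .Ingress.DefaultLoadBalancerMode)`), but in the same situation the -282 hunk omits `ingress-default-lb-mode` from the ConfigMap, so the operator's own default decides the mode; if that default is not "shared", a type LoadBalancer Service with no backing ingress is created and exposed for nothing. Make the unset case explicit in one place by always writing the key, `ingress-default-lb-mode: "{{ or .Ingress.DefaultLoadBalancerMode "shared" }}"`, so the ConfigMap and the Service condition cannot disagree.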
From: zadjadr Date: Sun, 10 Sep 2023 08:56:38 +0200 Subject: [PATCH 4/4] hack/update-expected.sh --- ...s_s3_object_cluster-completed.spec_content | 6 --- ...s_s3_object_cluster-completed.spec_content | 6 --- ...s_s3_object_cluster-completed.spec_content | 6 --- ...s_s3_object_cluster-completed.spec_content | 6 --- ...s_s3_object_cluster-completed.spec_content | 6 --- ...ilium.example.com-addons-bootstrap_content | 2 +- ...dons-networking.cilium.io-k8s-1.16_content | 43 ------------------- ...s_s3_object_cluster-completed.spec_content | 6 --- 8 files changed, 1 insertion(+), 80 deletions(-) diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content index 5a00de74a5b17..92406d3cbc054 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content @@ -219,13 +219,7 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: dedicated - enableSecretsSync: true enabled: false - enforceHttps: true - loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io - cloud.google.com - sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi monitorAggregation: medium diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content index bdad49b1a6f41..599d2ab743f48 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content 
@@ -211,13 +211,7 @@ spec:
 identityAllocationMode: crd
 identityChangeGracePeriod: 5s
 ingress:
- defaultLoadBalancerMode: dedicated
- enableSecretsSync: true
 enabled: false
- enforceHttps: true
- loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
- cloud.google.com
- sharedLoadBalancerServiceName: cilium-ingress
 ipam: kubernetes
 memoryRequest: 128Mi
 monitorAggregation: medium
diff --git a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content
index 8b885db03966d..33772d3893f11 100644
--- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content
@@ -192,13 +192,7 @@ spec:
 identityAllocationMode: crd
 identityChangeGracePeriod: 5s
 ingress:
- defaultLoadBalancerMode: dedicated
- enableSecretsSync: true
 enabled: false
- enforceHttps: true
- loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
- cloud.google.com
- sharedLoadBalancerServiceName: cilium-ingress
 ipam: kubernetes
 memoryRequest: 128Mi
 monitorAggregation: medium
diff --git a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content
index 4cbe6b455239b..dec90d094e3db 100644
--- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content
@@ -213,13 +213,7 @@ spec:
 identityAllocationMode: crd
 identityChangeGracePeriod: 5s
 ingress:
- defaultLoadBalancerMode: dedicated
- enableSecretsSync: true
 enabled: false
- enforceHttps: true
- loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
- cloud.google.com
- sharedLoadBalancerServiceName: cilium-ingress
 ipam: eni
 memoryRequest: 128Mi
 monitorAggregation: medium
diff --git a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content
index ce30a71836f49..bf5024fe7639c 100644
--- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content
@@ -217,13 +217,7 @@ spec:
 identityAllocationMode: crd
 identityChangeGracePeriod: 5s
 ingress:
- defaultLoadBalancerMode: dedicated
- enableSecretsSync: true
 enabled: false
- enforceHttps: true
- loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
- cloud.google.com
- sharedLoadBalancerServiceName: cilium-ingress
 ipam: kubernetes
 memoryRequest: 128Mi
 monitorAggregation: medium
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
index 4bbed2943d1bf..8270f07a17fa2 100644
--- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
@@ -162,7 +162,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.13.yaml - manifestHash: cfa1382b52e49d9df2eac473b74a29641ebf9d52766d7d149e280e7f9f9ae29d + manifestHash: ba5c764f4ddeb058c0dc7fd9287d445a6a3e8f186dbac9d63daf56770d81c24c name: networking.cilium.io needsPKI: true needsRollingUpdate: all diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content index a97919d2e234f..15d23aab410ef 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -546,49 +546,6 @@ subjects: --- -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.cilium.io - app.kubernetes.io/managed-by: kops - cilium.io/ingress: "true" - role.kubernetes.io/networking: "1" - name: private-ingress - namespace: kube-system -spec: - ports: - - name: http - nodePort: null - port: 80 - protocol: TCP - - name: https - nodePort: null - port: 443 - protocol: TCP - type: LoadBalancer - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.cilium.io - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: private-ingress - namespace: kube-system -subsets: -- addresses: - - ip: 192.192.192.192 - ports: - - port: 9999 - ---- - apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: 
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content
index 9987d1efef782..6cdad8fed99a9 100644
--- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content
@@ -225,13 +225,7 @@ spec:
 identityAllocationMode: crd
 identityChangeGracePeriod: 5s
 ingress:
- defaultLoadBalancerMode: dedicated
- enableSecretsSync: true
 enabled: false
- enforceHttps: true
- loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
- cloud.google.com
- sharedLoadBalancerServiceName: cilium-ingress
 ipam: eni
 memoryRequest: 128Mi
 monitorAggregation: medium