Opening apiserver Via Ingress

- Adding ingress charts to the kubernetes apiserver. - Works with using Airship in a Bottle: curl -H 'Host: kubernetes-apiserver.kube-system.svc.cluster.local' http://HOST_IP/healthz -v - Defaulting the apiserver ingress to off (false). Change-Id: I9341c4c281ae993991bfcda09026ab477fdff8fe
2018-07-24 15:01:59 -05:00 · 2018-07-24 15:01:59 -05:00 · 4059b11a42
commit 4059b11a42
parent 12b3c4627e
5 changed files with 106 additions and 1 deletions
--- a/charts/apiserver/templates/ingress-api.yaml
+++ b/charts/apiserver/templates/ingress-api.yaml
@ -0,0 +1,21 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.kubernetes_apiserver.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" "backendPort" "https" -}}
+{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}}
+{{- end }}
--- a/charts/apiserver/templates/secret-ingress-tls.yaml
+++ b/charts/apiserver/templates/secret-ingress-tls.yaml
@ -0,0 +1,19 @@
+{{/*
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" ) }}
+{{- end }}
--- a/charts/apiserver/templates/service-apiserver-ingress.yaml
+++ b/charts/apiserver/templates/service-apiserver-ingress.yaml
@ -0,0 +1,33 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_ingress }}
+{{- $envAll := . }}
+{{- if .Values.network.kubernetes_apiserver.ingress.public }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubernetes-apiserver-ingress
+spec:
+  ports:
+  - name: https
+    port: {{ .Values.network.kubernetes_apiserver.port }}
+  selector:
+    app: ingress-apiserver
+{{- end }}
+{{- end }}
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@ -65,9 +65,21 @@ apiserver:

 network:
  kubernetes_apiserver:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx-cluster"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
+        nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/secure-backends: "true"
    name: kubernetes-apiserver
    port: 6443
-    enable_node_port: false
+    node_port:
+      enabled: false
+      port: 31943

 service:
  name: kubernetes-apiserver
@ -95,8 +107,24 @@ endpoints:
    name: kubernetes-apiserver
    hosts:
      default: kubernetes-apiserver
+    port:
+      https:
+        default: 6443
+        public: 443
+    path:
+      default: /
+    scheme:
+      default: https
+      public: https
    host_fqdn_override:
      default: null
+      # NOTE: this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null

 pod:
  mounts:
@ -137,6 +165,9 @@ manifests:
  configmap_bin: true
  configmap_certs: true
  configmap_etc: true
+  ingress_api: false
  kubernetes_apiserver: true
  secret: true
+  secret_ingress_tls: false
  service: true
+  service_ingress: false
--- a/tools/gate/config-templates/bootstrap-armada-config.yaml
+++ b/tools/gate/config-templates/bootstrap-armada-config.yaml
@ -542,6 +542,7 @@ metadata:
  layeringDefinition:
    abstract: false
    layer: site
+  storagePolicy: cleartext
 data:
  chart_name: haproxy
  release: haproxy