Install traefik with helm

Upgrade to traefik helm chart tag v10.0.0

task: 37707
story: 2005286

Change-Id: I8195e9e0edaa3d587142c770f9fad3405416ab2f
Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
Diogo Guerra 2021-07-19 10:29:34 +00:00
parent ba75dce28a
commit 6a612e8625
12 changed files with 194 additions and 46 deletions


@ -348,8 +348,6 @@ the table are linked to more details elsewhere in the user guide.
| | - binpack | |
| | - random | |
+---------------------------------------+--------------------+---------------+
| `traefik_ingress_controller_tag`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
| `admission_control_list`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
| `prometheus_monitoring` (deprecated) | - true | false |
@ -411,6 +409,10 @@ the table are linked to more details elsewhere in the user guide.
+---------------------------------------+--------------------+---------------+
| `nginx_ingress_controller_chart_tag`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
| `traefik_ingress_controller_tag`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
| `traefik_chart_tag`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
| `kubelet_options`_ | extra kubelet args | "" |
+---------------------------------------+--------------------+---------------+
| `kubeapi_options`_ | extra kubeapi args | "" |
@ -1249,7 +1251,7 @@ _`container_infra_prefix`
* docker.io/grafana/grafana:5.1.5
* docker.io/prom/node-exporter:latest
* docker.io/prom/prometheus:latest
* docker.io/traefik:v1.7.28
* docker.io/traefik:2.4.9
* gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1
* gcr.io/google_containers/metrics-server-amd64:v0.3.6
* k8s.gcr.io/node-problem-detector:v0.6.2
@ -1723,6 +1725,11 @@ _`nginx_ingress_controller_chart_tag`
_`traefik_ingress_controller_tag`
The image tag for traefik_ingress_controller_tag.
Stein-default: v1.7.10
Xena: v2.4.9
_`traefik_chart_tag`
The chart version for traefik_ingress_controller_tag.
Xena: 10.0.2
DNS
---


@ -22,7 +22,9 @@ case "$ingress_controller" in
echo "No ingress controller configured."
;;
"traefik")
$enable-ingress-traefik
if [ "$(echo $TRAEFIK_INGRESS_CONTROLLER_TAG | grep '^v1.*')" != "" ]; then
$enable-ingress-traefik
fi
;;
"octavia")
$enable-ingress-octavia
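Review bot: The new guard around `$enable-ingress-traefik` in the "traefik" arm silently does nothing for any tag that does not start with `v1`, and the pattern `'^v1.*'` is looser than it looks: the dot is a regex wildcard, so a tag such as `v10.0.0` would also select the legacy path. The companion Helm script in this commit only acts on tags beginning with `v2`, so a tag written without the leading `v` (the user guide here lists the image as `docker.io/traefik:2.4.9`) would match neither branch and leave the cluster with no ingress controller and no message. I would match the literal prefix with the variable quoted, `case "$TRAEFIK_INGRESS_CONTROLLER_TAG" in v1.*) $enable-ingress-traefik ;; esac`, and log when neither branch applies. The surrounding `case "$ingress_controller"` statement starts and ends outside this hunk.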


@ -31,7 +31,6 @@ KUBE_API_PORT="$KUBE_API_PORT"
KUBE_NODE_PUBLIC_IP="$KUBE_NODE_PUBLIC_IP"
KUBE_NODE_IP="$KUBE_NODE_IP"
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG"
ENABLE_CINDER="$ENABLE_CINDER"
ETCD_VOLUME="$ETCD_VOLUME"
ETCD_VOLUME_SIZE="$ETCD_VOLUME_SIZE"
@ -129,6 +128,8 @@ HELM_CLIENT_TAG="$HELM_CLIENT_TAG"
NODE_PROBLEM_DETECTOR_TAG="$NODE_PROBLEM_DETECTOR_TAG"
NGINX_INGRESS_CONTROLLER_TAG="$NGINX_INGRESS_CONTROLLER_TAG"
NGINX_INGRESS_CONTROLLER_CHART_TAG="$NGINX_INGRESS_CONTROLLER_CHART_TAG"
TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG"
TRAEFIK_CHART_TAG="$TRAEFIK_CHART_TAG"
AUTO_HEALING_ENABLED="$AUTO_HEALING_ENABLED"
AUTO_HEALING_CONTROLLER="$AUTO_HEALING_CONTROLLER"
AUTO_SCALING_ENABLED="$AUTO_SCALING_ENABLED"


@ -0,0 +1,99 @@
set +x
. /etc/sysconfig/heat-params
set -ex
CHART_NAME="traefik"
if [ "$(echo ${INGRESS_CONTROLLER} | tr '[:upper:]' '[:lower:]')" == "traefik" ] && \
[ "$(echo $TRAEFIK_INGRESS_CONTROLLER_TAG | grep '^v2.*')" != "" ]; then
echo "Writing ${CHART_NAME} config"
HELM_CHART_DIR="/srv/magnum/kubernetes/helm/magnum"
mkdir -p ${HELM_CHART_DIR}
cat << EOF >> ${HELM_CHART_DIR}/requirements.yaml
- name: ${CHART_NAME}
version: ${TRAEFIK_CHART_TAG}
repository: https://helm.traefik.io/traefik
EOF
cat << EOF >> ${HELM_CHART_DIR}/values.yaml
traefik:
image:
name: ${CONTAINER_INFRA_PREFIX:-docker.io/}traefik
tag: ${TRAEFIK_INGRESS_CONTROLLER_TAG:-null}
deployment:
kind: DaemonSet
podDisruptionBudget:
enabled: true
ingressClass:
enabled: true
isDefaultClass: true
logs:
general:
format: json
level: INFO
access:
enabled: true
format: json
globalArguments: {}
ports:
web:
port: 80
exposedPort: 80
nodePort: 32080
websecure:
port: 443
exposedPort: 443
nodePort: 32443
tlsOptions:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
service:
type: NodePort
hostNetwork: true
podSecurityPolicy:
enabled: true
nodeSelector:
role: ${INGRESS_CONTROLLER_ROLE}
priorityClassName: system-node-critical
# ISSUE: https://github.com/traefik/traefik-helm-chart/issues/336
securityContext:
capabilities:
drop: [ALL]
add: [NET_BIND_SERVICE]
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
EOF
if [ "$(echo ${MONITORING_ENABLED} | tr '[:upper:]' '[:lower:]')" = "true" ]; then
cat << EOF >> ${HELM_CHART_DIR}/values.yaml
globalArguments:
- --metrics.prometheus=true
- --metrics.prometheus.entryPoint=metrics
- --entryPoints.metrics.address=:8082
EOF
fi
fi
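Review bot: The `tlsOptions.default.cipherSuites` list in the generated values still offers static-RSA key exchange (`TLS_RSA_WITH_*`) and CBC-mode suites, so clients can negotiate sessions without forward secrecy even though `minVersion` is `VersionTLS12`. Ending the list after `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` keeps only the ECDHE AEAD suites. The `securityContext` block runs Traefik as uid 0 with `runAsNonRoot: false` while `hostNetwork: true` is set, and the `# ISSUE:` link alone does not say why; a comment stating the reason (presumably binding 80/443 on the host network) and when to return to a non-root user would help the next reviewer. Also, `globalArguments: {}` is written in the first heredoc and `globalArguments:` is appended again when monitoring is enabled; the page has lost indentation so this is inferred, but it looks like a duplicate key under `traefik:` and the script would be safer emitting the key once.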


@ -376,31 +376,32 @@ EOF
fi #END PERSISTENT STORAGE CONFIG
#######################
# Set up definitions for ingress objects
# Set up definitions for extra monitoring
# Ensure name conformity
INGRESS_CONTROLLER=$(echo ${INGRESS_CONTROLLER} | tr '[:upper:]' '[:lower:]')
if [ "${INGRESS_CONTROLLER}" == "nginx" ]; then
:
elif [ "${INGRESS_CONTROLLER}" == "traefik" ]; then
if [ "$(echo ${AUTO_SCALING_ENABLED} | tr '[:upper:]' '[:lower:]')" == "true" ] ||
[ "$(echo ${INGRESS_CONTROLLER} | tr '[:upper:]' '[:lower:]')" == "traefik" ]; then
cat << EOF >> ${HELM_CHART_DIR}/values.yaml
additionalPodMonitors:
EOF
fi
if [ "${INGRESS_CONTROLLER}" == "traefik" ]; then
cat << EOF >> ${HELM_CHART_DIR}/values.yaml
additionalServiceMonitors:
- name: prometheus-traefik-metrics
selector:
matchLabels:
k8s-app: traefik
podMetricsEndpoints:
- port: metrics
scheme: http
namespaceSelector:
matchNames:
- kube-system
endpoints:
- path: /metrics
port: metrics
selector:
matchLabels:
app.kubernetes.io/name: traefik
EOF
fi #END INGRESS
if [ "$(echo ${AUTO_SCALING_ENABLED} | tr '[:upper:]' '[:lower:]')" == "true" ]; then
cat << EOF >> ${HELM_CHART_DIR}/values.yaml
additionalPodMonitors:
- name: prometheus-cluster-autoscaler
podMetricsEndpoints:
- port: metrics


@ -117,6 +117,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
'helm_client_url', 'helm_client_sha256',
'helm_client_tag',
'traefik_ingress_controller_tag',
'traefik_chart_tag',
'node_problem_detector_tag',
'nginx_ingress_controller_tag',
'nginx_ingress_controller_chart_tag',


@ -278,11 +278,6 @@ parameters:
the docker cgroup driver.
default: "cgroupfs"
traefik_ingress_controller_tag:
type: string
description: tag of the traefik containers to be used.
default: v1.7.28
wait_condition_timeout:
type: number
description: >
@ -872,6 +867,16 @@ parameters:
description: nginx ingress controller helm chart tag
default: v1.36.3
traefik_ingress_controller_tag:
type: string
description: tag of the traefik containers to be used.
default: v2.4.9
traefik_chart_tag:
type: string
description: tag of the traefik helm chart to be used.
default: 10.0.2
draino_tag:
type: string
description: tag of the draino container
@ -1208,7 +1213,6 @@ resources:
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
traefik_ingress_controller_tag: {get_param: traefik_ingress_controller_tag}
volume_driver: {get_param: volume_driver}
region_name: {get_param: region_name}
fixed_network: {get_attr: [network, fixed_network]}
@ -1294,6 +1298,8 @@ resources:
node_problem_detector_tag: {get_param: node_problem_detector_tag}
nginx_ingress_controller_tag: {get_param: nginx_ingress_controller_tag}
nginx_ingress_controller_chart_tag: {get_param: nginx_ingress_controller_chart_tag}
traefik_ingress_controller_tag: {get_param: traefik_ingress_controller_tag}
traefik_chart_tag: {get_param: traefik_chart_tag}
auto_healing_enabled: {get_param: auto_healing_enabled}
auto_healing_controller: {get_param: auto_healing_controller}
magnum_auto_healer_tag: {get_param: magnum_auto_healer_tag}
@ -1365,6 +1371,7 @@ resources:
"${KUBE_MASTERS_PRIVATE}": {get_attr: [kube_masters, kube_master_external_ip]}
- get_file: ../../common/templates/kubernetes/helm/prometheus-adapter.sh
- get_file: ../../common/templates/kubernetes/helm/ingress-nginx.sh
- get_file: ../../common/templates/kubernetes/helm/ingress-traefik.sh
- get_file: ../../common/templates/kubernetes/fragments/install-helm-modules.sh
kube_cluster_deploy:
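Review bot: The new `traefik_chart_tag` parameter (and the relocated `traefik_ingress_controller_tag`) is a free-form `type: string` with no `constraints`, yet its value is written as `TRAEFIK_CHART_TAG="$TRAEFIK_CHART_TAG"` into the heat-params file that the Helm fragment sources and then expands unquoted into `requirements.yaml`. A label value containing a double quote, whitespace or `$(...)` would therefore be interpreted by the shell that sources the file, or break the generated YAML. Adding a constraint to both parameters, for example `constraints: [{allowed_pattern: "^[A-Za-z0-9._-]+$"}]`, rejects such values at stack-create time. The same applies to the parameter definitions in the other three template sections of this commit, which add the same two parameters. The `parameters:` and `resources:` maps start and end outside these hunks.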


@ -155,10 +155,6 @@ parameters:
type: boolean
description: whether or not to enable TLS
traefik_ingress_controller_tag:
type: string
description: tag of the traefik containers to be used.
kube_dashboard_enabled:
type: boolean
description: whether or not to disable kubernetes dashboard
@ -608,6 +604,14 @@ parameters:
type: string
description: nginx ingress controller helm chart tag
traefik_ingress_controller_tag:
type: string
description: tag of the traefik containers to be used.
traefik_chart_tag:
type: string
description: tag of the traefik helm chart to be used.
draino_tag:
type: string
description: tag of the draino container
@ -780,7 +784,6 @@ resources:
"$CLUSTER_NETWORK_NAME": {get_param: fixed_network_name}
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$TLS_DISABLED": {get_param: tls_disabled}
"$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$INFLUX_GRAFANA_DASHBOARD_ENABLED": {get_param: influx_grafana_dashboard_enabled}
"$VERIFY_CA": {get_param: verify_ca}
@ -854,6 +857,8 @@ resources:
"$NODE_PROBLEM_DETECTOR_TAG": {get_param: node_problem_detector_tag}
"$NGINX_INGRESS_CONTROLLER_TAG": {get_param: nginx_ingress_controller_tag}
"$NGINX_INGRESS_CONTROLLER_CHART_TAG": {get_param: nginx_ingress_controller_chart_tag}
"$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag}
"$TRAEFIK_CHART_TAG": {get_param: traefik_chart_tag}
"$AUTO_HEALING_ENABLED": {get_param: auto_healing_enabled}
"$AUTO_HEALING_CONTROLLER": {get_param: auto_healing_controller}
"$MAGNUM_AUTO_HEALER_TAG": {get_param: magnum_auto_healer_tag}


@ -280,11 +280,6 @@ parameters:
the docker cgroup driver.
default: "cgroupfs"
traefik_ingress_controller_tag:
type: string
description: tag of the traefik containers to be used.
default: v1.7.28
wait_condition_timeout:
type: number
description: >
@ -886,6 +881,16 @@ parameters:
description: nginx ingress controller helm chart tag
default: v1.36.3
traefik_ingress_controller_tag:
type: string
description: tag of the traefik containers to be used.
default: v2.4.9
traefik_chart_tag:
type: string
description: tag of the traefik helm chart to be used.
default: 10.0.2
draino_tag:
type: string
description: tag of the draino container
@ -1236,7 +1241,6 @@ resources:
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
traefik_ingress_controller_tag: {get_param: traefik_ingress_controller_tag}
volume_driver: {get_param: volume_driver}
region_name: {get_param: region_name}
fixed_network: {get_attr: [network, fixed_network]}
@ -1322,6 +1326,8 @@ resources:
node_problem_detector_tag: {get_param: node_problem_detector_tag}
nginx_ingress_controller_tag: {get_param: nginx_ingress_controller_tag}
nginx_ingress_controller_chart_tag: {get_param: nginx_ingress_controller_chart_tag}
traefik_ingress_controller_tag: {get_param: traefik_ingress_controller_tag}
traefik_chart_tag: {get_param: traefik_chart_tag}
auto_healing_enabled: {get_param: auto_healing_enabled}
auto_healing_controller: {get_param: auto_healing_controller}
magnum_auto_healer_tag: {get_param: magnum_auto_healer_tag}
@ -1395,6 +1401,7 @@ resources:
"${KUBE_MASTERS_PRIVATE}": {get_attr: [kube_masters, kube_master_ip]}
- get_file: ../../common/templates/kubernetes/helm/prometheus-adapter.sh
- get_file: ../../common/templates/kubernetes/helm/ingress-nginx.sh
- get_file: ../../common/templates/kubernetes/helm/ingress-traefik.sh
- get_file: ../../common/templates/kubernetes/fragments/install-helm-modules.sh
kube_cluster_deploy:


@ -159,10 +159,6 @@ parameters:
type: boolean
description: whether or not to enable TLS
traefik_ingress_controller_tag:
type: string
description: tag of the traefik containers to be used.
kube_dashboard_enabled:
type: boolean
description: whether or not to disable kubernetes dashboard
@ -612,6 +608,14 @@ parameters:
type: string
description: nginx ingress controller helm chart tag
traefik_ingress_controller_tag:
type: string
description: tag of the traefik containers to be used.
traefik_chart_tag:
type: string
description: tag of the traefik helm chart to be used.
draino_tag:
type: string
description: tag of the draino container
@ -799,7 +803,6 @@ resources:
"$CLUSTER_NETWORK_NAME": {get_param: fixed_network_name}
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$TLS_DISABLED": {get_param: tls_disabled}
"$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$INFLUX_GRAFANA_DASHBOARD_ENABLED": {get_param: influx_grafana_dashboard_enabled}
"$VERIFY_CA": {get_param: verify_ca}
@ -873,6 +876,8 @@ resources:
"$NODE_PROBLEM_DETECTOR_TAG": {get_param: node_problem_detector_tag}
"$NGINX_INGRESS_CONTROLLER_TAG": {get_param: nginx_ingress_controller_tag}
"$NGINX_INGRESS_CONTROLLER_CHART_TAG": {get_param: nginx_ingress_controller_chart_tag}
"$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag}
"$TRAEFIK_CHART_TAG": {get_param: traefik_chart_tag}
"$AUTO_HEALING_ENABLED": {get_param: auto_healing_enabled}
"$AUTO_HEALING_CONTROLLER": {get_param: auto_healing_controller}
"$MAGNUM_AUTO_HEALER_TAG": {get_param: magnum_auto_healer_tag}


@ -512,6 +512,10 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'nginx_ingress_controller_tag')
nginx_ingress_controller_chart_tag = mock_cluster.labels.get(
'nginx_ingress_controller_chart_tag')
traefik_ingress_controller_tag = mock_cluster.labels.get(
'traefik_ingress_controller_tag')
traefik_chart_tag = mock_cluster.labels.get(
'traefik_chart_tag')
kubelet_options = mock_cluster.labels.get(
'kubelet_options')
kubeapi_options = mock_cluster.labels.get(
@ -576,8 +580,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
helm_client_tag = mock_cluster.labels.get(
'helm_client_tag')
npd_tag = mock_cluster.labels.get('node_problem_detector_tag')
traefik_ingress_controller_tag = mock_cluster.labels.get(
'traefik_ingress_controller_tag')
auto_healing_enabled = mock_cluster.labels.get(
'auto_healing_enabled')
auto_healing_controller = mock_cluster.labels.get(
@ -680,6 +682,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'nginx_ingress_controller_tag': nginx_ingress_controller_tag,
'nginx_ingress_controller_chart_tag':
nginx_ingress_controller_chart_tag,
'traefik_ingress_controller_tag': traefik_ingress_controller_tag,
'traefik_chart_tag': traefik_chart_tag,
'octavia_enabled': False,
'kube_service_account_key': 'public_key',
'kube_service_account_private_key': 'private_key',
@ -725,7 +729,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'autoscaler_tag': autoscaler_tag,
'min_node_count': min_node_count,
'max_node_count': max_node_count,
'traefik_ingress_controller_tag': traefik_ingress_controller_tag,
'npd_enabled': npd_enabled,
'kube_version': kube_tag,
'master_kube_tag': kube_tag,
@ -1066,6 +1069,10 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'nginx_ingress_controller_tag')
nginx_ingress_controller_chart_tag = mock_cluster.labels.get(
'nginx_ingress_controller_chart_tag')
traefik_ingress_controller_tag = mock_cluster.labels.get(
'traefik_ingress_controller_tag')
traefik_chart_tag = mock_cluster.labels.get(
'traefik_chart_tag')
kubelet_options = mock_cluster.labels.get(
'kubelet_options')
kubeapi_options = mock_cluster.labels.get(
@ -1130,8 +1137,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
helm_client_tag = mock_cluster.labels.get(
'helm_client_tag')
npd_tag = mock_cluster.labels.get('node_problem_detector_tag')
traefik_ingress_controller_tag = mock_cluster.labels.get(
'traefik_ingress_controller_tag')
auto_healing_enabled = mock_cluster.labels.get(
'auto_healing_enabled')
auto_healing_controller = mock_cluster.labels.get(
@ -1237,6 +1242,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'nginx_ingress_controller_tag': nginx_ingress_controller_tag,
'nginx_ingress_controller_chart_tag':
nginx_ingress_controller_chart_tag,
'traefik_ingress_controller_tag': traefik_ingress_controller_tag,
'traefik_chart_tag': traefik_chart_tag,
'octavia_enabled': False,
'kube_service_account_key': 'public_key',
'kube_service_account_private_key': 'private_key',
@ -1282,7 +1289,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'autoscaler_tag': autoscaler_tag,
'min_node_count': min_node_count,
'max_node_count': max_node_count,
'traefik_ingress_controller_tag': traefik_ingress_controller_tag,
'npd_enabled': npd_enabled,
'kube_version': kube_tag,
'master_kube_tag': kube_tag,


@ -0,0 +1,7 @@
---
features:
- |
Traefik upgrade from v1.7.28 to v2.4.9.
upgrade:
- |
Traefik ingress is installed by helm for version 2