From 9493f4db27668a4b1fa0a9889ef9d3a932cd79aa Mon Sep 17 00:00:00 2001
From: Diogo Guerra
Date: Fri, 22 Mar 2019 16:35:16 +0100
Subject: [PATCH] [k8s] Set traefik to stable version v1.7.10
The current magnum traefik deployment will always pull latest traefik container image. With the new launch of traefik v2 (https://blog.containo.us/back-to-traefik-2-0-2f9aa17be305) this will have impact on how the ingress is described in k8s. This patch:
* Sets the traefik version to default tag v1.7.9, stable release prior to v2.
* Adds a new label to enable user to specify other than default traefik release.
Task: 30143
Task: 30146
Story: 2005286
Change-Id: I031a594f7b6014d88df055664afcf51b1cd2cd94
Signed-off-by: Diogo Guerra
(cherry picked from commit b3ceb252ef044f09496429e2663220c24c5d0f38)
---
doc/source/user/index.rst | 24 +++++++++++++------
.../fragments/enable-ingress-traefik.sh | 23 +++++++++++-------
.../fragments/write-heat-params-master.yaml | 1 +
.../fragments/write-heat-params.yaml | 1 +
.../drivers/heat/k8s_fedora_template_def.py | 1 +
.../templates/kubecluster.yaml | 6 +++++
.../templates/kubemaster.yaml | 5 ++++
.../unit/drivers/test_template_definition.py | 6 +++++
.../set-traefik-tag-7d4aca5685147970.yaml | 8 +++++++
9 files changed, 59 insertions(+), 16 deletions(-)
create mode 100644 releasenotes/notes/set-traefik-tag-7d4aca5685147970.yaml
diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 4e2cba4a23..3f4f77a685 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -311,6 +311,8 @@ the table are linked to more details elsewhere in the user guide. | | - binpack | | | | - random | | +---------------------------------------+--------------------+---------------+ +| `traefik_ingress_controller_tag`_ | see below | see below | ++---------------------------------------+--------------------+---------------+ | `admission_control_list`_ | see below | see below | +---------------------------------------+--------------------+---------------+ | `prometheus_monitoring`_ | - true | false | 
@@ -1114,26 +1116,31 @@ _`container_infra_prefix` all other components used in the cluster will be prefixed with this label, which assumes an operator has cloned all expected images in myregistry.example.com/mycloud. + Images that must be mirrored: - * docker.io/coredns/coredns:1.0.1 - * docker.io/grafana/grafana:5.1.5 + * docker.io/coredns/coredns:1.3.0 + * docker.io/openstackmagnum/etcd + * docker.io/openstackmagnum/flannel * docker.io/openstackmagnum/kubernetes-apiserver * docker.io/openstackmagnum/kubernetes-controller-manager * docker.io/openstackmagnum/kubernetes-kubelet * docker.io/openstackmagnum/kubernetes-proxy * docker.io/openstackmagnum/kubernetes-scheduler - * docker.io/openstackmagnum/etcd - * docker.io/openstackmagnum/flannel + * gcr.io/google_containers/pause:3.0 + + Images that might be needed: + + * docker.io/grafana/grafana:5.1.5 * docker.io/prom/node-exporter:latest * docker.io/prom/prometheus:latest + * docker.io/traefik:v1.7.10 * gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1 - * gcr.io/google_containers/pause:3.0 * gcr.io/google-containers/hyperkube:v1.12.1 - * quay.io/prometheus/alertmanager:v0.15.3 - * quay.io/coreos/prometheus-operator:v0.15.3 * quay.io/coreos/configmap-reload:v0.0.1 * quay.io/coreos/prometheus-config-reloader:v0.26.0 + * quay.io/coreos/prometheus-operator:v0.15.3 + * quay.io/prometheus/alertmanager:v0.15.3 * quay.io/prometheus/prometheus:v2.5.0 * k8s.gcr.io/node-problem-detector:v0.6.2 * docker.io/planetlabs/draino:abf028a @@ -1378,6 +1385,9 @@ _`octavia_ingress_controller_tag` _`nginx_ingress_controller_tag` The image tag for nginx-ingress-controller. Stein-default: 0.23.0 +_`traefik_ingress_controller_tag` + The image tag for traefik_ingress_controller_tag. Stein-default: v1.7.10 + DNS --- diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh index 6751b67701..2fbf328fa6 100644 
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh @@ -19,7 +19,7 @@ spec: terminationGracePeriodSeconds: 60 hostNetwork: true containers: - - image: ${CONTAINER_INFRA_PREFIX:-docker.io/}traefik + - image: ${CONTAINER_INFRA_PREFIX:-docker.io/}traefik:${TRAEFIK_INGRESS_CONTROLLER_TAG} name: ingress-traefik-backend ports: - name: http @@ -31,13 +31,19 @@ spec: - name: admin containerPort: 8080 securityContext: - privileged: true - args: - - --api - - --logLevel=INFO - - --kubernetes - - --entrypoints=Name:http Address::80 - - --entrypoints=Name:https Address::443 TLS + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + volumeMounts: + - name: ingress-traefik + mountPath: /etc/traefik/traefik.toml + subPath: traefik.toml + volumes: + - name: ingress-traefik + configMap: + name: ingress-traefik nodeSelector: role: ${INGRESS_CONTROLLER_ROLE} --- @@ -59,7 +65,6 @@ spec: - name: admin protocol: TCP port: 8080 - type: NodePort --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml index dd98cba9c6..8177719deb 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml @@ -12,6 +12,7 @@ write_files: KUBE_NODE_PUBLIC_IP="$KUBE_NODE_PUBLIC_IP" KUBE_NODE_IP="$KUBE_NODE_IP" KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV" + TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG" ENABLE_CINDER="$ENABLE_CINDER" ETCD_VOLUME="$ETCD_VOLUME" ETCD_VOLUME_SIZE="$ETCD_VOLUME_SIZE" 
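Review bot: The tag comes from a user-settable cluster label and reaches the `image:` line in the first hunk of enable-ingress-traefik.sh with no validation, so an empty or malformed value yields an unusable reference such as `traefik:` and the ingress pod never pulls. The same raw value is written by the write-heat-params-master.yaml and write-heat-params.yaml hunks as `TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG"`; if those files are later sourced by a shell (not visible in this patch), quote or `$` characters in the label would be interpreted rather than stored. Constraining the parameter where kubecluster.yaml declares it would cover all three places, for example `constraints: [{allowed_pattern: "^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$"}]`.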
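Review bot: The new `securityContext` in the second enable-ingress-traefik.sh hunk drops `privileged: true` but does not forbid privilege escalation; adding `allowPrivilegeEscalation: false` next to `capabilities:` would complete the hardening that `drop: [ALL]` starts. The removed `args` move every Traefik setting into a `traefik.toml` mounted from a ConfigMap named `ingress-traefik`, and no hunk in this patch creates that ConfigMap, so it has to be defined elsewhere in this file on the target branch or the container will not start. Because `hostNetwork: true` and the `admin` port 8080 are kept, whether the Traefik API is reachable on the node address now depends on that file's contents, which is worth confirming for this backport. The pod spec starts and ends outside the hunk.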
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml index 126c27481e..2461990145 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml +++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml @@ -25,6 +25,7 @@ write_files: REGISTRY_INSECURE="$REGISTRY_INSECURE" REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE" TLS_DISABLED="$TLS_DISABLED" + TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG" VERIFY_CA="$VERIFY_CA" CLUSTER_UUID="$CLUSTER_UUID" MAGNUM_URL="$MAGNUM_URL" diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py index 7f8ec702b2..ec5c18abe2 100644 --- a/magnum/drivers/heat/k8s_fedora_template_def.py +++ b/magnum/drivers/heat/k8s_fedora_template_def.py @@ -124,6 +124,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition): 'tiller_enabled', 'tiller_tag', 'tiller_namespace', + 'traefik_ingress_controller_tag', 'node_problem_detector_tag', 'auto_healing_enabled', 'auto_scaling_enabled', 'draino_tag', 'autoscaler_tag', diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml index 166337298f..f45888a6ce 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml @@ -161,6 +161,11 @@ parameters: the docker cgroup driver. default: "cgroupfs" + traefik_ingress_controller_tag: + type: string + description: tag of the traefik containers to be used. + default: v1.7.10 + wait_condition_timeout: type: number description: 
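Review bot: The line `TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG"` added to write-heat-params.yaml has no matching substitution in this patch: the only `"$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag}` entry is added to kubemaster.yaml, and the diffstat touches no other node template. If this fragment is rendered by a template without that mapping (presumably the non-master one, to be confirmed), the placeholder is written out literally and the variable ends up empty or self-referential on those nodes. Either add the parameter and its substitution to the template that consumes this fragment, or drop the line if only the master applies the traefik manifest.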
> @@ -821,6 +826,7 @@ resources: discovery_url: {get_param: discovery_url} cluster_uuid: {get_param: cluster_uuid} magnum_url: {get_param: magnum_url} + traefik_ingress_controller_tag: {get_param: traefik_ingress_controller_tag} volume_driver: {get_param: volume_driver} region_name: {get_param: region_name} fixed_network: {get_attr: [network, fixed_network]} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml index 5b1ab15eff..bc1f97a911 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml @@ -119,6 +119,10 @@ parameters: type: boolean description: whether or not to enable TLS + traefik_ingress_controller_tag: + type: string + description: tag of the traefik containers to be used. + kube_dashboard_enabled: type: boolean description: whether or not to disable kubernetes dashboard @@ -532,6 +536,7 @@ resources: "$PASSWORD": {get_param: password} "$CLUSTER_SUBNET": {get_param: fixed_subnet} "$TLS_DISABLED": {get_param: tls_disabled} + "$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} "$INFLUX_GRAFANA_DASHBOARD_ENABLED": {get_param: influx_grafana_dashboard_enabled} "$VERIFY_CA": {get_param: verify_ca} diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py index 67ab510bfd..781fdb9723 100644 --- a/magnum/tests/unit/drivers/test_template_definition.py +++ b/magnum/tests/unit/drivers/test_template_definition.py 
@@ -497,6 +497,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): tiller_namespace = mock_cluster.labels.get( 'tiller_namespace') npd_tag = mock_cluster.labels.get('node_problem_detector_tag') + traefik_ingress_controller_tag = mock_cluster.labels.get( + 'traefik_ingress_controller_tag') auto_healing_enabled = mock_cluster.labels.get( 'auto_healing_enabled') auto_scaling_enabled = mock_cluster.labels.get( @@ -575,6 +577,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): 'autoscaler_tag': autoscaler_tag, 'min_node_count': min_node_count, 'max_node_count': max_node_count, + 'traefik_ingress_controller_tag': traefik_ingress_controller_tag, }} mock_get_params.assert_called_once_with(mock_context, mock_cluster_template, @@ -887,6 +890,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): tiller_namespace = mock_cluster.labels.get( 'tiller_namespace') npd_tag = mock_cluster.labels.get('node_problem_detector_tag') + traefik_ingress_controller_tag = mock_cluster.labels.get( + 'traefik_ingress_controller_tag') auto_healing_enabled = mock_cluster.labels.get( 'auto_healing_enabled') auto_scaling_enabled = mock_cluster.labels.get( @@ -967,6 +972,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): 'autoscaler_tag': autoscaler_tag, 'min_node_count': min_node_count, 'max_node_count': max_node_count, + 'traefik_ingress_controller_tag': traefik_ingress_controller_tag, }} mock_get_params.assert_called_once_with(mock_context, mock_cluster_template, diff --git a/releasenotes/notes/set-traefik-tag-7d4aca5685147970.yaml b/releasenotes/notes/set-traefik-tag-7d4aca5685147970.yaml new file mode 100644 index 0000000000..5c3e97bb5b --- /dev/null +++ b/releasenotes/notes/set-traefik-tag-7d4aca5685147970.yaml 
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Added label traefik_ingress_controller_tag to enable specifying traefik container version.
+fixes:
+ - |
+ Traefik container now defaults to a fixed tag (v1.7.10) instead of tag
+ (latest)