diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst index 579cfb323e..99cd9a9528 100644 --- a/doc/source/user/index.rst +++ b/doc/source/user/index.rst @@ -311,6 +311,8 @@ the table are linked to more details elsewhere in the user guide. | | - binpack | | | | - random | | +---------------------------------------+--------------------+---------------+ +| `traefik_ingress_controller_tag`_ | see below | see below | ++---------------------------------------+--------------------+---------------+ | `admission_control_list`_ | see below | see below | +---------------------------------------+--------------------+---------------+ | `prometheus_monitoring`_ | - true | false | 
@@ -1114,26 +1116,31 @@ _`container_infra_prefix` all other components used in the cluster will be prefixed with this label, which assumes an operator has cloned all expected images in myregistry.example.com/mycloud. + Images that must be mirrored: - * docker.io/coredns/coredns:1.0.1 - * docker.io/grafana/grafana:5.1.5 + * docker.io/coredns/coredns:1.3.0 + * docker.io/openstackmagnum/etcd + * docker.io/openstackmagnum/flannel * docker.io/openstackmagnum/kubernetes-apiserver * docker.io/openstackmagnum/kubernetes-controller-manager * docker.io/openstackmagnum/kubernetes-kubelet * docker.io/openstackmagnum/kubernetes-proxy * docker.io/openstackmagnum/kubernetes-scheduler - * docker.io/openstackmagnum/etcd - * docker.io/openstackmagnum/flannel + * gcr.io/google_containers/pause:3.0 + + Images that might be needed: + + * docker.io/grafana/grafana:5.1.5 * docker.io/prom/node-exporter:latest * docker.io/prom/prometheus:latest + * docker.io/traefik:v1.7.10 * gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1 - * gcr.io/google_containers/pause:3.0 * gcr.io/google-containers/hyperkube:v1.12.1 - * quay.io/prometheus/alertmanager:v0.15.3 - * quay.io/coreos/prometheus-operator:v0.15.3 * quay.io/coreos/configmap-reload:v0.0.1 * quay.io/coreos/prometheus-config-reloader:v0.26.0 + * quay.io/coreos/prometheus-operator:v0.15.3 + * quay.io/prometheus/alertmanager:v0.15.3 * quay.io/prometheus/prometheus:v2.5.0 * k8s.gcr.io/node-problem-detector:v0.6.2 * docker.io/planetlabs/draino:abf028a @@ -1375,6 +1382,9 @@ _`octavia_ingress_controller_tag` _`nginx_ingress_controller_tag` The image tag for nginx-ingress-controller. Stein-default: 0.23.0 +_`traefik_ingress_controller_tag` + The image tag for traefik_ingress_controller_tag. Stein-default: v1.7.10 + DNS --- diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh index dfce1d34f8..d5df11e986 100644 
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh @@ -58,7 +58,7 @@ spec: terminationGracePeriodSeconds: 60 hostNetwork: true containers: - - image: ${CONTAINER_INFRA_PREFIX:-docker.io/}traefik + - image: ${CONTAINER_INFRA_PREFIX:-docker.io/}traefik:${TRAEFIK_INGRESS_CONTROLLER_TAG} name: ingress-traefik-backend ports: - name: http @@ -70,7 +70,11 @@ spec: - name: admin containerPort: 8080 securityContext: - privileged: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE volumeMounts: - name: ingress-traefik mountPath: /etc/traefik/traefik.toml @@ -100,7 +104,6 @@ spec: - name: admin protocol: TCP port: 8080 - type: NodePort --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml index 718e69eb17..a17ebb4270 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml @@ -12,6 +12,7 @@ write_files: KUBE_NODE_PUBLIC_IP="$KUBE_NODE_PUBLIC_IP" KUBE_NODE_IP="$KUBE_NODE_IP" KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV" + TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG" ENABLE_CINDER="$ENABLE_CINDER" ETCD_VOLUME="$ETCD_VOLUME" ETCD_VOLUME_SIZE="$ETCD_VOLUME_SIZE" diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml index 126c27481e..2461990145 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml +++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml 
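Review bot: The new image line expands `${TRAEFIK_INGRESS_CONTROLLER_TAG}` with no fallback, while `${CONTAINER_INFRA_PREFIX:-docker.io/}` just before it has one, so an empty or unset variable renders `traefik:`, which is not a valid image reference and leaves the pod unable to pull. Writing `traefik:${TRAEFIK_INGRESS_CONTROLLER_TAG:-v1.7.10}` keeps the fragment working if the heat-params file was written before this change (presumably possible on existing clusters; confirm). A tag pins a name rather than content, so deployments that mirror images under `container_infra_prefix` may want to record the digest they mirrored. The manifest starts and ends outside this hunk.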
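Review bot: The replacement `securityContext` drops all capabilities and re-adds only `NET_BIND_SERVICE`, but it leaves `allowPrivilegeEscalation` unset, so the Kubernetes default of allowing escalation still applies; add `allowPrivilegeEscalation: false` next to `capabilities:`. The pod also keeps `hostNetwork: true` (first hunk) and still declares the `admin` containerPort 8080, so removing `type: NodePort` from the Service in the last hunk does not by itself take the admin listener off the node's interfaces. Whether that listener is reachable depends on traefik.toml and the security group rules, neither of which is visible here. A comment above `capabilities:` such as `# NET_BIND_SERVICE is the only capability needed to bind ports below 1024` would record why that one capability is kept.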
@@ -25,6 +25,7 @@ write_files: REGISTRY_INSECURE="$REGISTRY_INSECURE" REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE" TLS_DISABLED="$TLS_DISABLED" + TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG" VERIFY_CA="$VERIFY_CA" CLUSTER_UUID="$CLUSTER_UUID" MAGNUM_URL="$MAGNUM_URL" diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py index a0ca491735..94c7a99aa2 100644 --- a/magnum/drivers/heat/k8s_fedora_template_def.py +++ b/magnum/drivers/heat/k8s_fedora_template_def.py @@ -128,6 +128,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition): 'tiller_enabled', 'tiller_tag', 'tiller_namespace', + 'traefik_ingress_controller_tag', 'node_problem_detector_tag', 'nginx_ingress_controller_tag', 'auto_healing_enabled', 'auto_scaling_enabled', diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml index 40bb5c1120..281c54e446 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml @@ -161,6 +161,11 @@ parameters: the docker cgroup driver. default: "cgroupfs" + traefik_ingress_controller_tag: + type: string + description: tag of the traefik containers to be used. + default: v1.7.10 + wait_condition_timeout: type: number description: > @@ -820,6 +825,7 @@ resources: discovery_url: {get_param: discovery_url} cluster_uuid: {get_param: cluster_uuid} magnum_url: {get_param: magnum_url} + traefik_ingress_controller_tag: {get_param: traefik_ingress_controller_tag} volume_driver: {get_param: volume_driver} region_name: {get_param: region_name} fixed_network: {get_attr: [network, fixed_network]} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml index b5ee5e7daa..a420f3e00a 100644 
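Review bot: The added `TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG"` line only receives a value if the template that renders this fragment supplies a `"$TRAEFIK_INGRESS_CONTROLLER_TAG"` substitution, and the only such mapping in this diff is in kubemaster.yaml. If write-heat-params.yaml is rendered by a different template than write-heat-params-master.yaml (the file names suggest so; confirm), the placeholder stays literal in the written file and evaluates to an empty string when read by a shell. Either add the parameter and mapping to that template or drop this line, since the only visible consumer is enable-ingress-traefik.sh.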
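Review bot: The new `traefik_ingress_controller_tag` parameter is a free-form `string` with no `constraints`, yet its value comes from a cluster label and is substituted into the double-quoted assignment in write-heat-params-master.yaml and then into the `image:` line of enable-ingress-traefik.sh. Restricting it to image-tag characters at the Heat layer rejects malformed values before they reach the node, for example `constraints: [{allowed_pattern: "^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$"}]`. The same constraint would apply to the parameter of the same name added in kubemaster.yaml. The description could also say that the tag is resolved under `container_infra_prefix` when that label is set, as the image line shows.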
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml @@ -119,6 +119,10 @@ parameters: type: boolean description: whether or not to enable TLS + traefik_ingress_controller_tag: + type: string + description: tag of the traefik containers to be used. + kube_dashboard_enabled: type: boolean description: whether or not to disable kubernetes dashboard @@ -532,6 +536,7 @@ resources: "$PASSWORD": {get_param: password} "$CLUSTER_SUBNET": {get_param: fixed_subnet} "$TLS_DISABLED": {get_param: tls_disabled} + "$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} "$INFLUX_GRAFANA_DASHBOARD_ENABLED": {get_param: influx_grafana_dashboard_enabled} "$VERIFY_CA": {get_param: verify_ca} diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py index a9f18c93c4..d1731f4860 100644 --- a/magnum/tests/unit/drivers/test_template_definition.py +++ b/magnum/tests/unit/drivers/test_template_definition.py @@ -517,6 +517,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): tiller_namespace = mock_cluster.labels.get( 'tiller_namespace') npd_tag = mock_cluster.labels.get('node_problem_detector_tag') + traefik_ingress_controller_tag = mock_cluster.labels.get( + 'traefik_ingress_controller_tag') auto_healing_enabled = mock_cluster.labels.get( 'auto_healing_enabled') auto_scaling_enabled = mock_cluster.labels.get( @@ -595,6 +597,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): 'autoscaler_tag': autoscaler_tag, 'min_node_count': min_node_count, 'max_node_count': max_node_count, + 'traefik_ingress_controller_tag': traefik_ingress_controller_tag, }} mock_get_params.assert_called_once_with(mock_context, mock_cluster_template, 
@@ -907,6 +910,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): tiller_namespace = mock_cluster.labels.get( 'tiller_namespace') npd_tag = mock_cluster.labels.get('node_problem_detector_tag') + traefik_ingress_controller_tag = mock_cluster.labels.get( + 'traefik_ingress_controller_tag') auto_healing_enabled = mock_cluster.labels.get( 'auto_healing_enabled') auto_scaling_enabled = mock_cluster.labels.get( @@ -987,6 +992,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): 'autoscaler_tag': autoscaler_tag, 'min_node_count': min_node_count, 'max_node_count': max_node_count, + 'traefik_ingress_controller_tag': traefik_ingress_controller_tag, }} mock_get_params.assert_called_once_with(mock_context, mock_cluster_template, diff --git a/releasenotes/notes/set-traefik-tag-7d4aca5685147970.yaml b/releasenotes/notes/set-traefik-tag-7d4aca5685147970.yaml new file mode 100644 index 0000000000..5c3e97bb5b --- /dev/null +++ b/releasenotes/notes/set-traefik-tag-7d4aca5685147970.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Added label traefik_ingress_controller_tag to enable specifying traefik container version. +fixes: + - | + Traefik container now defaults to a fixed tag (v1.7.10) instead of tag + (latest)