[k8s] Set traefik to stable version v1.7.10

The current magnum traefik deployment will always pull latest traefik
container image. With the new launch of traefik v2
(https://blog.containo.us/back-to-traefik-2-0-2f9aa17be305) this will
have impact on how the ingress is described in k8s.

This patch:
* Sets the traefik version to default tag v1.7.9, stable release
prior to v2.
* Adds a new label <traefik_ingress_controller_tag> to enable user
to specify other than default traefik release.

Task: 30143
Task: 30146
Story: 2005286

Change-Id: I031a594f7b6014d88df055664afcf51b1cd2cd94
Signed-off-by: Diogo Guerra <dy090.guerra@gmail.com>

doc/source/user/index.rst

@@ -311,6 +311,8 @@ the table are linked to more details elsewhere in the user guide.
 |                                       | - binpack          |               |
 |                                       | - random           |               |
 +---------------------------------------+--------------------+---------------+
+| `traefik_ingress_controller_tag`_     | see below          | see below     |
++---------------------------------------+--------------------+---------------+
 | `admission_control_list`_             | see below          | see below     |
 +---------------------------------------+--------------------+---------------+
 | `prometheus_monitoring`_              | - true             | false         |
@@ -1114,26 +1116,31 @@ _`container_infra_prefix`
   all other components used in the cluster will be prefixed with this label,
   which assumes an operator has cloned all expected images in
   myregistry.example.com/mycloud.
+
   Images that must be mirrored:
 
-  * docker.io/coredns/coredns:1.0.1
+  * docker.io/coredns/coredns:1.3.0
-  * docker.io/grafana/grafana:5.1.5
+  * docker.io/openstackmagnum/etcd
+  * docker.io/openstackmagnum/flannel
   * docker.io/openstackmagnum/kubernetes-apiserver
   * docker.io/openstackmagnum/kubernetes-controller-manager
   * docker.io/openstackmagnum/kubernetes-kubelet
   * docker.io/openstackmagnum/kubernetes-proxy
   * docker.io/openstackmagnum/kubernetes-scheduler
-  * docker.io/openstackmagnum/etcd
+  * gcr.io/google_containers/pause:3.0
-  * docker.io/openstackmagnum/flannel
+
+  Images that might be needed:
+
+  * docker.io/grafana/grafana:5.1.5
   * docker.io/prom/node-exporter:latest
   * docker.io/prom/prometheus:latest
+  * docker.io/traefik:v1.7.10
   * gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1
-  * gcr.io/google_containers/pause:3.0
   * gcr.io/google-containers/hyperkube:v1.12.1
-  * quay.io/prometheus/alertmanager:v0.15.3
-  * quay.io/coreos/prometheus-operator:v0.15.3
   * quay.io/coreos/configmap-reload:v0.0.1
   * quay.io/coreos/prometheus-config-reloader:v0.26.0
+  * quay.io/coreos/prometheus-operator:v0.15.3
+  * quay.io/prometheus/alertmanager:v0.15.3
   * quay.io/prometheus/prometheus:v2.5.0
   * k8s.gcr.io/node-problem-detector:v0.6.2
   * docker.io/planetlabs/draino:abf028a
@@ -1375,6 +1382,9 @@ _`octavia_ingress_controller_tag`
 _`nginx_ingress_controller_tag`
   The image tag for nginx-ingress-controller. Stein-default: 0.23.0
 
+_`traefik_ingress_controller_tag`
+  The image tag for traefik_ingress_controller_tag. Stein-default: v1.7.10
+
 DNS
 ---
 

magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh

@@ -58,7 +58,7 @@ spec:
       terminationGracePeriodSeconds: 60
       hostNetwork: true
       containers:
-      - image: ${CONTAINER_INFRA_PREFIX:-docker.io/}traefik
+      - image: ${CONTAINER_INFRA_PREFIX:-docker.io/}traefik:${TRAEFIK_INGRESS_CONTROLLER_TAG}
         name: ingress-traefik-backend
         ports:
         - name: http
@@ -70,7 +70,11 @@ spec:
         - name: admin
           containerPort: 8080
         securityContext:
-          privileged: true
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_BIND_SERVICE
         volumeMounts:
         - name: ingress-traefik
           mountPath: /etc/traefik/traefik.toml
@@ -100,7 +104,6 @@ spec:
     - name: admin
       protocol: TCP
       port: 8080
-  type: NodePort
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1

magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml

@@ -12,6 +12,7 @@ write_files:
       KUBE_NODE_PUBLIC_IP="$KUBE_NODE_PUBLIC_IP"
       KUBE_NODE_IP="$KUBE_NODE_IP"
       KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
+      TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG"
       ENABLE_CINDER="$ENABLE_CINDER"
       ETCD_VOLUME="$ETCD_VOLUME"
       ETCD_VOLUME_SIZE="$ETCD_VOLUME_SIZE"

magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml

@@ -25,6 +25,7 @@ write_files:
       REGISTRY_INSECURE="$REGISTRY_INSECURE"
       REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
       TLS_DISABLED="$TLS_DISABLED"
+      TRAEFIK_INGRESS_CONTROLLER_TAG="$TRAEFIK_INGRESS_CONTROLLER_TAG"
       VERIFY_CA="$VERIFY_CA"
       CLUSTER_UUID="$CLUSTER_UUID"
       MAGNUM_URL="$MAGNUM_URL"

magnum/drivers/heat/k8s_fedora_template_def.py

@@ -128,6 +128,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
                       'tiller_enabled',
                       'tiller_tag',
                       'tiller_namespace',
+                      'traefik_ingress_controller_tag',
                       'node_problem_detector_tag',
                       'nginx_ingress_controller_tag',
                       'auto_healing_enabled', 'auto_scaling_enabled',

magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml

@@ -161,6 +161,11 @@ parameters:
       the docker cgroup driver.
     default: "cgroupfs"
 
+  traefik_ingress_controller_tag:
+    type: string
+    description: tag of the traefik containers to be used.
+    default: v1.7.10
+
   wait_condition_timeout:
     type: number
     description: >
@@ -820,6 +825,7 @@ resources:
           discovery_url: {get_param: discovery_url}
           cluster_uuid: {get_param: cluster_uuid}
           magnum_url: {get_param: magnum_url}
+          traefik_ingress_controller_tag: {get_param: traefik_ingress_controller_tag}
           volume_driver: {get_param: volume_driver}
           region_name: {get_param: region_name}
           fixed_network: {get_attr: [network, fixed_network]}

magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml

@@ -119,6 +119,10 @@ parameters:
     type: boolean
     description: whether or not to enable TLS
 
+  traefik_ingress_controller_tag:
+    type: string
+    description: tag of the traefik containers to be used.
+
   kube_dashboard_enabled:
     type: boolean
     description: whether or not to disable kubernetes dashboard
@@ -532,6 +536,7 @@ resources:
             "$PASSWORD": {get_param: password}
             "$CLUSTER_SUBNET": {get_param: fixed_subnet}
             "$TLS_DISABLED": {get_param: tls_disabled}
+            "$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag}
             "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
             "$INFLUX_GRAFANA_DASHBOARD_ENABLED": {get_param: influx_grafana_dashboard_enabled}
             "$VERIFY_CA": {get_param: verify_ca}

magnum/tests/unit/drivers/test_template_definition.py

@@ -517,6 +517,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
         tiller_namespace = mock_cluster.labels.get(
             'tiller_namespace')
         npd_tag = mock_cluster.labels.get('node_problem_detector_tag')
+        traefik_ingress_controller_tag = mock_cluster.labels.get(
+            'traefik_ingress_controller_tag')
         auto_healing_enabled = mock_cluster.labels.get(
             'auto_healing_enabled')
         auto_scaling_enabled = mock_cluster.labels.get(
@@ -595,6 +597,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
             'autoscaler_tag': autoscaler_tag,
             'min_node_count': min_node_count,
             'max_node_count': max_node_count,
+            'traefik_ingress_controller_tag': traefik_ingress_controller_tag,
         }}
         mock_get_params.assert_called_once_with(mock_context,
                                                 mock_cluster_template,
@@ -907,6 +910,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
         tiller_namespace = mock_cluster.labels.get(
             'tiller_namespace')
         npd_tag = mock_cluster.labels.get('node_problem_detector_tag')
+        traefik_ingress_controller_tag = mock_cluster.labels.get(
+            'traefik_ingress_controller_tag')
         auto_healing_enabled = mock_cluster.labels.get(
             'auto_healing_enabled')
         auto_scaling_enabled = mock_cluster.labels.get(
@@ -987,6 +992,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
             'autoscaler_tag': autoscaler_tag,
             'min_node_count': min_node_count,
             'max_node_count': max_node_count,
+            'traefik_ingress_controller_tag': traefik_ingress_controller_tag,
         }}
         mock_get_params.assert_called_once_with(mock_context,
                                                 mock_cluster_template,

releasenotes/notes/set-traefik-tag-7d4aca5685147970.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Added label traefik_ingress_controller_tag to enable specifying traefik container version.
+fixes:
+  - |
+    Traefik container now defaults to a fixed tag (v1.7.10) instead of tag
+    (latest)