Ingress: Move to namespaced ingress controllers and edge VIP

This PS moves to namespace specific ingress controllers, and a
cluster wide ingress controller that acts as the external front
door to the cluster. The cluster ingress controller will also
be able to create a dummy interface that can be announced via the
OpenStack-Helm-Infra Calico chart.

The ability to exercise the edge VIP feature is currently only
demonstrated in the single node gate and guide, as it requires
additional configuration, or hardware to set up the routes in
a multinode env.

Change-Id: I8b823b93465f2e90aaabcca9ec9b783d34539e07

helm-toolkit/templates/utils/_to_k8s_env_vars.tpl

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}

ingress/templates/bin/_ingress-controller.sh.tpl

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
@@ -17,9 +17,26 @@ limitations under the License.
 */}}
 
 set -ex
-exec /usr/bin/dumb-init \
+COMMAND="${@:-start}"
-    /nginx-ingress-controller \
+
-    --default-backend-service=${POD_NAMESPACE}/ingress-error-pages \
+function start () {
-    --configmap=${POD_NAMESPACE}/ingress-conf \
+  exec /usr/bin/dumb-init \
-    --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
+      /nginx-ingress-controller \
-    --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp
+      {{- if eq .Values.deployment.mode "namespace" }}
+      --watch-namespace ${POD_NAMESPACE} \
+      {{- end }}
+      --http-port=${PORT_HTTP} \
+      --https-port=${PORT_HTTPS} \
+      --election-id=${RELEASE_NAME} \
+      --ingress-class=${INGRESS_CLASS} \
+      --default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \
+      --configmap=${POD_NAMESPACE}/ingress-conf \
+      --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
+      --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND

ingress/templates/bin/_ingress-error-pages.sh.tpl

@@ -17,4 +17,10 @@ limitations under the License.
 */}}
 
 set -ex
-exec /server
+COMMAND="${@:-start}"
+
+if [ "x${COMMAND}" == "xstart" ]; then
+  exec /server
+elif [ "x${COMMAND}" == "xstop" ]; then
+  kill -TERM 1
+fi

ingress/templates/bin/_ingress-vip.sh.tpl

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright 2018 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+COMMAND="${@:-start}"
+
+function kernel_modules () {
+  chroot /mnt/host-rootfs modprobe dummy
+}
+
+function test_vip () {
+  ip addr show ${interface} | \
+    awk "/inet / && /${interface}/{print \$2 }" | \
+    awk -F '/' '{ print $1 }' | \
+    grep -q "${addr%/*}"
+}
+
+function start () {
+  ip link show ${interface} > /dev/null || ip link add ${interface} type dummy
+  if ! test_vip; then
+   ip addr add ${addr} dev ${interface}
+  fi
+  ip link set ${interface} up
+}
+
+function sleep () {
+  exec bash -c "while :; do sleep 2073600; done"
+}
+
+function stop () {
+  ip link show ${interface} > /dev/null || exit 0
+  if test_vip; then
+   ip addr del ${addr} dev ${interface}
+  fi
+  if [ "$(ip address show ${interface} | \
+          awk "/inet / && /${interface}/{print \$2 }" | \
+          wc -l)" -le "0" ]; then
+    ip link set ${interface} down
+    ip link del ${interface}
+  fi
+}
+
+$COMMAND

ingress/templates/configmap-bin.yaml

@@ -22,6 +22,10 @@ kind: ConfigMap
 metadata:
   name: ingress-bin
 data:
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+  ingress-vip.sh: |
+{{ tuple "bin/_ingress-vip.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
   ingress-controller.sh: |+
 {{ tuple "bin/_ingress-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   ingress-error-pages.sh: |+

ingress/templates/configmap-conf.yaml

@@ -16,11 +16,18 @@ limitations under the License.
 
 {{- if .Values.manifests.configmap_conf }}
 {{- $envAll := . }}
+
+{{- if and .Values.network.host_namespace .Values.network.vip.manage -}}
+{{- if empty (index .Values.conf.ingress "bind-address") -}}
+{{- set .Values.conf.ingress "bind-address" ( .Values.network.vip.addr | split "/" )._0  | quote | trunc 0 -}}
+{{- end -}}
+{{- end -}}
+
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: ingress-conf
 data:
-{{ toYaml .Values.config.controller | indent 2 }}
+{{ toYaml .Values.conf.ingress | indent 2 }}
 {{- end }}

ingress/templates/configmap-services-tcp.yaml

@@ -21,8 +21,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: ingress-services-tcp
-{{- if not (empty $envAll.Values.config.services.tcp) }}
+{{- if not (empty $envAll.Values.conf.services.tcp) }}
 data:
-{{ toYaml $envAll.Values.config.services.tcp | indent 2 }}
+{{ toYaml $envAll.Values.conf.services.tcp | indent 2 }}
 {{- end }}
 {{- end }}

ingress/templates/configmap-services-udp.yaml

@@ -21,8 +21,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: ingress-services-udp
-{{- if not (empty $envAll.Values.config.services.udp) }}
+{{- if not (empty $envAll.Values.conf.services.udp) }}
 data:
-{{ toYaml $envAll.Values.config.services.udp | indent 2 }}
+{{ toYaml $envAll.Values.conf.services.udp | indent 2 }}
 {{- end }}
 {{- end }}

ingress/templates/deployment-error.yaml

@@ -38,7 +38,7 @@ spec:
 {{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
-      terminationGracePeriodSeconds: 60
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.error_pages.timeout | default "60" }}
       initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
@@ -57,6 +57,13 @@ spec:
             - containerPort: 8080
           command:
             - /tmp/ingress-error-pages.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/ingress-error-pages.sh
+                  - stop
           volumeMounts:
             - name: ingress-bin
               mountPath: /tmp/ingress-error-pages.sh

ingress/templates/deployment-ingress.yaml

@@ -18,13 +18,21 @@ limitations under the License.
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ingress }}
 
-{{- $serviceAccountName := "ingress-api"}}
+{{- if empty .Values.conf.controller.INGRESS_CLASS -}}
+{{- if eq .Values.deployment.mode "cluster" }}
+{{- set .Values.conf.controller "INGRESS_CLASS" .Values.deployment.cluster.class | quote | trunc 0 -}}
+{{- else if eq .Values.deployment.mode "namespace" }}
+{{- set .Values.conf.controller "INGRESS_CLASS" "nginx" | quote | trunc 0 -}}
+{{- end }}
+{{- end -}}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ingress" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: nginx-ingress-clusterrole
+  name: {{ $serviceAccountName }}
 rules:
   - apiGroups:
       - ""
@@ -76,11 +84,11 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: nginx-ingress-clusterrole-nisa-binding
+  name: {{ $serviceAccountName }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: nginx-ingress-clusterrole
+  name: {{ $serviceAccountName }}
 subjects:
   - kind: ServiceAccount
     name: {{ $serviceAccountName }}
@@ -89,7 +97,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
-  name: nginx-ingress-role
+  name: {{ $serviceAccountName }}
   namespace: {{ $envAll.Release.Namespace }}
 rules:
   - apiGroups:
@@ -106,11 +114,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      # Defaults to "<election-id>-<ingress-class>"
+      - {{ printf "%s-%s" .Release.Name .Values.conf.controller.INGRESS_CLASS | quote }}
-      # Here: "<ingress-controller-leader>-<nginx>"
-      # This has to be adapted if you change either parameter
-      # when launching the nginx-ingress-controller.
-      - "ingress-controller-leader-nginx"
     verbs:
       - get
       - update
@@ -132,39 +136,39 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-  name: nginx-ingress-role-nisa-binding
+  name: {{ $serviceAccountName }}
   namespace: {{ $envAll.Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: nginx-ingress-role
+  name: {{ $serviceAccountName }}
 subjects:
   - kind: ServiceAccount
     name: {{ $serviceAccountName }}
     namespace: {{ $envAll.Release.Namespace }}
 ---
-{{- if eq .Values.deployment_type "Deployment" }}
+{{- if eq .Values.deployment.type "Deployment" }}
 apiVersion: apps/v1beta1
 kind: Deployment
-{{- else if eq .Values.deployment_type "DaemonSet" }}
+{{- else if eq .Values.deployment.type "DaemonSet" }}
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 {{- end }}
 metadata:
-  name: ingress-api
+  name: ingress
 spec:
-{{- if eq .Values.deployment_type "Deployment" }}
+{{- if eq .Values.deployment.type "Deployment" }}
   replicas: {{ .Values.pod.replicas.ingress }}
 {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
 {{- end }}
   template:
     metadata:
       labels:
-{{ tuple $envAll "ingress" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
         app: ingress-api
     spec:
       serviceAccountName: {{ $serviceAccountName }}
-{{- if eq .Values.deployment_type "Deployment" }}
+{{- if eq .Values.deployment.type "Deployment" }}
       affinity:
 {{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 {{- end }}
@@ -174,11 +178,50 @@ spec:
       hostNetwork: true
 {{- end }}
       dnsPolicy: "ClusterFirstWithHostNet"
-      terminationGracePeriodSeconds: 60
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "60" }}
       initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+        - name: ingress-vip-kernel-modules
+          image: {{ .Values.images.tags.ingress }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - SYS_MODULE
+            runAsUser: 0
+          command:
+            - /tmp/ingress-vip.sh
+            - kernel_modules
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-vip.sh
+              subPath: ingress-vip.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              readOnly: true
+        - name: ingress-vip-init
+          image: {{ .Values.images.tags.ingress }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsUser: 0
+          env:
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
+          command:
+            - /tmp/ingress-vip.sh
+            - start
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-vip.sh
+              subPath: ingress-vip.sh
+              readOnly: true
+{{- end }}
       containers:
-        - name: ingress-api
+        - name: ingress
           image: {{ .Values.images.tags.ingress }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@@ -203,21 +246,72 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: PORT_HTTP
+              value: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: PORT_HTTPS
+              value: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: RELEASE_NAME
+              value: {{ .Release.Name | quote }}
+            - name: ERROR_PAGE_SERVICE
+              value: {{ tuple "ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controller | indent 12 }}
           ports:
-            - containerPort: 80
+            - containerPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-              hostPort: 80
+            {{- if .Values.network.host_namespace }}
-            - containerPort: 443
+              hostPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-              hostPort: 443
+            {{- end }}
+            - containerPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            {{- if .Values.network.host_namespace }}
+              hostPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            {{- end }}
           command:
             - /tmp/ingress-controller.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/ingress-controller.sh
+                  - stop
           volumeMounts:
             - name: ingress-bin
               mountPath: /tmp/ingress-controller.sh
               subPath: ingress-controller.sh
               readOnly: true
-      volumes:
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
-      - name: ingress-bin
+        - name: ingress-vip
-        configMap:
+          image: {{ .Values.images.tags.ingress }}
-          name: ingress-bin
+          imagePullPolicy: {{ .Values.images.pull_policy }}
-          defaultMode: 0555
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsUser: 0
+          env:
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
+          command:
+            - /tmp/ingress-vip.sh
+            - sleep
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/ingress-vip.sh
+                  - stop
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-vip.sh
+              subPath: ingress-vip.sh
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: ingress-bin
+          configMap:
+            name: ingress-bin
+            defaultMode: 0555
+      {{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+        - name: host-rootfs
+          hostPath:
+            path: /
+      {{- end }}
 {{- end }}

ingress/templates/endpoints-ingress.yaml

@@ -0,0 +1,53 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.endpoints_ingress }}
+{{- $envAll := . }}
+{{- if and .Values.network.host_namespace .Values.network.vip.manage -}}
+---
+apiVersion: "v1"
+kind: "Endpoints"
+metadata:
+  labels:
+{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+    endpoint: vip
+  name: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+subsets:
+ - addresses:
+      - ip: {{ ( .Values.network.vip.addr | split "/" )._0  | quote }}
+   ports:
+    - port: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      protocol: TCP
+      name: http
+    - port: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      protocol: TCP
+      name: https
+    {{- if not (empty $envAll.Values.conf.services.tcp) }}
+    {{range $key, $value := $envAll.Values.conf.services.tcp -}}
+    - port: {{ $key }}
+      protocol: TCP
+      name: {{ cat ((( $value | split "/" )._1 | split ":" )._0  | trunc 8 ) $key | nospace | quote }}
+    {{ end -}}
+    {{- end }}
+    {{- if not (empty $envAll.Values.conf.services.udp) }}
+    {{range $key, $value := $envAll.Values.conf.services.udp -}}
+    - port: {{ $key }}
+      protocol: UDP
+      name: {{ cat ((( $value | split "/" )._1 | split ":" )._0  | trunc 8 ) $key | nospace | quote }}
+    {{ end -}}
+    {{- end }}
+{{- end }}
+{{- end }}

ingress/templates/ingress.yaml

@@ -0,0 +1,40 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.ingress }}
+{{- $envAll := . }}
+{{- if eq .Values.deployment.mode "namespace" }}
+{{- if empty (index .Values.network.ingress.annotations "kubernetes.io/ingress.class") -}}
+{{- set .Values.network.ingress.annotations "kubernetes.io/ingress.class" .Values.deployment.cluster.class | quote | trunc 0 -}}
+{{- end -}}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ .Release.Namespace }}-{{ .Release.Name }}
+  annotations:
+{{ toYaml .Values.network.ingress.annotations | indent 4 }}
+spec:
+  rules:
+  - host: {{ printf "%s.%s.svc.%s" "*" .Release.Namespace .Values.endpoints.cluster_domain_suffix | quote }}
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+          servicePort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+{{- end }}

ingress/templates/service-error.yaml

@@ -22,7 +22,7 @@ kind: Service
 metadata:
   labels:
 {{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  name: ingress-error-pages
+  name: {{ tuple "ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
   clusterIP: None
   ports:

ingress/templates/service-ingress.yaml

@@ -21,18 +21,42 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app: ingress-api
+{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  name: {{ .Values.endpoints.ingress.host }}
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+    endpoint: vip
+{{- end }}
+  name: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+  clusterIP: None
+{{- end }}
   ports:
   - name: http
-    port: {{ .Values.endpoints.ingress.port.http }}
+    port: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     protocol: TCP
-    targetPort: 80
+    targetPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
   - name: https
-    port: {{ .Values.endpoints.ingress.port.https }}
+    port: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     protocol: TCP
-    targetPort: 443
+    targetPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+  {{- if not (empty $envAll.Values.conf.services.tcp) }}
+  {{range $key, $value := $envAll.Values.conf.services.tcp -}}
+  - name: {{ cat ((( $value | split "/" )._1 | split ":" )._0  | trunc 8 ) $key | nospace | quote }}
+    port: {{ $key }}
+    protocol: TCP
+    targetPort: {{ $key }}
+  {{ end -}}
+  {{- end }}
+  {{- if not (empty $envAll.Values.conf.services.udp) }}
+  {{range $key, $value := $envAll.Values.conf.services.udp -}}
+  - name: {{ cat ((( $value | split "/" )._1 | split ":" )._0  | trunc 8 ) $key | nospace | quote }}
+    port: {{ $key }}
+    protocol: UDP
+    targetPort: {{ $key }}
+  {{ end -}}
+  {{- end }}
+{{- if not (and .Values.network.host_namespace .Values.network.vip.manage) }}
   selector:
-    app: ingress-api
+{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
 {{- end }}

ingress/values.yaml

@@ -17,6 +17,12 @@
 # Declare name/value pairs to be passed into your templates.
 # name: value
 
+deployment:
+  mode: namespace
+  type: Deployment
+  cluster:
+    class: "nginx-cluster"
+
 images:
   tags:
     entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
@@ -44,6 +50,11 @@ pod:
         rolling_update:
           max_unavailable: 1
           max_surge: 3
+    termination_grace_period:
+      server:
+        timeout: 60
+      error_pages:
+        timeout: 60
   resources:
     enabled: false
     ingress:
@@ -66,7 +77,18 @@ labels:
   node_selector_value: enabled
 
 network:
-  host_namespace: true
+  host_namespace: false
+  vip:
+    manage: false
+    interface: ingress-vip
+    addr: 172.18.0.1/32
+  ingress:
+    annotations:
+      #NOTE(portdirect): if left blank this is populated from
+      # .deployment.cluster.class
+      kubernetes.io/ingress.class: null
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+  external_policy_local: false
 
 dependencies:
   error_pages:
@@ -75,21 +97,35 @@ dependencies:
     jobs: null
 
 endpoints:
+  cluster_domain_suffix: cluster.local
   ingress:
-    host: openstack
+    hosts:
+      default: ingress
+      error_pages: ingress-error-pages
+    host_fqdn_override:
+      default: null
     port:
-      http: 80
+      http:
-      https: 443
+        default: 80
+      https:
+        default: 443
 
-deployment_type: DaemonSet
+conf:
-
-config:
   controller:
+    #NOTE(portdirect): if left blank this is populated from
+    # .deployment.cluster.class in cluster mode, or set to
+    # "nginx" in namespace mode
+    INGRESS_CLASS: null
+  ingress:
     enable-underscores-in-headers: "true"
+    #NOTE(portdirect): if left blank this is populated from
+    # .network.vip.addr when running in host networking
+    # and .network.vip.manage=true, otherwise it is left as
+    # an empty string (the default).
+    bind-address: null
   services:
     tcp: null
-    udp:
+    udp: null
-      53: "kube-system/kube-dns:53"
 
 manifests:
   configmap_bin: true
@@ -98,5 +134,7 @@ manifests:
   configmap_services_udp: true
   deployment_error: true
   deployment_ingress: true
+  endpoints_ingress: true
+  ingress: true
   service_error: true
   service_ingress: true

tools/deployment/common/ingress.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-set -xe
-
-#NOTE: Deploy command
-helm install ./ingress \
-  --namespace=openstack \
-  --name=ingress
-
-#NOTE: Wait for deploy
-./tools/deployment/common/wait-for-pods.sh openstack
-
-#NOTE: Display info
-helm status ingress

tools/deployment/developer/03-ingress.sh

@@ -1 +0,0 @@
-../common/ingress.sh

tools/deployment/developer/03-ingress.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Pull images and lint chart
+make pull-images ingress
+
+#NOTE: Deploy global ingress
+helm install ./ingress \
+  --namespace=kube-system \
+  --name=ingress-kube-system \
+  --set deployment.mode=cluster \
+  --set deployment.type=DaemonSet \
+  --set network.host_namespace=true \
+  --set network.vip.manage=true \
+  --set network.vip.addr=172.18.0.1/32 \
+  --set conf.services.udp.53='kube-system/kube-dns:53'
+
+#NOTE: Deploy namespace ingress
+helm install ./ingress \
+  --namespace=openstack \
+  --name=ingress-openstack
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Display info
+helm status ingress-kube-system
+helm status ingress-openstack

tools/deployment/multinode/020-ingress.sh

@@ -1 +0,0 @@
-../common/ingress.sh

tools/deployment/multinode/020-ingress.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Deploy global ingress
+helm install ./ingress \
+  --namespace=kube-system \
+  --name=ingress-kube-system \
+  --set pod.replicas.error_page=2 \
+  --set deployment.mode=cluster \
+  --set deployment.type=DaemonSet \
+  --set network.host_namespace=true \
+  --set conf.services.udp.53='kube-system/kube-dns:53'
+
+#NOTE: Deploy namespace ingress
+helm install ./ingress \
+  --namespace=openstack \
+  --name=ingress-openstack \
+  --set pod.replicas.ingress=2 \
+  --set pod.replicas.error_page=2
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Display info
+helm status ingress-kube-system
+helm status ingress-openstack