Ingress: Move to namespaced ingress controllers and edge VIP

This PS moves to namespace specific ingress controllers, and a cluster wide ingress controller that acts as the external front door to the cluster. The cluster ingress controller will also be able to create a dummy interface that can be announced via the OpenStack-Helm-Infra Calico chart. The ability to exercise the edge VIP feature is currently only demonstrated in the single node gate and guide, as it requires additional configuration, or hardware to set up the routes in a multinode env. Change-Id: I8b823b93465f2e90aaabcca9ec9b783d34539e07
2018-01-12 13:58:40 -05:00 · 2018-01-12 13:58:40 -05:00 · 35dfb998f4
commit 35dfb998f4
parent 9d40323eb1
18 changed files with 520 additions and 90 deletions
--- a/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
+++ b/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
--- a/ingress/templates/bin/_ingress-controller.sh.tpl
+++ b/ingress/templates/bin/_ingress-controller.sh.tpl
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash

 {{/*
 Copyright 2017 The Openstack-Helm Authors.
@ -17,9 +17,26 @@ limitations under the License.
 */}}

 set -ex
-exec /usr/bin/dumb-init \
-    /nginx-ingress-controller \
-    --default-backend-service=${POD_NAMESPACE}/ingress-error-pages \
-    --configmap=${POD_NAMESPACE}/ingress-conf \
-    --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
-    --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp
+COMMAND="${@:-start}"
+
+function start () {
+  exec /usr/bin/dumb-init \
+      /nginx-ingress-controller \
+      {{- if eq .Values.deployment.mode "namespace" }}
+      --watch-namespace ${POD_NAMESPACE} \
+      {{- end }}
+      --http-port=${PORT_HTTP} \
+      --https-port=${PORT_HTTPS} \
+      --election-id=${RELEASE_NAME} \
+      --ingress-class=${INGRESS_CLASS} \
+      --default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \
+      --configmap=${POD_NAMESPACE}/ingress-conf \
+      --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
+      --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
--- a/ingress/templates/bin/_ingress-error-pages.sh.tpl
+++ b/ingress/templates/bin/_ingress-error-pages.sh.tpl
@ -17,4 +17,10 @@ limitations under the License.
 */}}

 set -ex
-exec /server
+COMMAND="${@:-start}"
+
+if [ "x${COMMAND}" == "xstart" ]; then
+  exec /server
+elif [ "x${COMMAND}" == "xstop" ]; then
+  kill -TERM 1
+fi
--- a/ingress/templates/bin/_ingress-vip.sh.tpl
+++ b/ingress/templates/bin/_ingress-vip.sh.tpl
@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright 2018 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+COMMAND="${@:-start}"
+
+function kernel_modules () {
+  chroot /mnt/host-rootfs modprobe dummy
+}
+
+function test_vip () {
+  ip addr show ${interface} | \
+    awk "/inet / && /${interface}/{print \$2 }" | \
+    awk -F '/' '{ print $1 }' | \
+    grep -q "${addr%/*}"
+}
+
+function start () {
+  ip link show ${interface} > /dev/null || ip link add ${interface} type dummy
+  if ! test_vip; then
+   ip addr add ${addr} dev ${interface}
+  fi
+  ip link set ${interface} up
+}
+
+function sleep () {
+  exec bash -c "while :; do sleep 2073600; done"
+}
+
+function stop () {
+  ip link show ${interface} > /dev/null || exit 0
+  if test_vip; then
+   ip addr del ${addr} dev ${interface}
+  fi
+  if [ "$(ip address show ${interface} | \
+          awk "/inet / && /${interface}/{print \$2 }" | \
+          wc -l)" -le "0" ]; then
+    ip link set ${interface} down
+    ip link del ${interface}
+  fi
+}
+
+$COMMAND
--- a/ingress/templates/configmap-bin.yaml
+++ b/ingress/templates/configmap-bin.yaml
@ -22,6 +22,10 @@ kind: ConfigMap
 metadata:
  name: ingress-bin
 data:
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+  ingress-vip.sh: |
+{{ tuple "bin/_ingress-vip.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
  ingress-controller.sh: |+
 {{ tuple "bin/_ingress-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  ingress-error-pages.sh: |+
--- a/ingress/templates/configmap-conf.yaml
+++ b/ingress/templates/configmap-conf.yaml
@ -16,11 +16,18 @@ limitations under the License.

 {{- if .Values.manifests.configmap_conf }}
 {{- $envAll := . }}
+
+{{- if and .Values.network.host_namespace .Values.network.vip.manage -}}
+{{- if empty (index .Values.conf.ingress "bind-address") -}}
+{{- set .Values.conf.ingress "bind-address" ( .Values.network.vip.addr | split "/" )._0  | quote | trunc 0 -}}
+{{- end -}}
+{{- end -}}
+
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ingress-conf
 data:
-{{ toYaml .Values.config.controller | indent 2 }}
+{{ toYaml .Values.conf.ingress | indent 2 }}
 {{- end }}
--- a/ingress/templates/configmap-services-tcp.yaml
+++ b/ingress/templates/configmap-services-tcp.yaml
@ -21,8 +21,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ingress-services-tcp
-{{- if not (empty $envAll.Values.config.services.tcp) }}
+{{- if not (empty $envAll.Values.conf.services.tcp) }}
 data:
-{{ toYaml $envAll.Values.config.services.tcp | indent 2 }}
+{{ toYaml $envAll.Values.conf.services.tcp | indent 2 }}
 {{- end }}
 {{- end }}
--- a/ingress/templates/configmap-services-udp.yaml
+++ b/ingress/templates/configmap-services-udp.yaml
@ -21,8 +21,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ingress-services-udp
-{{- if not (empty $envAll.Values.config.services.udp) }}
+{{- if not (empty $envAll.Values.conf.services.udp) }}
 data:
-{{ toYaml $envAll.Values.config.services.udp | indent 2 }}
+{{ toYaml $envAll.Values.conf.services.udp | indent 2 }}
 {{- end }}
 {{- end }}
--- a/ingress/templates/deployment-error.yaml
+++ b/ingress/templates/deployment-error.yaml
@ -38,7 +38,7 @@ spec:
 {{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
-      terminationGracePeriodSeconds: 60
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.error_pages.timeout | default "60" }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
@ -57,6 +57,13 @@ spec:
            - containerPort: 8080
          command:
            - /tmp/ingress-error-pages.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/ingress-error-pages.sh
+                  - stop
          volumeMounts:
            - name: ingress-bin
              mountPath: /tmp/ingress-error-pages.sh
--- a/ingress/templates/deployment-ingress.yaml
+++ b/ingress/templates/deployment-ingress.yaml
@ -18,13 +18,21 @@ limitations under the License.
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ingress }}

-{{- $serviceAccountName := "ingress-api"}}
+{{- if empty .Values.conf.controller.INGRESS_CLASS -}}
+{{- if eq .Values.deployment.mode "cluster" }}
+{{- set .Values.conf.controller "INGRESS_CLASS" .Values.deployment.cluster.class | quote | trunc 0 -}}
+{{- else if eq .Values.deployment.mode "namespace" }}
+{{- set .Values.conf.controller "INGRESS_CLASS" "nginx" | quote | trunc 0 -}}
+{{- end }}
+{{- end -}}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ingress" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: nginx-ingress-clusterrole
+  name: {{ $serviceAccountName }}
 rules:
  - apiGroups:
      - ""
@ -76,11 +84,11 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: nginx-ingress-clusterrole-nisa-binding
+  name: {{ $serviceAccountName }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: nginx-ingress-clusterrole
+  name: {{ $serviceAccountName }}
 subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
@ -89,7 +97,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
-  name: nginx-ingress-role
+  name: {{ $serviceAccountName }}
  namespace: {{ $envAll.Release.Namespace }}
 rules:
  - apiGroups:
@ -106,11 +114,7 @@ rules:
    resources:
      - configmaps
    resourceNames:
-      # Defaults to "<election-id>-<ingress-class>"
-      # Here: "<ingress-controller-leader>-<nginx>"
-      # This has to be adapted if you change either parameter
-      # when launching the nginx-ingress-controller.
-      - "ingress-controller-leader-nginx"
+      - {{ printf "%s-%s" .Release.Name .Values.conf.controller.INGRESS_CLASS | quote }}
    verbs:
      - get
      - update
@ -132,39 +136,39 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-  name: nginx-ingress-role-nisa-binding
+  name: {{ $serviceAccountName }}
  namespace: {{ $envAll.Release.Namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: nginx-ingress-role
+  name: {{ $serviceAccountName }}
 subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ $envAll.Release.Namespace }}
 ---
-{{- if eq .Values.deployment_type "Deployment" }}
+{{- if eq .Values.deployment.type "Deployment" }}
 apiVersion: apps/v1beta1
 kind: Deployment
-{{- else if eq .Values.deployment_type "DaemonSet" }}
+{{- else if eq .Values.deployment.type "DaemonSet" }}
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 {{- end }}
 metadata:
-  name: ingress-api
+  name: ingress
 spec:
-{{- if eq .Values.deployment_type "Deployment" }}
+{{- if eq .Values.deployment.type "Deployment" }}
  replicas: {{ .Values.pod.replicas.ingress }}
 {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
 {{- end }}
  template:
    metadata:
      labels:
-{{ tuple $envAll "ingress" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
        app: ingress-api
    spec:
      serviceAccountName: {{ $serviceAccountName }}
-{{- if eq .Values.deployment_type "Deployment" }}
+{{- if eq .Values.deployment.type "Deployment" }}
      affinity:
 {{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 {{- end }}
@ -174,11 +178,50 @@ spec:
      hostNetwork: true
 {{- end }}
      dnsPolicy: "ClusterFirstWithHostNet"
-      terminationGracePeriodSeconds: 60
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "60" }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+        - name: ingress-vip-kernel-modules
+          image: {{ .Values.images.tags.ingress }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - SYS_MODULE
+            runAsUser: 0
+          command:
+            - /tmp/ingress-vip.sh
+            - kernel_modules
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-vip.sh
+              subPath: ingress-vip.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              readOnly: true
+        - name: ingress-vip-init
+          image: {{ .Values.images.tags.ingress }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsUser: 0
+          env:
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
+          command:
+            - /tmp/ingress-vip.sh
+            - start
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-vip.sh
+              subPath: ingress-vip.sh
+              readOnly: true
+{{- end }}
      containers:
-        - name: ingress-api
+        - name: ingress
          image: {{ .Values.images.tags.ingress }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -203,21 +246,72 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
+            - name: PORT_HTTP
+              value: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: PORT_HTTPS
+              value: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: RELEASE_NAME
+              value: {{ .Release.Name | quote }}
+            - name: ERROR_PAGE_SERVICE
+              value: {{ tuple "ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controller | indent 12 }}
          ports:
-            - containerPort: 80
-              hostPort: 80
-            - containerPort: 443
-              hostPort: 443
+            - containerPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            {{- if .Values.network.host_namespace }}
+              hostPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            {{- end }}
+            - containerPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            {{- if .Values.network.host_namespace }}
+              hostPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            {{- end }}
          command:
            - /tmp/ingress-controller.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/ingress-controller.sh
+                  - stop
          volumeMounts:
            - name: ingress-bin
              mountPath: /tmp/ingress-controller.sh
              subPath: ingress-controller.sh
              readOnly: true
-      volumes:
-      - name: ingress-bin
-        configMap:
-          name: ingress-bin
-          defaultMode: 0555
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+        - name: ingress-vip
+          image: {{ .Values.images.tags.ingress }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsUser: 0
+          env:
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
+          command:
+            - /tmp/ingress-vip.sh
+            - sleep
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/ingress-vip.sh
+                  - stop
+          volumeMounts:
+            - name: ingress-bin
+              mountPath: /tmp/ingress-vip.sh
+              subPath: ingress-vip.sh
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: ingress-bin
+          configMap:
+            name: ingress-bin
+            defaultMode: 0555
+      {{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+        - name: host-rootfs
+          hostPath:
+            path: /
+      {{- end }}
 {{- end }}
--- a/ingress/templates/endpoints-ingress.yaml
+++ b/ingress/templates/endpoints-ingress.yaml
@ -0,0 +1,53 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.endpoints_ingress }}
+{{- $envAll := . }}
+{{- if and .Values.network.host_namespace .Values.network.vip.manage -}}
+---
+apiVersion: "v1"
+kind: "Endpoints"
+metadata:
+  labels:
+{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+    endpoint: vip
+  name: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+subsets:
+ - addresses:
+      - ip: {{ ( .Values.network.vip.addr | split "/" )._0  | quote }}
+   ports:
+    - port: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      protocol: TCP
+      name: http
+    - port: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      protocol: TCP
+      name: https
+    {{- if not (empty $envAll.Values.conf.services.tcp) }}
+    {{range $key, $value := $envAll.Values.conf.services.tcp -}}
+    - port: {{ $key }}
+      protocol: TCP
+      name: {{ cat ((( $value | split "/" )._1 | split ":" )._0  | trunc 8 ) $key | nospace | quote }}
+    {{ end -}}
+    {{- end }}
+    {{- if not (empty $envAll.Values.conf.services.udp) }}
+    {{range $key, $value := $envAll.Values.conf.services.udp -}}
+    - port: {{ $key }}
+      protocol: UDP
+      name: {{ cat ((( $value | split "/" )._1 | split ":" )._0  | trunc 8 ) $key | nospace | quote }}
+    {{ end -}}
+    {{- end }}
+{{- end }}
+{{- end }}
--- a/ingress/templates/ingress.yaml
+++ b/ingress/templates/ingress.yaml
@ -0,0 +1,40 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.ingress }}
+{{- $envAll := . }}
+{{- if eq .Values.deployment.mode "namespace" }}
+{{- if empty (index .Values.network.ingress.annotations "kubernetes.io/ingress.class") -}}
+{{- set .Values.network.ingress.annotations "kubernetes.io/ingress.class" .Values.deployment.cluster.class | quote | trunc 0 -}}
+{{- end -}}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ .Release.Namespace }}-{{ .Release.Name }}
+  annotations:
+{{ toYaml .Values.network.ingress.annotations | indent 4 }}
+spec:
+  rules:
+  - host: {{ printf "%s.%s.svc.%s" "*" .Release.Namespace .Values.endpoints.cluster_domain_suffix | quote }}
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+          servicePort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+{{- end }}
--- a/ingress/templates/service-error.yaml
+++ b/ingress/templates/service-error.yaml
@ -22,7 +22,7 @@ kind: Service
 metadata:
  labels:
 {{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  name: ingress-error-pages
+  name: {{ tuple "ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
  clusterIP: None
  ports:
--- a/ingress/templates/service-ingress.yaml
+++ b/ingress/templates/service-ingress.yaml
@ -21,18 +21,42 @@ apiVersion: v1
 kind: Service
 metadata:
  labels:
-    app: ingress-api
-  name: {{ .Values.endpoints.ingress.host }}
+{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+    endpoint: vip
+{{- end }}
+  name: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
+{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
+  clusterIP: None
+{{- end }}
  ports:
  - name: http
-    port: {{ .Values.endpoints.ingress.port.http }}
+    port: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
    protocol: TCP
-    targetPort: 80
+    targetPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
  - name: https
-    port: {{ .Values.endpoints.ingress.port.https }}
+    port: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
    protocol: TCP
-    targetPort: 443
+    targetPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+  {{- if not (empty $envAll.Values.conf.services.tcp) }}
+  {{range $key, $value := $envAll.Values.conf.services.tcp -}}
+  - name: {{ cat ((( $value | split "/" )._1 | split ":" )._0  | trunc 8 ) $key | nospace | quote }}
+    port: {{ $key }}
+    protocol: TCP
+    targetPort: {{ $key }}
+  {{ end -}}
+  {{- end }}
+  {{- if not (empty $envAll.Values.conf.services.udp) }}
+  {{range $key, $value := $envAll.Values.conf.services.udp -}}
+  - name: {{ cat ((( $value | split "/" )._1 | split ":" )._0  | trunc 8 ) $key | nospace | quote }}
+    port: {{ $key }}
+    protocol: UDP
+    targetPort: {{ $key }}
+  {{ end -}}
+  {{- end }}
+{{- if not (and .Values.network.host_namespace .Values.network.vip.manage) }}
  selector:
-    app: ingress-api
+{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
 {{- end }}
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@ -17,6 +17,12 @@
 # Declare name/value pairs to be passed into your templates.
 # name: value

+deployment:
+  mode: namespace
+  type: Deployment
+  cluster:
+    class: "nginx-cluster"
+
 images:
  tags:
    entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
@ -44,6 +50,11 @@ pod:
        rolling_update:
          max_unavailable: 1
          max_surge: 3
+    termination_grace_period:
+      server:
+        timeout: 60
+      error_pages:
+        timeout: 60
  resources:
    enabled: false
    ingress:
@ -66,7 +77,18 @@ labels:
  node_selector_value: enabled

 network:
-  host_namespace: true
+  host_namespace: false
+  vip:
+    manage: false
+    interface: ingress-vip
+    addr: 172.18.0.1/32
+  ingress:
+    annotations:
+      #NOTE(portdirect): if left blank this is populated from
+      # .deployment.cluster.class
+      kubernetes.io/ingress.class: null
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+  external_policy_local: false

 dependencies:
  error_pages:
@ -75,21 +97,35 @@ dependencies:
    jobs: null

 endpoints:
+  cluster_domain_suffix: cluster.local
  ingress:
-    host: openstack
+    hosts:
+      default: ingress
+      error_pages: ingress-error-pages
+    host_fqdn_override:
+      default: null
    port:
-      http: 80
-      https: 443
+      http:
+        default: 80
+      https:
+        default: 443

-deployment_type: DaemonSet
-
-config:
+conf:
  controller:
+    #NOTE(portdirect): if left blank this is populated from
+    # .deployment.cluster.class in cluster mode, or set to
+    # "nginx" in namespace mode
+    INGRESS_CLASS: null
+  ingress:
    enable-underscores-in-headers: "true"
+    #NOTE(portdirect): if left blank this is populated from
+    # .network.vip.addr when running in host networking
+    # and .network.vip.manage=true, otherwise it is left as
+    # an empty string (the default).
+    bind-address: null
  services:
    tcp: null
-    udp:
-      53: "kube-system/kube-dns:53"
+    udp: null

 manifests:
  configmap_bin: true
@ -98,5 +134,7 @@ manifests:
  configmap_services_udp: true
  deployment_error: true
  deployment_ingress: true
+  endpoints_ingress: true
+  ingress: true
  service_error: true
  service_ingress: true
--- a/tools/deployment/common/ingress.sh
+++ b/tools/deployment/common/ingress.sh
@ -1,28 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-set -xe
-
-#NOTE: Deploy command
-helm install ./ingress \
-  --namespace=openstack \
-  --name=ingress
-
-#NOTE: Wait for deploy
-./tools/deployment/common/wait-for-pods.sh openstack
-
-#NOTE: Display info
-helm status ingress
--- a/tools/deployment/developer/03-ingress.sh
+++ b/tools/deployment/developer/03-ingress.sh
@ -1 +0,0 @@
-../common/ingress.sh
--- a/tools/deployment/developer/03-ingress.sh
+++ b/tools/deployment/developer/03-ingress.sh
@ -0,0 +1,44 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Pull images and lint chart
+make pull-images ingress
+
+#NOTE: Deploy global ingress
+helm install ./ingress \
+  --namespace=kube-system \
+  --name=ingress-kube-system \
+  --set deployment.mode=cluster \
+  --set deployment.type=DaemonSet \
+  --set network.host_namespace=true \
+  --set network.vip.manage=true \
+  --set network.vip.addr=172.18.0.1/32 \
+  --set conf.services.udp.53='kube-system/kube-dns:53'
+
+#NOTE: Deploy namespace ingress
+helm install ./ingress \
+  --namespace=openstack \
+  --name=ingress-openstack
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Display info
+helm status ingress-kube-system
+helm status ingress-openstack
--- a/tools/deployment/multinode/020-ingress.sh
+++ b/tools/deployment/multinode/020-ingress.sh
@ -1 +0,0 @@
-../common/ingress.sh
--- a/tools/deployment/multinode/020-ingress.sh
+++ b/tools/deployment/multinode/020-ingress.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Deploy global ingress
+helm install ./ingress \
+  --namespace=kube-system \
+  --name=ingress-kube-system \
+  --set pod.replicas.error_page=2 \
+  --set deployment.mode=cluster \
+  --set deployment.type=DaemonSet \
+  --set network.host_namespace=true \
+  --set conf.services.udp.53='kube-system/kube-dns:53'
+
+#NOTE: Deploy namespace ingress
+helm install ./ingress \
+  --namespace=openstack \
+  --name=ingress-openstack \
+  --set pod.replicas.ingress=2 \
+  --set pod.replicas.error_page=2
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Display info
+helm status ingress-kube-system
+helm status ingress-openstack