Ingress fix (#4024)

* Fixes ingress and kube 1.16 version issue * Update Changelog * More test * Fix ingress tests
cloudfoundry · Nov 28, 2019 · d499609 · d499609
1 parent b9e8bef
commit d499609
Show file tree

Hide file tree

Showing 7 changed files with 94 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,10 +4,13 @@
 
 [Full Changelog](https://github.com/cloudfoundry/stratos/compare/2.6.0...2.6.1)
 
-This release contains two fixes:
+This release contains a few fixes:
 
 **Fixes:**
 
+- Helm Chart does not work with Kubernetes 1.16 [\#4022](https://github.com/cloudfoundry/stratos/issues/4022)
+- Generated Ingress certificates during Kubernetes deployment are empty [\#4006](https://github.com/cloudfoundry/stratos/issues/4006)
+- Kubernetes Ingress certificate is incorrectly set [\#4005](https://github.com/cloudfoundry/stratos/issues/4005)
 - Update metric used for cells [\#4009](https://github.com/cloudfoundry/stratos/pull/4009)
 - Fix incorrect SSO behaviour following 2.4.0 --> 2.6.0 upgrade [\#4015](https://github.com/cloudfoundry/stratos/pull/4015)
 

diff --git a/deploy/kubernetes/build.sh b/deploy/kubernetes/build.sh
@@ -26,8 +26,9 @@ ADD_OFFICIAL_TAG="false"
 TAG_LATEST="false"
 NO_PUSH="true"
 DOCKER_REG_DEFAULTS="true"
+CHART_ONLY="false"
 
-while getopts ":ho:r:t:Tclb:On" opt; do
+while getopts ":ho:r:t:Tclb:Op" opt; do
   case $opt in
     h)
       echo
@@ -64,6 +65,9 @@ while getopts ":ho:r:t:Tclb:On" opt; do
     p)
       NO_PUSH="false"
       ;;      
+    c)
+      CHART_ONLY="true"
+      ;;      
     \?)
       echo "Invalid option: -${OPTARG}" >&2
       exit 1
@@ -175,22 +179,24 @@ cleanup
 
 updateTagForRelease
 
-# Build all of the components that make up the Console
+if [ "${CHART_ONLY}" == "false" ]; then
+  # Build all of the components that make up the Console
 
-log "-- Build & publish the runtime container image for Jetstream (backend)"
-patchAndPushImage stratos-jetstream deploy/Dockerfile.bk "${STRATOS_PATH}" prod-build
+  log "-- Build & publish the runtime container image for Jetstream (backend)"
+  patchAndPushImage stratos-jetstream deploy/Dockerfile.bk "${STRATOS_PATH}" prod-build
 
-# Build the postflight container
-log "-- Build & publish the runtime container image for the postflight job"
-patchAndPushImage stratos-postflight-job deploy/Dockerfile.bk "${STRATOS_PATH}" postflight-job
+  # Build the postflight container
+  log "-- Build & publish the runtime container image for the postflight job"
+  patchAndPushImage stratos-postflight-job deploy/Dockerfile.bk "${STRATOS_PATH}" postflight-job
 
-# Build and push an image based on the mariab db container
-log "-- Building/publishing MariaDB"
-patchAndPushImage stratos-mariadb Dockerfile.mariadb "${STRATOS_PATH}/deploy/db"
+  # Build and push an image based on the mariab db container
+  log "-- Building/publishing MariaDB"
+  patchAndPushImage stratos-mariadb Dockerfile.mariadb "${STRATOS_PATH}/deploy/db"
 
-# Build and push an image based on the nginx container (Front-end)
-log "-- Building/publishing the runtime container image for the Console web server (frontend)"
-patchAndPushImage stratos-console deploy/Dockerfile.ui "${STRATOS_PATH}" prod-build
+  # Build and push an image based on the nginx container (Front-end)
+  log "-- Building/publishing the runtime container image for the Console web server (frontend)"
+  patchAndPushImage stratos-console deploy/Dockerfile.ui "${STRATOS_PATH}" prod-build
+fi
 
 log "-- Building Helm Chart"
 

diff --git a/deploy/kubernetes/console/templates/__helpers.tpl b/deploy/kubernetes/console/templates/__helpers.tpl
@@ -106,6 +106,24 @@ tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
 {{- end -}}
 
+{{/*
+Generate self-signed certificate for ingress if needed
+*/}}
+{{- define "console.generateIngressCertificate" -}}
+{{- $altNames := list (printf "%s" .Values.console.service.ingress.host) (printf "%s.%s" (include "console.certName" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "console.certName" .) .Release.Namespace ) -}}
+{{- $ca := genCA "stratos-ca" 365 -}}
+{{- $cert := genSignedCert ( include "console.certName" . ) nil $altNames 365 $ca -}}
+{{- if .Values.console.service.ingress.tls.crt }}
+  tls.crt: {{ .Values.console.service.ingress.tls.crt | b64enc | quote }}
+{{- else }}
+  tls.crt: {{ $cert.Cert | b64enc | quote }}
+{{- end -}}
+{{- if .Values.console.service.ingress.tls.key }}
+  tls.key: {{ .Values.console.service.ingress.tls.key | b64enc | quote }}
+{{- else }}
+  tls.key: {{ $cert.Key | b64enc | quote }}
+{{- end -}}
+{{- end -}}
 
 {{/*
 Ingress Host from .Values.console.service

diff --git a/deploy/kubernetes/console/templates/deployment.yaml b/deploy/kubernetes/console/templates/deployment.yaml
@@ -1,5 +1,9 @@
 ---
+{{- if semverCompare ">=1.16" (printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor)}}
+apiVersion: apps/v1
+{{- else }}
 apiVersion: apps/v1beta1
+{{- end }}
 kind: StatefulSet
 metadata:
   name: stratos
@@ -309,7 +313,11 @@ spec:
           name: {{ .Values.console.templatesConfigMapName }}
       {{- end }}
 ---
+{{- if semverCompare ">=1.16" (printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor)}}
+apiVersion: apps/v1
+{{- else }}
 apiVersion: extensions/v1beta1
+{{- end }}
 kind: Deployment
 metadata:
   name: stratos-db

diff --git a/deploy/kubernetes/console/templates/ingress.yaml b/deploy/kubernetes/console/templates/ingress.yaml
@@ -21,20 +21,26 @@ metadata:
     app.kubernetes.io/component: "console-ingress-tls"
     helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 data:
-  tls.crt: {{ .Values.console.service.ingress.tls.crt | default "" | b64enc | quote }}
-  tls.key: {{ .Values.console.service.ingress.tls.key | default "" | b64enc | quote }}
+{{ template "console.generateIngressCertificate" . }}
 {{- end }}
 
 ---
 # Ingress for the Console UI service
+{{- if semverCompare ">=1.16" (printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor) }}
+apiVersion: "networking.k8s.io/v1beta1"
+{{- else }}
 apiVersion: "extensions/v1beta1"
+{{- end }}
 kind: "Ingress"
 metadata:
   name: "{{ .Release.Name }}-ingress"
   annotations:
     {{- if hasKey .Values.console.service.ingress.annotations "kubernetes.io/ingress.class" | not -}}
       {{ $_ := set .Values.console.service.ingress.annotations "kubernetes.io/ingress.class" "nginx" }}
     {{- end }}
+    {{- if hasKey .Values.console.service.ingress.annotations "kubernetes.io/ingress.allow-http" | not -}}
+      {{ $_ := set .Values.console.service.ingress.annotations "kubernetes.io/ingress.allow-http" "false" }}
+    {{- end }}
     {{- if hasKey .Values.console.service.ingress.annotations "nginx.ingress.kubernetes.io/secure-backends" | not -}}
       {{ $_ := set .Values.console.service.ingress.annotations "nginx.ingress.kubernetes.io/secure-backends" "true" }}
     {{- end }}
@@ -60,7 +66,7 @@ metadata:
 {{- end }}    
 spec:
   tls:
-  - secretName: {{ default "{{ .Release.Name }}-ingress-tls" .Values.console.service.ingress.secretName | quote }}
+  - secretName: {{ default (print .Release.Name "-ingress-tls") .Values.console.service.ingress.secretName | quote }}
     hosts:
     - {{ template "ingress.host" . }}
   rules:

diff --git a/deploy/kubernetes/console/tests/ingress_test.yaml b/deploy/kubernetes/console/tests/ingress_test.yaml
@@ -47,10 +47,9 @@ tests:
       - equal:
           path: kind
           value: "Secret"
-      - equal:
+      - isNotEmpty:
           path: data.tls\.crt
-          value: ""
-      - equal:
+      - isNotEmpty:
           path: data.tls\.key
           value: ""
   - it: should create secret with specified values
@@ -147,6 +146,7 @@ tests:
       - equal:
           path: metadata.annotations
           value:
+            kubernetes.io/ingress.allow-http: "false"
             kubernetes.io/ingress.class: "nginx"
             nginx.ingress.kubernetes.io/secure-backends: "true"
             nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
@@ -171,6 +171,7 @@ tests:
       - equal:
           path: metadata.annotations
           value:
+            kubernetes.io/ingress.allow-http: "false"
             kubernetes.io/ingress.class: "nginx"
             nginx.ingress.kubernetes.io/secure-backends: "true"
             nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
@@ -196,6 +197,7 @@ tests:
           path: metadata.annotations
           value:
             test-annotation: "test"
+            kubernetes.io/ingress.allow-http: "false"
             kubernetes.io/ingress.class: "nginx"
             nginx.ingress.kubernetes.io/secure-backends: "true"
             nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

diff --git a/deploy/kubernetes/console/tests/kube_version_test.yaml b/deploy/kubernetes/console/tests/kube_version_test.yaml
@@ -0,0 +1,31 @@
+suite: test stratos deployment with kube versions
+templates:
+  - deployment.yaml
+tests:
+  - it: should use newer API versions when kube >= 1.16
+    capabilities:
+      kubeVersion:
+        major: 1
+        minor: 16
+    asserts:
+      - equal:
+          path: apiVersion
+          value: apps/v1
+  - it: should use newer API versions when kube >= 2
+    capabilities:
+      kubeVersion:
+        major: 2
+        minor: 1
+    asserts:
+      - equal:
+          path: apiVersion
+          value: apps/v1
+  - it: should use older API versions when kube < 1.16
+    capabilities:
+      kubeVersion:
+        major: 1
+        minor: 14
+    asserts:
+      - equal:
+          path: apiVersion
+          value: apps/v1beta1