diff --git a/.bumpversion.cfg b/.bumpversion.cfg
deleted file mode 100644
index f176a50..0000000
--- a/.bumpversion.cfg
+++ /dev/null
@@ -1,32 +0,0 @@
-[bumpversion]
-commit = True
-tag = True
-current_version = 1.13.1
-parse = (?P\d+)\.(?P\d+)\.(?P\d+)(\-rc(?P\d+))?
-serialize =
- {major}.{minor}.{patch}-rc{rc}
- {major}.{minor}.{patch}
-
-[bumpversion:file:examples/nginx-config/Furyfile.yml]
-search = version: v{current_version}
-replace = version: v{new_version}
-
-[bumpversion:file:examples/nginx-default-ssl-certificate/Furyfile.yml]
-search = version: v{current_version}
-replace = version: v{new_version}
-
-[bumpversion:file:katalog/nginx/kustomization.yaml]
-search = module.kfd.sighup.io/version: "v{current_version}"
-replace = module.kfd.sighup.io/version: "v{new_version}"
-
-[bumpversion:file:katalog/dual-nginx/kustomization.yaml]
-search = module.kfd.sighup.io/version: "v{current_version}"
-replace = module.kfd.sighup.io/version: "v{new_version}"
-
-[bumpversion:file:katalog/cert-manager/kustomization.yaml]
-search = module.kfd.sighup.io/version: "v{current_version}"
-replace = module.kfd.sighup.io/version: "v{new_version}"
-
-[bumpversion:file:katalog/forecastle/kustomization.yaml]
-search = module.kfd.sighup.io/version: "v{current_version}"
-replace = module.kfd.sighup.io/version: "v{new_version}"
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 5b25eb3..0000000
--- a/Makefile
+++ /dev/null
@@ -1,104 +0,0 @@
-.DEFAULT_GOAL: help
-SHELL := /bin/bash
-
-PROJECTNAME := "fury-kubernetes-ingress"
-VERSION := $(shell (git for-each-ref refs/tags --sort=-taggerdate --format='%(refname)' --count=1 | sed -Ee 's/^refs\/tags\/v|-.*//'))
-
-.PHONY: help
-all: help
-help: Makefile
- @echo
- @echo " Choose a command to run in "$(PROJECTNAME)":"
- @echo
- @sed -n 's/^##//p' $< | column -t -s ':' | sed -e 's/^/ /'
- @echo
-
-.PHONY: version
-## version: lists the latest version of tool
-version:
- @echo v$(VERSION)
-
-check-variable-%: # detection of undefined variables.
- @[[ "${${*}}" ]] || (echo '*** Please define variable `${*}` ***' && exit 1)
-
-check-release-file-%: # checks if a release doc exists
- $(eval tag := `echo "${*}" | sed -e "s/-rc.//"`)
- $(eval release_file := "docs/releases/${tag}.md")
- @test -f ${release_file} || (echo "*** Please define file ${release_file} ***" && exit 1)
-
-bumpversion-requirements: check-docker
- @docker build --no-cache --pull --target bumpversion-requirement -f build/builder/Dockerfile -t ${PROJECTNAME}:local-bumpversion-requirements .
-
-SEMVER_TYPES := major minor patch
-BUMP_TARGETS := $(addprefix bump-,$(SEMVER_TYPES))
-.PHONY: $(BUMP_TARGETS)
-## bump-major: Bumps the module up by a major version
-## bump-minor: Bumps the module up by a minor version
-## bump-patch: Bumps the module up by a patch version
-$(BUMP_TARGETS): bumpversion-requirements
- $(eval bump_type := $(strip $(word 2,$(subst -, ,$@))))
- @echo "Making a ${bump_type} tag"
- @docker run --rm -v ~/.gitconfig:/etc/gitconfig -v ${PWD}:/src -w /src ${PROJECTNAME}:local-bumpversion-requirements $(bump_type)
- @$(MAKE) clean-bumpversion-requirements
-
-## bump-rc: Bumps the module up by a release candidate (this only adds a tag, and not bump the version in labels)
-.PHONY:
-bump-rc: check-variable-TAG check-release-file-$(TAG)
- @echo "Making ${TAG} tag"
- @git tag ${TAG}
-
-
-check-%: # detection of required software.
- @which ${*} > /dev/null || (echo '*** Please install `${*}` ***' && exit 1)
-
-license-requirements: check-docker
- @docker build --no-cache --pull --target add-license-requirement -f build/builder/Dockerfile -t ${PROJECTNAME}:local-license-requirements .
-
-## add-license: Add license headers in all files in the project
-add-license: license-requirements
- @docker run --rm -v ${PWD}:/src -w /src ${PROJECTNAME}:local-license-requirements addlicense -c "SIGHUP s.r.l" -v -l bsd .
- @$(MAKE) clean-license-requirements
-
-## check-license: Check license headers are in-place in all files in the project
-check-license: check-docker
- @docker build --no-cache --pull --target check-license -f build/builder/Dockerfile -t ${PROJECTNAME}:local-license .
- @$(MAKE) clean-license
-
-## check-label: Check if labels are present in all kustomization files
-check-label: check-docker
- @docker build --no-cache --pull --target checklabel -f build/builder/Dockerfile -t ${PROJECTNAME}:checklabel .
-
-## lint: Run the policeman over the repository
-lint: check-docker
- @docker build --no-cache --pull --target linter -f build/builder/Dockerfile -t ${PROJECTNAME}:local-lint .
- @$(MAKE) clean-lint
-
-## deploy-all: Deploys all the components in the ingress module
-deploy-all: deploy-nginx deploy-cert-manager deploy-forecastle
-
-## deploy-nginx: Deploys `nginx` componenet
-deploy-nginx: check-kustomize check-kubectl
- @kustomize build katalog/nginx | kubectl apply -f-
-
-## deploy-nginx-dual: Deploys `nginx-dual` componenet
-deploy-nginx-dual: check-kustomize check-kubectl
- @kustomize build katalog/dual-nginx | kubectl apply -f-
-
-## deploy-cert-manager: Deploys `cert-manager` componenet
-deploy-cert-manager: check-kustomize check-kubectl
- @kustomize build katalog/cert-manager | kubectl apply -f-
-
-## deploy-forecastle: Deploys `forecastle` componenet
-deploy-forecastle: check-kustomize check-kubectl
- @kustomize build katalog/forecastle | kubectl apply -f-
-
-## clean-%: Clean the container image resulting from another target. make build clean-build
-clean-%:
- @docker rmi -f ${PROJECTNAME}:local-${*}
-
-jsonbuilder:
- @docker build --no-cache --pull --target jsonbuilder -f build/builder/Dockerfile -t ${PROJECTNAME}:jsonbuilder .
-
-## build-canonical-json: Build a canonical JSON for any tag of module, only to be run inside a clean working directory
-build-canonical-json: check-docker check-variable-TAG jsonbuilder
- @docker run -ti --rm -v $(PWD):/app -w /app ${PROJECTNAME}:jsonbuilder module-json -m=$(PROJECTNAME) -v=${TAG} .
diff --git a/README.md b/README.md
index 531f95a..8076b5f 100644
--- a/README.md
+++ b/README.md
@@ -5,11 +5,12 @@ -![Release](https://img.shields.io/badge/Latest%20Release-v2.3.2-blue) +![Release](https://img.shields.io/badge/Latest%20Release-v2.3.3-blue) ![License](https://img.shields.io/github/license/sighupio/fury-kubernetes-ingress?label=License) ![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack&label=Slack) + **Kubernetes Fury Ingress** provides Ingress Controllers to expose services and TLS certificate management solutions for the [Kubernetes Fury Distribution (KFD)][kfd-repo]. If you are new to KFD please refer to the [official documentation][kfd-docs] on how to get started with KFD. 
@@ -38,8 +39,8 @@ Kubernetes Fury Ingress provides the following packages: | Package | Version | Description | | --------------------------------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------- | -| [nginx](katalog/nginx) | `v1.9.6` | The NGINX Ingress Controller for Kubernetes provides delivery services for Kubernetes applications. | -| [dual-nginx](katalog/dual-nginx) | `v1.9.6` | It deploys two identical NGINX ingress controllers but with two different scopes: public/external and private/internal. | +| [nginx](katalog/nginx) | `v1.11.2` | The NGINX Ingress Controller for Kubernetes provides delivery services for Kubernetes applications. | +| [dual-nginx](katalog/dual-nginx) | `v1.11.2` | It deploys two identical NGINX ingress controllers but with two different scopes: public/external and private/internal. | | [cert-manager](katalog/cert-manager) | `v1.14.2` | cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. | | [external-dns](katalog/external-dns) | `v0.14.0` | external-dns allows you to manage DNS records natively from Kubernetes. | | [forecastle](katalog/forecastle) | `v1.0.136` | Forecastle gives you access to a control panel where you can see your ingresses and access them on Kubernetes. | 
@@ -55,17 +56,16 @@ Kubernetes Fury Ingress provides the following packages: | `1.28.x` | :white_check_mark: | No known issues | | `1.29.x` | :white_check_mark: | No known issues | - Check the [compatibility matrix][compatibility-matrix] for additional information on previous releases of the module. ## Usage ### Prerequisites -| Tool | Version | Description | -| --------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Tool | Version | Description | +| --------------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [furyctl][furyctl-repo] | `>=0.25.0` | The recommended tool to download and manage KFD modules and their packages. To learn more about `furyctl` read the [official documentation][furyctl-repo]. | -| [kustomize][kustomize-repo] | `>=3.5.3` | Packages are customized using `kustomize`. To learn how to create your customization layer with `kustomize`, please refer to the [repository][kustomize-repo]. | +| [kustomize][kustomize-repo] | `>=3.10.0` | Packages are customized using `kustomize`. To learn how to create your customization layer with `kustomize`, please refer to the [repository][kustomize-repo]. | ### Single vs Dual Controller 
@@ -88,7 +88,7 @@ For both Single and Dual NGINX the Kubernetes Fury Ingress module has the follow - Metrics are scraped by Prometheus every `10s` - Validating Admission webhook that validates an ingress definition does not break NGINX configuration. -Additionally, the following Prometheus [alerts][prometheus-alerts-page] are set up by default: +Additionally, the following Prometheus Rules for [alerts][prometheus-alerts-page] are set up by default: | Parameter | Description | Severity | Interval | | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | :------: | @@ -118,9 +118,9 @@ To deploy the `cert-manager` package: ```yaml bases: - name: ingress/dual-nginx - version: "v2.3.2" + version: "v2.3.3" - name: ingress/cert-manager - version: "v2.3.2" + version: "v2.3.3" ``` 2. Execute `furyctl vendor -H` to download the packages @@ -131,7 +131,7 @@ bases: ```yaml resources: -- ./vendor/katalog/ingress/cert-manager + - ./vendor/katalog/ingress/cert-manager ``` For the `dual-nginx` you will need to patch the `ClusterIssuer` resource with the right ingress class: @@ -139,18 +139,18 @@ For the `dual-nginx` you will need to patch the `ClusterIssuer` resource with th ```yml --- patchesJson6902: - - target: - group: cert-manager.io - version: v1 - kind: ClusterIssuer - name: letsencrypt-staging - path: patches/dual-nginx.yml - - target: - group: cert-manager.io - version: v1 - kind: ClusterIssuer - name: letsencrypt-prod - path: patches/dual-nginx.yml + - target: + group: cert-manager.io + version: v1 + kind: ClusterIssuer + name: letsencrypt-staging + path: patches/dual-nginx.yml + - target: + group: cert-manager.io + version: v1 + kind: ClusterIssuer + name: letsencrypt-prod + path: patches/dual-nginx.yml ``` and in the `patches/dual-nginx.yml`: 
@@ -179,7 +179,7 @@ Single Ingress: ```yaml bases: - name: ingress/nginx - version: "v2.3.2" + version: "v2.3.3" ``` Dual Ingress: @@ -189,9 +189,9 @@ Dual Ingress: ```yaml bases: - name: ingress/nginx - version: "v2.3.2" + version: "v2.3.3" - name: ingress/dual-nginx - version: "v2.3.2" + version: "v2.3.3" ``` > See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format. @@ -204,7 +204,7 @@ bases: ```yaml resources: -- ./vendor/katalog/ingress + - ./vendor/katalog/ingress ``` 5. Apply the necessary patches. You can find a list of common customization [here](#common-customizations). @@ -263,11 +263,11 @@ To deploy the `forecastle` package: ```yaml bases: - name: ingress/dual-nginx - version: "v2.3.2" + version: "v2.3.3" - name: ingress/cert-manager - version: "v2.3.2" + version: "v2.3.3" - name: ingress/forecastle - version: "v2.3.2" + version: "v2.3.3" ``` 2. Execute `furyctl legacy vendor -H` to download the packages @@ -278,7 +278,7 @@ bases: ```yaml resources: -- ./vendor/katalog/ingress/forecastle + - ./vendor/katalog/ingress/forecastle ``` 5. Finally, execute the following command to deploy the package: 
@@ -300,13 +300,14 @@ Add the following annotations to your ingresses to be discovered by Forecastle: | `forecastle.stakater.com/appName` | A custom name for your application. Default is the name of the ingress | `false` | | `forecastle.stakater.com/group` | A custom group name. Use if you want the application to show in a different group than the namespace it belongs to | `false` | | `forecastle.stakater.com/instance` | A comma-separated list of name/s of the forecastle instance/s where you want this application to appear. Use when you have multiple forecastle dashboards | `false` | -| `forecastle.stakater.com/url` | A URL for the forecastle app (This will override the ingress URL). It *must* begin with a scheme i.e. `http://` or `https://` | `false` | +| `forecastle.stakater.com/url` | A URL for the forecastle app (This will override the ingress URL). It _must_ begin with a scheme i.e. `http://` or `https://` | `false` | | `forecastle.stakater.com/properties` | A comma separate list of key-value pairs for the properties. This will appear as an expandable list for the app | `false` | | `forecastle.stakater.com/network-restricted` | Specify whether the application is network restricted or not (true or false) | `false` | > See Forecastle [official repository][forecastle-repository] for more details. + [furyctl-repo]: https://github.com/sighupio/furyctl [sighup-page]: https://sighup.io [kfd-repo]: https://github.com/sighupio/fury-distribution @@ -319,9 +320,11 @@ Add the following annotations to your ingresses to be discovered by Forecastle: [forecastle-repository]: https://github.com/stakater/Forecastle/blob/v1.0.136/README.md [ingress-nginx-docs]: https://github.com/kubernetes/ingress-nginx [prometheus-alerts-page]: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + + ## Contributing Before contributing, please read first the [Contributing Guidelines](docs/CONTRIBUTING.md). 
@@ -333,4 +336,5 @@ In case you experience any problems with the module, please [open a new issue](h ## License This module is open-source and it's released under the following [LICENSE](LICENSE)
+
diff --git a/build/builder/Dockerfile b/build/builder/Dockerfile
deleted file mode 100644
index 2b5c0cb..0000000
--- a/build/builder/Dockerfile
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright (c) 2021 SIGHUP s.r.l All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-# hadolint ignore=DL3007
-FROM quay.io/sighup/policeman:latest as linter
-
-ENV VALIDATE_KUBERNETES_KUBEVAL="false"
-ENV VALIDATE_JSCPD="false"
-ENV VALIDATE_DOCKERFILE="false"
-
-RUN mkdir /app
-WORKDIR /app
-
-COPY . .
-
-RUN npm install -g embedme@1.22.0 && /entrypoint.sh && embedme --verify "**/*.md"
-
-FROM golang:1.16 as add-license-requirement
-
-RUN go get -u github.com/google/addlicense && addlicense -c "SIGHUP s.r.l" -v -l bsd .
-
-FROM golang:1.16 as check-license
-
-RUN go get -u github.com/google/addlicense && mkdir /app
-
-WORKDIR /app
-
-COPY . .
-
-RUN addlicense -c "SIGHUP s.r.l" -v -l bsd --check .
-
-FROM openpolicyagent/conftest:v0.28.1 as checklabel
-
-RUN mkdir /app
-WORKDIR /app
-
-COPY . .
-
-RUN conftest pull https://raw.githubusercontent.com/sighupio/ci-commons/main/conftest/kustomization/kfd-labels.rego && \
- conftest test katalog/**/kustomization.yaml
-
-FROM registry.sighup.io/poc/fury-repo-automations:v0.0.3 as jsonbuilder
-
-RUN mkdir /app
-WORKDIR /app
-
-COPY . .
-
-FROM python:3.9-alpine as bumpversion-requirement
-
-# hadolint ignore=DL3018
-RUN apk add git --no-cache && pip --no-cache-dir install bump2version==1.0.1
-
-ENTRYPOINT ["/usr/local/bin/bumpversion"]
diff --git a/docs/COMPATIBILITY_MATRIX.md b/docs/COMPATIBILITY_MATRIX.md
index 04b2b92..8b845ef 100644
--- a/docs/COMPATIBILITY_MATRIX.md
+++ b/docs/COMPATIBILITY_MATRIX.md
@@ -1,18 +1,14 @@ # Compatibility Matrix -| Module Version / Kubernetes Version | 1.20.X | 1.21.X | 1.22.X | 1.23.X | 1.24.X | 1.25.X | 1.26.X | 1.27.X | 1.28.X | 1.29.X | -| ----------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | -| v1.12.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | -| v1.13.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | -| v1.13.1 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | -| v1.14.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | -| v1.14.1 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | -| v2.0.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | -| v2.1.0 | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | -| v2.2.0 | | | | | | :white_check_mark: | :white_check_mark: |:white_check_mark: | | | -| v2.3.0 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| v2.3.1 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| v2.3.2 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| Module Version / Kubernetes Version | 1.23.X | 1.24.X | 1.25.X | 1.26.X | 1.27.X | 1.28.X | 1.29.X | +| ----------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | +| v2.0.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | +| v2.1.0 | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | +| v2.2.0 | | | :white_check_mark: | :white_check_mark: 
|:white_check_mark: | | | +| v2.3.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| v2.3.1 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| v2.3.2 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| v2.3.3 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: Compatible 
@@ -35,24 +31,29 @@ because it is not officially supported by [SIGHUP](https://sighup.io). ## Legacy versions -| Module Version / Kubernetes Version | 1.14.X | 1.15.X | 1.16.X | 1.17.X | 1.18.X | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | -| ----------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | --------- | ------ | -| v1.1.0 | | | | | | | | | | | -| v1.2.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | -| v1.3.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | -| v1.4.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | -| v1.5.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | -| v1.6.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | -| v1.6.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | -| v1.7.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | -| v1.8.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | -| v1.8.1 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | -| v1.8.2 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | -| v1.9.0 | | | | :warning: | :warning: | :warning: | :warning: | :warning: | | | -| v1.9.1 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | :warning: | | | -| v1.10.0 | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | -| v1.11.0 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | -| v1.11.1 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | -| v1.11.2 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | 
:warning: | | -| v1.12.0 | | | | | | | :x: | :x: | :x: | :x: | -| v1.12.1 | | | | | | | :x: | :x: | :x: | :x: | \ No newline at end of file +| Module Version / Kubernetes Version | 1.14.X | 1.15.X | 1.16.X | 1.17.X | 1.18.X | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | 1.24.X | 1.25.X | 1.26.X | +| ----------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | --------- | ------ | ------------------ | ------------------ | ------------------ | +| v1.1.0 | | | | | | | | | | | | | | +| v1.2.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | | +| v1.3.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | | +| v1.4.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | | +| v1.5.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | | +| v1.6.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | | +| v1.6.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | | +| v1.7.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | +| v1.8.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | | | +| v1.8.1 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | | | +| v1.8.2 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | | | +| v1.9.0 | | | | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | +| v1.9.1 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | :warning: | | | | | | +| v1.10.0 | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | +| v1.11.0 | | | | | | :white_check_mark: | :white_check_mark: | 
:white_check_mark: | :warning: | | | | | +| v1.11.1 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | +| v1.11.2 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | +| v1.12.0 | | | | | | | :x: | :x: | :x: | :x: | | | | +| v1.12.1 | | | | | | | :x: | :x: | :x: | :x: | | | | +| v1.12.2 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | +| v1.13.0 | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | +| v1.13.1 | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | +| v1.14.0 | | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| v1.14.1 | | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | diff --git a/docs/releases/v2.3.3.md b/docs/releases/v2.3.3.md new file mode 100644 index 0000000..3f79a29 --- /dev/null +++ b/docs/releases/v2.3.3.md 
@@ -0,0 +1,46 @@
+# Kubernetes Fury Ingress Core Module Release 2.3.3
+
+Welcome to the latest release of `Ingress` module of [`Kubernetes Fury Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP.
+
+This release updates the nginx package from v1.9.6 to v1.11.2 that inclues a fix to [CVE-2024-7646](https://github.com/kubernetes/kubernetes/issues/126744) and other bugfixes
+
+## Important Changes ⚠️
+
+Please notice that some [breaking changes have been included in v1.10.0 of the controller](https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.10.0):
+
+- Version v1.10.0 dropped Opentracing and zipkin modules, just Opentelemetry is supported as of this release
+- Version v1.10.0 dropped support for PodSecurityPolicy
+- Version v1.10.0 dropped support for GeoIP (legacy). Only GeoIP2 is supported
+
+The breaking changes do not impact default KFD installations, but check that you are not using some of these features before upgrading.
+
+## Component versions 🚢
+
+| Component | Supported Version | Previous Version |
+| ------------------ | ---------------------------------------------------------------------------------------- | ---------------- |
+| `cert-manager` | [`v1.14.2`](https://github.com/jetstack/cert-manager/releases/tag/v1.14.2) | `No update` |
+| `external-dns` | [`v0.14.0`](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.0) | `No update` |
+| `forecastle` | [`v1.0.136`](https://github.com/stakater/Forecastle/releases/tag/v1.0.136) | `No update` |
+| `nginx` | [`v1.11.2`](https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.2) | `v1.9.6` |
+| `aws-cert-manager` | N.A. | `No update` |
+| `aws-external-dns` | N.A. | `No update` |
+
+> Please refer the individual release notes to get a more detailed information on each release.
+
+## Update Guide 🦮
+
+> ℹ️ **INFO**
+>
+> This update guide is for users of the module and not of the Distribution or users still on furyctl legacy. If you are a KFD user, the update is performed auomatically by furyctl.
+
+### Process
+
+First, check the [Important Changes](#important-changes-) section above.
+
+Then, to upgrade this core module from `v2.3.2` to `v2.3.3`, you need to download this new version and apply the instructions below.
+
+```bash
+kustomize build | kubectl apply -f -
+```
+
+Also for the terraform modules, run `terraform init -upgrade` , then apply the new version.
diff --git a/katalog/cert-manager/README.md b/katalog/cert-manager/README.md
index b864b03..fffe08b 100644
--- a/katalog/cert-manager/README.md
+++ b/katalog/cert-manager/README.md
@@ -33,9 +33,9 @@ To deploy the `cert-manager` package: ```yaml resources: - name: ingress/dual-nginx - version: "v2.3.2" + version: "v2.3.3" - name: ingress/cert-manager - version: "v2.3.2" + version: "v2.3.3" ``` 2. Execute `furyctl legacy vendor -H` to download the packages
diff --git a/katalog/dual-nginx/README.md b/katalog/dual-nginx/README.md
index 59a045d..6aa04f0 100644
--- a/katalog/dual-nginx/README.md
+++ b/katalog/dual-nginx/README.md
@@ -12,7 +12,7 @@ Ingress NGINX is an Ingress Controller for [NGINX][nginx-page] webserver and rev ## Image repository and tag -- Ingress NGINX image: `k8s.gcr.io/ingress-nginx/controller:v1.9.6` +- Ingress NGINX image: `k8s.gcr.io/ingress-nginx/controller:v1.11.2` - Ingress NGINX repo: [https://github.com/kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx) ## Configuration
@@ -48,7 +48,7 @@ bases: ```yaml resources: -- ./vendor/katalog/ingress/dual-nginx + - ./vendor/katalog/ingress/dual-nginx ``` 5. Apply the necessary patches. You can find a list of common customization [here](#common-customizations).
@@ -101,7 +101,7 @@ Followings Prometheus [alerts][prometheus-alerts] are already defined for this p ### ingress-nginx.rules | Parameter | Description | Severity | Interval | -|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|----------|:--------:| +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | :------: | | `NginxIngressDown` | This alert fires if Prometheus target discovery was not able to reach ingress-nginx-metrics in the last 15 minutes. | critical | 15m | | `NginxIngressFailureRate` | This alert fires if the failure rate (the rate of 5xx responses) measured on a time window of 2 minutes was higher than 10% in the last 10 minutes. | critical | 10m | | `NginxIngressFailedReload` | This alert fires if the ingress' configuration reload failed in the last 10 minutes. | warning | 10m | @@ -111,6 +111,7 @@ Followings Prometheus [alerts][prometheus-alerts] are already defined for this p | `NginxIngressCertificateExpiration` | This alert fires if the certificate for a given host is expiring in less than 1 day. | critical | | + [furyctl-repo]: https://github.com/sighupio/furyctl [nginx-page]: https://nginx.org [prometheus-alerts]: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ diff --git a/katalog/nginx/MAINTENANCE.md b/katalog/nginx/MAINTENANCE.md index 3c1dcdb..f31a561 100644 --- a/katalog/nginx/MAINTENANCE.md +++ b/katalog/nginx/MAINTENANCE.md 
@@ -1,23 +1,117 @@
 # NGINX ingress controller package maintenance guide
+> ⚠️ **WARNING**: this guide is not complete.
+>
+> You will find differences between the files from upstream to our manifests that are not explained in the instructions.
+> Please update this guide if you know how to align them.
+> See the [Expected Differences](#expected-differences) section for more details.
+
 To update NGINX ingress controller, follow the next steps:
-Go to the [NGINX ingress controller repository](https://github.com/kubernetes/ingress-nginx/) and check the latest release.
+## Getting upstream files - option 1
-Controller releases are published as `controller-vX.Y.Z` tags.
+1. Go to the [NGINX ingress controller repository](https://github.com/kubernetes/ingress-nginx/) and check the latest release.
-From the latest release download the zip file and extract it.
+> Controller releases are published as `controller-vX.Y.Z` tags.
-Check the folder `charts`, there should be a `ingress-nginx` folder.
+2. From the latest release download the zip file and extract it.
-Edit the value.yaml file and replace "Deployment" with "Daemonset"
+3. Check the folder `charts`, there should be a `ingress-nginx` folder.
 Helm template the content using the following command:
 ```bash
-helm template ingress-nginx ./charts/ingress-nginx -n ingress-nginx > templated-from-helm.yaml
+helm template ingress-nginx ./charts/ingress-nginx \
+--namespace ingress-nginx \
+--set fullNameOverride=ingress-nginx \
+--set controller.kind=DaemonSet \
+--set controller.image.registry=registry.sighup.io \
+--set controller.image.image=fury/ingress-nginx/controller \
+--set controller.image.pullPolicy=Always \
+--set controller.image.allowPrivilegeEscalation=true \
+--set controller.containerPort.http=8080 \
+--set controller.containerPort.https=8443 \
+--set controller.allowSnippetAnnotations=true \
+--set controller.service.type=NodePort \
+--set controller.service.nodePorts.http=31080 \
+--set controller.service.nodePorts.https=31443 \
+--set controller.service.externalTrafficPolicy=Local \
+--set controller.admissionWebhooks.port=9443 \
+--set controller.admissionWebhooks.service.servicePort=9443 \
+--set controller.admissionWebhooks.patch.enabled=false \
+--set controller.admissionWebhooks.certManager.enabled=true \
+--set controller.admissionWebhooks.certManager.enabled=true \
+--set controller.metrics.enabled=true \
+--set controller.metrics.serviceMonitor.enabled=true \
+--set controller.metrics.serviceMonitor.additionalLabels.k8s-app=ingress-nginx \
+--set controller.metrics.serviceMonitor.scrapeInterval=10s \
+--set controller.metrics.serviceMonitor.jobLabel=k8s-app \
+--set controller.metrics.prometheusRule.enabled=true \
+--set controller.metrics.prometheusRule.additionalLabels.prometheus=k8s \
+--set controller.customTemplate.configMapName=nginx-configuration \
+--set controller.config.enable-access-log-for-default-backend=true \
+--set controller.config.http-redirect-code=301 \
+--set controller.config.proxy-body-size=10m \
+--set controller.updateStrategy.type=RollingUpdate \
+--set controller.updateStrategy.rollingUpdate.maxSurge=1 \
+--set controller.updateStrategy.rollingUpdate.maxUnavailable=0 \
+--set controller.podSecurityContext.fsGroup=101 \
+--set controller.ingressClassResource.default=true \
+> templated-from-helm.yaml
+```
+
+## Getting upstream files - option 2
+
+Search for the version of the chart that installs your desired version of the controller (for example, chart v4.11.2 installs the controller v1.11.2) and run the following command:
+
+> ❗️ change the `--version` flag with the right verison.
+>
+> You can check the version of the controller in Ingress NGINX Controller's [Supported Versions Table](https://github.com/ralgozino/ingress-nginx?tab=readme-ov-file#supported-versions-table).
+
+```bash
+helm template ingress-nginx ingress-nginx \
+ --repo https://kubernetes.github.io/ingress-nginx \
+ --version 4.11.2 \
+ --namespace ingress-nginx \
+ --set fullNameOverride=ingress-nginx \
+ --set controller.kind=DaemonSet \
+ --set controller.image.registry=registry.sighup.io \
+ --set controller.image.image=fury/ingress-nginx/controller \
+ --set controller.image.pullPolicy=Always \
+ --set controller.image.allowPrivilegeEscalation=true \
+ --set controller.containerPort.http=8080 \
+ --set controller.containerPort.https=8443 \
+ --set controller.allowSnippetAnnotations=true \
+ --set controller.service.type=NodePort \
+ --set controller.service.nodePorts.http=31080 \
+ --set controller.service.nodePorts.https=31443 \
+ --set controller.service.externalTrafficPolicy=Local \
+ --set controller.admissionWebhooks.port=9443 \
+ --set controller.admissionWebhooks.service.servicePort=9443 \
+ --set controller.admissionWebhooks.patch.enabled=false \
+ --set controller.admissionWebhooks.certManager.enabled=true \
+ --set controller.admissionWebhooks.certManager.enabled=true \
+ --set controller.metrics.enabled=true \
+ --set controller.metrics.serviceMonitor.enabled=true \
+ --set controller.metrics.serviceMonitor.additionalLabels.k8s-app=ingress-nginx \
+ --set controller.metrics.serviceMonitor.scrapeInterval=10s \
+ --set controller.metrics.serviceMonitor.jobLabel=k8s-app \
+ --set controller.metrics.prometheusRule.enabled=true \
+ --set controller.metrics.prometheusRule.additionalLabels.prometheus=k8s \
+ --set controller.customTemplate.configMapName=nginx-configuration \
+ --set controller.config.enable-access-log-for-default-backend=true \
+ --set controller.config.http-redirect-code=301 \
+ --set controller.config.proxy-body-size=10m \
+ --set controller.updateStrategy.type=RollingUpdate \
+ --set controller.updateStrategy.rollingUpdate.maxSurge=1 \
+ --set controller.updateStrategy.rollingUpdate.maxUnavailable=0 \
+ --set controller.podSecurityContext.fsGroup=101 \
+ --set controller.ingressClassResource.default=true \
+ > templated-from-helm.yaml
 ```
+## Comparing the diff
+
 Create a dummy kustomize project with `templated-from-helm.yaml` as a resource and built it.
 ```bash
@@ -26,11 +120,15 @@ kustomize build dummy-project > templated-from-helm-to-kustomize.yaml
 Build the current nginx project and compare the output with the previous one.
+> 💡 TIP
+> Comment out the grafana dashboard resource from the katalog/ngnix/kustomization.yaml file.
+> It adds 5000 lines from the JSON that are not needed in the diff and may break your editor.
+
 ```bash
 kustomize build katalog/nginx > templated-from-katalog.yaml
 bcompare templated-from-katalog.yaml templated-from-helm-to-kustomize.yaml
-# OR
+# OR
 diff templated-from-katalog.yaml templated-from-helm-to-kustomize.yaml
 ```
@@ -38,8 +136,21 @@ Check the differences and port them to the `bases/controller` and `bases/configs
 Do the build and compare till there are no important differences.
+### Expected differences
+
+The following differences between our manifests and the upstream ones generated by the helm template command are excpected to be found:
+
+- Helm labels have been removed. A `app: ingress-nginx` label is used instead.
+- The specs for the Prometheus Rules generated by helm template will be empty for simplicity in the command.
+- [ ] FIXME: Some resources names won't match with the ones generated by the helm template command.
+- [ ] FIXME: Some flags for the controller command have been added.
+- [ ] FIXME: SecurityContext for the controller at container and Pod level don't match with upstream.
+- [ ] FIXME: certmanager Certificates objects for the AdmissionWebhook don't match between upstream and ours.
+
+Some of these differences are known issues and we should update the values that we use in the helm template command to align them, or update our manifests to match the upstream one..
+
 ## CHANGELOG
-### ConfigMap Pameters
+### ConfigMap Parameters
 We added `allow-snippet-annotations` and mark it true, from the 1.5.1 release to permit advanced configuration with snippets.
diff --git a/katalog/nginx/README.md b/katalog/nginx/README.md
index a20eb9e..4c3a003 100644
--- a/katalog/nginx/README.md
+++ b/katalog/nginx/README.md
@@ -12,7 +12,7 @@ Ingress NGINX is an Ingress Controller for [NGINX][nginx-page] web server and re
 ## Image repository and tag
-- Ingress NGINX image: `k8s.gcr.io/ingress-nginx/controller:v1.9.6`
+- Ingress NGINX image: `k8s.gcr.io/ingress-nginx/controller:v1.11.2`
 - Ingress NGINX repo: [https://github.com/kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx)
 ## Configuration
@@ -46,7 +46,7 @@ bases:
 ```yaml
 resources:
-- ./vendor/katalog/ingress/nginx
+ - ./vendor/katalog/ingress/nginx
 ```
 5. Apply the necessary patches. You can find a list of common customization [here](#common-customizations).
@@ -99,6 +99,7 @@ Followings Prometheus [alerts][prometheus-alerts] are already defined for this p
 | `NginxIngressCertificateExpiration` | This alert fires if the certificate for a given host is expiring in less than 1 day. | critical | |
+
 [furyctl-repo]: https://github.com/sighupio/furyctl
 [nginx-page]: https://nginx.org
 [prometheus-alerts]: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
diff --git a/katalog/nginx/bases/controller/kustomization.yaml b/katalog/nginx/bases/controller/kustomization.yaml
index 496a08a..efddb86 100644
--- a/katalog/nginx/bases/controller/kustomization.yaml
+++ b/katalog/nginx/bases/controller/kustomization.yaml
@@ -11,7 +11,7 @@ namespace: ingress-nginx
 images:
 - name: k8s.gcr.io/ingress-nginx/controller
 newName: registry.sighup.io/fury/ingress-nginx/controller
- newTag: v1.9.6
+ newTag: v1.11.2
 resources:
 - daemonset.yml