From 6129d117d1ade0a3bf0b64f2949159cb1c08ba92 Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Tue, 2 Mar 2021 00:51:56 -0800 Subject: [PATCH 01/16] [kong] clarify terminationGracePeriodSeconds docs (#302) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Michał Flendrich Co-authored-by: Michał Flendrich --- charts/kong/README.md | 2 +- charts/kong/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/kong/README.md b/charts/kong/README.md index de965975e..96bee9a0c 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md @@ -594,7 +594,7 @@ For a complete list of all configuration values you can set in the | readinessProbe | Kong readiness probe | | | livenessProbe | Kong liveness probe | | | lifecycle | Proxy container lifecycle hooks | see `values.yaml` | -| terminationGracePeriodSeconds | Related to lifecycle hook | 30 | +| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 | | affinity | Node/pod affinities | | | nodeSelector | Node labels for pod assignment | `{}` | | deploymentAnnotations | Annotations to add to deployment | see `values.yaml` | diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index c4e7f2eb9..bea2589e8 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml @@ -483,7 +483,7 @@ lifecycle: # Note kong quit has a default timeout of 10 seconds command: ["/bin/sh", "-c", "/bin/sleep 15 && kong quit"] -# terminationGracePeriodSeconds is closely related to the lifecycle preStop hook +# Sets the termination grace period for pods spawned by the Kubernetes Deployment. # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution terminationGracePeriodSeconds: 30 From 0b0405d4a883cdbc0380bb6466a0970c5ab5e84a Mon Sep 17 00:00:00 2001 
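Review bot: The rewritten comment on `terminationGracePeriodSeconds` drops the one constraint a reader actually needs: the value must cover the preStop hook directly above it, which sleeps 15s and then runs `kong quit` (10s default timeout per the existing comment), otherwise the kubelet SIGKILLs the pod before the drain completes. Suggest keeping a sentence such as `# Must exceed the preStop hook's total runtime (sleep 15 + kong quit's 10s default timeout); the kubelet SIGKILLs the pod when this expires.` The generic Kubernetes link is fine as a secondary reference but does not say why 30 was chosen.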
From: Travis Raines Date: Tue, 26 Jan 2021 15:51:06 -0800 Subject: [PATCH 02/16] [repo] update CI for Helm 3 Upgrade CI actions for use with Helm 3. The chart-testing action changed significantly in its 2.0.0 release and the workflow is almost completely new. The revision is mostly their current example: https://github.com/helm/chart-testing-action/tree/v2.0.1#upgrading-from-v1xx These changes no longer use the config files and exclude the original timeout override. It doesn't look like we should need that since the current default is longer than the old override (300s vs 200s). --- .github/workflows/main.yaml | 52 +++++++++++++++++++-------------- .github/workflows/non-main.yaml | 39 ++++++++++++++++--------- ct-main.yaml | 8 ----- ct.yaml | 8 ----- 4 files changed, 56 insertions(+), 51 deletions(-) delete mode 100644 ct-main.yaml delete mode 100644 ct.yaml diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 3297b7dc6..16b5f6690 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
@@ -11,28 +11,38 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 + with: + fetch-depth: 0 - - name: Fetch history - run: git fetch --prune --unshallow + - name: Set up Helm + uses: azure/setup-helm@v1 + with: + version: v3.4.0 - - name: Run chart-testing (lint) - id: lint - uses: helm/chart-testing-action@v1.0.0 + - uses: actions/setup-python@v2 with: - command: lint - config: ct-main.yaml + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.0.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + + - name: Run chart-testing (lint) + run: ct lint --chart-repos bitnami=https://charts.bitnami.com/bitnami --remote origin - name: Create kind cluster - uses: helm/kind-action@v1.0.0-alpha.3 - with: - install_local_path_provisioner: true - if: steps.lint.outputs.changed == 'true' + uses: helm/kind-action@v1.0.0 + if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) - uses: helm/chart-testing-action@v1.0.0 - with: - command: install - config: ct-main.yaml + run: ct install release: needs: lint-test runs-on: ubuntu-latest @@ -49,18 +59,16 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" # See https://github.com/helm/chart-releaser-action/issues/6 - - name: Install Helm - run: | - curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get - chmod 700 get_helm.sh - ./get_helm.sh - helm init --client-only + - name: Set up Helm + uses: azure/setup-helm@v1 + with: + version: v3.4.0 - name: Add dependency chart repos run: | helm repo add bitnami https://charts.bitnami.com/bitnami - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.0.0-alpha.2 + uses: helm/chart-releaser-action@v1.1.0 env: CR_TOKEN: "${{ secrets.CR_TOKEN }}" 
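Review bot: Every third-party action introduced here (`azure/setup-helm@v1`, `actions/setup-python@v2`, `helm/chart-testing-action@v2.0.1`, `helm/kind-action@v1.0.0`, `helm/chart-releaser-action@v1.1.0`) is referenced by a mutable tag, and the release job passes `secrets.CR_TOKEN` to one of them. A tag can be retargeted by the action's maintainers or by anyone who compromises that repository, at which point arbitrary code runs with the release token. Pin each `uses:` to a full commit SHA with the version kept as a trailing comment, e.g. `uses: helm/chart-releaser-action@<commit-sha> # v1.1.0`, and let Dependabot or Renovate move the pins. The same applies to the steps in non-main.yaml.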
diff --git a/.github/workflows/non-main.yaml b/.github/workflows/non-main.yaml index 998fbe8be..d23dd6058 100644 --- a/.github/workflows/non-main.yaml +++ b/.github/workflows/non-main.yaml @@ -4,6 +4,7 @@ on: push: branches-ignore: - 'main' + - 'kong-1.x' pull_request: branches: - '**' @@ -14,23 +15,35 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 + with: + fetch-depth: 0 - - name: Fetch history - run: git fetch --prune --unshallow + - name: Set up Helm + uses: azure/setup-helm@v1 + with: + version: v3.4.0 - - name: Run chart-testing (lint) - id: lint - uses: helm/chart-testing-action@v1.0.0 + - uses: actions/setup-python@v2 with: - command: lint + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.0.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + + - name: Run chart-testing (lint) + run: ct lint --chart-repos bitnami=https://charts.bitnami.com/bitnami --check-version-increment false --remote origin - name: Create kind cluster - uses: helm/kind-action@v1.0.0-alpha.3 - with: - install_local_path_provisioner: true - if: steps.lint.outputs.changed == 'true' + uses: helm/kind-action@v1.0.0 + if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) - uses: helm/chart-testing-action@v1.0.0 - with: - command: install + run: ct install diff --git a/ct-main.yaml b/ct-main.yaml deleted file mode 100644 index 96c4b069e..000000000 --- a/ct-main.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# See https://github.com/helm/chart-testing#configuration -remote: origin -chart-dirs: - - charts -chart-repos: - - bitnami=https://charts.bitnami.com/bitnami -helm-extra-args: --timeout 200s -check-version-increment: true diff --git a/ct.yaml b/ct.yaml deleted file mode 100644 index ccead6d06..000000000 --- a/ct.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -# See https://github.com/helm/chart-testing#configuration -remote: origin -chart-dirs: - - charts -chart-repos: - - bitnami=https://charts.bitnami.com/bitnami -helm-extra-args: --timeout 200s -check-version-increment: false From c8519caa91713dd56094b4ff7f61d2f2187301e4 Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Fri, 5 Feb 2021 16:04:15 -0800 Subject: [PATCH 03/16] [repo] use Helm 3.2.4 for CI Revert to an older version of Helm 3. 3.2.4 is the last version that does not raise a linter failure on the older APIs we use with the controller: https://github.com/Kong/kubernetes-ingress-controller/issues/801 --- .github/workflows/main.yaml | 4 ++-- .github/workflows/non-main.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 16b5f6690..d4759e74d 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -17,7 +17,7 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v1 with: - version: v3.4.0 + version: v3.2.4 - uses: actions/setup-python@v2 with: @@ -62,7 +62,7 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v1 with: - version: v3.4.0 + version: v3.2.4 - name: Add dependency chart repos run: | diff --git a/.github/workflows/non-main.yaml b/.github/workflows/non-main.yaml index d23dd6058..27c9044be 100644 --- a/.github/workflows/non-main.yaml +++ b/.github/workflows/non-main.yaml @@ -21,7 +21,7 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v1 with: - version: v3.4.0 + version: v3.2.4 - uses: actions/setup-python@v2 with: From 5e988ac090573b10b969a2fa35f6ef9c2bb0596b Mon Sep 17 00:00:00 2001 
From: Travis Raines Date: Fri, 15 Jan 2021 16:39:30 -0500 Subject: [PATCH 04/16] [kong] re-use admission certificates if present If admission webhook certificates are already present on the cluster, use them instead of generating a new certificate. Fix #253
---
 charts/kong/templates/admission-webhook.yaml | 35 +++++++++++++++++--- charts/kong/templates/deployment.yaml | 4 ++- 2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/charts/kong/templates/admission-webhook.yaml b/charts/kong/templates/admission-webhook.yaml
index a9f2e2d76..2d5584d33 100644
--- a/charts/kong/templates/admission-webhook.yaml
+++ b/charts/kong/templates/admission-webhook.yaml
@@ -1,7 +1,20 @@
-{{- if .Values.ingressController.admissionWebhook.enabled }}
-{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) }}
+{{- if .Values.ingressController.admissionWebhook.enabled -}}
+{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}}
 {{- $ca := genCA "kong-admission-ca" 3650 -}}
 {{- $cert := genSignedCert $cn nil nil 3650 $ca -}}
+{{- $certCert := $cert.Cert -}}
+{{- $certKey := $cert.Key -}}
+{{- $caCert := $ca.Cert -}}
+{{- $caKey := $ca.Key -}}
+
+{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}}
+{{- if $certSecret -}}
+{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
+{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
+{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
+{{- end -}}
 kind: ValidatingWebhookConfiguration
 {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
 apiVersion: admissionregistration.k8s.io/v1
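Review bot: Inside the new `{{- if $certSecret -}}` block, `get $caSecret.data` is evaluated without checking that `$caSecret` was found, and the `-validation-webhook-ca-keypair` Secret is only introduced by this commit (second hunk), so an upgrade from any earlier release finds the leaf keypair Secret but a nil `$caSecret` and the render fails on the nil `.data`. Guard on both objects, `{{- if and $certSecret $caSecret -}}`, so that case falls through to fresh generation instead of failing; a release with a leaf cert but no matching CA cannot reuse the leaf safely anyway because the caBundle would not verify it. Two caveats worth a template comment: `lookup` returns an empty result under `helm template` and `--dry-run`, so those paths always show regenerated material even when the install will reuse the stored one, and the reused certificate is trusted as-is with no check that its SAN still equals `$cn` or that it is unexpired. The enclosing `if .Values.ingressController.admissionWebhook.enabled` block closes outside this hunk.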
@@ -30,7 +43,7 @@ webhooks:
 - kongconsumers
 - kongplugins
 clientConfig:
-caBundle: {{ b64enc $ca.Cert }}
+caBundle: {{ b64enc $caCert }}
 service:
 name: {{ template "kong.service.validationWebhook" . }}
 namespace: {{ template "kong.namespace" . }}
@@ -54,6 +67,18 @@ spec:
 ---
 apiVersion: v1
 kind: Secret
+metadata:
+name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair
+namespace: {{ template "kong.namespace" . }}
+labels:
+{{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+tls.crt: {{ b64enc $caCert }}
+tls.key: {{ b64enc $caKey }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
 name: {{ template "kong.fullname" . }}-validation-webhook-keypair
 namespace: {{ template "kong.namespace" . }}
@@ -61,6 +86,6 @@ metadata:
 {{- include "kong.metaLabels" . | nindent 4 }}
 type: kubernetes.io/tls
 data:
-tls.crt: {{ b64enc $cert.Cert }}
-tls.key: {{ b64enc $cert.Key }}
+tls.crt: {{ b64enc $certCert }}
+tls.key: {{ b64enc $certKey }}
 {{ end }}
diff --git a/charts/kong/templates/deployment.yaml b/charts/kong/templates/deployment.yaml
index d64c192ed..b5e15f506 100644
--- a/charts/kong/templates/deployment.yaml
+++ b/charts/kong/templates/deployment.yaml
@@ -29,7 +29,9 @@ spec:
 metadata:
 annotations:
 {{- if .Values.ingressController.admissionWebhook.enabled }}
-checksum/admission-webhook.yaml: {{ include (print $.Template.BasePath "/admission-webhook.yaml") . | sha256sum }}
+{{/* Generating a checksum from the entire template causes the checksum to change depending on whether you install or upgrade
+even though the resources do not actually change. Not sure why. Extracting the certificates only works around this. */}}
+checksum/admission-webhook.yaml: {{ (regexFindAll "tls.crt: .*$" (include (print $.Template.BasePath "/admission-webhook.yaml") .) -1 | join ",") | sha256sum }}
 {{- end }}
 {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
 {{- if .Values.dblessConfig.config }}
From 5f85ee60899c45a23b45b5243db9649def5d00a9 Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Wed, 3 Feb 2021 17:59:21 -0800 Subject: [PATCH 05/16] [kong] remove webhook checksum On review of the history behind this, we don't need this checksum if we don't expect the certificate to change. We added it as a workaround for failures caused by the certificate rotating on update: https://github.com/helm/charts/issues/20050 --- charts/kong/templates/deployment.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/charts/kong/templates/deployment.yaml b/charts/kong/templates/deployment.yaml index b5e15f506..d15903018 100644 --- a/charts/kong/templates/deployment.yaml +++ b/charts/kong/templates/deployment.yaml @@ -28,11 +28,6 @@ spec: template: metadata: annotations: - {{- if .Values.ingressController.admissionWebhook.enabled }} - {{/* Generating a checksum from the entire template causes the checksum to change depending on whether you install or upgrade - even though the resources do not actually change. Not sure why. Extracting the certificates only works around this. */}} - checksum/admission-webhook.yaml: {{ (regexFindAll "tls.crt: .*$" (include (print $.Template.BasePath "/admission-webhook.yaml") .) -1 | join ",") | sha256sum }} - {{- end }} {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }} {{- if .Values.dblessConfig.config }} checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }} From e845dd8dfc8a860493cafce43203c3e922967840 Mon Sep 17 00:00:00 2001 
From: Travis Raines Date: Mon, 1 Mar 2021 12:50:04 -0800 Subject: [PATCH 06/16] [kong] remove support for deprecated Portal auth Removes the following deprecated Portal auth settings from values.yaml: - enterprise.portal.session_conf_secret - enterprise.portal.portal_auth These are now normally set per-workspace via Kong Manager, and are stored in Kong's database. The old environment variable settings are still available, and are used as defaults when the workspace settings are not explicitly set. They can still be set via the environment, by setting portal_session_conf and portal_auth under env in values.yaml. Fix #286 --- charts/kong/templates/NOTES.txt | 5 ----- charts/kong/templates/_helpers.tpl | 6 ------ 2 files changed, 11 deletions(-) diff --git a/charts/kong/templates/NOTES.txt b/charts/kong/templates/NOTES.txt index c1df737c2..312200b31 100644 --- a/charts/kong/templates/NOTES.txt +++ b/charts/kong/templates/NOTES.txt 
@@ -13,11 +13,6 @@ Kong: https://bit.ly/k4k8s-get-started {{ $warnings := list -}} -{{- if and (.Values.enterprise.portal.enabled) (or (.Values.enterprise.portal.portal_auth) (.Values.enterprise.portal.session_conf_secret)) -}} -{{/* Legacy Portal auth handling */}} -{{- $warnings = append $warnings "You are currently using legacy Portal authentication configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters" -}} -{{- end -}} - {{- if .Values.admin.containerPort -}} {{/* Legacy admin API listen */}} {{- $warnings = append $warnings "You are currently using legacy admin API configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-kong-service-configuration" -}} diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl index 8a2394531..e30f61329 100644 --- a/charts/kong/templates/_helpers.tpl +++ b/charts/kong/templates/_helpers.tpl @@ -647,12 +647,6 @@ TODO: remove legacy admin listen behavior at a future date {{- if .Values.portalapi.ingress.enabled }} {{- $_ := set $autoEnv "KONG_PORTAL_API_URL" (include "kong.ingress.serviceUrl" .Values.portalapi.ingress) -}} {{- end }} - - {{- if .Values.enterprise.portal.portal_auth }} {{/* TODO: deprecated, remove in a future version */}} - {{- $_ := set $autoEnv "KONG_PORTAL_AUTH" .Values.enterprise.portal.portal_auth -}} - {{- $portalSession := include "secretkeyref" (dict "name" .Values.enterprise.portal.session_conf_secret "key" "portal_session_conf") -}} - {{- $_ := set $autoEnv "KONG_PORTAL_SESSION_CONF" $portalSession -}} - {{- end }} {{- end }} {{- if .Values.enterprise.rbac.enabled }} 
From 37161af4c555efc2c8e094c02ef950da0aefa08e Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Mon, 1 Mar 2021 13:00:26 -0800 Subject: [PATCH 07/16] [kong] remove deprecated runMigrations setting Removes the runMigrations setting from values.yaml. Migrations are now controlled individually: - migrations.init (runs "kong migrations bootstrap" on install) - migrations.preUpgrade (runs "kong migrations up" during upgrades) - migrations.postUpgrade (runs "kong migrations finish" during upgrades) Fix #288 --- charts/kong/templates/NOTES.txt | 5 ----- charts/kong/templates/migrations-post-upgrade.yaml | 2 +- charts/kong/templates/migrations-pre-upgrade.yaml | 2 +- charts/kong/templates/migrations.yaml | 2 -- 4 files changed, 2 insertions(+), 9 deletions(-) diff --git a/charts/kong/templates/NOTES.txt b/charts/kong/templates/NOTES.txt index 312200b31..a996e6f14 100644 --- a/charts/kong/templates/NOTES.txt +++ b/charts/kong/templates/NOTES.txt 
@@ -18,11 +18,6 @@ Kong: https://bit.ly/k4k8s-get-started {{- $warnings = append $warnings "You are currently using legacy admin API configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-kong-service-configuration" -}} {{- end -}} -{{- if .Values.runMigrations -}} -{{/* Legacy migration toggle */}} -{{- $warnings = append $warnings "You are currently using the legacy runMigrations setting in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-migration-job-configuration" -}} -{{- end -}} - {{ if (hasKey .Values "proxy.ingress.hosts") -}} {{/* Legacy proxy ingress */}} {{- $warnings = append $warnings "You are currently using legacy proxy Ingress configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress" -}} diff --git a/charts/kong/templates/migrations-post-upgrade.yaml b/charts/kong/templates/migrations-post-upgrade.yaml index c3adcd771..25be0d086 100644 --- a/charts/kong/templates/migrations-post-upgrade.yaml +++ b/charts/kong/templates/migrations-post-upgrade.yaml @@ -1,5 +1,5 @@ {{- if .Values.deployment.kong.enabled }} -{{- if (and (or (.Values.runMigrations) (.Values.migrations.postUpgrade)) (not (eq .Values.env.database "off"))) }} +{{- if (and .Values.migrations.postUpgrade (not (eq .Values.env.database "off"))) }} # Why is this Job duplicated and not using only helm hooks? # See: https://github.com/helm/charts/pull/7362 apiVersion: batch/v1 
diff --git a/charts/kong/templates/migrations-pre-upgrade.yaml b/charts/kong/templates/migrations-pre-upgrade.yaml index 7d7e29005..9273becdf 100644 --- a/charts/kong/templates/migrations-pre-upgrade.yaml +++ b/charts/kong/templates/migrations-pre-upgrade.yaml @@ -1,5 +1,5 @@ {{- if .Values.deployment.kong.enabled }} -{{- if (and (or (.Values.runMigrations) (.Values.migrations.preUpgrade)) (not (eq .Values.env.database "off"))) }} +{{- if (and .Values.migrations.preUpgrade (not (eq .Values.env.database "off"))) }} # Why is this Job duplicated and not using only helm hooks? # See: https://github.com/helm/charts/pull/7362 apiVersion: batch/v1 diff --git a/charts/kong/templates/migrations.yaml b/charts/kong/templates/migrations.yaml index 6edd1622c..093fadea1 100644 --- a/charts/kong/templates/migrations.yaml +++ b/charts/kong/templates/migrations.yaml @@ -9,8 +9,6 @@ {{- $runInit := true -}} {{- if (hasKey .Values.migrations "init") -}} {{- $runInit = .Values.migrations.init -}} -{{- else if (hasKey .Values "runMigrations") -}} - {{- $runInit = .Values.runMigrations -}} {{- end -}} {{- if (and ($runInit) (not (eq .Values.env.database "off"))) }} From a9daa3fffe646eee769f6b92772ba2843ae9d496 Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Mon, 1 Mar 2021 13:09:06 -0800 Subject: [PATCH 08/16] [kong] remove deprecated admin API configuration The admin API configuration could only set up a single port, either HTTP or HTTPS. https://github.com/Kong/charts/pull/72 added support for dual-stack admin API configuraton using the same templates as other Kong services. Fix #287 --- charts/kong/ci/test4-values.yaml | 10 --- charts/kong/templates/NOTES.txt | 5 -- charts/kong/templates/_helpers.tpl | 34 ++------ charts/kong/templates/deployment.yaml | 9 --- charts/kong/templates/service-kong-admin.yaml | 81 ------------------- 5 files changed, 7 insertions(+), 132 deletions(-) 
diff --git a/charts/kong/ci/test4-values.yaml b/charts/kong/ci/test4-values.yaml index a9ecbe3fa..8cef2e69e 100644 --- a/charts/kong/ci/test4-values.yaml +++ b/charts/kong/ci/test4-values.yaml @@ -1,20 +1,10 @@ # CI test for testing dbless deployment without ingress controllers using legacy admin listen and stream listens -# TODO: remove legacy admin listen behavior at a future date # - disable ingress controller ingressController: enabled: false installCRDs: false env: anonymous_reports: "false" -# - use legacy admin listen config -admin: - enabled: true - useTLS: true - servicePort: 8444 - containerPort: 8444 - ingress: - enabled: true - hostname: admin.kong.example # - disable DB for kong env: diff --git a/charts/kong/templates/NOTES.txt b/charts/kong/templates/NOTES.txt index a996e6f14..02e690d7a 100644 --- a/charts/kong/templates/NOTES.txt +++ b/charts/kong/templates/NOTES.txt @@ -13,11 +13,6 @@ Kong: https://bit.ly/k4k8s-get-started {{ $warnings := list -}} -{{- if .Values.admin.containerPort -}} -{{/* Legacy admin API listen */}} -{{- $warnings = append $warnings "You are currently using legacy admin API configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-kong-service-configuration" -}} -{{- end -}} - {{ if (hasKey .Values "proxy.ingress.hosts") -}} {{/* Legacy proxy ingress */}} {{- $warnings = append $warnings "You are currently using legacy proxy Ingress configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress" -}} diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl index e30f61329..d5347c504 100644 --- a/charts/kong/templates/_helpers.tpl 
+++ b/charts/kong/templates/_helpers.tpl @@ -276,20 +276,12 @@ Create a single listen (IP+port+parameter combo) Return the local admin API URL, preferring HTTPS if available */}} {{- define "kong.adminLocalURL" -}} - {{- if .Values.admin.containerPort -}} {{/* TODO: Remove legacy admin behavior */}} - {{- if .Values.admin.useTLS -}} -https://localhost:{{ .Values.admin.containerPort }} - {{- else -}} -http://localhost:{{ .Values.admin.containerPort }} - {{- end -}} - {{- else -}} - {{- if .Values.admin.tls.enabled -}} + {{- if .Values.admin.tls.enabled -}} https://localhost:{{ .Values.admin.tls.containerPort }} - {{- else if .Values.admin.http.enabled -}} + {{- else if .Values.admin.http.enabled -}} http://localhost:{{ .Values.admin.http.containerPort }} - {{- else -}} + {{- else -}} http://localhost:9999 # You have no admin listens! The controller will not work unless you set .Values.admin.http.enabled=true or .Values.admin.tls.enabled=true! - {{- end -}} {{- end -}} {{- end -}} 
@@ -580,27 +572,15 @@ the template that it itself is using form the above sections. {{- $_ := set $autoEnv "KONG_KIC" "on" -}} {{- end -}} -{{/* -TODO: remove legacy admin listen behavior at a future date -*/}} - {{- with .Values.admin -}} {{- $address := "0.0.0.0" -}} {{- if (not .enabled) -}} {{- $address = "127.0.0.1" -}} {{- end -}} - {{- if .containerPort -}} {{/* Legacy admin listener */}} - {{- if .useTLS -}} - {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (printf "%s:%d ssl" $address (int64 .containerPort)) -}} - {{- else -}} - {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (printf "%s:%d" $address (int64 .containerPort)) -}} - {{- end -}} - {{- else -}} {{/* Modern admin listener */}} - {{- $listenConfig := dict -}} - {{- $listenConfig := merge $listenConfig . -}} - {{- $_ := set $listenConfig "address" $address -}} - {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} - {{- end -}} + {{- $listenConfig := dict -}} + {{- $listenConfig := merge $listenConfig . -}} + {{- $_ := set $listenConfig "address" $address -}} + {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} {{- end -}} {{- if .Values.admin.ingress.enabled }} diff --git a/charts/kong/templates/deployment.yaml b/charts/kong/templates/deployment.yaml index d15903018..5c155e11e 100644 --- a/charts/kong/templates/deployment.yaml +++ b/charts/kong/templates/deployment.yaml @@ -77,15 +77,6 @@ spec: lifecycle: {{- toYaml .Values.lifecycle | nindent 10 }} ports: - {{/* TODO: remove legacy admin port template */}} - {{- if (and .Values.admin.containerPort .Values.admin.enabled) }} - - name: admin - containerPort: {{ .Values.admin.containerPort }} - {{- if .Values.admin.hostPort }} - hostPort: {{ .Values.admin.hostPort }} - {{- end}} - protocol: TCP - {{- end }} {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }} - name: admin containerPort: {{ .Values.admin.http.containerPort }} 
diff --git a/charts/kong/templates/service-kong-admin.yaml b/charts/kong/templates/service-kong-admin.yaml index 854e245e7..c3f292528 100644 --- a/charts/kong/templates/service-kong-admin.yaml +++ b/charts/kong/templates/service-kong-admin.yaml 
@@ -1,83 +1,3 @@ -{{- if .Values.admin.containerPort -}} {{/* TODO: remove legacy admin handling */}} -{{- if .Values.deployment.kong.enabled }} -{{- if .Values.admin.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kong.fullname" . }}-admin - namespace: {{ template "kong.namespace" . }} - {{- if .Values.admin.annotations }} - annotations: - {{- range $key, $value := .Values.admin.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - {{- include "kong.metaLabels" . | nindent 4 }} -spec: - type: {{ .Values.admin.type }} - {{- if eq .Values.admin.type "LoadBalancer" }} - {{- if .Values.admin.loadBalancerIP }} - loadBalancerIP: {{ .Values.admin.loadBalancerIP }} - {{- end }} - {{- if .Values.admin.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.admin.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} - {{- end }} - {{- end }} - ports: - - name: kong-admin - port: {{ .Values.admin.servicePort }} - targetPort: {{ .Values.admin.containerPort }} - {{- if (and (eq .Values.admin.type "NodePort") (not (empty .Values.admin.nodePort))) }} - nodePort: {{ .Values.admin.nodePort }} - {{- end }} - protocol: TCP - selector: - {{- include "kong.selectorLabels" . | nindent 4 }} -{{- end -}} -{{- end }} ---- -{{ if .Values.admin.ingress.enabled -}} -{{- $serviceName := include "kong.fullname" . -}} -{{- $servicePort := .Values.admin.servicePort -}} -{{- $path := .Values.admin.ingress.path -}} -{{- $tls := .Values.admin.ingress.tls -}} -{{- $hostname := .Values.admin.ingress.hostname -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ template "kong.fullname" . }}-admin - namespace: {{ template "kong.namespace" . }} - labels: - {{- include "kong.metaLabels" . 
| nindent 4 }} - {{- if .Values.admin.ingress.annotations }} - annotations: - {{- range $key, $value := .Values.admin.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} -spec: - rules: - - host: {{ $hostname }} - http: - paths: - - path: {{ $path }} - backend: - serviceName: {{ $serviceName }}-admin - servicePort: {{ $servicePort }} - {{- if $tls }} - tls: - - hosts: - - {{ $hostname }} - secretName: {{ $tls }} - {{- end -}} -{{- end -}} - -{{- else -}} {{/* Modern admin handler */}} - {{- if .Values.deployment.kong.enabled }} {{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}} {{- $serviceConfig := dict -}} @@ -94,4 +14,3 @@ spec: {{- end -}} {{- end -}} {{- end -}} -{{- end -}} From 60f0071213bc878d0902f4c1afaa2cf79b82cf9d Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Mon, 1 Mar 2021 13:34:05 -0800 Subject: [PATCH 09/16] [kong] remove deprecated proxy ingress handling Removes support for proxy ingress configuration with multiple hostnames. https://github.com/Kong/charts/pull/251 added a shared Ingress and Service template for all Kong services, which only supports a single hostname. Fix #289 --- charts/kong/ci/test4-values.yaml | 3 -- charts/kong/templates/NOTES.txt | 5 --- charts/kong/templates/service-kong-proxy.yaml | 34 ------------------- 3 files changed, 42 deletions(-) diff --git a/charts/kong/ci/test4-values.yaml b/charts/kong/ci/test4-values.yaml index 8cef2e69e..6c0cd63ad 100644 --- a/charts/kong/ci/test4-values.yaml +++ b/charts/kong/ci/test4-values.yaml @@ -42,6 +42,3 @@ proxy: - ssl ingress: enabled: true - hosts: - - foo.kong.example - - bar.kong.example diff --git a/charts/kong/templates/NOTES.txt b/charts/kong/templates/NOTES.txt index 02e690d7a..1e0bde66b 100644 --- a/charts/kong/templates/NOTES.txt +++ b/charts/kong/templates/NOTES.txt 
@@ -13,9 +13,4 @@ Kong: https://bit.ly/k4k8s-get-started {{ $warnings := list -}} -{{ if (hasKey .Values "proxy.ingress.hosts") -}} -{{/* Legacy proxy ingress */}} -{{- $warnings = append $warnings "You are currently using legacy proxy Ingress configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress" -}} -{{- end -}} - {{- include "kong.deprecation-warnings" $warnings -}} diff --git a/charts/kong/templates/service-kong-proxy.yaml b/charts/kong/templates/service-kong-proxy.yaml index 688e138df..58a255ea2 100644 --- a/charts/kong/templates/service-kong-proxy.yaml +++ b/charts/kong/templates/service-kong-proxy.yaml 
@@ -10,41 +10,7 @@ {{- include "kong.service" $serviceConfig }} {{ if .Values.proxy.ingress.enabled }} --- -{{ if (not (hasKey .Values.proxy.ingress "hosts")) -}} {{ include "kong.ingress" $serviceConfig }} -{{ else -}} {{/* TODO remove legacy proxy ingress handling */}} -{{- $serviceName := include "kong.fullname" . -}} -{{- $servicePort := include "kong.ingress.servicePort" .Values.proxy -}} -{{- $path := .Values.proxy.ingress.path -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ template "kong.fullname" . }}-proxy - namespace: {{ template "kong.namespace" . }} - labels: - {{- include "kong.metaLabels" . | nindent 4 }} - {{- if .Values.proxy.ingress.annotations }} - annotations: - {{- range $key, $value := .Values.proxy.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} -spec: - rules: - {{- range $host := .Values.proxy.ingress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: {{ $path }} - backend: - serviceName: {{ $serviceName }}-proxy - servicePort: {{ $servicePort }} - {{- end -}} - {{- if .Values.proxy.ingress.tls }} - tls: -{{ toYaml .Values.proxy.ingress.tls | indent 2 }} - {{- end -}} -{{- end -}} {{- end -}} {{- end -}} {{- end -}} From 833e8d6bde6584eafb5fbf86367f52a28e89ffd8 Mon Sep 17 00:00:00 2001 
From: Travis Raines Date: Wed, 3 Mar 2021 14:03:22 -0800 Subject: [PATCH 10/16] [kong] change installCRDs default Change the ingressController.installCRDs default to false. We expect Helm 3 installations to use its built-in CRD management, which creates all resources under crds/ but does not make them part of the release, and will not touch them during release upgrades or deletes. Previously, Helm 3 users had to either override this default or set --skip-crds on install (setting --skip-crds created managed CRDs). Add template logic to handle this default change for existing managed CRD installations. If managed CRDs are already present, setting installCRDs=false does _not_ remove them from the release. This ensures that the default change does not affect existing installations. Without this logic, an upgrade would delete existing managed CRDs unless users were sure to override the new default, and those CRD deletes would also delete any associated custom resources. --- .../custom-resource-definitions.yaml | 37 ++++++++++++++++--- charts/kong/values.yaml | 2 +- 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/charts/kong/templates/custom-resource-definitions.yaml b/charts/kong/templates/custom-resource-definitions.yaml index 28321662a..b56039dec 100644 --- a/charts/kong/templates/custom-resource-definitions.yaml +++ b/charts/kong/templates/custom-resource-definitions.yaml 
@@ -1,9 +1,34 @@ -{{/* -This handles two cases where we should render this template. These map to the two top-level or clauses: -- This is a controller-managed Helm 2 install. The controller is enabled and installCRDs is enabled. -- This is a CRD-only install. Neither the controller nor Kong are enabled (the "not or") and installCRDs is enabled. -*/}} -{{- if (or (and .Values.ingressController.enabled .Values.ingressController.installCRDs) (and (not (or .Values.deployment.kong.enabled .Values.ingressController.enabled )) .Values.ingressController.installCRDs)) -}} +{{- $installCRDs := false -}} +{{- if .Values.ingressController.installCRDs -}} + {{- if .Values.ingressController.enabled -}} + {{/* Managed CRD installation is enabled, and the controller is enabled. + */}} + {{- $installCRDs = true -}} + {{- else if (not .Values.deployment.kong.enabled) -}} + {{/* Managed CRD installation is enabled, and neither the controller nor Kong or enabled. + This is a CRD-only release. + */}} + {{- $installCRDs = true -}} + {{- end -}} +{{- else -}} + {{/* Legacy default handling. CRD installation is _not_ enabled, but CRDs are already present + and are managed by this release. This release previously relied on the <2.0 default + .Values.ingressController.installCRDs=true. The default change would delete CRDs on upgrade, + which would cascade delete all associated CRs. 
This unexpected loss of configuration is bad, + so this clause pretends the default didn't change if you have an existing release that relied + on it + */}} + {{- $kongPluginCRD := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "kongplugins.configuration.konghq.com") -}} + {{- if $kongPluginCRD -}} + {{- if (hasKey $kongPluginCRD.metadata "annotations") -}} + {{- if (eq .Release.Name (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-name")) -}} + {{- $installCRDs = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- if $installCRDs -}} {{- range $path, $bytes := .Files.Glob "crds/*.yaml" }} {{ $.Files.Get $path }} --- diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index bea2589e8..b19bb71cb 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml @@ -358,7 +358,7 @@ ingressController: # The annotations for service account annotations: {} - installCRDs: true + installCRDs: false # general properties livenessProbe: From 364909f4481020207f64e8b1add02f1ee705d661 Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Wed, 3 Mar 2021 14:55:09 -0800 Subject: [PATCH 11/16] [kong] remove Helm 2 instructions from README --- charts/kong/README.md | 73 +++++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 44 deletions(-) diff --git a/charts/kong/README.md b/charts/kong/README.md index 96bee9a0c..25648b66f 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md @@ -14,17 +14,12 @@ This chart bootstraps all the components needed to run Kong on a $ helm repo add kong https://charts.konghq.com $ helm repo update -# Helm 2 -$ helm install kong/kong - -# Helm 3 -$ helm install kong/kong --generate-name --set ingressController.installCRDs=false +$ helm install kong/kong --generate-name ``` ## Table of contents - [Prerequisites](#prerequisites) -- [Helm 2 vs Helm 3](#important-helm-2-vs-helm-3) - [Install](#install) - [Uninstall](#uninstall) - [Kong Enterprise](#kong-enterprise) 
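Review bot: The legacy-CRD adoption check at the end of the hunk compares only the `meta.helm.sh/release-name` annotation with `.Release.Name`, so a same-named release in a different namespace that never owned the CRDs would also flip `$installCRDs` to true and start rendering them as part of its own release; Helm stamps `meta.helm.sh/release-namespace` as well, so the condition should be `{{- if and (eq .Release.Name (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-name")) (eq .Release.Namespace (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-namespace")) -}}`. A comment next to the `lookup` call should also state that it returns an empty result under `helm template` and client-side `--dry-run`, so rendered output in those modes omits the CRDs even for a legacy release. The comment on the CRD-only branch has a typo, `neither the controller nor Kong or enabled` should read `are enabled`. The `{{- if $installCRDs -}}` block opened at the end of the hunk closes outside it.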
@@ -64,30 +59,6 @@ $ helm install kong/kong --generate-name --set ingressController.installCRDs=fal - PV provisioner support in the underlying infrastructure if persistence is needed for Kong datastore. -## Important: Helm 2 vs Helm 3 - -Custom Resource Definitions (CRDs) are handled differently in Helm 2 vs Helm 3. - -#### Helm 2 - -If you want CRDs to be installed, -make sure `ingressController.installCRDs` is set to `true` (the default value). -Set this value to `false` to skip installing CRDs. - -#### Helm 3 - -Make sure `ingressController.installCRDs` is set to `false`, -note that the default is `true`. -You can do so either by passing in a custom `values.yaml` -(`-f` when running helm) -or by passing `--set ingressController.installCRDs=false` -at the command line. - -**If you do not set this value to `false`, the helm chart will not install correctly.** - -Use helm CLI flag `--skip-crds` with `helm install` if you want to skip -CRD creation while creating a release. - ## Install To install Kong: @@ -96,10 +67,6 @@ To install Kong: $ helm repo add kong https://charts.konghq.com $ helm repo update -# Helm 2 -$ helm install kong/kong - -# Helm 3 $ helm install kong/kong --generate-name --set ingressController.installCRDs=false ``` 
@@ -429,15 +396,33 @@ for more detail. ### CRDs only -For Helm 2 installations, CRDs are managed as part of a release, and are -deleted if the release is. This can cause issues for clusters with multiple -Kong installations, as one release must remain in place for the rest to -function. To avoid this, you can create a CRD-only release by setting -`deployment.kong.enabled: false` and `ingressController.enabled: false`. - -On Helm 3, CRDs are created if necessary, but are not managed along with the -release. Releases can be deleted without affecting CRDs; CRDs are only removed -if you delete them manually. +Earlier iterations of this chart (<2.0) created CRDs associated with the +ingress controller as part of the release. This raised two challenges: + +- Multiple installations of the chart would conflict with one another, as each + would attempt to create its own set of CRDs. +- Because deleting a CRD also deletes any custom resources associated with it, + uninstalling the chart could destroy user configuration without providing any + means to restore it. + +Helm 3 introduced a simplified CRD management method that was safer, but +requires some manual work when a chart added or modified CRDs: CRDs are created +on install if they are not already present, but are not modified during +release upgrades or deletes. Our chart release upgrade instructions call out +when manual action is necessary to update CRDs. This CRD handling strategy is +recommended for most users. + +Some users may wish to manage their CRDs automatically. If you manage your CRDs +this way, we _strongly_ recommend that you back up all associated custom +resources in the event you need to recover from unintended CRD deletion. To +manage CRDs via a Helm release, you can either: + +- Set `ingressController.enabled=true` and + `ingressController.installCRDs=true`. These CRDs will be managed along with + your Kong release. 
+- Set `ingressController.enabled=false`, `deployment.kong.enabled=false`, and + `ingressController.installCRDs=true`. This creates a CRD-only release that + you can upgrade independent of your Kong release(s). ### Sidecar Containers @@ -564,7 +549,7 @@ section of `values.yaml` file: | image.tag | Version of the ingress controller | 0.9.1 | | readinessProbe | Kong ingress controllers readiness probe | | | livenessProbe | Kong ingress controllers liveness probe | | -| installCRDs | Create CRDs. **FOR HELM3, MAKE SURE THIS VALUE IS SET TO `false`.** Regardless of value of this, Helm v3+ will install the CRDs if those are not present already. Use `--skip-crds` with `helm install` if you want to skip CRD creation. | true | +| installCRDs | Creates managed CRDs. | false | serviceAccount.create | Create Service Account for ingress controller | true | serviceAccount.name | Use existing Service Account, specify its name | "" | serviceAccount.annotations | Annotations for Service Account | {} From f697ec83d483fa0285cff59bf1d3c98e43c65bb0 Mon Sep 17 00:00:00 2001 From: psulowicz Date: Mon, 8 Mar 2021 22:53:07 +0100 Subject: [PATCH 12/16] [kong] support for setting pod topology spread constraints (#308) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Michał Flendrich --- charts/kong/README.md | 1 + charts/kong/templates/deployment.yaml | 4 ++++ charts/kong/values.yaml | 4 ++++ 3 files changed, 9 insertions(+) diff --git a/charts/kong/README.md b/charts/kong/README.md index 96bee9a0c..722827acb 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md 
@@ -596,6 +596,7 @@ For a complete list of all configuration values you can set in the | lifecycle | Proxy container lifecycle hooks | see `values.yaml` | | terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 | | affinity | Node/pod affinities | | +| topologySpreadConstraints | Control how Pods are spread across cluster among failure-domains | | | nodeSelector | Node labels for pod assignment | `{}` | | deploymentAnnotations | Annotations to add to deployment | see `values.yaml` | | podAnnotations | Annotations to add to each pod | `{}` | diff --git a/charts/kong/templates/deployment.yaml b/charts/kong/templates/deployment.yaml index 5c155e11e..be2825930 100644 --- a/charts/kong/templates/deployment.yaml +++ b/charts/kong/templates/deployment.yaml @@ -216,6 +216,10 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.topologySpreadConstraints | indent 8 }} {{- end }} securityContext: {{- include "kong.podsecuritycontext" . | nindent 8 }} diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index bea2589e8..bb1d26ea1 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml @@ -491,6 +491,10 @@ terminationGracePeriodSeconds: 30 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # affinity: {} +# Topology spread constraints for pod assignment (requires Kubernetes >= 1.19) +# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +# topologySpreadConstraints: [] + # Tolerations for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: [] From 03c00ad6593b9c45781865af6946aba87ad48faa Mon Sep 17 00:00:00 2001 
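Review bot: The new `topologySpreadConstraints` block in deployment.yaml renders the field whenever the value is set, while the values.yaml comment added in the same patch says it requires Kubernetes >= 1.19; on an older API server the field would presumably be rejected or dropped rather than honoured, which I cannot confirm from here. A guard such as `{{- if and .Values.topologySpreadConstraints (semverCompare ">=1.19-0" .Capabilities.KubeVersion.Version) }}` (or a `fail` with a clear message in the else branch) would surface the mismatch at install time instead of as a silently unspread workload, or at minimum the template should carry the same version note as values.yaml. The pod spec this block sits in starts and ends outside the hunk.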
From: Travis Raines Date: Mon, 8 Mar 2021 16:11:29 -0800 Subject: [PATCH 13/16] [kong] only include license if provided Do not set KONG_LICENSE_DATA if no license Secret is provided. This provides compatibility with Enterprise free mode. --- charts/kong/README.md | 9 ++++++--- charts/kong/templates/_helpers.tpl | 6 ++++-- charts/kong/values.yaml | 5 +++-- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/charts/kong/README.md b/charts/kong/README.md index 722827acb..488fd3198 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md @@ -677,9 +677,12 @@ configuration can be placed under the `.env` key. #### Kong Enterprise License -All Kong Enterprise deployments require a license. If you do not have a copy -of yours, please contact Kong Support. Once you have it, you will need to -store it in a Secret: +Kong Enterprise 2.3+ can run with or without a license. If you wish to run 2.3+ +without a license, you can skip this step and leave `enterprise.license_secret` +unset. Earlier versions require a license. + +If you have paid for a license, but you do not have a copy of yours, please +contact Kong Support. Once you have it, you will need to store it in a Secret: ```bash $ kubectl create secret generic kong-enterprise-license --from-file=license=./license.json diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl index d5347c504..0ea629acc 100644 --- a/charts/kong/templates/_helpers.tpl +++ b/charts/kong/templates/_helpers.tpl 
@@ -663,8 +663,10 @@ the template that it itself is using form the above sections. {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "on" -}} {{- end }} - {{- $lic := include "secretkeyref" (dict "name" .Values.enterprise.license_secret "key" "license") -}} - {{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}} + {{- if .Values.enterprise.license_secret -}} + {{- $lic := include "secretkeyref" (dict "name" .Values.enterprise.license_secret "key" "license") -}} + {{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}} + {{- end }} {{- end }} {{/* End of the Enterprise settings block */}} diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index bb1d26ea1..22aaba5f9 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml @@ -595,8 +595,9 @@ enterprise: enabled: false # Kong Enterprise license secret name # This secret must contain a single 'license' key, containing your base64-encoded license data - # The license secret is required for all Kong Enterprise deployments - license_secret: kong-enterprise-license + # The license secret is required to unlock all Enterprise features. If you omit it, + # Kong will run in free mode, with some Enterprise features disabled. + # license_secret: kong-enterprise-license vitals: enabled: true portal: From bf98a5cbae44af1f30c72f0d0d4f1910a38a0d8c Mon Sep 17 00:00:00 2001 
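Review bot: The new guard around `KONG_LICENSE_DATA` is undocumented in the template, and a reader of `_helpers.tpl` will not see the free-mode explanation that lives in values.yaml; add `{{/* Enterprise 2.3+ runs in free mode without a license, so only inject KONG_LICENSE_DATA when a license Secret is named */}}` above the `if`. Because the guard is a plain truthiness test, an explicit `license_secret: ""` disables injection the same way as omitting the key, which is worth stating in that comment. The Enterprise settings block this sits in starts outside the hunk.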
From: Travis Raines Date: Tue, 9 Mar 2021 13:48:05 -0800 Subject: [PATCH 14/16] [kong] remove user-facing installCRDs setting Remove ingressController.installCRDs from values.yaml entirely, and update documentation to cover the automatic legacy behavior handler. We don't want any new releases to use the old system to align our approach with what Helm endorses upstream. While the legacy template must remain in place to avoid configuration loss on upgrade, it is not exposed in user-facing configuration. This also includes several terminology changes to match standard Helm terminology. --- charts/kong/README.md | 36 +++++++++++++++++++----------------- charts/kong/values.yaml | 2 -- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/charts/kong/README.md b/charts/kong/README.md index 25648b66f..beecb36ee 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md @@ -31,7 +31,7 @@ $ helm install kong/kong --generate-name - [Separate admin and proxy nodes](#separate-admin-and-proxy-nodes) - [Standalone controller nodes](#standalone-controller-nodes) - [Hybrid mode](#hybrid-mode) - - [CRDs only](#crds-only) + - [CRD management](#crd-management) - [Sidecar containers](#sidecar-containers) - [Example configurations](#example-configurations) - [Configuration](#configuration) 
@@ -394,16 +394,16 @@ documentation on Service DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) for more detail. -### CRDs only +### CRD management -Earlier iterations of this chart (<2.0) created CRDs associated with the -ingress controller as part of the release. This raised two challenges: +Earlier versions of this chart (<2.0) created CRDs associated with the ingress +controller as part of the release. This raised two challenges: -- Multiple installations of the chart would conflict with one another, as each - would attempt to create its own set of CRDs. +- Multiple release of the chart would conflict with one another, as each would + attempt to create its own set of CRDs. - Because deleting a CRD also deletes any custom resources associated with it, - uninstalling the chart could destroy user configuration without providing any - means to restore it. + deleting a release of the chart could destroy user configuration without + providing any means to restore it. Helm 3 introduced a simplified CRD management method that was safer, but requires some manual work when a chart added or modified CRDs: CRDs are created 
@@ -414,15 +414,17 @@ recommended for most users. Some users may wish to manage their CRDs automatically. If you manage your CRDs this way, we _strongly_ recommend that you back up all associated custom -resources in the event you need to recover from unintended CRD deletion. To -manage CRDs via a Helm release, you can either: - -- Set `ingressController.enabled=true` and - `ingressController.installCRDs=true`. These CRDs will be managed along with - your Kong release. -- Set `ingressController.enabled=false`, `deployment.kong.enabled=false`, and - `ingressController.installCRDs=true`. This creates a CRD-only release that - you can upgrade independent of your Kong release(s). +resources in the event you need to recover from unintended CRD deletion. + +While Helm 3's CRD management system is recommended, there is no simple means +of migrating away from release-managed CRDs if you previously installed your +release with the old system (you would need to back up your existing custom +resources, delete your release, reinstall, and restore your custom resources +after). As such, the chart detects if you currently use release-managed CRDs +and continues to use the old CRD templates when using chart version 2.0+. If +you do (your resources will have a `meta.helm.sh/release-name` annotation), we +_strongly_ recommend that you back up all associated custom resources in the +event you need to recover from unintended CRD deletion. ### Sidecar Containers diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index b19bb71cb..eff28921e 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml @@ -358,8 +358,6 @@ ingressController: # The annotations for service account annotations: {} - installCRDs: false - # general properties livenessProbe: httpGet: From ebc92199b6b88d0b17dcb18cc4ad37ce9779f167 Mon Sep 17 00:00:00 2001 
From: Travis Raines Date: Thu, 11 Mar 2021 09:32:14 -0800 Subject: [PATCH 15/16] [kong] add SAN to generated webhook certificate (#312) Add a SAN equal to the common name to the generated webhook certificate. As of Go 1.15, certificates that contain a hostname CommonName and no SubjectAlternativeName are considered invalid: https://golang.org/cl/243221 Current versions of KIC use Go 1.15. --- charts/kong/templates/admission-webhook.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kong/templates/admission-webhook.yaml b/charts/kong/templates/admission-webhook.yaml index 2d5584d33..78e930ab7 100644 --- a/charts/kong/templates/admission-webhook.yaml +++ b/charts/kong/templates/admission-webhook.yaml @@ -1,7 +1,7 @@ {{- if .Values.ingressController.admissionWebhook.enabled -}} {{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}} {{- $ca := genCA "kong-admission-ca" 3650 -}} -{{- $cert := genSignedCert $cn nil nil 3650 $ca -}} +{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}} {{- $certCert := $cert.Cert -}} {{- $certKey := $cert.Key -}} {{- $caCert := $ca.Cert -}} From 887c5d29e37081e1b33e400750a2b0bb4754304f Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Thu, 18 Mar 2021 10:26:48 -0700 Subject: [PATCH 16/16] [kong] release 2.0.0-rc1 (#316) --- charts/kong/CHANGELOG.md | 46 ++++++++++++++++++++++++++++++++++++++++ charts/kong/Chart.yaml | 2 +- charts/kong/UPGRADE.md | 38 +++++++++++++++++++++++++++++++++ 3 files changed, 85 insertions(+), 1 deletion(-) diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index f67f43f81..e299aa497 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md 
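Review bot: The reason for the new SAN argument to `genSignedCert` is recorded only in the commit message; a template comment above the `$cert` line would keep it with the code, e.g. `{{/* Go 1.15+ (used by current KIC builds) no longer falls back to the CommonName for hostname verification, so the service hostname must also be listed as a SAN */}}`. The CA and leaf certificate are still produced by `genCA`/`genSignedCert` at render time within this hunk; whether they persist across upgrades depends on logic outside it that I cannot see here. The `if .Values.ingressController.admissionWebhook.enabled` block closes outside the hunk.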
@@ -1,5 +1,51 @@ # Changelog +## 2.0.0-rc.1 + +### Breaking changes + +* Helm 2 is no longer supported. You **must** [migrate your Kong chart releases + to Helm 3](https://helm.sh/docs/topics/v2_v3_migration/) before updating to + this release. +* Deprecated [Portal auth settings](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters) + are no longer supported. +* The deprecated [`runMigrations` setting](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-migration-job-configuration) + is no longer supported. +* Deprecated [admin API Service configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-kong-service-configuration) + is no longer supported. +* Deprecated [multi-host proxy configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress) + is no longer supported. + +`helm upgrade` with the previous version (1.15.0) will print a warning message +if you still use any of the removed values.yaml configuration. If you do not +see any warnings after the upgrade completes, you are already using the modern +equivalents of these settings and can proceed with upgrading to 2.0.0-rc1. + +### Improvements + +* Admission webhook certificates persist after their initial creation. This + prevents an unnecessary restart of Kong Pods on upgrades that do not actually + modify the deployment. + ([#256](https://github.com/Kong/charts/pull/256)) +* `ingressController.installCRDs` now defaults to `false`, simplifying + installation on Helm 3. Installs now default to using Helm 3's CRD management + system, and do not require changes to values or install flags to install + successfully. + ([#305](https://github.com/Kong/charts/pull/305)) +* Added support for Pod `topologySpreadConstraints`. 
+ ([#308](https://github.com/Kong/charts/pull/308)) + +### Fixed + +* Generated admission webhook certificates now include SANs for compatibility + with Go 1.15 controller builds. + ([#312](https://github.com/Kong/charts/pull/312)). + +### Documentation + +* Clarified use of `terminationGracePeriodSeconds`. + ([#302](https://github.com/Kong/charts/pull/302)) + ## 1.15.0 1.15.0 is an interim release before the planned release of 2.0.0. There were diff --git a/charts/kong/Chart.yaml b/charts/kong/Chart.yaml index dba9bac27..13397bf58 100644 --- a/charts/kong/Chart.yaml +++ b/charts/kong/Chart.yaml @@ -10,5 +10,5 @@ maintainers: email: traines@konghq.com name: kong sources: -version: 1.15.0 +version: 2.0.0-rc.1 appVersion: 2.3 diff --git a/charts/kong/UPGRADE.md b/charts/kong/UPGRADE.md index a42858e0e..8a35f6c73 100644 --- a/charts/kong/UPGRADE.md +++ b/charts/kong/UPGRADE.md @@ -17,6 +17,7 @@ upgrading from a previous version. ## Table of contents - [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions) +- [2.0.0-rc.1](#200-rc1) - [1.14.0](#1140) - [1.11.0](#1110) - [1.10.0](#1100) 
@@ -56,6 +57,43 @@ text ending with `field is immutable`. This is typically due to a bug with the If you encounter this error, deleting any existing `init-migrations` jobs will clear it. +## 2.0.0-rc1 + +### Support for Helm 2 dropped + +2.0.0 takes advantage of template functionality that is only available in Helm +3 and reworks values defaults to target Helm 3 CRD handling, and requires Helm +3 as such. If you are not already using Helm 3, you must migrate to it before +updating to 2.0.0 or later: + +https://helm.sh/docs/topics/v2_v3_migration/ + +If desired, you can migrate your Kong chart releases without migrating charts' +releases. + +### Support for deprecated 1.x features removed + +Several previous 1.x chart releases reworked sections of values.yaml while +maintaining support for the older version of those settings. 2.x drops support +for the older versions of these settings entirely: + +* [Portal auth settings](#removal-of-dedicated-portal-authentication-configuration-parameters) +* [The `runMigrations` setting](#changes-to-migration-job-configuration) +* [Single-stack admin API Service configuration](#changes-to-kong-service-configuration) +* [Multi-host proxy configuration](#removal-of-multi-host-proxy-ingress) + +Each deprecated setting is accompanied by a warning that appears at the end of +`helm upgrade` output on a 1.x release: + +``` +WARNING: You are currently using legacy ... +``` + +If you do not see any such warnings when upgrading a release using chart +1.15.0, you are not using deprecated configuration and are ready to upgrade to +2.0.0. If you do see these warnings, follow the linked instructions to migrate +to the current settings format. + ## 1.14.0 ### Removal of multi-host proxy Ingress