Release FortiADCIngressController: 2.0.1

Signed-off-by: FTNT-HQCM <[email protected]>

README.md

@@ -33,7 +33,7 @@ FortiADC, as the Ingress-managed load balancer, not only provides flexibility in
     <thead>
         <tr>
             <th>Product</th>
-            <th colspan=4>Version</th>   
+            <th colspan=5>Version</th>   
         </tr>
     </thead>
     <tbody>
@@ -43,27 +43,33 @@ FortiADC, as the Ingress-managed load balancer, not only provides flexibility in
             <td>1.0.1</td>
             <td>1.0.2</td>
             <td>2.0.0</td>
+            <td>2.0.1</td>
         </tr>
         <tr>
             <td>Kubernetes</td>
             <td>1.19.8-1.23.x</td>
             <td>1.19.8-1.24.x</td>
             <td colspan=2>1.19.8-1.27.x</td>
+            <td>1.19.8-1.28.x</td>
         </tr>
         <tr>
             <td>FortiADC</td>
-            <td colspan=4>5.4.5 - 7.4.x*</td>
+            <td colspan=5>5.4.5 - 7.4.x*</td>
         </tr>
 	    <tr>
             <td>Openshift Container platform</td>
             <td colspan=3>Not supported</td>
-            <td> 4.7-4.12.x</td>
+            <td colspan=2> 4.7-4.12.x</td>
         </tr>
     </tbody>
 </table>
 
->**Note** 
+>[!NOTE]
 >Some features for FortiADC Ingress Controller version >= 2.0.0 require FortiADC version >= 7.4.0 to support. Please check the [release notes](https://github.com/fortinet/fortiadc-ingress/blob/main/Release-Notes.md).
+
+>[!WARNING]
+>When using FortiADC Ingress Controller 2.0.x, the Ingress related objects on FortiADC (including virtual servers, content routing, real server pools, and real servers) will be fully managed by the Ingress Controller. This means that any virtual server, content routing, real server pool or real server object that is not deployed by FortiADC Ingress Controller will be removed automatically.
+
 ## Supported Environment
 The FortiADC Ingress Controller has been verified to run in the Openshift Cluster in Openshift Container Platform environment and Kubernetes cluster in the below environments:
 | Environment | Tools for Building |

Release-Notes.md

@@ -1,12 +1,20 @@
 # FortiADC Ingress Controller Release Notes
 
+## 2.0.1
+### What's New
+Support Kubernetes version to 1.28
+### Resolved Issues
+ 1. Fix [issue](https://github.com/fortinet/fortiadc-ingress/issues/10) to allow valid hostname and url.
+
 ## 2.0.0
 ### What's New
 
  1. Support Openshift Container Platform 4 with Kubernetes Ingress and OpenShift Route.
  2. Support ingress to expose service with ClusterIP type. This feature requires FortiADC version >= 7.4.0 to support. FortiADC 7.4.0 and FortiADC Ingress Controller 2.0.0 support Flannel with VXLAN backend as the Kubernetes network model CNI plugin. Via the VXLAN tunnel, FortiADC can forward HTTP/HTTPS requests to the Kubernetes service with ClusterIP type.
  3. Support Virtual server FortiGSLB configuration defined in annotation of Kubernetes Ingress.
  4. Add toleration in FortiADC Ingress Controller Helm deployment template. User can customize the toleration time to wait for FortiADC ingress controller spinning up if the Kubernetes node it locates becomes unreachable or goes into NotReady state. The default toleration time for in FortiADC Ingress Controller is 30 seconds. You can check Kubernetes [taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more details.
+ 5. Support declarative api for full synchronization. Be aware of using FortiADC version < 7.4, only 
+ global administrator has the persmssion to call declarative api.
 ### Resolved Issues
  1. Fix [issue](https://github.com/fortinet/fortiadc-ingress/issues/7) to allow non-global administrator to operate the Ingress
 
@@ -23,3 +31,4 @@ Support Kubernetes version to 1.24
 
  FortiADC Ingress Controller combines the capabilities of an Kubernetes Ingress resource with the Ingress-managed loadbalancer, FortiADC. FortiADC, as the Ingress-managed load-balancer, not only provides flexibility in load-balancing, but also guarantees more security with features such as the Web Application Firewall (WAF), Antivirus Scanning, and Denial of Service (DoS) prevention to protect the web server resources in the Kubernetes cluster. 
  Other features such as health check, traffic log management, and FortiView on FortiADC facilitates the management of the Kubernetes ingress resources.
+

charts/fadc-k8s-ctrl-2.0.1/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: fadc-k8s-ctrl
+version: 2.0.1
+kubeVersion: ">= 1.19.8-0, <= 1.28-0"
+description: A Helm chart for FortiADC Ingress Controller
+type: application
+appVersion: "2.0.1"

charts/fadc-k8s-ctrl-2.0.1/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fadc-k8s-ctrl.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fadc-k8s-ctrl.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fadc-k8s-ctrl.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "fadc-k8s-ctrl.labels" -}}
+helm.sh/chart: {{ include "fadc-k8s-ctrl.chart" . }}
+{{ include "fadc-k8s-ctrl.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "fadc-k8s-ctrl.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "fadc-k8s-ctrl.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "fadc-k8s-ctrl.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "fadc-k8s-ctrl.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/fadc-k8s-ctrl-2.0.1/templates/deployment.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "fadc-k8s-ctrl.fullname" . }}
+  labels:
+    {{- include "fadc-k8s-ctrl.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "fadc-k8s-ctrl.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "fadc-k8s-ctrl.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if eq .Values.parameters.openshiftRouteSupport "yes" }}
+          securityContext:
+              allowPrivilegeEscalation: false
+              runAsNonRoot: true
+              seccompProfile:
+                  type: RuntimeDefault
+              capabilities:
+                  drop: ["ALL"]
+          {{- end }}
+          env:
+          - name: VirtualServerNatSrcPool
+            value: {{ .Values.parameters.virtualServerNatSrcPool }}
+          - name: VirtualServerWafProfile
+            value: {{ .Values.parameters.virtualServerWafProfile }}
+          - name: VirtualServerAvProfile
+            value: {{ .Values.parameters.virtualServerAvProfile }}
+          - name: VirtualServerDosProfile
+            value: {{ .Values.parameters.virtualServerDosProfile }}
+          - name: VirtualServerCaptchaProfile
+            value: {{ .Values.parameters.virtualServerCaptchaProfile }}
+          - name: VirtualServerPersistence
+            value: {{ .Values.parameters.virtualServerPersistence }}
+          - name: VirtualServerFortiGSLB
+            value: {{ .Values.parameters.virtualServerFortiGSLB }}
+          - name: OpenShiftRouteSupport
+            value: "{{ .Values.parameters.openshiftRouteSupport }}"
+
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/fadc-k8s-ctrl-2.0.1/templates/ingressclass.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.controller.ingressClassResource.enabled -}}
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: {{ .Values.controller.ingressClassResource.name }}
+{{- if .Values.controller.ingressClassResource.default }}
+  annotations:
+    ingressclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+spec:
+  controller: {{ .Values.controller.ingressClassResource.controllerValue }}
+{{- end }}

charts/fadc-k8s-ctrl-2.0.1/templates/rbac.yaml

@@ -0,0 +1,68 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "fadc-k8s-ctrl.serviceAccountName" . }}
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services", "nodes", "endpoints", "secrets"]
+  verbs: ["get", "watch", "list", "update"]
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+{{- if eq .Values.parameters.openshiftRouteSupport "yes" }}
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes/status
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+{{- end }}
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "fadc-k8s-ctrl.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "fadc-k8s-ctrl.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "fadc-k8s-ctrl.serviceAccountName" . }}
+  apiGroup: rbac.authorization.k8s.io

charts/fadc-k8s-ctrl-2.0.1/templates/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "fadc-k8s-ctrl.serviceAccountName" . }}
+  #namespace: kube-system
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fadc-k8s-ctrl.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/fadc-k8s-ctrl-2.0.1/values.yaml

@@ -0,0 +1,61 @@
+# Default values for fadc-k8s-ctrl.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+# FortiADC Ingress Controller image from Dockerhub.com
+image:
+  repository: fortinet/fortiadc-ingress
+  pullPolicy: IfNotPresent
+  tag: "2.0.1"
+
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name: "fortiadc-ingress"
+
+podAnnotations: {}
+
+podSecurityContext: {}
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+nodeSelector: {}
+
+tolerations:
+  - effect: "NoExecute"
+    key: "node.kubernetes.io/not-ready"
+    operator: "Exists"
+    tolerationSeconds: 30
+  - effect: "NoExecute"
+    key: "node.kubernetes.io/unreachable"
+    operator: "Exists"
+    tolerationSeconds: 30
+
+affinity: {}
+
+# Define Ingress Class for FortiADC Ingress Controller
+controller:
+  ingressClassResource:
+    name: "fadc-ingress-controller"
+    enabled: true
+    default: true
+    controllerValue: "fortinet.com/fadc-ingress-controller"
+# You can decide parameters defined in annotation of Ingress to be optional or mandatory.
+# FortiADC Ingress Controller will check the parameter if it marks mandatory.
+parameters:
+  virtualServerNatSrcPool : "optional"
+  virtualServerWafProfile : "optional"
+  virtualServerAvProfile : "optional"
+  virtualServerDosProfile : "optional"
+  virtualServerCaptchaProfile : "optional"
+  virtualServerPersistence : "optional"
+  virtualServerFortiGSLB : "optional"
+  openshiftRouteSupport: "no"