feat: update all ingress objects for k8s 1.18+ (#306)

* feat: update all ingress object for k8s 1.18+

* add kubeval validation task

* force validate

* improve ci

* add kratos

* fix docs

* u

* remove replication

* take care of orphans

* fix test url

* Apply suggestions from code review

Co-authored-by: Piotr Mścichowski <[email protected]>

* update docs

* improve validation

* add missing values

Co-authored-by: Piotr Mścichowski <[email protected]>

.circleci/config.yml

@@ -15,6 +15,23 @@ jobs:
       - run: helm lint ./helm/charts/kratos/
       - run: helm lint ./helm/charts/example-idp/
       - run: helm lint ./helm/charts/kratos-selfservice-ui-node/
+
+  validate:
+    docker:
+      - image: circleci/golang:1.16.5
+    working_directory: /go/src/github.com/ory/k8s
+    steps:
+      - checkout
+      - run: curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+      - run: helm plugin install https://github.com/instrumenta/helm-kubeval
+      - run: .circleci/helm-validate.sh oathkeeper
+      - run: .circleci/helm-validate.sh oathkeeper-maester
+      - run: .circleci/helm-validate.sh keto
+      - run: .circleci/helm-validate.sh hydra
+      - run: .circleci/helm-validate.sh hydra-maester
+      - run: .circleci/helm-validate.sh kratos
+      - run: .circleci/helm-validate.sh example-idp
+      - run: .circleci/helm-validate.sh kratos-selfservice-ui-node
 
   test:
     machine:
@@ -63,6 +80,9 @@ jobs:
       - run:
           command: |
             .circleci/helm-test.sh keto
+      - run:
+          command: |
+            .circleci/helm-test.sh kratos-selfservice-ui-node
 
   release:
     docker:
@@ -90,6 +110,10 @@ workflows:
           filters:
             tags:
               only: /.*/
+      - validate:
+          filters:
+            tags:
+              only: /.*/
       - release:
           requires:
             - lint

.circleci/helm-validate.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -Eeuo pipefail
+
+cd "$( dirname "${BASH_SOURCE[0]}" )/.."
+
+schema_url="https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/"
+
+helm kubeval "./helm/charts/${1}" --exit-on-error --strict --schema-location "${schema_url}" -f ".circleci/values/${1}.yaml" --force-color

.circleci/values/example-idp.yaml

@@ -0,0 +1,2 @@
+ingress:
+  enabled: true

.circleci/values/keto.yaml

@@ -3,3 +3,8 @@ keto:
   autoMigrate: true
   config:
     dsn: "postgres://ory:[email protected]/ory?sslmode=disable&max_conn_lifetime=10s"
+ingress:
+  read:
+    enabled: true
+  write:
+    enabled: true

.circleci/values/kratos-selfservice-ui-node.yaml

@@ -0,0 +1,2 @@
+ingress:
+  enabled: true

.circleci/values/kratos.yaml

@@ -62,3 +62,8 @@ kratos:
     courier:
       smtp:
         connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
+ingress:
+  admin:
+    enabled: true
+  public:
+    enabled: true

.circleci/values/oathkeeper.yaml

@@ -8,19 +8,8 @@ maester:
 #  api:
 #    type: NodePort
 #
-#ingress:
-#  proxy:
-#    enabled: true
-#    annotations:
-#      kubernetes.io/ingress.global-static-ip-name: "oathkeeper-proxy"
-#    hosts:
-#      - host: oathkeeper-k8s-proxy.dev.ory.dev
-#        paths: ["/"]
-#
-#  api:
-#    enabled: true
-#    hosts:
-#      - host: oathkeeper-k8s-api.dev.ory.dev
-#        paths: ["/"]
-#    annotations:
-#      kubernetes.io/ingress.global-static-ip-name: "oathkeeper-api"
+ingress:
+ proxy:
+   enabled: true
+ api:
+   enabled: true

README.md

@@ -6,6 +6,9 @@ This repository contains helm charts for Kubernetes. All charts are in incubatio
 
 Please go to [k8s.ory.sh/helm](https://k8s.ory.sh/helm/) for a list of helm charts and their configuration options.
 
+**NOTE**
+> All charts present in this repository require Kuberentes 1.18+. Please refer to releases [0.18.0](https://github.com/ory/k8s/releases/tag/v0.18.0) and older for versions supporting older releases of Kubernetes.
+
 ## Development
 
 You can test and develop charts locally using [Minikube](https://kubernetes.io/docs/setup/learning-environment/minikube/).

docs/helm/hydra.md

@@ -303,7 +303,7 @@ Should you forget, helm will fail and remind you to.
 Since this version we support only kubernetes >= v1.18 for the ingress definition.
 
 If you enabled ingresses you need to migrate values from:
-```
+```yaml
 ingress:
   public:
     hosts:
@@ -314,8 +314,10 @@ ingress:
       - host: admin.hydra.localhost
         paths: ["/"]
 ```
+
 to
-```
+
+```yaml
 ingress:
   public:
     className: ""
@@ -332,6 +334,7 @@ ingress:
           - path: /
             pathType: ImplementationSpecific
 ```
-where chaanges are on:
- - introduce the `className` for specify the [ingress class documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#extended-configuration-with-ingress-classes) that need to be used
- - change `paths` definition from array of string to array of object, where each object include the `path` and the `pathType` (see [path matching documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types))
+
+where changes are on:
+- introduce the `className` to specify the [ingress class documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#extended-configuration-with-ingress-classes) that need to be used
+- change `paths` definition from an array of strings to an array of objects, where each object include the `path` and the `pathType` (see [path matching documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types))

helm/charts/keto/README.md → docs/helm/keto.md

@@ -77,3 +77,46 @@ $ helm install -f ./path/to/keto-config.yaml ory/keto
 Additionally, the following extra settings are available:
 
 - `autoMigrate` (bool): If enabled, an `initContainer` running `keto migrate sql` will be created.
+
+## Upgrade
+
+### From `0.18.0`
+
+Since this version we support only kubernetes >= v1.18 for the ingress definition.
+
+If you enabled ingresses you need to migrate values from:
+```yaml
+ingress:
+  read:
+    hosts:
+      - host: chart-example.local
+        paths: ["/read"]
+  write:
+    hosts:
+      - host: chart-example.local
+        paths: ["/write"]
+```
+
+to
+
+```yaml
+ingress:
+  read:
+    className: ""
+    hosts:
+      - host: chart-example.local
+        paths:
+          - path: /read
+            pathType: Prefix
+  write:
+    className: ""
+    hosts:
+      - host: chart-example.local
+        paths:
+          - path: /write
+            pathType: Prefix
+```
+
+where changes are on:
+- introduce the `className` to specify the [ingress class documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#extended-configuration-with-ingress-classes) that need to be used
+- change `paths` definition from an array of strings to an array of objects, where each object include the `path` and the `pathType` (see [path matching documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types))

docs/helm/kratos.md

@@ -64,3 +64,46 @@ Additionally, the following extra settings are available:
 - `deployment.environmentSecretsName` (string): Allows you to set arbitrary environment variables from [a secret containing a list of keys and values](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables). (This secret is not created by the Helm chart)
 
 Check values.yaml for more configuration options.
+
+## Upgrade
+
+### From `0.18.0`
+
+Since this version we support only kubernetes >= v1.18 for the ingress definition.
+
+If you enabled ingresses you need to migrate values from:
+```yaml
+ingress:
+  public:
+    hosts:
+      - host: kratos.public.local.com
+        paths: ["/"]
+  admin:
+    hosts:
+      - host: kratos.admin.local.com
+        paths: ["/"]
+```
+
+to
+
+```yaml
+ingress:
+  public:
+    className: ""
+    hosts:
+      - host: kratos.public.local.com
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+  admin:
+    className: ""
+    hosts:
+      - host: kratos.admin.local.com
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+```
+
+where changes are on:
+- introduce the `className` to specify the [ingress class documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#extended-configuration-with-ingress-classes) that need to be used
+- change `paths` definition from an array of strings to an array of objects, where each object include the `path` and the `pathType` (see [path matching documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types))

docs/helm/oathkeeper.md

@@ -109,3 +109,46 @@ This mode requires giving elevated privileges to the Oathkeeper Maestercontrolle
 
 **Sidecar mode**
 In this mode, the Hydra Maester controller runs as an additional container in the Oathkeeper application Pod. All communication is done on the local filesystem, which can be a shared `tempfs`, mounted directory or a persistent volume, and the controller is scaled together with the Oathkeeper application. 
+
+## Upgrade
+
+### From `0.18.0`
+
+Since this version we support only kubernetes >= v1.18 for the ingress definition.
+
+If you enabled ingresses you need to migrate values from:
+```yaml
+ingress:
+  proxy:
+    hosts:
+      - host: proxy.oathkeeper.localhost
+        paths: ["/"]
+  api:
+    hosts:
+      - host: api.oathkeeper.localhost
+        paths: ["/"]
+```
+
+to
+
+```yaml
+ingress:
+  proxy:
+    className: ""
+    hosts:
+      - host: proxy.oathkeeper.localhost
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+  api:
+    className: ""
+    hosts:
+      - host: api.oathkeeper.localhost
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+```
+
+where changes are on:
+- introduce the `className` to specify the [ingress class documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#extended-configuration-with-ingress-classes) that need to be used
+- change `paths` definition from an array of strings to an array of objects, where each object include the `path` and the `pathType` (see [path matching documentation](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types))

helm/charts/example-idp/templates/ingress.yaml

@@ -1,36 +1,52 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "example-idp.fullname" . -}}
-apiVersion: extensions/v1beta1
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
   labels:
-{{ include "example-idp.labels" . | indent 4 }}
+    {{- include "example-idp.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-{{- if .Values.ingress.tls }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
   tls:
-  {{- range .Values.ingress.tls }}
+    {{- range .Values.ingress.tls }}
     - hosts:
-      {{- range .hosts }}
+        {{- range .hosts }}
         - {{ . | quote }}
-      {{- end }}
+        {{- end }}
       secretName: {{ .secretName }}
+    {{- end }}
   {{- end }}
-{{- end }}
   rules:
-  {{- range .Values.ingress.hosts }}
+    {{- range .Values.ingress.hosts }}
     - host: {{ .host | quote }}
       http:
         paths:
-        {{- range .paths }}
-          - path: {{ . }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if .pathType }}
+            pathType: {{ .pathType }}
+            {{- end }}
             backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  name: http
+              {{- else }}
               serviceName: {{ $fullName }}
               servicePort: http
-        {{- end }}
-  {{- end }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
 {{- end }}

helm/charts/example-idp/values.yaml

@@ -22,13 +22,15 @@ service:
 
 ingress:
   enabled: false
+  className: ""
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
     - host: example-idp.localhost
-      paths: ["/"]
-
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:

helm/charts/keto/templates/NOTES.txt

@@ -3,13 +3,13 @@
   Read endpoint available at: 
   {{- range $host := .Values.ingress.read.hosts }}
     {{- range .paths }}
-      http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+      http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
     {{- end }}
   {{- end }}
   Write endpoint available at: 
   {{- range $host := .Values.ingress.write.hosts }}
     {{- range .paths }}
-      http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+      http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
     {{- end }}
  {{- end }}
 {{- else if or ( contains "NodePort" .Values.service.read.type ) ( contains "NodePort" .Values.service.write.type ) }}