Merge pull request #7116 from zalando-incubator/beta-to-stable

beta to stable
zalando-incubator · Mar 11, 2024 · 7678111 · 7678111
2 parents dd3a5f9 + 94722cc
commit 7678111
Show file tree

Hide file tree

Showing 11 changed files with 84 additions and 127 deletions.
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
@@ -1141,6 +1141,9 @@ Resources:
               - Action: 'acm:DescribeCertificate'
                 Effect: Allow
                 Resource: '*'
+              - Action: 'acm:ListTagsForCertificate'
+                Effect: Allow
+                Resource: '*'
               - Action: 'autoscaling:DescribeAutoScalingGroups'
                 Effect: Allow
                 Resource: '*'
@@ -1189,6 +1192,9 @@ Resources:
               - Action: 'iam:ListServerCertificates'
                 Effect: Allow
                 Resource: '*'
+              - Action: 'iam:ListServerCertificateTags'
+                Effect: Allow
+                Resource: '*'
               - Action: 'waf-regional:ListWebACLs'
                 Effect: Allow
                 Resource: '*'
@@ -1224,7 +1230,7 @@ Resources:
       RoleName: "{{.Cluster.LocalID}}-app-ingr-ctrl"
     Type: 'AWS::IAM::Role'
 {{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
-  # Note: this is not strictly specific to Open Policy Agent and can be extend 
+  # Note: this is not strictly specific to Open Policy Agent and can be extend
   # if Skipper Ingress needs to access other AWS resources
   SkipperIngressIAMRole:
     Properties:

diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -46,6 +46,12 @@ kube_aws_ingress_controller_nlb_cross_zone: "true"
 kube_aws_ingress_controller_cert_polling_interval: "2m"
 # sets the default LB type: "network" or "application" are valid choices (overwritten by nlb_switch)
 kube_aws_ingress_default_lb_type: "application"
+# cert filter
+{{if eq .Cluster.Environment "production"}}
+kube_aws_ingress_controller_cert_filter_tag: ""
+{{else}}
+kube_aws_ingress_controller_cert_filter_tag: "kubernetes=enabled"
+{{end}}
 
 # ALB to NLB switch
 # "pre":
@@ -77,6 +83,7 @@ skipper_ingress_memory: "1500Mi"
 
 # Enables deployment of canary version
 skipper_ingress_canary_enabled: "true"
+skipper_ingress_test_single_pod: "false"
 
 # When set to true (and dedicated node pool for skipper is also true) the
 # daemonset overhead will be subtracted from the cpu settings such

diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -4,6 +4,20 @@ pre_apply:
   namespace: kube-system
   kind: Deployment
 
+# TODO: remove after rollout
+- kind: CronJob
+  name: secret-combiner
+  namespace: kube-system
+- kind: RoleBinding
+  name: secret-combiner
+  namespace: kube-system
+- kind: Role
+  name: secret-combiner
+  namespace: kube-system
+- kind: ServiceAccount
+  name: secret-combiner
+  namespace: kube-system
+
 # everything defined under here will be deleted after applying the manifests
 post_apply:
 - name: cronjob-monitor
@@ -75,7 +89,6 @@ post_apply:
 {{ end }}
 
 {{- if ne .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
-# hostname-credentials-controller
 - kind: CronJob
   name: hostname-credentials-controller
   namespace: kube-system
@@ -91,20 +104,6 @@ post_apply:
   labels:
     application: skipper-ingress
     component: hostname-credentials
-
-# secret-combiner
-- kind: CronJob
-  name: secret-combiner
-  namespace: kube-system
-- kind: RoleBinding
-  name: secret-combiner
-  namespace: kube-system
-- kind: Role
-  name: secret-combiner
-  namespace: kube-system
-- kind: ServiceAccount
-  name: secret-combiner
-  namespace: kube-system
 - kind: Secret
   name: hostname-credentials
   namespace: kube-system

diff --git a/cluster/manifests/ingress-controller/deployment.yaml b/cluster/manifests/ingress-controller/deployment.yaml
@@ -56,6 +56,9 @@ spec:
             - --load-balancer-type={{ .Cluster.ConfigItems.kube_aws_ingress_default_lb_type }}
             # {{ end }}
             - --cert-polling-interval={{ .Cluster.ConfigItems.kube_aws_ingress_controller_cert_polling_interval }}
+            # {{ if .Cluster.ConfigItems.kube_aws_ingress_controller_cert_filter_tag }}
+            - --cert-filter-tag={{ .Cluster.ConfigItems.kube_aws_ingress_controller_cert_filter_tag }}
+            # {{ end }}
           env:
             - name: CUSTOM_FILTERS
               value: "tag:kubernetes.io/cluster/{{ .Cluster.ID }}=owned tag:node.kubernetes.io/role=worker tag:zalando.org/ingress-enabled=true"

diff --git a/cluster/manifests/skipper/deployment.yaml b/cluster/manifests/skipper/deployment.yaml
@@ -39,6 +39,8 @@ metadata:
 spec:
 {{ if index . "replicas" }}
   replicas: {{ .replicas }}
+{{ else if eq .Cluster.ConfigItems.skipper_ingress_test_single_pod "true" }}
+  replicas: 0
 {{ end }}
   strategy:
     rollingUpdate:

diff --git a/cluster/manifests/skipper/hostname-credentials-controller.yaml b/cluster/manifests/skipper/hostname-credentials-controller.yaml
@@ -1,5 +1,5 @@
 # {{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
-# {{ $version := "main-11" }}
+# {{ $version := "main-12" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -56,6 +56,42 @@ subjects:
     name: hostname-credentials-controller
     namespace: kube-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: hostname-credentials-controller
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: hostname-credentials
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: hostname-credentials-controller
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: hostname-credentials
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hostname-credentials-controller
+subjects:
+  - kind: ServiceAccount
+    name: hostname-credentials-controller
+    namespace: kube-system
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -91,10 +127,12 @@ spec:
               args:
                 - -ingress-selector=application
                 - -credentials-namespace=kube-system
-                - -credentials-name-template={hostname}-grant-credentials
+                - -credentials-name-template={host}-grant-credentials
                 - -credentials-selector=application=skipper-ingress,component=hostname-credentials
                 - -credentials-labels=application=skipper-ingress,component=hostname-credentials
                 - -credentials-redirect-uri-path={{ .Cluster.ConfigItems.skipper_oauth2_redirect_uri_path }}
+                - -combined-secret-name=hostname-credentials
+                - -combined-secret-labels=application=skipper-ingress,component=hostname-credentials-combined
               resources:
                 limits:
                   cpu: 10m

diff --git a/cluster/manifests/skipper/secret-combiner.yaml b/cluster/manifests/skipper/secret-combiner.yaml
diff --git a/cluster/manifests/stackset-controller/deployment.yaml b/cluster/manifests/stackset-controller/deployment.yaml
@@ -1,4 +1,4 @@
-{{ $version := "v1.4.45" }}
+{{ $version := "v1.4.49" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

diff --git a/cluster/node-pools/worker-karpenter/provisioners.yaml b/cluster/node-pools/worker-karpenter/provisioners.yaml
@@ -57,7 +57,7 @@ spec:
 #  {{ end}}
 #{{ end}}
   userData: |
-{{.UserData | indent 4}}
+{{ .Values.UserData | indent 4 }}
 ---
 apiVersion: karpenter.sh/v1beta1
 kind: NodePool

diff --git a/test/e2e/stackset/go.mod b/test/e2e/stackset/go.mod
@@ -4,7 +4,7 @@ go 1.22
 
 toolchain go1.22.0
 
-require github.com/zalando-incubator/stackset-controller v1.4.45
+require github.com/zalando-incubator/stackset-controller v1.4.49
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -31,9 +31,9 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.18.0 // indirect
+	github.com/prometheus/client_golang v1.19.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.46.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect

diff --git a/test/e2e/stackset/go.sum b/test/e2e/stackset/go.sum
@@ -421,8 +421,8 @@ github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
-github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
+github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -435,8 +435,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y=
-github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ=
+github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
+github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -506,8 +506,8 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/zalando-incubator/stackset-controller v1.4.45 h1:oQvWhC80vyrMLvcZOjVqmdFCou/StLqHS18XxaTSmbc=
-github.com/zalando-incubator/stackset-controller v1.4.45/go.mod h1:cs6DeHcxl4xAAXl5pK1oAoxjKbmp10PBLKqYqw21VxI=
+github.com/zalando-incubator/stackset-controller v1.4.49 h1:nkq9d9QwIPTiZmautcgGnZX5ACgbcM+KgoKMXhSralI=
+github.com/zalando-incubator/stackset-controller v1.4.49/go.mod h1:HJ9bcBTgGl4bUA10mqC5/7TuvXOuC/Qh77WbOxU3LHY=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=