From 29128eb316e12798abd9b5c90ebc21cb9ac07c69 Mon Sep 17 00:00:00 2001 
From: Michael Shnit <11436882+msh111@users.noreply.github.com> Date: Mon, 16 Mar 2020 11:58:35 +0200 Subject: [PATCH] Add AWS ALB Ingress Controller (#5489) * Add AWS ALB Ingress Controller Ansible role * remove trailing spaces * update owners * ALB ingress: update rbac clusterrole and remove role * Move alb-ingress role to roles/kubernetes-apps/ingress_controller folder --- docs/ansible.md | 1 + .../sample/group_vars/k8s-cluster/addons.yml | 9 +++ roles/download/defaults/main.yml | 11 +++ .../alb_ingress_controller/OWNERS | 6 ++ .../alb_ingress_controller/README.md | 42 +++++++++++ .../alb_ingress_controller/defaults/main.yml | 9 +++ .../alb_ingress_controller/tasks/main.yml | 35 +++++++++ .../templates/alb-ingress-clusterrole.yml.j2 | 13 ++++ .../alb-ingress-clusterrolebinding.yml.j2 | 14 ++++ .../templates/alb-ingress-deploy.yml.j2 | 74 +++++++++++++++++++ .../templates/alb-ingress-ns.yml.j2 | 7 ++ .../templates/alb-ingress-sa.yml.j2 | 6 ++ .../ingress_controller/meta/main.yml | 6 ++ roles/kubespray-defaults/defaults/main.yaml | 1 + 14 files changed, 234 insertions(+) create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2 create mode 100644 
roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2 diff --git a/docs/ansible.md b/docs/ansible.md index 00a9f3746..7dbab1e40 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -137,6 +137,7 @@ The following tags are defined in playbooks: | upgrade | Upgrading, f.e. container images/binaries | upload | Distributing images/binaries across hosts | weave | Network plugin Weave +| ingress_alb | AWS ALB Ingress Controller Note: Use the ``bash scripts/gen_tags.sh`` command to generate a list of all tags found in the codebase. New tags will be listed with the empty "Used for" diff --git a/inventory/sample/group_vars/k8s-cluster/addons.yml b/inventory/sample/group_vars/k8s-cluster/addons.yml index 97390f3b1..697f09e16 100644 --- a/inventory/sample/group_vars/k8s-cluster/addons.yml +++ b/inventory/sample/group_vars/k8s-cluster/addons.yml @@ -101,6 +101,15 @@ ingress_publish_status_address: "" # ingress_nginx_extra_args: # - --default-ssl-certificate=default/foo-tls +# ALB ingress controller deployment +ingress_alb_enabled: false +# alb_ingress_aws_region: "us-east-1" +# alb_ingress_restrict_scheme: "false" +# alb_ingress_log_level: "WARN" +# Enables logging on all outbound requests sent to the AWS API. +# If logging is desired, set to true. +# alb_ingress_aws_debug: "false" + # Cert manager deployment cert_manager_enabled: false # cert_manager_namespace: "cert-manager" diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index 7972083e8..83a2c1e2e 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml 
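Review bot: `alb_ingress_restrict_scheme` is offered here as a tunable, but nothing in the new role reads it — it is absent from the role's `defaults/main.yml` and the deployment template never turns it into a controller argument — so an operator who uncomments it expecting internal-only load balancers silently gets whatever each Ingress asks for. Either wire it through (a default plus an args entry such as `- --restrict-scheme={{ alb_ingress_restrict_scheme | bool | lower }}`, assuming that is the v1.1.4 controller's flag name — worth confirming) or drop the line from the sample. The same applies to `alb_ingress_log_level`, which the role defines but never passes on. These booleans are also shown as quoted strings; a plain `false` is safer because the deployment template tests `alb_ingress_aws_debug` for Jinja truthiness, and the non-empty string `"false"` is truthy.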
@@ -485,6 +485,8 @@ local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-p
 local_path_provisioner_image_tag: "v0.0.2"
 ingress_nginx_controller_image_repo: "{{ quay_image_repo }}/kubernetes-ingress-controller/nginx-ingress-controller"
 ingress_nginx_controller_image_tag: "0.28.0"
+alb_ingress_image_repo: "docker.io/amazon/aws-alb-ingress-controller"
+alb_ingress_image_tag: "v1.1.4"
 cert_manager_version: "v0.11.0"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
@@ -991,6 +993,15 @@ downloads:
 groups:
 - kube-node
+ ingress_alb_controller:
+ enabled: "{{ ingress_alb_enabled }}"
+ container: true
+ repo: "{{ alb_ingress_image_repo }}"
+ tag: "{{ alb_ingress_image_tag }}"
+ sha256: "{{ ingress_alb_controller_digest_checksum|default(None) }}"
+ groups:
+ - kube-node
+
 cert_manager_controller:
 enabled: "{{ cert_manager_enabled }}"
 container: true
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS
new file mode 100644
index 000000000..e8c0fcc26
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS
@@ -0,0 +1,6 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+ - kubespray-approvers
+reviewers:
+ - kubespray-reviewers
\ No newline at end of file
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md
new file mode 100644
index 000000000..bcad19329
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md
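Review bot: `alb_ingress_image_repo` hard-codes `docker.io/amazon/aws-alb-ingress-controller`, while the neighbouring entries build their repo from `{{ docker_image_repo }}` or `{{ quay_image_repo }}`; clusters that point those at a private mirror or run air-gapped will still reach out to Docker Hub for this one image. Use `alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"` so the existing mirror override applies to it too.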
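Review bot: The new `ingress_alb_controller` download entry ships with `sha256` resolving to `None` unless an operator sets `ingress_alb_controller_digest_checksum`, so by default the image is fetched by the mutable tag `v1.1.4` with no integrity check, and a retagged or compromised upstream image would be accepted. Whether the download role enforces `sha256` for container images when it is set is not visible in this hunk — worth confirming — but if it does, ship a default digest for the pinned tag, e.g. `ingress_alb_controller_digest_checksum: "<sha256 of amazon/aws-alb-ingress-controller:v1.1.4>"`, so the pin is verified rather than trusted.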
@@ -0,0 +1,42 @@
+# AWS ALB Ingress Controller
+
+**NOTE:** The current image version is `v1.1.4`. Please file any issues you find and note the version used.
+
+The AWS ALB Ingress Controller satisfies Kubernetes [ingress resources](https://kubernetes.io/docs/user-guide/ingress) by provisioning [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html).
+
+This project was originated by [Ticketmaster](https://github.com/ticketmaster) and [CoreOS](https://github.com/coreos) as part of Ticketmaster's move to AWS and CoreOS Tectonic. Learn more about Ticketmaster's Kubernetes initiative from Justin Dean's video at [Tectonic Summit](https://www.youtube.com/watch?v=wqXVKneP0Hg).
+
+This project was donated to Kubernetes SIG-AWS to allow AWS, CoreOS, Ticketmaster and other SIG-AWS contributors to officially maintain the project. SIG-AWS reached this consensus on June 1, 2018.
+
+## Documentation
+
+Checkout our [Live Docs](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/)!
+
+## Getting started
+
+To get started with the controller, see our [walkthrough](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/walkthrough/echoserver/).
+
+## Setup
+- See [controller setup](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/controller/setup/) on how to install ALB ingress controller
+- See [external-dns setup](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/external-dns/setup/) for how to setup the external-dns to manage route 53 records.
+
+## Building
+
+For details on building this project, see our [building guide](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/BUILDING/).
+
+## Community, discussion, contribution, and support
+
+Learn how to engage with the Kubernetes community on the [community page](http://kubernetes.io/community/).
+
+You can reach the maintainers of this project at:
+
+- [Slack channel](https://kubernetes.slack.com/messages/sig-aws)
+- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-aws)
+
+### Code of conduct
+
+Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).
+
+## License
+
+[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fcoreos%2Falb-ingress-controller.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fcoreos%2Falb-ingress-controller?ref=badge_large)
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml
new file mode 100644
index 000000000..3f1879092
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+alb_ingress_controller_namespace: kube-system
+alb_ingress_aws_region: "us-east-1"
+
+# Enables logging on all outbound requests sent to the AWS API.
+# If logging is desired, set to true.
+alb_ingress_aws_debug: "false"
+
+alb_ingress_log_level: "WARN"
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml
new file mode 100644
index 000000000..77f3df4e0
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml
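Review bot: `alb_ingress_aws_debug: "false"` is a quoted string, and the deployment template tests it with a bare `{% if alb_ingress_aws_debug %}`; a non-empty string is truthy in Jinja2, so a default deployment gets `--aws-api-debug` and logs every outbound AWS API request — the opposite of what the comment above it promises. Make it a real boolean, `alb_ingress_aws_debug: false`, so the default stays off (and quoting `"WARN"` or the region is fine, but booleans should not be strings). `alb_ingress_log_level` is defined here yet no template passes it to the controller, so either add `- --log-level={{ alb_ingress_log_level }}` to the deployment args or remove the default rather than leave a knob that does nothing.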
@@ -0,0 +1,35 @@
+---
+
+- name: ALB Ingress Controller | Create addon dir
+ file:
+ path: "{{ kube_config_dir }}/addons/alb_ingress"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: ALB Ingress Controller | Create manifests
+ template:
+ src: "{{ item.file }}.j2"
+ dest: "{{ kube_config_dir }}/addons/alb_ingress/{{ item.file }}"
+ with_items:
+ - { name: alb-ingress-clusterrole, file: alb-ingress-clusterrole.yml, type: clusterrole }
+ - { name: alb-ingress-clusterrolebinding, file: alb-ingress-clusterrolebinding.yml, type: clusterrolebinding }
+ - { name: alb-ingress-ns, file: alb-ingress-ns.yml, type: ns }
+ - { name: alb-ingress-sa, file: alb-ingress-sa.yml, type: sa }
+ - { name: alb-ingress-deploy, file: alb-ingress-deploy.yml, type: deploy }
+ register: alb_ingress_manifests
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: ALB Ingress Controller | Apply manifests
+ kube:
+ name: "{{ item.item.name }}"
+ namespace: "{{ alb_ingress_controller_namespace }}"
+ kubectl: "{{ bin_dir }}/kubectl"
+ resource: "{{ item.item.type }}"
+ filename: "{{ kube_config_dir }}/addons/alb_ingress/{{ item.item.file }}"
+ state: "latest"
+ with_items: "{{ alb_ingress_manifests.results }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2
new file mode 100644
index 000000000..4522635ef
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2
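Review bot: The ClusterRole, ClusterRoleBinding and ServiceAccount are rendered and applied unconditionally in the two tasks here, while the deployment template only sets `serviceAccountName` when `rbac_enabled` is true, so on a cluster with RBAC disabled a binding is created for a subject the pod never uses. Either gate those three `with_items` entries on `rbac_enabled` to match, or drop the conditional in the template — a ServiceAccount is harmless without RBAC, and the pod then runs as a named identity either way. A smaller point: the `template` task sets no `mode`, so the rendered manifests get the remote umask rather than the explicit `0755`/root ownership the directory task establishes; `mode: 0644` would make that deliberate.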
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: alb-ingress
+ namespace: {{ alb_ingress_controller_namespace }}
+rules:
+ - apiGroups: ["", "extensions"]
+ resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "events", "ingresses", "ingresses/status", "services"]
+ verbs: ["list", "create", "get", "update", "watch", "patch"]
+ - apiGroups: ["", "extensions"]
+ resources: ["nodes", "pods", "secrets", "services", "namespaces"]
+ verbs: ["get", "list", "watch"]
\ No newline at end of file
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2
new file mode 100644
index 000000000..4f14f6a99
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: alb-ingress
+ namespace: {{ alb_ingress_controller_namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: alb-ingress
+ namespace: {{ alb_ingress_controller_namespace }}
+roleRef:
+ kind: ClusterRole
+ name: alb-ingress
+ apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2
new file mode 100644
index 000000000..dc95b1df1
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2
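Review bot: The first rule grants `create`, `update` and `patch` cluster-wide on `secrets`, `pods` and `nodes` (alongside `configmaps`, `endpoints` and `services`), which is far more than an ingress controller needs and in practice is cluster-admin-equivalent — a compromise of this pod could rewrite any Secret or create Pods under any ServiceAccount in any namespace. The second rule already gives read access to `nodes`, `pods` and `secrets`, so remove those three from the first rule's `resources` list, leaving `["configmaps", "endpoints", "events", "ingresses", "ingresses/status", "services"]`; as far as I recall that matches upstream's `rbac-role.yaml` for this controller, but confirm against the v1.1.4 manifest. Two smaller items: `namespace:` under a ClusterRole's metadata is ignored because the kind is cluster-scoped, and `rbac.authorization.k8s.io/v1` has been GA since Kubernetes 1.8, so `v1beta1` can be dropped here and in the binding.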
@@ -0,0 +1,74 @@
+# Application Load Balancer (ALB) Ingress Controller Deployment Manifest.
+# This manifest details sensible defaults for deploying an ALB Ingress Controller.
+# GitHub: https://github.com/coreos/alb-ingress-controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: alb-ingress-controller
+ labels:
+ k8s-app: alb-ingress-controller
+ # Namespace the ALB Ingress Controller should run in. Does not impact which
+ # namespaces it's able to resolve ingress resource for. For limiting ingress
+ # namespace scope, see --watch-namespace.
+ namespace: {{ alb_ingress_controller_namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ k8s-app: alb-ingress-controller
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ k8s-app: alb-ingress-controller
+ spec:
+ containers:
+ - args:
+ # Limit the namespace where this ALB Ingress Controller deployment will
+ # resolve ingress resources. If left commented, all namespaces are used.
+ #- --watch-namespace=your-k8s-namespace
+
+ # Setting the ingress-class flag below will ensure that only ingress resources with the
+ # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may
+ # choose any class you'd like for this controller to respect.
+ - --ingress-class=alb
+ # Name of your cluster. Used when naming resources created
+ # by the ALB Ingress Controller, providing distinction between
+ # clusters.
+ - --cluster-name={{ cluster_name }}
+
+ # Enables logging on all outbound requests sent to the AWS API.
+ # If logging is desired, set to true.
+ # - ---aws-api-debug
+{% if alb_ingress_aws_debug %}
+ - --aws-api-debug
+{% endif %}
+ # Maximum number of times to retry the aws calls.
+ # defaults to 10.
+ # - --aws-max-retries=10
+
+ # AWS region this ingress controller will operate in.
+ # If unspecified, it will be discovered from ec2metadata.
+ # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
+{% if alb_ingress_aws_region is defined %}
+ - --aws-region={{ alb_ingress_aws_region }}
+{% endif %}
+
+ image: "{{ alb_ingress_image_repo }}:{{ alb_ingress_image_tag }}"
+ imagePullPolicy: {{ k8s_image_pull_policy }}
+ name: server
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+{% if rbac_enabled %}
+ serviceAccountName: alb-ingress
+{% endif %}
\ No newline at end of file
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2
new file mode 100644
index 000000000..9f57537f9
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ alb_ingress_controller_namespace }}
+ labels:
+ name: {{ alb_ingress_controller_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2
new file mode 100644
index 000000000..692e3e31a
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: alb-ingress
+ namespace: {{ alb_ingress_controller_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/meta/main.yml b/roles/kubernetes-apps/ingress_controller/meta/main.yml
index 617e9d9a7..ec6ab89ed 100644
--- a/roles/kubernetes-apps/ingress_controller/meta/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/meta/main.yml
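Review bot: `{% if alb_ingress_aws_debug %}` uses plain Jinja truthiness, and the role's default for that variable is the string `"false"`, which is non-empty and therefore true, so `--aws-api-debug` is emitted on every default deployment and all outbound AWS API calls get logged. Use `{% if alb_ingress_aws_debug | bool %}` so only a genuine true enables the flag. The container also runs with `securityContext: {}` and `resources: {}`; given the ClusterRole bound to its ServiceAccount it should at least set `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, plus `runAsNonRoot: true` if the v1.1.4 image supports it, and a memory limit so a misbehaving controller cannot starve kube-system. Nothing here supplies AWS credentials, so the controller presumably falls back to the node instance profile; the IAM permissions that implies for every worker node belong in the role's README.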
@@ -13,3 +13,9 @@ dependencies:
 - apps
 - cert-manager
 - ingress-controller
+
+ - role: kubernetes-apps/ingress_controller/alb_ingress_controller
+ when: ingress_alb_enabled
+ tags:
+ - apps
+ - ingress_alb
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 8b8e2b068..497a00f88 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -308,6 +308,7 @@ persistent_volumes_enabled: false
 cephfs_provisioner_enabled: false
 rbd_provisioner_enabled: false
 ingress_nginx_enabled: false
+ingress_alb_enabled: false
 cert_manager_enabled: false
 expand_persistent_volumes: false