This commit adds the flags and config options recommended by the
community in:
https://github.com/kubernetes/ingress-nginx/issues/10570
https://github.com/kubernetes/ingress-nginx/issues/10572
CVE-2023-5044 is mitigated with enableAnnotationValidations
CVE-2022-4886 is mitigated with strict-validate-path-type
Test cases:
PASS: Full build, system install, bootstrap and unlock.
PASS: system application-update to this new version
PASS: Create Ingress resource with special character in path /apple$,
Verify it's possible to curl localhost/apple$.
Apply strict-validate-path-type override and verify creating the
same Ingress object is not possible anymore, neither curl works.
PASS: Create Ingress resource with special characters and verify that
it creates successfully.
annotations:
  nginx.ingress.kubernetes.io/permanent-redirect: |
    https://www.google.com$HOST
Apply enableAnnotationValidations override and verify creating the
same Ingress object is not possible anymore and a validation error
is now returned.
PASS: stx-openstack applies without error.
Closes-Bug: 2042977
Change-Id: I2f2279ebb34094d0a21d4440e48ef890f09a6133
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
nginx v1.9.0 onwards, "allow-snippet-annotations" is disabled
by default due to security vulnerability reported here
https://github.com/kubernetes/ingress-nginx/issues/7837,
openstack failed to apply due to this change since it is using
"configuration-snippet" under annotations in its openstack ingress
definition. We are changing this default behavior to let openstack apply
successfully until this upstream PR
https://github.com/kubernetes/ingress-nginx/pull/9742 is addressed.
Once we upversion the nginx with the fix, we disable
"allow-snippet-annotations" and the openstack team will have to change
their configuration.
Test Cases:
PASS: Enable "allow-snippet-annotations" in nginx configmap
and apply the openstack app successfully
PASS: Test stx-openstack with installation and verify openstack is
applied successfully
Closes-bug: 2042957
Change-Id: Ic6c379803f17998ef7f573fa1fffa566b9e74e39
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
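The two commits above describe three controller-side guards: strict-validate-path-type rejects Ingress paths with characters outside a safe alphabet (the /apple$ test case), enableAnnotationValidations rejects annotation values such as a permanent-redirect containing $HOST, and allow-snippet-annotations decides whether *-snippet annotations are spliced into nginx.conf at all. The script below is an added example, not code from this repository or from ingress-nginx: it audits Ingress objects for the same conditions before they reach a cluster (for instance in CI or a pre-admission hook), so that an app such as stx-openstack that still relies on configuration-snippet is visible as an exception rather than silently depending on the relaxed default. The path alphabet, the snippet annotation list and the control-character rule are assumptions modelled on the behaviour described, not copied from upstream; the sample Ingress objects are constructed and mirror the test cases in the commit messages.

```python
"""Audit Kubernetes Ingress objects for conditions that the ingress-nginx
flags strict-validate-path-type, enableAnnotationValidations and
allow-snippet-annotations guard against on the controller side.

Added example for a CI / pre-admission check. The rules below are
assumptions modelled on the documented behaviour, not upstream source.
"""
import re

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Assumed strict path alphabet: letters, digits, '-', '.', '_', '~', '/'.
# Anything else ('$' in '/apple$', spaces, quotes, braces) is rejected for
# Exact and Prefix paths; regex-style paths belong to ImplementationSpecific.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9\-._~/]*$")

# Annotations whose value is spliced verbatim into nginx.conf (assumed list;
# the commit message above only names configuration-snippet).
SNIPPET_ANNOTATIONS = {
    "configuration-snippet", "server-snippet", "stream-snippet",
    "modsecurity-snippet", "auth-snippet",
}

# A '$' not followed by a digit names an nginx variable such as $HOST
# (numeric $1/$2 capture references are legitimate in rewrite-target);
# ';', '{', '}' and newlines can terminate one directive and start another.
UNSAFE_VALUE = re.compile(r"\$(?!\d)|[;{}\r\n]")


def audit_ingress(ingress):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    meta = ingress.get("metadata") or {}
    name = meta.get("name", "<unnamed>")

    for key, value in (meta.get("annotations") or {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        short = key[len(ANNOTATION_PREFIX):]
        if short in SNIPPET_ANNOTATIONS:
            findings.append(f"{name}: {short} injects raw nginx configuration")
        elif UNSAFE_VALUE.search(str(value)):
            findings.append(
                f"{name}: {short} value {str(value).strip()!r} "
                "contains nginx control characters")

    for rule in (ingress.get("spec") or {}).get("rules") or []:
        for entry in (rule.get("http") or {}).get("paths") or []:
            path = entry.get("path", "/")
            path_type = entry.get("pathType", "ImplementationSpecific")
            if path_type in ("Exact", "Prefix") and not SAFE_PATH.match(path):
                findings.append(
                    f"{name}: path {path!r} has characters outside the "
                    "strict path alphabet")
    return findings


def audit_all(objects):
    """Map each Ingress name to its findings."""
    return {obj["metadata"]["name"]: audit_ingress(obj) for obj in objects}


def _ingress(name, path, annotations=None, path_type="Prefix"):
    """Build a minimal constructed Ingress object (sample data, not real)."""
    backend = {"service": {"name": "web", "port": {"number": 80}}}
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "metadata": {"name": name, "annotations": annotations or {}},
        "spec": {"rules": [{"http": {"paths": [
            {"path": path, "pathType": path_type, "backend": backend}]}}]},
    }


# Constructed samples mirroring the commit's test cases.
SAMPLES = [
    _ingress("plain", "/apple"),
    _ingress("dollar-path", "/apple$"),
    _ingress("redirect-var", "/", {
        ANNOTATION_PREFIX + "permanent-redirect": "https://www.google.com$HOST\n"}),
    _ingress("rewrite-ok", "/api(/|$)(.*)", {
        ANNOTATION_PREFIX + "rewrite-target": "/$2"},
        path_type="ImplementationSpecific"),
    _ingress("snippet", "/", {
        ANNOTATION_PREFIX + "configuration-snippet":
        'more_set_headers "X-Test: 1";'}),
]

if __name__ == "__main__":
    for ingress_name, found in audit_all(SAMPLES).items():
        status = "FAIL" if found else "PASS"
        print(f"{status}: {ingress_name}")
        for line in found:
            print("   ", line)
```

Of the five constructed objects, only "plain" and "rewrite-ok" pass: the rewrite case shows why the rule tolerates numeric capture references and why regex paths need pathType ImplementationSpecific under strict validation, while "snippet" is reported regardless of its value because the risk lies in the annotation existing at all.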
Upversioned the nginx app with new images, nginx
controller image to v1.9.3, kube-webhook-certgen to
v20231011-8b53cabe0 and opentelemetry to v20230721-3e2062ee5
Test Cases:
PASS: Install system, bootstrap with new images and verify it
is successful
PASS: Deploy kuard app by exposing service using nginx ingress
controller with cert issued by stepca using ACME protocol
PASS: Test snmp app with nginx overrides, try snmpbulkget with
success with no error on nginx pods
PASS: Test WRO app, upload, apply and deploy WRO without https.
Verify openstack endpoints and check cli, notice there are
no errors in the logs.
PASS: Test WRO app with https, install openstack, openstack_ca
certificate, verify openstack endpoints changed to https
and verify openstack cli with no errors
Story: 2010705
Task: 48992
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/899271
Change-Id: I047b763c529efe482b3f3e90c130ffa56bd01993
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
In addition to staying current with the latest upstream helm-chart,
this version also addresses most of CVE issues reported for v1.1.1.
This version introduces one new image:
registry.k8s.io/ingress-nginx/opentelemetry
One new empty dir pod mount was configured, now for /tmp/nginx, because
of a change in the docker image where they now store temp files for
nginx in the /tmp/nginx dir instead of just /tmp. In stx we need to keep
both mount points, because /tmp is required for the wr-openstack upload
of big images.
Test cases:
PASS: Full build, system install, bootstrap and unlock.
PASS: In a running system update the version with system
application-update.
PASS: Test the integration with cert-manager by creating certificates
and https Ingress resources based on an ACME type ClusterIssuer.
PASS: Test the integration with snmp by applying snmp and configuring
helm overrides to enable the UDP port in nginx. Try snmpbulkget
command and verify it runs successfully. Verify snmp pod logs
for successful login and failures.
PASS: Test the integration with wr-openstack by:
- Apply wro with http only from start and verify it is applied
successfully.
- Enable https and verify wro can be re-applied successfully.
- Apply wro with https enabled from start and verify it is
applied successfully.
- Use the openstack cli and verify it works.
- Try to upload an image (exercises the /tmp dir mount)
Story: 2010705
Task: 47844
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/882462
Change-Id: I72e560d4fe8d94064d0c84e0210f47a6dac7fe71
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Updating the rsa ssh host key based on:
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
Note: In the future, StarlingX should have a zuul job and
secret setup for all repos so we do not need to do this
for every repo.
Needed to rename the secret, because zuul fails if like-named
secrets have different values in different branches of the same
repo.
Partial-Bug: #2015246
Change-Id: I1b4995fafe4f998a59233bfe6ecf6772a783bb24
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
This commit adds the auto update ability to nginx application.
There are no side effects of enabling this.
Test cases:
PASS: build-pkgs -p stx-nginx-ingress-controller-helm
PASS: build-image
PASS: system application-apply nginx-ingress-controller
Story: 2010628
Task: 47877
Change-Id: I280a5429b1bd34fdb7d7562d7cb11fbe214b4dee
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
The Debian packaging meta_data file has been changed to reflect all the
latest git commits under the directory, pointed as usable, and to
improve pkg-versioning addressing the first commit as start point to
build packages.
This ensures that any new code submissions under those
directories will increment the versions.
The commit SHA 4b8dd90cbf was chosen to be the SRC_BASE_SRCREV of the
metadata file for python3-k8sapp-nginx-ingress-controller and
stx-nginx-ingress-controller-helm because it is the commit that creates
the debian directory with build files structure for those packages.
Test Plan:
PASS: Verify package versions are updated as expected.
PASS: build-pkgs -c -p python3-k8sapp-nginx-ingress-controller
PASS: build-pkgs -c -p stx-nginx-ingress-controller-helm
Story: 2010550
Task: 47497
Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
Change-Id: I1f79fef0304792eb572a866680cca22ea381d392
This commit removes Python 2.7 jobs from Zuul, since it will no longer
be executed as part of the check and gate steps for nginx ingress
controller repository.
Additionally, this commit updates the package PyYaml to 5.3.1 version
to support oslo-policy 3.5.0 dependency on PyYAML>=5.1. Also, fixes
some lint errors.
Test Plan:
PASS: Verify Zuul check execution and observe the Workflow +1 at the
end of the process.
Story: 2010531
Task: 47566
Signed-off-by: Manoel Benedito Neto <manoel.beneditoneto@windriver.com>
Change-Id: Icefa2545c325872129088ff51ddc193bb1f9e135
Currently, the debian build system produces a debian package version
with the format: "1.0-1.stx.<revision>"
The rules file then parses this deb pkg version at build time
to produce the app tarball version, which always comes up to
be "1.0-1" at this time [1]. This commit changes the app tarball
version calculation so that the resulting tarball version will
be "1.0-<revision>" [2].
This correction is necessary because the application framework
cannot update an app between instances with the same version.
This commit is part of a set of commits updating the app tarball
version calculation to all apps based off of [3].
[1]: /usr/local/share/applications/helm/<APPNAME>-1.0-1.tgz
[2]: /usr/local/share/applications/helm/<APPNAME>-1.0-<N>.tgz
[3]: https://review.opendev.org/c/starlingx/cert-manager-armada-app/+/872628
Test Plan:
pass - build-pkg
pass - tarball version updated
Story: 2010542
Task: 47527
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: If7d6a34817a4670463d977010b5e8e1dde0f122f
Fixed versioning and adjusted some build files
to bring them as close to a standard as possible.
- Removed centos files
- Added version tracking via GITREVCOUNT
- Fixed mismatch in plugin name, set to python3-k8sapp-<app>
- Standardized plugin debian files (rules, *.install)
- Plugin wheels saved to /plugin instead of /plugin/<app>
Test Plan:
PASS - Build-pkgs -a
PASS - Build-image
PASS - Install, bootstrap, unlock
PASS - app tarball contains wheel file
PASS - wheel versioning updated properly
Story: 2010542
Task: 47198
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: I1ff25e023777ddec6871b16b1dfac51ad8e5c879
This change will allow this repo to pass zuul now
that this has merged:
https://review.opendev.org/c/zuul/zuul-jobs/+/866943
Tox 4 deprecated whitelist_externals.
Replace whitelist_externals with allowlist_externals
Partial-Bug: #2000399
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Ic23ceb69bc078839c194a629717654bfd3acf002
Set reconciliation interval for all flux helm resources to 1m
to allow it to manage resources by itself in a reasonable time
interval.
Test Plan (tested as part of [1]):
PASS: bootstrap
PASS: unlocked enabled available
PASS: apps applied
PASS: inspect flux pod logs for errors
PASS: re-test known trigger for 1996747 and 1995748
PASS: re-test known trigger 1997368
[1] https://review.opendev.org/c/starlingx/config/+/866862
Partial-Bug: 1999032
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Ie7dc9929e74034ec36c48849d317478445efb117
Move the packages of "nginx-ingress-controller-armada-app"
from stx-std.lst to debian_iso_image.inc
Test Plan:
Pass: build-pkgs -c -a
Pass: build-image
Pass: boot
Story: 2008862
Task: 46906
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I3fb6fe2094d91a0cbc807eac35db3b61906676ba
Upstream has deprecated 'node-role.kubernetes.io/master'
to use 'node-role.kubernetes.io/control-plane' in k8s 1.24.
Platform and applications need to be updated to use 'control-plane'
with nodeSelector/Tolerations so we may upgrade from 'master'.
This updates pod nodeSelector to use
'node-role.kubernetes.io/control-plane' instead of
'node-role.kubernetes.io/master'.
This updates pod Tolerations to support both:
- 'node-role.kubernetes.io/master'
- 'node-role.kubernetes.io/control-plane'
Test Plan:
Apply both taints to controller nodes
PASS: Perform all application lifecycle actions:
upload/apply/remove/delete.
PASS: Ensure that pods are running on the controller nodes.
Story: 2010301
Task: 46675
Signed-off-by: Sachin Gopala Krishna <saching.krishna@windriver.com>
Change-Id: Ie6f951021e0c82310b4a63a095412efc9f6385eb
The ubuntu-jammy nodeset gets selected by default
and is causing problems during setup.
Collecting cffi>=1.1
Failed to build cffi
ubuntu-focal seems to work fine.
Will specify the nodeset to be focal to resolve this.
Need to update a file that is monitored by zuul
in order to trigger the failing zuul jobs.
In order to not require the legacy pip resolver, the
requirements need to be updated.
The upper constraints are also updated. When the
debian upper constraints in the build-tools repo are
updated for the appropriate docker and kubernetes, the
file in this repo can be set back to empty.
Partial-Bug: 1994843
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Ia76846f827e06a7de2908ae123566706b21a589a
As part of Armada deprecation we need to remove all Armada application
builds for all applications that have been migrated to FluxCD.
This patch removes the armada app build from centos and debian.
TEST PLAN:
PASS: Build centos
PASS: Build debian
PASS: rpm package has no armada tarball
PASS: deb package has no armada tarball
PASS: FluxCD package is unchanged
Story: 2009138
Task: 45960
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: Id66f17cc121d7612dfeb48ecdecfdc1a3ad2e404
If a Helm plugin from app (X) has the same name as another plugin from a
different app (Y), app plugins from X are not installed as there is a
plugin with the same name already installed. Internally Sysinv
AppOperator has a HashTable and its key is the plugin name, therefore
preventing adding plugins with same name.
We change nginx plugin name so that other apps with different nginx
plugins don't collide and prevent the platform from being able to
apply/reapply nginx-platform-app
001_ingres-nginx -> 0001_ks-ingress-nginx
Test Plan:
PASS: Apply Nginx together with an app with previous nginx plugin
name
PASS: Name changed at system overrides, command:
system helm-override-show nginx-ingress-controller
nginx-ingress-controller kube-system
Closes-bug: 1980394
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: I2a1b663d3867873d024c108d71ee074da1a39a5e
Updating Nginx's defaultbackend image version from defaultbackend:1.4 to
defaultbackend-amd64:1.5 to align with the upstream version.
Test Plan:
PASS: Done Helm override to enable defaultbackend and verify
defaultbackend pod is running after app re-apply.
PASS: Check defaultbackend-amd64:1.5 version pod is using the right
image version.
PASS: Simple functional test creating ingress resources to test the
defaultbackend and nginx with curl commands.
PASS: Fresh install and verified nginx pods are running and
defaultbackend-amd64:1.5 is the image being used in default
backend.
Closes-bug: 1980355
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/848165
Change-Id: Ie23c811d8788feda563336af9a7c6a638d4ea862
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
The reference of the stx-nginx-ingress-controller-helm package to
unpack on the centos spec is wrong. If we change the RPM version,
the build fails.
TEST PLAN
PASS build-pkgs stx-nginx-ingress-controller-helm with version changed
Closes-Bug: 1978964
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ibdf432e48a770385209ee689e6d2d91de85336a4
With the upversion of k8s on the platform to 1.23.1, the
kubernetes-client we are using doesn't support getting the
admission-webhooks with the older v1beta1 version. This is a temporary
workaround to get backups working while we evaluate the upversion of the
kubernetes-client library for Stx.8.0.
TEST PLAN
PASS Run backup playbook, no errors
LOGS: https://paste.opendev.org/show/bJaMTRrEBdjwK4XwWm8l/
Closes-Bug: 1978346
Depends-On: https://review.opendev.org/c/starlingx/config/+/845372
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ic57a05d8151a5d498e2422ca53fc0306158d28dc
The helm v3 (FluxCD) release name needs to align with the previous helm
v2 (Armada) release name so that the migrated v2 release (from the helm
2to3 plugin) information allows the helm upgrade to succeed.
Test Plan:
NOTE: Release name change only impacts upgrades so testing only
performed with CentOS
PASS: Fresh install/provision of AIO-SX
PASS: stx 6.0 -> stx 7.0 app upgrade (upgrade-activation)
Change-Id: Icfd151b50d2bb748be5db1d22cd833bd29fee27f
Story: 2009138
Task: 45610
Signed-off-by: Robert Church <robert.church@windriver.com>
Add overrides to remove CPU request by nginx.
Test Plan:
PASS: Check CPU usage request using "kubectl describe node <nodename>"
Closes-Bug: 1977763
Change-Id: Ib54275914da6281edf140c92628aced728f685a1
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
When requests that are going through the stx ingress have big body size
the platform docker-lv is temporarily increasing its disk usage due to
a request body buffering on the container /tmp directory. Since the tmp
directory is not mounted to any kubernetes volume it is using the
container file system, limited to where containerd is installed [1]
To avoid docker-lv misuse and any related issue it would be interesting
to mount the controller /tmp directory on a kubernetes volume. It would
also be consistent with what is already done on some application
ingresses (e.g. stx-openstack ingress). This way we also keep consistent
documentation for operational procedures (e.g. instructing user on how
much to increase the lv available size for use cases that required huge
request body buffering).
TEST PLAN:
PASS: Build a stx-platform/ingress-nginx chart and apply it to the
system
PASS: Check that the nginx-ingress-controller pod is up and has its /tmp
directory correctly mounted to a kubernetes volume
PASS: Check that requests with body buffering are using the correct
platform kubelet-lv instead of docker-lv (stx-openstack scenario)
[1] https://opendev.org/starlingx/stx-puppet/src/branch/master/puppet-manifests/src/modules/platform/manifests/filesystem.pp#L264
Closes-Bug: 1973212
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: Ibb53255e3f533900afa2a1921f76f164bacae437
This commit switches ingress-nginx to use the fluxcd app by default on
Debian and also preserves the armada app on the build for future
tests.
TEST PLAN
PASS Build ISO and install, verify FluxCD is the app loaded
Story: 2009138
Task: 45483
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I029cf5dc1b68182cfec90dfe8f37fa3000f41577
Since on CentOS we are not packaging any armada resources for
nginx-ingress-controller anymore, this commit cleans up the armada
package generation leftovers from the source tree.
TEST PLAN
PASS Removed previous app and tarball
PASS Install new tarball and upload app
PASS Apply app
PASS Check resources created
PASS Debian build
Logs: https://paste.opendev.org/show/bStdjE4JMDpvCnSsQ8MB/
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I643260ac41d047ea2b58a285eb3ba634c2a2140d
Add the fluxcd app for ingress-nginx to the debian build.
Due to a change on the disposition of folder inside the fluxcd-manifests
folder, this was also checked on CentOS.
TEST PLAN
PASS Install new .deb and install FluxCD nginx
PASS Verify created resources
PASS Install .rpm and test on CentOS
PASS Verify created resources
Logs Debian: https://paste.opendev.org/show/bedUKQSoajNuKua6CGh4/
Logs CentOS: https://paste.opendev.org/show/bkFkgvKlgKopsh3tXTxn/
Story: 2009138
Task: 44473
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I3e04fcc1ec0a8392dcb0991d8e2a72fd81706ddc
This commit adds the images and tags for the images used by nginx
in order for the application framework to download them with sysinv
during 'system application-apply'
Test Cases:
PASS: Built application successfully
PASS: Application install successful and pods are Running
PASS: Check that sysinv logs show images being downloaded from
registry.local
Closes-Bug: 1971981
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/841789
Change-Id: I74b7c49ccb4ad87862831cbefcd5a66178b7521a
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
This commit renames the helm charts for the fluxcd application from
nginx-ingress to ingress-nginx. This keeps it consistent with the
armada version, for potential upgrade issues, and allows the ipfamily
overrides to be generated properly. It also adds an override for the
service name to keep it consistent with the armada helm chart, to
avoid any upgrade issues.
Story: 2009138
Task: 44452
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/838591
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
Change-Id: I0e01214fd91387e313719685447624b0ff5fe7f7
The new version of nginx helm chart has ipFamily value set to IPv4 as
default. When the cluster is IPv6 the helm chart fails to be installed.
This code is adding a system_override to correctly set the ipFamily
according to the system in order to ensure that it works in both IPv4
and IPv6 environments.
This is also correcting a bad helm chart reference in fluxcd
helmrelease.yaml file.
Test Cases:
PASS: Apply app with system application-apply and check it properly
generates ipFamily override for that system (IPV4 or IPV6).
PASS: Apply app with system application-apply and check that it
runs successfully.
PASS: ISO built and installed successfully. Checked that nginx is
working.
PASS: Verify that the fluxcd app is also running.
PASS: Verify that the fluxcd app version is 1.1.1 and armada version
is 0.41.2
PASS: Manually copied the helm overrides generated by the helm plugin
to fluxcd system override and re-installed with success.
PASS: Verify that the app runs successfully in both IPv4 and IPv6
systems.
Story: 2009138
Task: 44697
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: I2187e5a1457d8417fd6bb6b61322fc2923413fd4
The fluxcd version of the app will be added to the debian package in
story 2009138 task 44473.
Test Cases:
PASS: Debian package is built successfully.
Story: 2009836
Task: 44604
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: If591edd61df3129a8447bb415bd38bf31b270ff4
This change updates only the fluxcd version of nginx to 1.1.1.
The armada version remains with version 0.41.2 and is also supported.
Test Cases:
PASS: Verify that there are no changes to the armada rpm generated
PASS: Verify that the armada version of app uses nginx 0.41.2
PASS: Run the rpm build and verify that two packages are generated:
stx-nginx-ingress-controller-helm-<version>.tis.noarch.rpm and
stx-nginx-ingress-controller-helm-fluxcd-<version>.tis.noarch.rpm
PASS: Install the new package with kustomize and verify that nginx pods
are deployed and running with success
PASS: Verify that the fluxcd version of the app uses nginx 1.1.1
Story: 2009836
Task: 44604
Change-Id: Icbabe97720eb7d0e8c8676ae2a18ec5afa62b053
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Add new manifest files to the nginx app to enable FluxCD support.
The new spec will now generate 2 rpms:
- the original one that contains the armada
version of the nginx app
- a new one that contains the new FluxCD
version of nginx app
The FluxCD archive will contain the following:
.
├── charts
│   └── ingress-nginx-3.10.1.tgz
├── checksum.md5
├── fluxcd-manifests
│   ├── base
│   │   ├── helmrepository.yaml
│   │   ├── kustomization.yaml
│   │   └── namespace.yaml
│   ├── kustomization.yaml
│   └── nginx-ingress
│       ├── helmrelease.yaml
│       ├── kustomization.yaml
│       ├── nginx-ingress-static-overrides.yaml
│       └── nginx-ingress-system-overrides.yaml
├── metadata.yaml
└── plugins
    └── k8sapp_nginx_ingress_controller-1.0-py2.py3-none-any.whl
The archive components are almost the same
as the armada components, only the armada manifest file
is replaced with the fluxcd-manifests directory.
Story: 2009138
Task: 44452
Change-Id: Iab30290a8889a2849e65e7b10869e97203a3bd34
Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
"src_path" replaces the "${SRC}/files/*" in dl_hook
"src_files" replaces the "${SRC}/manifests/*" in dl_hook
"dl_files" replaces the ${NGINX_PKG} in dl_hook
And move the extracting ${NGINX_PKG} into debian/rules
Story: 2009101
Task: 43746
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I51fb22d81c6cc475eab77f6e54f08248d981f219