Merge pull request Kong#259 from Kong/next

[kong] release 1.14.0
chencivalue · Jan 20, 2021 · ea130a8 · ea130a8
2 parents af2877d + 02445eb
commit ea130a8
Show file tree

Hide file tree

Showing 26 changed files with 411 additions and 680 deletions.
diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
@@ -1,5 +1,38 @@
 # Changelog
 
+## 1.14.0
+
+### Breaking changes
+
+1.14 is the last planned 1.x version of the Kong chart. 2.x will remove support
+for Helm 2.x and all deprecated configuration. The chart prints a warning when
+upgrading or installing if it detects any configuration still using an old
+format.
+
+* All Ingress and Service resources now use the same template. This ensures
+  that all chart Ingresses and Services support the same configuration. The
+  proxy previously used a unique Ingress configuration, which is now
+  deprecated. If you use the proxy Ingress, [see the instructions in
+  UPGRADE.md](https://github.com/Kong/charts/blob/kong-1.14.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress)
+  to update your configuration. No changes are required for other Service and
+  Ingress configurations.
+  ([#251](https://github.com/Kong/charts/pull/251)).
+* The chart now uses the standard Kong status endpoint instead of custom
+  configuration, allowing users to specify their own custom configuration. The
+  status endpoint is no available in versions older than Kong 1.4.0 or Kong
+  Enterprise 1.5.0; if you use an older version, you will need to [add and load
+  the old custom configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#default-custom-server-block-replaced-with-status-listen).
+
+  If you use a newer version and include Kong container readinessProbe and/or
+  livenessProbe configuration in your values.yaml, you must change the port
+  from `metrics` to `status`.
+  ([#255](https://github.com/Kong/charts/pull/255)).
+
+### Fixed
+
+* Correct an issue with migrations Job toggles.
+  ([#231](https://github.com/Kong/charts/pull/231))
+
 ## 1.13.0
 
 ### Improvements

diff --git a/charts/kong/Chart.yaml b/charts/kong/Chart.yaml
@@ -10,5 +10,5 @@ maintainers:
   email: [email protected]
 name: kong
 sources:
-version: 1.13.0
+version: 1.14.0
 appVersion: 2.2
diff --git a/charts/kong/UPGRADE.md b/charts/kong/UPGRADE.md
@@ -17,7 +17,8 @@ upgrading from a previous version.
 ## Table of contents
 
 - [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions)
-- [1.11.0](#1111)
+- [1.14.0](#1140)
+- [1.11.0](#1110)
 - [1.10.0](#1100)
 - [1.9.0](#190)
 - [1.6.0](#160)
@@ -55,6 +56,81 @@ text ending with `field is immutable`. This is typically due to a bug with the
 If you encounter this error, deleting any existing `init-migrations` jobs will
 clear it.
 
+## 1.14.0
+
+### Removal of multi-host proxy Ingress
+
+Most of the chart's Ingress templates support a single hostname and TLS Secret.
+The proxy Ingress template originally differed, and allowed multiple hostnames
+and TLS configurations. As of chart 1.14.0, we have deprecated the unique proxy
+Ingress configuration; it is now identical to all other Kong services. If you
+do not need to configure multiple Ingress rules for your proxy, you will
+change:
+
+```yaml
+ingress:
+  hosts: ["proxy.kong.example"]
+  tls:
+  - hosts:
+    - proxy.kong.example
+    secretName: example-tls-secret
+  path: /
+```
+to:
+
+```yaml
+ingress:
+  tls: example-tls-secret
+  hostname: proxy.kong.example
+  path: /
+```
+We plan to remove support for the multi-host configuration entirely in version
+2.0 of the chart. If you currently use multiple hosts, we recommend that you
+either:
+- Define Ingresses for each application, e.g. if you proxy applicationA at
+  `foo.kong.example` and applicationB at `bar.kong.example`, you deploy those
+  applications with their own Ingress resources that target the proxy.
+- Define a multi-host Ingress manually. Before upgrading, save your current
+  proxy Ingress, delete labels from the saved copy, and set
+  `proxy.ingress.enabled=false`. After upgrading, create your Ingress from the
+  saved copy and edit it directly to add new rules.
+
+We expect that most users do not need a built-in multi-host proxy Ingress or
+even a proxy Ingress at all: the old configuration predates the Kong Ingress
+Controller and is most useful if you place Kong behind some other controller.
+If you are interested in preserving this functionality, please [discuss your
+use case with us](https://github.com/Kong/charts/issues/73). If there is
+sufficient interest, we will explore options for continuing to support the
+original proxy Ingress configuration format.
+
+### Default custom server block replaced with status listen
+
+Earlier versions of the chart included [a custom server block](https://github.com/Kong/charts/blob/kong-1.13.0/charts/kong/templates/config-custom-server-blocks.yaml)
+to provide `/status` and `/metrics` endpoints. This server block simplified
+RBAC-enabled Enterprise deployments by providing access to these endpoints
+outside the (protected) admin API.
+
+Current versions (Kong 1.4.0+ and Kong Enterprise 1.5.0+) have a built-in
+status listen that provides the same functionality, and chart 1.14.0 uses it
+for readiness/liveness probes and the Prometheus service monitor.
+
+If you are using a version that supports the new status endpoint, you do not
+need to make any changes to your values unless you include `readinessProbe` and
+`livenessProbe` in them. If you do, you must change the port from `metrics` to
+`status`.
+
+If you are using an older version that does not support the status listen, you
+will need to:
+- Create the server block ConfigMap independent of the chart. You will need to
+  set the ConfigMap name and namespace manually and remove the labels block.
+- Add an `extraConfigMaps` values entry for your ConfigMap.
+- Set `env.nginx_http_include` to `/path/to/your/mount/servers.conf`.
+- Add the [old readiness/liveness probe blocks](https://github.com/Kong/charts/blob/kong-1.13.0/charts/kong/values.yaml#L437-L458)
+  to your values.yaml.
+- If you use the Prometheus service monitor, edit it after installing the chart
+  and set `targetPort` to `9542`. This cannot be set from values.yaml, but Helm
+  3 will preserve the change on subsequent upgrades.
+
 ## 1.11.0
 
 ### `KongCredential` custom resources no longer supported

diff --git a/charts/kong/ci/test1-values.yaml b/charts/kong/ci/test1-values.yaml
@@ -31,14 +31,14 @@ admin:
   type: NodePort
   ingress:
     enabled: true
-    hosts: ["test.com", "test2.com"]
+    hostname: admin.kong.example
     annotations: {}
     path: /
 proxy:
   type: NodePort
   ingress:
     enabled: true
-    hosts: ["test.com", "test2.com"]
+    hostname: proxy.kong.example
     annotations: {}
     path: /
 env:

diff --git a/charts/kong/ci/test2-values.yaml b/charts/kong/ci/test2-values.yaml
@@ -25,10 +25,9 @@ proxy:
   type: NodePort
   ingress:
     enabled: true
-    hosts: []
+    hostname: proxy.kong.example
     annotations: {}
     path: /
-  useTLS: true
 # - add stream listens
   stream:
   - containerPort: 9000

diff --git a/charts/kong/ci/test4-values.yaml b/charts/kong/ci/test4-values.yaml
@@ -12,6 +12,9 @@ admin:
   useTLS: true
   servicePort: 8444
   containerPort: 8444
+  ingress:
+    enabled: true
+    hostname: admin.kong.example
 
 # - disable DB for kong
 env:
@@ -47,3 +50,8 @@ proxy:
     servicePort: 9001
     parameters:
     - ssl
+  ingress:
+    enabled: true
+    hosts:
+    - foo.kong.example
+    - bar.kong.example
diff --git a/charts/kong/example-values/full-k4k8s-with-kong-enterprise.yaml b/charts/kong/example-values/full-k4k8s-with-kong-enterprise.yaml
@@ -69,7 +69,6 @@ proxy:
 
   ingress:
     enabled: false
-    hosts: []
     annotations: {}
     path: /
 

diff --git a/charts/kong/templates/NOTES.txt b/charts/kong/templates/NOTES.txt
@@ -25,6 +25,12 @@ Kong: https://bit.ly/k4k8s-get-started
 
 {{- if .Values.runMigrations -}}
 {{/* Legacy migration toggle */}}
-{{- $warnings = append $warnings "You are currently using the legacy runMigrations setting in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-migration job-configuration" -}}
+{{- $warnings = append $warnings "You are currently using the legacy runMigrations setting in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-migration-job-configuration" -}}
 {{- end -}}
+
+{{ if (hasKey .Values "proxy.ingress.hosts") -}}
+{{/* Legacy proxy ingress */}}
+{{- $warnings = append $warnings "You are currently using legacy proxy Ingress configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress" -}}
+{{- end -}}
+
 {{- include "kong.deprecation-warnings" $warnings -}}
diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl
@@ -56,6 +56,122 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create Ingress resource for a Kong service
+*/}}
+{{- define "kong.ingress" -}}
+{{- $servicePort := include "kong.ingress.servicePort" . }}
+{{- $path := .ingress.path -}}
+{{- $hostname := .ingress.hostname -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ .fullName }}-{{ .serviceName }}
+  namespace: {{ .namespace }}
+  labels:
+   {{- .metaLabels | nindent 4 }}
+  {{- if .ingress.annotations }}
+  annotations:
+    {{- range $key, $value := .ingress.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  rules:
+  - host: {{ $hostname }}
+    http:
+      paths:
+        - path: {{ $path }}
+          backend:
+            serviceName: {{ .fullName }}-{{ .serviceName }}
+            servicePort: {{ $servicePort }}
+  {{- if (hasKey .ingress "tls") }}
+  tls:
+  - hosts:
+    - {{ $hostname }}
+    secretName: {{ .ingress.tls }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create Service resource for a Kong service
+*/}}
+{{- define "kong.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .fullName }}-{{ .serviceName }}
+  namespace: {{ .namespace }}
+  {{- if .annotations }}
+  annotations:
+  {{- range $key, $value := .annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+  labels:
+    {{- .metaLabels | nindent 4 }}
+spec:
+  type: {{ .type }}
+  {{- if eq .type "LoadBalancer" }}
+  {{- if .loadBalancerIP }}
+  loadBalancerIP: {{ .loadBalancerIP }}
+  {{- end }}
+  {{- if .loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range $cidr := .loadBalancerSourceRanges }}
+  - {{ $cidr }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- if .externalIPs }}
+  externalIPs:
+  {{- range $ip := .externalIPs }}
+  - {{ $ip }}
+  {{- end -}}
+  {{- end }}
+  ports:
+  {{- if .http }}
+  {{- if .http.enabled }}
+  - name: kong-{{ .serviceName }}
+    port: {{ .http.servicePort }}
+    targetPort: {{ .http.containerPort }}
+  {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .http.nodePort))) }}
+    nodePort: {{ .http.nodePort }}
+  {{- end }}
+    protocol: TCP
+  {{- end }}
+  {{- end }}
+  {{- if .tls.enabled }}
+  - name: kong-{{ .serviceName }}-tls
+    port: {{ .tls.servicePort }}
+    targetPort: {{ .tls.overrideServiceTargetPort | default .tls.containerPort }}
+  {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .tls.nodePort))) }}
+    nodePort: {{ .tls.nodePort }}
+  {{- end }}
+    protocol: TCP
+  {{- end }}
+  {{- if (hasKey . "stream") }}
+  {{- range .stream }}
+  - name: stream-{{ .containerPort }}
+    port: {{ .servicePort }}
+    targetPort: {{ .containerPort }}
+    {{- if (and (or (eq $.type "LoadBalancer") (eq $.type "NodePort")) (not (empty .nodePort))) }}
+    nodePort: {{ .nodePort }}
+    {{- end }}
+    protocol: TCP
+  {{- end }}
+  {{- end }}
+  {{- if .externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .externalTrafficPolicy }}
+  {{- end }}
+  {{- if .clusterIP }}
+  clusterIP: {{ .clusterIP }}
+  {{- end }}
+  selector:
+    {{- .selectorLabels | nindent 4 }}
+{{- end -}}
+
+
 {{/*
 Create KONG_SERVICE_LISTEN strings
 Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc.
@@ -273,11 +389,6 @@ The name of the service used for the ingress controller's validation webhook
     secretName: {{ .name }}
 {{- end }}
 {{- end }}
-{{- if .Values.deployment.kong.enabled }}
-- name: custom-nginx-template-volume
-  configMap:
-    name: {{ template "kong.fullname" . }}-default-custom-server-blocks
-{{- end }}
 {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
 - name: kong-custom-dbless-config-volume
   configMap:
@@ -314,10 +425,6 @@ The name of the service used for the ingress controller's validation webhook
   mountPath: /kong_prefix/
 - name: {{ template "kong.fullname" . }}-tmp
   mountPath: /tmp
-{{- if .Values.deployment.kong.enabled }}
-- name: custom-nginx-template-volume
-  mountPath: /kong
-{{- end }}
 {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
 - name: kong-custom-dbless-config-volume
   mountPath: /kong_dbless/
@@ -585,8 +692,6 @@ TODO: remove legacy admin listen behavior at a future date
 
 {{- end }} {{/* End of the Enterprise settings block */}}
 
-{{- $_ := set $autoEnv "KONG_NGINX_HTTP_INCLUDE" "/kong/servers.conf" -}}
-
 {{- if .Values.postgresql.enabled }}
   {{- $_ := set $autoEnv "KONG_PG_HOST" (include "kong.postgresql.fullname" .) -}}
   {{- $_ := set $autoEnv "KONG_PG_PORT" .Values.postgresql.service.port -}}

diff --git a/charts/kong/templates/config-custom-server-blocks.yaml b/charts/kong/templates/config-custom-server-blocks.yaml