From 29128eb316e12798abd9b5c90ebc21cb9ac07c69 Mon Sep 17 00:00:00 2001
From: Michael Shnit <11436882+msh111@users.noreply.github.com>
Date: Mon, 16 Mar 2020 11:58:35 +0200
Subject: [PATCH] Add AWS ALB Ingress Controller (#5489)

* Add AWS ALB Ingress Controller Ansible role

* remove trailing spaces

* update owners

* ALB ingress: update rbac clusterrole and remove role

* Move alb-ingress role to roles/kubernetes-apps/ingress_controller folder
---
 docs/ansible.md                               |  1 +
 .../sample/group_vars/k8s-cluster/addons.yml  |  9 +++
 roles/download/defaults/main.yml              | 11 +++
 .../alb_ingress_controller/OWNERS             |  6 ++
 .../alb_ingress_controller/README.md          | 42 +++++++++++
 .../alb_ingress_controller/defaults/main.yml  |  9 +++
 .../alb_ingress_controller/tasks/main.yml     | 35 +++++++++
 .../templates/alb-ingress-clusterrole.yml.j2  | 13 ++++
 .../alb-ingress-clusterrolebinding.yml.j2     | 14 ++++
 .../templates/alb-ingress-deploy.yml.j2       | 74 +++++++++++++++++++
 .../templates/alb-ingress-ns.yml.j2           |  7 ++
 .../templates/alb-ingress-sa.yml.j2           |  6 ++
 .../ingress_controller/meta/main.yml          |  6 ++
 roles/kubespray-defaults/defaults/main.yaml   |  1 +
 14 files changed, 234 insertions(+)
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2

diff --git a/docs/ansible.md b/docs/ansible.md
index 00a9f3746..7dbab1e40 100644
--- a/docs/ansible.md
+++ b/docs/ansible.md
@@ -137,6 +137,7 @@ The following tags are defined in playbooks:
 |                  upgrade | Upgrading, f.e. container images/binaries
 |                   upload | Distributing images/binaries across hosts
 |                    weave | Network plugin Weave
+|              ingress_alb | AWS ALB Ingress Controller
 
 Note: Use the ``bash scripts/gen_tags.sh`` command to generate a list of all
 tags found in the codebase. New tags will be listed with the empty "Used for"
diff --git a/inventory/sample/group_vars/k8s-cluster/addons.yml b/inventory/sample/group_vars/k8s-cluster/addons.yml
index 97390f3b1..697f09e16 100644
--- a/inventory/sample/group_vars/k8s-cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s-cluster/addons.yml
@@ -101,6 +101,15 @@ ingress_publish_status_address: ""
 # ingress_nginx_extra_args:
 #   - --default-ssl-certificate=default/foo-tls
 
+# ALB ingress controller deployment
+ingress_alb_enabled: false
+# alb_ingress_aws_region: "us-east-1"
+# alb_ingress_restrict_scheme: "false"
+# alb_ingress_log_level: "WARN"
+# Enables logging on all outbound requests sent to the AWS API.
+# If logging is desired, set to true.
+# alb_ingress_aws_debug: "false"
+
 # Cert manager deployment
 cert_manager_enabled: false
 # cert_manager_namespace: "cert-manager"
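Review bot: `alb_ingress_aws_debug: "false"` is a quoted string, and the deployment template in `alb-ingress-deploy.yml.j2` tests it with a bare `{% if alb_ingress_aws_debug %}`, where any non-empty string — including `"false"` — is truthy, so the role default in `defaults/main.yml` (`alb_ingress_aws_debug: "false"`) switches AWS API request logging on rather than off. Either make the value a real boolean, `alb_ingress_aws_debug: false`, here and in the role defaults, or coerce it in the template with `{% if alb_ingress_aws_debug | bool %}`; the template change is the safer one because it also copes with inventories that keep the quoted form. This hunk also lists `# alb_ingress_restrict_scheme: "false"`, which nothing in this commit reads — neither the role defaults nor the template reference it — so uncommenting it has no effect; drop it or wire it to a controller argument.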
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 7972083e8..83a2c1e2e 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -485,6 +485,8 @@ local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-p
 local_path_provisioner_image_tag: "v0.0.2"
 ingress_nginx_controller_image_repo: "{{ quay_image_repo }}/kubernetes-ingress-controller/nginx-ingress-controller"
 ingress_nginx_controller_image_tag: "0.28.0"
+alb_ingress_image_repo: "docker.io/amazon/aws-alb-ingress-controller"
+alb_ingress_image_tag: "v1.1.4"
 cert_manager_version: "v0.11.0"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
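Review bot: `alb_ingress_image_repo` is hard-coded to `docker.io/amazon/...` while the neighbouring entries build their repo from `{{ docker_image_repo }}` (see `local_path_provisioner_image_repo` in the hunk header), so an inventory that redirects image pulls to a private mirror or an air-gapped registry still pulls this one image straight from Docker Hub. Use the same variable: `alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"`. The tag `v1.1.4` is mutable and the downloads entry in the next hunk leaves `sha256` at `default(None)`, so nothing pins this image to a digest unless the inventory supplies `ingress_alb_controller_digest_checksum`; worth saying so in the README or the addons sample.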
@@ -991,6 +993,15 @@ downloads:
     groups:
       - kube-node
 
+  ingress_alb_controller:
+    enabled: "{{ ingress_alb_enabled }}"
+    container: true
+    repo: "{{ alb_ingress_image_repo }}"
+    tag: "{{ alb_ingress_image_tag }}"
+    sha256: "{{ ingress_alb_controller_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+
   cert_manager_controller:
     enabled: "{{ cert_manager_enabled }}"
     container: true
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS
new file mode 100644
index 000000000..e8c0fcc26
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS
@@ -0,0 +1,6 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - kubespray-approvers
+reviewers:
+  - kubespray-reviewers
\ No newline at end of file
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md
new file mode 100644
index 000000000..bcad19329
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md
@@ -0,0 +1,42 @@
+# AWS ALB Ingress Controller
+
+**NOTE:** The current image version is `v1.1.4`. Please file any issues you find and note the version used.
+
+The AWS ALB Ingress Controller satisfies Kubernetes [ingress resources](https://kubernetes.io/docs/user-guide/ingress) by provisioning [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html).
+
+This project was originated by [Ticketmaster](https://github.com/ticketmaster) and [CoreOS](https://github.com/coreos) as part of Ticketmaster's move to AWS and CoreOS Tectonic. Learn more about Ticketmaster's Kubernetes initiative from Justin Dean's video at [Tectonic Summit](https://www.youtube.com/watch?v=wqXVKneP0Hg).
+
+This project was donated to Kubernetes SIG-AWS to allow AWS, CoreOS, Ticketmaster and other SIG-AWS contributors to officially maintain the project. SIG-AWS reached this consensus on June 1, 2018.
+
+## Documentation
+
+Checkout our [Live Docs](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/)!
+
+## Getting started
+
+To get started with the controller, see our [walkthrough](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/walkthrough/echoserver/).
+
+## Setup
+- See [controller setup](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/controller/setup/) on how to install ALB ingress controller
+- See [external-dns setup](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/external-dns/setup/) for how to setup the external-dns to manage route 53 records.
+
+## Building
+
+For details on building this project, see our [building guide](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/BUILDING/).
+
+## Community, discussion, contribution, and support
+
+Learn how to engage with the Kubernetes community on the [community page](http://kubernetes.io/community/).
+
+You can reach the maintainers of this project at:
+
+- [Slack channel](https://kubernetes.slack.com/messages/sig-aws)
+- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-aws)
+
+### Code of conduct
+
+Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).
+
+## License
+
+[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fcoreos%2Falb-ingress-controller.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fcoreos%2Falb-ingress-controller?ref=badge_large)
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml
new file mode 100644
index 000000000..3f1879092
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+alb_ingress_controller_namespace: kube-system
+alb_ingress_aws_region: "us-east-1"
+
+# Enables logging on all outbound requests sent to the AWS API.
+# If logging is desired, set to true.
+alb_ingress_aws_debug: "false"
+
+alb_ingress_log_level: "WARN"
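Review bot: `alb_ingress_log_level: "WARN"` is declared here but never consumed — the deployment template in `alb-ingress-deploy.yml.j2` passes no log-level argument to the container — so setting it in an inventory does nothing; either feed it into the controller's `args` list or drop the variable. `alb_ingress_aws_region: "us-east-1"` is an unconditional default, which makes the template's `{% if alb_ingress_aws_region is defined %}` guard always true, so the "discovered from ec2metadata" fallback described in the template comment can never run and a cluster in another region is silently pointed at `us-east-1`; if auto-discovery is meant to be the default, leave the region unset here and document it as optional in the addons sample. A short comment above each variable saying which controller flag it maps to would make both problems visible.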
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml
new file mode 100644
index 000000000..77f3df4e0
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+
+- name: ALB Ingress Controller | Create addon dir
+  file:
+    path: "{{ kube_config_dir }}/addons/alb_ingress"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: ALB Ingress Controller | Create manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/addons/alb_ingress/{{ item.file }}"
+  with_items:
+    - { name: alb-ingress-clusterrole, file: alb-ingress-clusterrole.yml, type: clusterrole }
+    - { name: alb-ingress-clusterrolebinding, file: alb-ingress-clusterrolebinding.yml, type: clusterrolebinding }
+    - { name: alb-ingress-ns, file: alb-ingress-ns.yml, type: ns }
+    - { name: alb-ingress-sa, file: alb-ingress-sa.yml, type: sa }
+    - { name: alb-ingress-deploy, file: alb-ingress-deploy.yml, type: deploy }
+  register: alb_ingress_manifests
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: ALB Ingress Controller | Apply manifests
+  kube:
+    name: "{{ item.item.name }}"
+    namespace: "{{ alb_ingress_controller_namespace }}"
+    kubectl: "{{ bin_dir }}/kubectl"
+    resource: "{{ item.item.type }}"
+    filename: "{{ kube_config_dir }}/addons/alb_ingress/{{ item.item.file }}"
+    state: "latest"
+  with_items: "{{ alb_ingress_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
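Review bot: `mode: 0755` in the "Create addon dir" task is an unquoted octal literal; YAML parsers read it as the integer 493 and ansible-lint flags it — write it as a string, `mode: "0755"`, as the convention for file modes. The manifest loop also applies `alb-ingress-ns.yml` with `state: "latest"`, and with the role default `alb_ingress_controller_namespace: kube-system` that presumably re-applies a Namespace object over the pre-existing `kube-system` on every run (adding the `name` label from the template), a write to a system namespace the role does not own; consider skipping the namespace item when the target is `kube-system`, or defaulting the controller into its own namespace. The ClusterRole and ClusterRoleBinding are applied unconditionally while the deployment only sets `serviceAccountName` when `rbac_enabled` is true; that is harmless but the asymmetry deserves a comment on the loop.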
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2
new file mode 100644
index 000000000..4522635ef
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: alb-ingress
+  namespace: {{ alb_ingress_controller_namespace }}
+rules:
+  - apiGroups: ["", "extensions"]
+    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "events", "ingresses", "ingresses/status", "services"]
+    verbs: ["list", "create", "get", "update", "watch", "patch"]
+  - apiGroups: ["", "extensions"]
+    resources: ["nodes", "pods", "secrets", "services", "namespaces"]
+    verbs: ["get", "list", "watch"]
\ No newline at end of file
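Review bot: The first rule grants `create`, `update` and `patch` cluster-wide on `nodes`, `pods` and `secrets` (in both the core and `extensions` groups), while the second rule grants those same three resources read-only access, which suggests the write verbs on them are unintended; a controller that can create pods and write secrets and node objects holds far more than it needs to manage ingresses and load balancers, and a compromise of this pod would inherit all of it. Keep `nodes`, `pods` and `secrets` under the read-only rule only, i.e. `resources: ["configmaps", "endpoints", "events", "ingresses", "ingresses/status", "services"]` for the first rule. `metadata.namespace` is ignored on a cluster-scoped ClusterRole (and on the ClusterRoleBinding in the next file) and can be dropped, and `rbac.authorization.k8s.io/v1` has been available since Kubernetes 1.8, so `v1beta1` is not needed. The file also lacks a trailing newline.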
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2
new file mode 100644
index 000000000..4f14f6a99
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: alb-ingress
+  namespace: {{ alb_ingress_controller_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: alb-ingress
+    namespace: {{ alb_ingress_controller_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: alb-ingress
+  apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2
new file mode 100644
index 000000000..dc95b1df1
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2
@@ -0,0 +1,74 @@
+# Application Load Balancer (ALB) Ingress Controller Deployment Manifest.
+# This manifest details sensible defaults for deploying an ALB Ingress Controller.
+# GitHub: https://github.com/coreos/alb-ingress-controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: alb-ingress-controller
+  labels:
+    k8s-app: alb-ingress-controller
+  # Namespace the ALB Ingress Controller should run in. Does not impact which
+  # namespaces it's able to resolve ingress resource for. For limiting ingress
+  # namespace scope, see --watch-namespace.
+  namespace: {{ alb_ingress_controller_namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: alb-ingress-controller
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        k8s-app: alb-ingress-controller
+    spec:
+      containers:
+      - args:
+        # Limit the namespace where this ALB Ingress Controller deployment will
+        # resolve ingress resources. If left commented, all namespaces are used.
+        #- --watch-namespace=your-k8s-namespace
+        
+        # Setting the ingress-class flag below will ensure that only ingress resources with the
+        # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may
+        # choose any class you'd like for this controller to respect.
+        - --ingress-class=alb
+        # Name of your cluster. Used when naming resources created
+        # by the ALB Ingress Controller, providing distinction between
+        # clusters.
+        - --cluster-name={{ cluster_name }}
+        
+        # Enables logging on all outbound requests sent to the AWS API.
+        # If logging is desired, set to true.
+        # - ---aws-api-debug
+{% if alb_ingress_aws_debug %}
+        - --aws-api-debug
+{% endif %}
+        # Maximum number of times to retry the aws calls.
+        # defaults to 10.
+        # - --aws-max-retries=10
+
+        # AWS region this ingress controller will operate in.
+        # If unspecified, it will be discovered from ec2metadata.
+        # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
+{% if alb_ingress_aws_region is defined %}
+        - --aws-region={{ alb_ingress_aws_region }}
+{% endif %}
+
+        image: "{{ alb_ingress_image_repo }}:{{ alb_ingress_image_tag }}"
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        name: server
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+{% if rbac_enabled %}
+      serviceAccountName: alb-ingress
+{% endif %}
\ No newline at end of file
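Review bot: Two lines inside the `args` list still carry trailing whitespace (the blank lines after the `--watch-namespace` and `--cluster-name` comments) although the commit message says trailing spaces were removed; yamllint will flag them, and the file also has no trailing newline. The commented example `# - ---aws-api-debug` has a triple dash and should read `# - --aws-api-debug` to match the flag rendered two lines below it. `securityContext: {}` at pod level leaves the controller running as whatever user the image defaults to; since this pod holds the cluster-wide ClusterRole and, with no credential injected in this manifest, presumably the node's AWS credentials, a `runAsNonRoot: true` pod securityContext would be cheap hardening (TODO confirm the image supports a non-root user). The `{% if alb_ingress_aws_region is defined %}` guard is always satisfied by the role default, so the ec2metadata fallback the comment promises never applies.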
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2
new file mode 100644
index 000000000..9f57537f9
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ alb_ingress_controller_namespace }}
+  labels:
+    name: {{ alb_ingress_controller_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2
new file mode 100644
index 000000000..692e3e31a
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: alb-ingress
+  namespace: {{ alb_ingress_controller_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/meta/main.yml b/roles/kubernetes-apps/ingress_controller/meta/main.yml
index 617e9d9a7..ec6ab89ed 100644
--- a/roles/kubernetes-apps/ingress_controller/meta/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/meta/main.yml
@@ -13,3 +13,9 @@ dependencies:
       - apps
       - cert-manager
       - ingress-controller
+
+  - role: kubernetes-apps/ingress_controller/alb_ingress_controller
+    when: ingress_alb_enabled
+    tags:
+      - apps
+      - ingress_alb
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 8b8e2b068..497a00f88 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -308,6 +308,7 @@ persistent_volumes_enabled: false
 cephfs_provisioner_enabled: false
 rbd_provisioner_enabled: false
 ingress_nginx_enabled: false
+ingress_alb_enabled: false
 cert_manager_enabled: false
 expand_persistent_volumes: false
 
-- 
GitLab