hardcode ingress secrets namespace & lb mode

2023-08-23 17:57:15 +02:00 · 2023-08-23 17:57:15 +02:00 · 61d036933e
parent 4807f2c0c6
commit 61d036933e
18 changed files with 22 additions and 70 deletions
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@ -5040,7 +5040,7 @@ spec:
                          defaultLoadBalancerMode:
                            description: 'DefaultLoadBalancerMode specifies the default
                              load balancer mode. Possible values: ''shared'' or ''dedicated''
-                              Default: shared'
+                              Default: dedicated'
                            type: string
                          enableSecretsSync:
                            description: 'EnableSecretsSync specifies whether synchronization
@ -5060,10 +5060,6 @@ spec:
                              Default: "service.beta.kubernetes.io service.kubernetes.io
                              cloud.google.com"'
                            type: string
-                          secretsNamespace:
-                            description: 'SecretsNamespace specifies the namespace
-                              where secrets are synchronized. Default: cilium-secrets'
-                            type: string
                          sharedLoadBalancerServiceName:
                            description: 'SharedLoadBalancerServiceName specifies
                              the name of the shared load balancer service. Default:
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@ -511,17 +511,13 @@ type CiliumIngressSpec struct {
 	// Default: true
 	EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`

-	// SecretsNamespace specifies the namespace where secrets are synchronized.
-	// Default: cilium-secrets
-	SecretsNamespace string `json:"secretsNamespace,omitempty"`
-
 	// LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration.
 	// Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
 	LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"`

 	// DefaultLoadBalancerMode specifies the default load balancer mode.
 	// Possible values: 'shared' or 'dedicated'
-	// Default: shared
+	// Default: dedicated
 	DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"`

 	// SharedLoadBalancerServiceName specifies the name of the shared load balancer service.
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@ -632,17 +632,13 @@ type CiliumIngressSpec struct {
 	// Default: true
 	EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`

-	// SecretsNamespace specifies the namespace where secrets are synchronized.
-	// Default: cilium-secrets
-	SecretsNamespace string `json:"secretsNamespace,omitempty"`
-
 	// LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration.
 	// Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
 	LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"`

 	// DefaultLoadBalancerMode specifies the default load balancer mode.
 	// Possible values: 'shared' or 'dedicated'
-	// Default: shared
+	// Default: dedicated
 	DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"`

 	// SharedLoadBalancerServiceName specifies the name of the shared load balancer service.
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@ -1921,7 +1921,6 @@ func autoConvert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *Cilium
 	out.Enabled = in.Enabled
 	out.EnforceHttps = in.EnforceHttps
 	out.EnableSecretsSync = in.EnableSecretsSync
-	out.SecretsNamespace = in.SecretsNamespace
 	out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes
 	out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode
 	out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName
@ -1937,7 +1936,6 @@ func autoConvert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec(in *kops.C
 	out.Enabled = in.Enabled
 	out.EnforceHttps = in.EnforceHttps
 	out.EnableSecretsSync = in.EnableSecretsSync
-	out.SecretsNamespace = in.SecretsNamespace
 	out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes
 	out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode
 	out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName
--- a/pkg/apis/kops/v1alpha3/networking.go
+++ b/pkg/apis/kops/v1alpha3/networking.go
@ -474,17 +474,13 @@ type CiliumIngressSpec struct {
 	// Default: true
 	EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`

-	// SecretsNamespace specifies the namespace where secrets are synchronized.
-	// Default: cilium-secrets
-	SecretsNamespace string `json:"secretsNamespace,omitempty"`
-
 	// LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration.
 	// Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
 	LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"`

 	// DefaultLoadBalancerMode specifies the default load balancer mode.
 	// Possible values: 'shared' or 'dedicated'
-	// Default: shared
+	// Default: dedicated
 	DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"`

 	// SharedLoadBalancerServiceName specifies the name of the shared load balancer service.
--- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
@ -2103,7 +2103,6 @@ func autoConvert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *Cilium
 	out.Enabled = in.Enabled
 	out.EnforceHttps = in.EnforceHttps
 	out.EnableSecretsSync = in.EnableSecretsSync
-	out.SecretsNamespace = in.SecretsNamespace
 	out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes
 	out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode
 	out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName
@ -2119,7 +2118,6 @@ func autoConvert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec(in *kops.C
 	out.Enabled = in.Enabled
 	out.EnforceHttps = in.EnforceHttps
 	out.EnableSecretsSync = in.EnableSecretsSync
-	out.SecretsNamespace = in.SecretsNamespace
 	out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes
 	out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode
 	out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName
--- a/pkg/model/components/cilium.go
+++ b/pkg/model/components/cilium.go
@ -179,14 +179,11 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 		if ingress.EnableSecretsSync == nil {
 			ingress.EnableSecretsSync = fi.PtrTo(true)
 		}
-		if ingress.SecretsNamespace == "" {
-			ingress.SecretsNamespace = "cilium-secrets"
-		}
 		if ingress.LoadBalancerAnnotationPrefixes == "" {
 			ingress.LoadBalancerAnnotationPrefixes = "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
 		}
 		if ingress.DefaultLoadBalancerMode == "" {
-			ingress.DefaultLoadBalancerMode = "shared"
+			ingress.DefaultLoadBalancerMode = "dedicated"
 		}
 		if ingress.SharedLoadBalancerServiceName == "" {
 			ingress.SharedLoadBalancerServiceName = "cilium-ingress"
--- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content
@ -219,13 +219,12 @@ spec:
      identityAllocationMode: crd
      identityChangeGracePeriod: 5s
      ingress:
-        defaultLoadBalancerMode: shared
+        defaultLoadBalancerMode: dedicated
        enableSecretsSync: true
        enabled: false
        enforceHttps: true
        loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
          cloud.google.com
-        secretsNamespace: cilium-secrets
        sharedLoadBalancerServiceName: cilium-ingress
      ipam: kubernetes
      memoryRequest: 128Mi
--- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content
@ -211,13 +211,12 @@ spec:
      identityAllocationMode: crd
      identityChangeGracePeriod: 5s
      ingress:
-        defaultLoadBalancerMode: shared
+        defaultLoadBalancerMode: dedicated
        enableSecretsSync: true
        enabled: false
        enforceHttps: true
        loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
          cloud.google.com
-        secretsNamespace: cilium-secrets
        sharedLoadBalancerServiceName: cilium-ingress
      ipam: kubernetes
      memoryRequest: 128Mi
--- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content
@ -192,13 +192,12 @@ spec:
      identityAllocationMode: crd
      identityChangeGracePeriod: 5s
      ingress:
-        defaultLoadBalancerMode: shared
+        defaultLoadBalancerMode: dedicated
        enableSecretsSync: true
        enabled: false
        enforceHttps: true
        loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
          cloud.google.com
-        secretsNamespace: cilium-secrets
        sharedLoadBalancerServiceName: cilium-ingress
      ipam: kubernetes
      memoryRequest: 128Mi
--- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content
@ -213,13 +213,12 @@ spec:
      identityAllocationMode: crd
      identityChangeGracePeriod: 5s
      ingress:
-        defaultLoadBalancerMode: shared
+        defaultLoadBalancerMode: dedicated
        enableSecretsSync: true
        enabled: false
        enforceHttps: true
        loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
          cloud.google.com
-        secretsNamespace: cilium-secrets
        sharedLoadBalancerServiceName: cilium-ingress
      ipam: eni
      memoryRequest: 128Mi
--- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content
@ -217,13 +217,12 @@ spec:
      identityAllocationMode: crd
      identityChangeGracePeriod: 5s
      ingress:
-        defaultLoadBalancerMode: shared
+        defaultLoadBalancerMode: dedicated
        enableSecretsSync: true
        enabled: false
        enforceHttps: true
        loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
          cloud.google.com
-        secretsNamespace: cilium-secrets
        sharedLoadBalancerServiceName: cilium-ingress
      ipam: kubernetes
      memoryRequest: 128Mi
--- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content
@ -222,7 +222,6 @@ spec:
        enabled: true
        enforceHttps: false
        loadBalancerAnnotationPrefixes: service.alpha.kubernetes.io
-        secretsNamespace: private-secrets
        sharedLoadBalancerServiceName: private-ingress
      ipam: kubernetes
      memoryRequest: 128Mi
--- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
@ -162,7 +162,7 @@ spec:
    version: 9.99.0
  - id: k8s-1.16
    manifest: networking.cilium.io/k8s-1.16-v1.13.yaml
-    manifestHash: 307c72c9cb2732c4a2fcd0a9044ad5809539ac129a9c7793a00557bb5babc384
+    manifestHash: cfa1382b52e49d9df2eac473b74a29641ebf9d52766d7d149e280e7f9f9ae29d
    name: networking.cilium.io
    needsPKI: true
    needsRollingUpdate: all
--- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content
@ -83,7 +83,7 @@ data:
  identity-change-grace-period: 5s
  ingress-default-lb-mode: dedicated
  ingress-lb-annotation-prefixes: service.alpha.kubernetes.io
-  ingress-secrets-namespace: private-secrets
+  ingress-secrets-namespace: kube-system
  ingress-shared-lb-service-name: private-ingress
  install-iptables-rules: "true"
  ipam: kubernetes
@ -455,18 +455,6 @@ subjects:

 ---

-apiVersion: v1
-kind: Namespace
-metadata:
-  creationTimestamp: null
-  labels:
-    addon.kops.k8s.io/name: networking.cilium.io
-    app.kubernetes.io/managed-by: kops
-    role.kubernetes.io/networking: "1"
-  name: private-secrets
-
---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -477,7 +465,7 @@ metadata:
    app.kubernetes.io/part-of: cilium
    role.kubernetes.io/networking: "1"
  name: cilium-ingress-secrets
-  namespace: private-secrets
+  namespace: kube-system
 rules:
 - apiGroups:
  - ""
@ -500,7 +488,7 @@ metadata:
    app.kubernetes.io/part-of: cilium
    role.kubernetes.io/networking: "1"
  name: cilium-secrets
-  namespace: private-secrets
+  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -522,7 +510,7 @@ metadata:
    app.kubernetes.io/part-of: cilium
    role.kubernetes.io/networking: "1"
  name: cilium-operator-ingress-secrets
-  namespace: private-secrets
+  namespace: kube-system
 rules:
 - apiGroups:
  - ""
@ -546,7 +534,7 @@ metadata:
    app.kubernetes.io/part-of: cilium
    role.kubernetes.io/networking: "1"
  name: cilium-operator-ingress-secrets
-  namespace: private-secrets
+  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
--- a/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml
+++ b/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml
@ -36,7 +36,6 @@ spec:
        enableSecretsSync: false
        enforceHttps: false
        loadBalancerAnnotationPrefixes: service.alpha.kubernetes.io
-        secretsNamespace: private-secrets
        sharedLoadBalancerServiceName: private-ingress
      hubble:
        enabled: true
--- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content
@ -225,13 +225,12 @@ spec:
      identityAllocationMode: crd
      identityChangeGracePeriod: 5s
      ingress:
-        defaultLoadBalancerMode: shared
+        defaultLoadBalancerMode: dedicated
        enableSecretsSync: true
        enabled: false
        enforceHttps: true
        loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io
          cloud.google.com
-        secretsNamespace: cilium-secrets
        sharedLoadBalancerServiceName: cilium-ingress
      ipam: eni
      memoryRequest: 128Mi
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template
@ -284,7 +284,7 @@ data:
  enable-ingress-controller: "true"
  enforce-ingress-https: "{{ .Ingress.EnforceHttps }}"
  enable-ingress-secrets-sync: "{{ .Ingress.EnableSecretsSync }}"
-  ingress-secrets-namespace: {{ .Ingress.SecretsNamespace }}
+  ingress-secrets-namespace: kube-system
  ingress-lb-annotation-prefixes: "{{ .Ingress.LoadBalancerAnnotationPrefixes }}"
  ingress-default-lb-mode: {{ .Ingress.DefaultLoadBalancerMode }}
  ingress-shared-lb-service-name: {{ .Ingress.SharedLoadBalancerServiceName }}
@ -640,17 +640,12 @@ subjects:
  namespace: kube-system
 {{ if WithDefaultBool .Ingress.Enabled false }}
 ---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ .Ingress.SecretsNamespace }}
---
 # Source: cilium/templates/cilium-agent/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: cilium-ingress-secrets
-  namespace: {{ .Ingress.SecretsNamespace }}
+  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
 rules:
@ -668,7 +663,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: cilium-secrets
-  namespace: {{ .Ingress.SecretsNamespace }}
+  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
 roleRef:
@ -685,7 +680,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: cilium-operator-ingress-secrets
-  namespace: {{ .Ingress.SecretsNamespace }}
+  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
 rules:
@ -704,7 +699,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: cilium-operator-ingress-secrets
-  namespace: {{ .Ingress.SecretsNamespace }}
+  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
 roleRef: