diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index ffc809c676..81ab6b9524 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -5040,7 +5040,7 @@ spec: defaultLoadBalancerMode: description: 'DefaultLoadBalancerMode specifies the default load balancer mode. Possible values: ''shared'' or ''dedicated'' - Default: shared' + Default: dedicated' type: string enableSecretsSync: description: 'EnableSecretsSync specifies whether synchronization @@ -5060,10 +5060,6 @@ spec: Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"' type: string - secretsNamespace: - description: 'SecretsNamespace specifies the namespace - where secrets are synchronized. Default: cilium-secrets' - type: string sharedLoadBalancerServiceName: description: 'SharedLoadBalancerServiceName specifies the name of the shared load balancer service. Default: diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index 8a637a73e2..563aa339d8 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go @@ -511,17 +511,13 @@ type CiliumIngressSpec struct { // Default: true EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` - // SecretsNamespace specifies the namespace where secrets are synchronized. - // Default: cilium-secrets - SecretsNamespace string `json:"secretsNamespace,omitempty"` - // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration. // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"` // DefaultLoadBalancerMode specifies the default load balancer mode. // Possible values: 'shared' or 'dedicated' - // Default: shared + // Default: dedicated DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"` // SharedLoadBalancerServiceName specifies the name of the shared load balancer service. 
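Review bot: Deleting `SecretsNamespace` from `CiliumIngressSpec` removes a field from an already-served API with no deprecation step, and the same deletion is made in the v1alpha2 and v1alpha3 `networking.go` hunks. A stored cluster spec that still carries `secretsNamespace` (the privatecilium2 test input did until this commit) will be either rejected as an unknown field or silently ignored, depending on how strictly the spec is decoded, which the diff does not show. In both cases the operator gets no signal that ingress secrets are now synchronized somewhere else. I would keep the field for one release, marked `// Deprecated: SecretsNamespace is ignored; ingress secrets are always synchronized to kube-system.`, and warn in validation when it is set. The struct begins and ends outside this hunk.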
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go index 0d5528642f..a781bf6d16 100644 --- a/pkg/apis/kops/v1alpha2/networking.go +++ b/pkg/apis/kops/v1alpha2/networking.go @@ -632,17 +632,13 @@ type CiliumIngressSpec struct { // Default: true EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` - // SecretsNamespace specifies the namespace where secrets are synchronized. - // Default: cilium-secrets - SecretsNamespace string `json:"secretsNamespace,omitempty"` - // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration. // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"` // DefaultLoadBalancerMode specifies the default load balancer mode. // Possible values: 'shared' or 'dedicated' - // Default: shared + // Default: dedicated DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"` // SharedLoadBalancerServiceName specifies the name of the shared load balancer service. diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index b44a3640d5..8e2bf472b4 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -1921,7 +1921,6 @@ func autoConvert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *Cilium out.Enabled = in.Enabled out.EnforceHttps = in.EnforceHttps out.EnableSecretsSync = in.EnableSecretsSync - out.SecretsNamespace = in.SecretsNamespace out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName 
@@ -1937,7 +1936,6 @@ func autoConvert_kops_CiliumIngressSpec_To_v1alpha2_CiliumIngressSpec(in *kops.C out.Enabled = in.Enabled out.EnforceHttps = in.EnforceHttps out.EnableSecretsSync = in.EnableSecretsSync - out.SecretsNamespace = in.SecretsNamespace out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName diff --git a/pkg/apis/kops/v1alpha3/networking.go b/pkg/apis/kops/v1alpha3/networking.go index cc3b3b2a27..0bc057f665 100644 --- a/pkg/apis/kops/v1alpha3/networking.go +++ b/pkg/apis/kops/v1alpha3/networking.go @@ -474,17 +474,13 @@ type CiliumIngressSpec struct { // Default: true EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` - // SecretsNamespace specifies the namespace where secrets are synchronized. - // Default: cilium-secrets - SecretsNamespace string `json:"secretsNamespace,omitempty"` - // LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration. // Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" LoadBalancerAnnotationPrefixes string `json:"loadBalancerAnnotationPrefixes,omitempty"` // DefaultLoadBalancerMode specifies the default load balancer mode. // Possible values: 'shared' or 'dedicated' - // Default: shared + // Default: dedicated DefaultLoadBalancerMode string `json:"defaultLoadBalancerMode,omitempty"` // SharedLoadBalancerServiceName specifies the name of the shared load balancer service. diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go index 2790cb6948..1189b3f96d 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go 
@@ -2103,7 +2103,6 @@ func autoConvert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *Cilium out.Enabled = in.Enabled out.EnforceHttps = in.EnforceHttps out.EnableSecretsSync = in.EnableSecretsSync - out.SecretsNamespace = in.SecretsNamespace out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName @@ -2119,7 +2118,6 @@ func autoConvert_kops_CiliumIngressSpec_To_v1alpha3_CiliumIngressSpec(in *kops.C out.Enabled = in.Enabled out.EnforceHttps = in.EnforceHttps out.EnableSecretsSync = in.EnableSecretsSync - out.SecretsNamespace = in.SecretsNamespace out.LoadBalancerAnnotationPrefixes = in.LoadBalancerAnnotationPrefixes out.DefaultLoadBalancerMode = in.DefaultLoadBalancerMode out.SharedLoadBalancerServiceName = in.SharedLoadBalancerServiceName diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go index c02182cac2..c24b74b855 100644 --- a/pkg/model/components/cilium.go +++ b/pkg/model/components/cilium.go @@ -179,14 +179,11 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error { if ingress.EnableSecretsSync == nil { ingress.EnableSecretsSync = fi.PtrTo(true) } - if ingress.SecretsNamespace == "" { - ingress.SecretsNamespace = "cilium-secrets" - } if ingress.LoadBalancerAnnotationPrefixes == "" { ingress.LoadBalancerAnnotationPrefixes = "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" } if ingress.DefaultLoadBalancerMode == "" { - ingress.DefaultLoadBalancerMode = "shared" + ingress.DefaultLoadBalancerMode = "dedicated" } if ingress.SharedLoadBalancerServiceName == "" { ingress.SharedLoadBalancerServiceName = "cilium-ingress" 
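Review bot: The new fallback `ingress.DefaultLoadBalancerMode = "dedicated"` in BuildOptions applies to every cluster whose spec leaves the field empty, not only to newly created ones. The updated golden specs show the default being filled in even where `enabled: false`, so an existing cluster with ingress enabled and no explicit mode would presumably switch from one shared load balancer to one per Ingress on its next update. That changes the externally reachable endpoints, and firewall or allowlist rules written for the shared load balancer would not cover the new ones. Add a comment such as `// Default changed from "shared" to "dedicated"; set defaultLoadBalancerMode: shared explicitly to keep the old behaviour.` and mention the change in the release notes. BuildOptions starts and ends outside this hunk, so any validation of the value is not visible here.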
diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content index d9a11cfbda..5a00de74a5 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content @@ -219,13 +219,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content index 6f91cf8a59..bdad49b1a6 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content @@ -211,13 +211,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi 
diff --git a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content index a187a355e0..8b885db039 100644 --- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content @@ -192,13 +192,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content index 2976059bce..4cbe6b4552 100644 --- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content @@ -213,13 +213,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: eni memoryRequest: 128Mi 
diff --git a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content index 4bacb1ef68..ce30a71836 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content @@ -217,13 +217,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content index d87e85da64..3bcf34deea 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content @@ -222,7 +222,6 @@ spec: enabled: true enforceHttps: false loadBalancerAnnotationPrefixes: service.alpha.kubernetes.io - secretsNamespace: private-secrets sharedLoadBalancerServiceName: private-ingress ipam: kubernetes memoryRequest: 128Mi diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content index 0d638141a5..4bbed2943d 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content 
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content @@ -162,7 +162,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.13.yaml - manifestHash: 307c72c9cb2732c4a2fcd0a9044ad5809539ac129a9c7793a00557bb5babc384 + manifestHash: cfa1382b52e49d9df2eac473b74a29641ebf9d52766d7d149e280e7f9f9ae29d name: networking.cilium.io needsPKI: true needsRollingUpdate: all diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content index 5b5c7694b1..a97919d2e2 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -83,7 +83,7 @@ data: identity-change-grace-period: 5s ingress-default-lb-mode: dedicated ingress-lb-annotation-prefixes: service.alpha.kubernetes.io - ingress-secrets-namespace: private-secrets + ingress-secrets-namespace: kube-system ingress-shared-lb-service-name: private-ingress install-iptables-rules: "true" ipam: kubernetes @@ -455,18 +455,6 @@ subjects: --- -apiVersion: v1 -kind: Namespace -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.cilium.io - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: private-secrets - ---- - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -477,7 +465,7 @@ metadata: app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" name: cilium-ingress-secrets - namespace: private-secrets + namespace: kube-system rules: - apiGroups: - "" 
@@ -500,7 +488,7 @@ metadata: app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" name: cilium-secrets - namespace: private-secrets + namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -522,7 +510,7 @@ metadata: app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" name: cilium-operator-ingress-secrets - namespace: private-secrets + namespace: kube-system rules: - apiGroups: - "" @@ -546,7 +534,7 @@ metadata: app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" name: cilium-operator-ingress-secrets - namespace: private-secrets + namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml b/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml index 3e38a5b2aa..925101fdf2 100644 --- a/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml +++ b/tests/integration/update_cluster/privatecilium2/in-v1alpha2.yaml @@ -36,7 +36,6 @@ spec: enableSecretsSync: false enforceHttps: false loadBalancerAnnotationPrefixes: service.alpha.kubernetes.io - secretsNamespace: private-secrets sharedLoadBalancerServiceName: private-ingress hubble: enabled: true diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content index 8490a68dd0..9987d1efef 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content 
@@ -225,13 +225,12 @@ spec: identityAllocationMode: crd identityChangeGracePeriod: 5s ingress: - defaultLoadBalancerMode: shared + defaultLoadBalancerMode: dedicated enableSecretsSync: true enabled: false enforceHttps: true loadBalancerAnnotationPrefixes: service.beta.kubernetes.io service.kubernetes.io cloud.google.com - secretsNamespace: cilium-secrets sharedLoadBalancerServiceName: cilium-ingress ipam: eni memoryRequest: 128Mi diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template index dab6dca625..954b6658c1 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template @@ -284,7 +284,7 @@ data: enable-ingress-controller: "true" enforce-ingress-https: "{{ .Ingress.EnforceHttps }}" enable-ingress-secrets-sync: "{{ .Ingress.EnableSecretsSync }}" - ingress-secrets-namespace: {{ .Ingress.SecretsNamespace }} + ingress-secrets-namespace: kube-system ingress-lb-annotation-prefixes: "{{ .Ingress.LoadBalancerAnnotationPrefixes }}" ingress-default-lb-mode: {{ .Ingress.DefaultLoadBalancerMode }} ingress-shared-lb-service-name: {{ .Ingress.SharedLoadBalancerServiceName }} @@ -640,17 +640,12 @@ subjects: namespace: kube-system {{ if WithDefaultBool .Ingress.Enabled false }} --- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Ingress.SecretsNamespace }} ---- # Source: cilium/templates/cilium-agent/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: cilium-ingress-secrets - namespace: {{ .Ingress.SecretsNamespace }} + namespace: kube-system labels: app.kubernetes.io/part-of: cilium rules: 
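Review bot: The literal in `ingress-secrets-namespace: kube-system` now has to match the `namespace:` of four Role and RoleBinding objects further down the template, and nothing in the file says so. With `enable-ingress-secrets-sync` defaulting to true, this key also decides where synchronized copies of Ingress TLS secrets are written, so a later edit that changes one occurrence and not the others would leave Cilium without access to its own secrets or writing them to an unexpected place. A comment above the key would help: `# Fixed by kops; must match the namespace of the cilium-ingress-secrets and cilium-operator-ingress-secrets Roles below.`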
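Review bot: Placing the `cilium-ingress-secrets` Role in `namespace: kube-system` widens its reach from a namespace that held only synchronized ingress TLS material to every Secret in kube-system; the hunks at -668, -685 and -704 do the same for the `cilium-secrets` RoleBinding and the `cilium-operator-ingress-secrets` Role and RoleBinding. The `rules:` bodies are outside these hunks, but if they grant read access to secrets as the names suggest, the Cilium agent on every node could read control-plane and addon credentials stored there, and the operator could modify them. A dedicated namespace keeps that blast radius small even when it is no longer user-configurable: keep the Namespace object and use the former default as a fixed value, `ingress-secrets-namespace: cilium-secrets` and `namespace: cilium-secrets`. If kube-system is required for a reason not visible in the diff, record that reason in a comment on the Role.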
@@ -668,7 +663,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cilium-secrets - namespace: {{ .Ingress.SecretsNamespace }} + namespace: kube-system labels: app.kubernetes.io/part-of: cilium roleRef: @@ -685,7 +680,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: cilium-operator-ingress-secrets - namespace: {{ .Ingress.SecretsNamespace }} + namespace: kube-system labels: app.kubernetes.io/part-of: cilium rules: @@ -704,7 +699,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cilium-operator-ingress-secrets - namespace: {{ .Ingress.SecretsNamespace }} + namespace: kube-system labels: app.kubernetes.io/part-of: cilium roleRef: