From 4059b11a42e88a00440e65a59fbba18235c9b82c Mon Sep 17 00:00:00 2001 From: Aaron Sheffield Date: Tue, 24 Jul 2018 15:01:59 -0500 Subject: [PATCH] Opening apiserver Via Ingress - Adding ingress charts to the kubernetes apiserver. - Works with using Airship in a Bottle: curl -H 'Host: kubernetes-apiserver.kube-system.svc.cluster.local' http://HOST_IP/healthz -v - Defaulting the apiserver ingress to off (false). Change-Id: I9341c4c281ae993991bfcda09026ab477fdff8fe --- charts/apiserver/templates/ingress-api.yaml | 21 ++++++++++++ .../templates/secret-ingress-tls.yaml | 19 +++++++++++ .../templates/service-apiserver-ingress.yaml | 33 +++++++++++++++++++ charts/apiserver/values.yaml | 33 ++++++++++++++++++- .../bootstrap-armada-config.yaml | 1 + 5 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 charts/apiserver/templates/ingress-api.yaml create mode 100644 charts/apiserver/templates/secret-ingress-tls.yaml create mode 100644 charts/apiserver/templates/service-apiserver-ingress.yaml diff --git a/charts/apiserver/templates/ingress-api.yaml b/charts/apiserver/templates/ingress-api.yaml new file mode 100644 index 00000000..8b9f9bf0 --- /dev/null +++ b/charts/apiserver/templates/ingress-api.yaml 
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.kubernetes_apiserver.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" "backendPort" "https" -}}
+{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}}
+{{- end }}
diff --git a/charts/apiserver/templates/secret-ingress-tls.yaml b/charts/apiserver/templates/secret-ingress-tls.yaml
new file mode 100644
index 00000000..92574bf9
--- /dev/null
+++ b/charts/apiserver/templates/secret-ingress-tls.yaml
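Review bot: Fronting the kube-apiserver with the nginx ingress rendered by the `helm-toolkit.manifests.ingress` include in ingress-api.yaml terminates client TLS at the ingress controller, so x509 client-certificate authentication cannot reach the apiserver through this route and callers are limited to token-based or anonymous requests. The annotations added in values.yaml set `nginx.ingress.kubernetes.io/secure-backends: "true"`, but nothing visible in this patch makes the controller verify the apiserver's certificate; that may be configured elsewhere. I would state both constraints in a comment above the `if`, e.g. `{{/* TLS terminates at the ingress: client-cert auth is unavailable via this route; confirm backend certificate verification. */}}`, and document in values.yaml which networks are expected to reach this host.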
@@ -0,0 +1,19 @@
+{{/*
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" ) }}
+{{- end }}
diff --git a/charts/apiserver/templates/service-apiserver-ingress.yaml b/charts/apiserver/templates/service-apiserver-ingress.yaml
new file mode 100644
index 00000000..63f76ad9
--- /dev/null
+++ b/charts/apiserver/templates/service-apiserver-ingress.yaml
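Review bot: In secret-ingress-tls.yaml the Secret is gated only on `.Values.manifests.secret_ingress_tls`, while the Ingress and the Service also require `.Values.network.kubernetes_apiserver.ingress.public`; the flags can be enabled independently, so a partial combination can render objects that refer to ones that were never created. Consider the same condition here, `{{- if and .Values.manifests.secret_ingress_tls .Values.network.kubernetes_apiserver.ingress.public }}`. Going by the NOTE added in values.yaml, the certificate and private key arrive as chart values under `host_fqdn_override.public.tls`, so the key presumably also sits wherever overrides and release data are stored. A comment telling operators to keep that override out of version control and to supply it from a secret store would help.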
@@ -0,0 +1,33 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. +Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service_ingress }} +{{- $envAll := . }} +{{- if .Values.network.kubernetes_apiserver.ingress.public }} +--- +apiVersion: v1 +kind: Service +metadata: + name: kubernetes-apiserver-ingress +spec: + ports: + - name: https + port: {{ .Values.network.kubernetes_apiserver.port }} + selector: + app: ingress-apiserver +{{- end }} +{{- end }} diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml index f6828301..7552e97c 100644 --- a/charts/apiserver/values.yaml +++ b/charts/apiserver/values.yaml @@ -65,9 +65,21 @@ apiserver: network: kubernetes_apiserver: + ingress: + public: true + classes: + namespace: "nginx-cluster" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/proxy-read-timeout: "120" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/secure-backends: "true" name: kubernetes-apiserver port: 6443 - enable_node_port: false + node_port: + enabled: false + port: 31943 service: name: kubernetes-apiserver 
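Review bot: The selector `app: ingress-apiserver` in service-apiserver-ingress.yaml is hard-coded, and nothing in this patch creates pods carrying that label, so unless another chart does, the Service would have no endpoints. `{{- $envAll := . }}` is assigned but never used, and the Service carries no labels of its own. The port has no `targetPort`, so traffic is forwarded to the same number as `.Values.network.kubernetes_apiserver.port` (6443 by default) on the selected pods; a comment naming the controller this is meant to select and the port it listens on would make the intent checkable.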
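Review bot: Replacing `enable_node_port: false` with `node_port.enabled` in the first values.yaml hunk is not matched by any template change in this patch, so whichever template read the old key (not visible here) would now see it unset, and existing overrides that set `enable_node_port` would be ignored silently. Either update the consumer in the same commit or keep the old key until it is. Separately, `ingress.public: true` is the default while the commit message says the ingress defaults to off; that holds only because the `manifests.*` flags are false, which deserves a comment next to `public`, e.g. `# only takes effect when manifests.ingress_api and manifests.service_ingress are true`.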
@@ -95,8 +107,24 @@ endpoints: name: kubernetes-apiserver hosts: default: kubernetes-apiserver + port: + https: + default: 6443 + public: 443 + path: + default: / + scheme: + default: https + public: https host_fqdn_override: default: null + # NOTE: this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null pod: mounts: @@ -137,6 +165,9 @@ manifests: configmap_bin: true configmap_certs: true configmap_etc: true + ingress_api: false kubernetes_apiserver: true secret: true + secret_ingress_tls: false service: true + service_ingress: false diff --git a/tools/gate/config-templates/bootstrap-armada-config.yaml b/tools/gate/config-templates/bootstrap-armada-config.yaml index 2df52015..d32ba6e0 100644 --- a/tools/gate/config-templates/bootstrap-armada-config.yaml +++ b/tools/gate/config-templates/bootstrap-armada-config.yaml @@ -542,6 +542,7 @@ metadata: layeringDefinition: abstract: false layer: site + storagePolicy: cleartext data: chart_name: haproxy release: haproxy
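Review bot: The `storagePolicy: cleartext` line added to the haproxy chart document in bootstrap-armada-config.yaml is not mentioned in the commit message and has no visible connection to the apiserver ingress. If it is a required gate fix, say so in the description or split it into its own change. The document's `data` section continues outside the hunk, so whether it holds anything that should not be stored in cleartext cannot be judged from here.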