tectonic: pull in default network policy (utility), enable ingress controller operator

config.tf

@@ -67,22 +67,23 @@ variable "tectonic_container_images" {
   type        = "map"
 
   default = {
-    addon_resizer                = "gcr.io/google_containers/addon-resizer:2.1"
-    awscli                       = "quay.io/coreos/awscli:025a357f05242fdad6a81e8a6b520098aa65a600"
-    gcloudsdk                    = "google/cloud-sdk:178.0.0-alpine"
-    bootkube                     = "quay.io/coreos/bootkube:v0.10.0"
-    etcd                         = "quay.io/coreos/etcd:v3.2.14"
-    hyperkube                    = "quay.io/coreos/hyperkube:v1.9.1_coreos.0"
-    kube_core_renderer           = "quay.io/coreos/kube-core-renderer-dev:6c49ce4da9fc36966812381891b4f558aa53097b"
-    kube_core_operator           = "quay.io/coreos/kube-core-operator:beryllium-m1"
-    tectonic_channel_operator    = "quay.io/coreos/tectonic-channel-operator:0.6.2"
-    tectonic_prometheus_operator = "quay.io/coreos/tectonic-prometheus-operator:v1.9.3"
-    tectonic_cluo_operator       = "quay.io/coreos/tectonic-cluo-operator:v0.3.1"
-    tectonic_torcx               = "quay.io/coreos/tectonic-torcx:v0.2.1"
-    kubernetes_addon_operator    = "quay.io/coreos/kubernetes-addon-operator:beryllium-m1"
-    tectonic_alm_operator        = "quay.io/coreos/tectonic-alm-operator:v0.3.1"
-    tectonic_utility_operator    = "quay.io/coreos/tectonic-utility-operator:beryllium-m1"
-    tectonic_network_operator    = "quay.io/coreos/tectonic-network-operator:beryllium-m1"
+    addon_resizer                        = "gcr.io/google_containers/addon-resizer:2.1"
+    awscli                               = "quay.io/coreos/awscli:025a357f05242fdad6a81e8a6b520098aa65a600"
+    gcloudsdk                            = "google/cloud-sdk:178.0.0-alpine"
+    bootkube                             = "quay.io/coreos/bootkube:v0.10.0"
+    etcd                                 = "quay.io/coreos/etcd:v3.2.14"
+    hyperkube                            = "quay.io/coreos/hyperkube:v1.9.1_coreos.0"
+    kube_core_renderer                   = "quay.io/coreos/kube-core-renderer-dev:6c49ce4da9fc36966812381891b4f558aa53097b"
+    kube_core_operator                   = "quay.io/coreos/kube-core-operator:beryllium-m1"
+    tectonic_channel_operator            = "quay.io/coreos/tectonic-channel-operator:0.6.2"
+    tectonic_prometheus_operator         = "quay.io/coreos/tectonic-prometheus-operator:v1.9.3"
+    tectonic_cluo_operator               = "quay.io/coreos/tectonic-cluo-operator:v0.3.1"
+    tectonic_torcx                       = "quay.io/coreos/tectonic-torcx:v0.2.1"
+    kubernetes_addon_operator            = "quay.io/coreos/kubernetes-addon-operator:beryllium-m1"
+    tectonic_alm_operator                = "quay.io/coreos/tectonic-alm-operator:v0.3.1"
+    tectonic_ingress_controller_operator = "quay.io/coreos/tectonic-ingress-controller-operator:f96287f555b7366af14dfcbb02f9a6529dd24b99"
+    tectonic_utility_operator            = "quay.io/coreos/tectonic-utility-operator:7884c5c9b6cf738e3bda2731449c5c2ead54b390"
+    tectonic_network_operator            = "quay.io/coreos/tectonic-network-operator:beryllium-m1"
   }
 }
 

modules/tectonic/assets.tf

@@ -9,14 +9,15 @@ resource "template_dir" "tectonic" {
   destination_dir = "./generated/tectonic"
 
   vars {
-    addon_resizer_image                = "${var.container_images["addon_resizer"]}"
-    kube_core_operator_image           = "${var.container_images["kube_core_operator"]}"
-    kubernetes_addon_operator_image    = "${var.container_images["kubernetes_addon_operator"]}"
-    tectonic_channel_operator_image    = "${var.container_images["tectonic_channel_operator"]}"
-    tectonic_prometheus_operator_image = "${var.container_images["tectonic_prometheus_operator"]}"
-    tectonic_cluo_operator_image       = "${var.container_images["tectonic_cluo_operator"]}"
-    tectonic_alm_operator_image        = "${var.container_images["tectonic_alm_operator"]}"
-    tectonic_utility_operator_image    = "${var.container_images["tectonic_utility_operator"]}"
+    addon_resizer_image                        = "${var.container_images["addon_resizer"]}"
+    kube_core_operator_image                   = "${var.container_images["kube_core_operator"]}"
+    kubernetes_addon_operator_image            = "${var.container_images["kubernetes_addon_operator"]}"
+    tectonic_channel_operator_image            = "${var.container_images["tectonic_channel_operator"]}"
+    tectonic_prometheus_operator_image         = "${var.container_images["tectonic_prometheus_operator"]}"
+    tectonic_cluo_operator_image               = "${var.container_images["tectonic_cluo_operator"]}"
+    tectonic_alm_operator_image                = "${var.container_images["tectonic_alm_operator"]}"
+    tectonic_ingress_controller_operator_image = "${var.container_images["tectonic_ingress_controller_operator"]}"
+    tectonic_utility_operator_image            = "${var.container_images["tectonic_utility_operator"]}"
 
     tectonic_monitoring_auth_base_image = "${var.container_base_images["tectonic_monitoring_auth"]}"
     config_reload_base_image            = "${var.container_base_images["config_reload"]}"

modules/tectonic/resources/manifests/cluster-config.yaml

@@ -6,14 +6,14 @@ metadata:
 data:
   addon-config: |
       apiVersion: v1
-      kind: AddonConfig
+      kind: KubeAddonOperatorConfig
       heapsterConfig:
       dnsConfig:
           clusterIP: ${kube_dns_service_ip}
       cloudProvider: ${platform}
   utility-config: |
     apiVersion: v1
-    kind: UtilityConfig
+    kind: TectonicUtilityOperatorConfig
     identityConfig:
       adminEmail: ${admin_email}
       adminPasswordHash: ${admin_password_hash}

modules/tectonic/resources/manifests/ingress/README.md

@@ -0,0 +1,2 @@
+tectonic-ingress-controller-operator is a special case, since it is in its own
+namespace and reads its own config.

modules/tectonic/resources/manifests/ingress/cluster-config.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-config-v1
+  namespace: tectonic-ingress
+data:
+  ingress-config: |
+    apiVersion: v1
+    kind: TectonicIngressOperatorConfig
+    installerPlatform: ${platform}

modules/tectonic/resources/manifests/ingress/namespace.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  # This is the namespace used to hold the tectonic ingress controllers
+  name: tectonic-ingress
+  # Give the namespace a label, so we can select for it in networkpolicy
+  labels:
+    kubernetes.io/ingress.class: tectonic
+    name: tectonic-ingress

modules/tectonic/resources/manifests/ingress/pull.json

@@ -0,0 +1,12 @@
+{
+  "apiVersion": "v1",
+  "kind": "Secret",
+  "type": "kubernetes.io/dockerconfigjson",
+  "metadata": {
+    "namespace": "tectonic-ingress",
+    "name": "coreos-pull-secret"
+  },
+  "data": {
+    ".dockerconfigjson": "${pull_secret}"
+  }
+}

modules/tectonic/resources/manifests/ingress/svc-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tectonic-ingress-controller-operator
+  namespace: tectonic-ingress

modules/tectonic/resources/manifests/rbac/binding-admin.yaml

@@ -8,6 +8,9 @@ subjects:
   - kind: ServiceAccount
     namespace: tectonic-system
     name: default
+  - kind: ServiceAccount
+    namespace: tectonic-ingress
+    name: tectonic-ingress-controller-operator
 roleRef:
   kind: ClusterRole
   name: cluster-admin

modules/tectonic/resources/manifests/updater/app_versions/app-version-tectonic-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: tco.coreos.com/v1
+kind: AppVersion
+metadata:
+  name: tectonic-ingress
+  namespace: tectonic-system
+  labels:
+    managed-by-channel-operator: "true"
+spec:
+  desiredVersion:
+  paused: false
+status:
+  paused: false
+upgradereq: 1
+upgradecomp: 0

modules/tectonic/resources/manifests/updater/operators/tectonic-ingress-controller-operator.yaml

@@ -0,0 +1,52 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: tectonic-ingress-controller-operator
+  namespace: tectonic-ingress
+  labels:
+    k8s-app: tectonic-ingress-controller-operator
+    managed-by-channel-operator: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: tectonic-ingress-controller-operator
+  template:
+    metadata:
+      labels:
+        k8s-app: tectonic-ingress-controller-operator
+        tectonic-app-version-name: tectonic-ingress
+    spec:
+      containers:
+      - name: tectonic-ingress-controller-operator
+        image: ${tectonic_ingress_controller_operator_image}
+        resources:
+          limits:
+            cpu: 20m
+            memory: 50Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        volumeMounts:
+        - name: cluster-config
+          mountPath: /etc/cluster-config
+      imagePullSecrets:
+      - name: coreos-pull-secret
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      restartPolicy: Always
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccount: tectonic-ingress-controller-operator
+      tolerations:
+      - key: "node-role.kubernetes.io/master"
+        operator: "Exists"
+        effect: "NoSchedule"
+      volumes:
+      - name: cluster-config
+        configMap:
+          name: cluster-config-v1
+          items:
+          - key: ingress-config
+            path: ingress-config

modules/tectonic/resources/tectonic.sh

@@ -127,16 +127,21 @@ set -e
 # wait for Kubernetes pods
 wait_for_pods kube-system
 
+echo "creating namespaces"
+kubectl create -f ingress/namespace.yaml
+
 echo "Creating Initial Roles"
 kubectl delete -f rbac/role-admin.yaml
 
+kubectl create -f ingress/svc-account.yaml
 kubectl create -f rbac/role-admin.yaml
 kubectl create -f rbac/role-user.yaml
 kubectl create -f rbac/binding-admin.yaml
 kubectl create -f rbac/binding-discovery.yaml
 
 echo "Creating Cluster Config For Tectonic"
 kubectl create -f cluster-config.yaml
+kubectl create -f ingress/cluster-config.yaml
 
 echo "Creating Tectonic Secrets"
 kubectl create -f secrets/pull.json
@@ -145,6 +150,7 @@ kubectl create -f secrets/ingress-tls.yaml
 kubectl create -f secrets/ca-cert.yaml
 kubectl create -f secrets/identity-grpc-client.yaml
 kubectl create -f secrets/identity-grpc-server.yaml
+kubectl create -f ingress/pull.json
 
 echo "Creating Operators"
 kubectl create -f updater/tectonic-channel-operator-kind.yaml
@@ -162,6 +168,7 @@ kubectl create -f updater/operators/tectonic-cluo-operator.yaml
 kubectl create -f updater/operators/kubernetes-addon-operator.yaml
 kubectl create -f updater/operators/tectonic-alm-operator.yaml
 kubectl create -f updater/operators/tectonic-utility-operator.yaml
+kubectl create -f updater/operators/tectonic-ingress-controller-operator.yaml
 
 wait_for_crd tectonic-system appversions.tco.coreos.com
 kubectl create -f updater/app_versions/app-version-tectonic-cluster.yaml
@@ -171,6 +178,7 @@ kubectl create -f updater/app_versions/app-version-tectonic-cluo.yaml
 kubectl create -f updater/app_versions/app-version-kubernetes-addon.yaml
 kubectl create -f updater/app_versions/app-version-tectonic-alm.yaml
 kubectl create -f updater/app_versions/app-version-tectonic-utility.yaml
+kubectl create -f updater/app_versions/app-version-tectonic-ingress.yaml
 
 # wait for Tectonic pods
 wait_for_pods tectonic-system