Upgrade ingress addon

- Switch to a Helm-based installation. That will help to relieve the
  project of the maintenance burden as by default the latest chart
  version is picked. If case of trouble the user can override the chart
  version to install.
- Set up the admission controller by default. This helps to detect
  invalid configurations early, see
https://kubernetes.github.io/ingress-nginx/how-it-works/#avoiding-outage-from-wrong-configuration.
  It can be disabled at addon installation time to get a configuration
  similar to what is set up so far.
- breaking change: the metrics endpoint is no longer exposed on the host
  (hostPort), instead it is exposed internally only through a ClusterIP
  service. Note that it is fairly easy to expose it externally though an
  Ingress.
- Put back the nginx IngressClass as the default (fixes
  canonical/microk8s#2035).

Signed-off-by: Hervé Werner <[email protected]>

addons.yaml

@@ -34,7 +34,7 @@ microk8s-addons:
     - name: "ingress"
       description: "Ingress controller for external access"
       version: "1.2.0"
-      check_status: "pod/nginx-ingress-microk8s-controller"
+      check_status: "daemonset.apps/ingress-nginx-controller"
       supported_architectures:
         - arm64
         - amd64

addons/ingress/disable

@@ -1,34 +1,16 @@
 #!/usr/bin/env bash
-
 set -e
 
 source $SNAP/actions/common/utils.sh
 CURRENT_DIR=$(cd $(dirname "${BASH_SOURCE[0]}") && pwd)
 source $CURRENT_DIR/../common/utils.sh
 
-echo "Disabling Ingress"
-
-ARCH=$(arch)
-TAG="v1.0.0-alpha.2"
-DEFAULT_CERT="- ' '" # This default value is always fine when deleting resources.
-EXTRA_ARGS="- --publish-status-address=127.0.0.1"
-
-
-KUBECTL="$SNAP/kubectl --kubeconfig=${SNAP_DATA}/credentials/client.config"
-# Clean up old ingress controller resources in the default namespace, in case these are still lurking around.  
-$KUBECTL delete deployment -n default default-http-backend > /dev/null 2>&1 || true
-$KUBECTL delete service -n default default-http-backend > /dev/null 2>&1 || true
-$KUBECTL delete serviceaccount -n default nginx-ingress-microk8s-serviceaccount > /dev/null 2>&1 || true 
-$KUBECTL delete role -n default nginx-ingress-microk8s-role > /dev/null 2>&1 || true 
-$KUBECTL delete rolebinding -n default nginx-ingress-microk8s > /dev/null 2>&1 || true 
-$KUBECTL delete configmap -n default nginx-load-balancer-microk8s-conf > /dev/null 2>&1 || true
-$KUBECTL delete daemonset -n default nginx-ingress-microk8s-controller > /dev/null 2>&1 || true
+NAMESPACE="ingress"
 
+echo "Disabling Ingress"
 
-declare -A map
-map[\$TAG]="$TAG"
-map[\$DEFAULT_CERT]="$DEFAULT_CERT"
-map[\$EXTRA_ARGS]="$EXTRA_ARGS"
-use_addon_manifest ingress/ingress delete "$(declare -p map)"
+"$SNAP/microk8s-helm.wrapper" uninstall ingress-nginx -n $NAMESPACE > /dev/null 2>&1
+use_addon_manifest ingress/ingress-class delete
+"$SNAP/microk8s-kubectl.wrapper" delete namespace $NAMESPACE
 
 echo "Ingress is disabled"

addons/ingress/enable

@@ -1,43 +1,71 @@
 #!/usr/bin/env bash
-
 set -e
 
 source $SNAP/actions/common/utils.sh
 CURRENT_DIR=$(cd $(dirname "${BASH_SOURCE[0]}") && pwd)
 source $CURRENT_DIR/../common/utils.sh
 
-read -ra ARGUMENTS <<<"$1"
-
-read -r key value <<<$(echo "${ARGUMENTS[@]}" | gawk -F "=" '{print $1 ,$2}')
-read -ra CERT_SECRET <<< "$value"
-
-KEY_NAME="default-ssl-certificate"
-
-if [ ! -z "$key" ] && [ "$key" != $KEY_NAME ]
-then
-  echo "Unknown argument '$key'."
-  echo "You can use '$KEY_NAME' to load the default TLS certificate from a secret, eg"
-  echo "   microk8s enable ingress:$KEY_NAME=namespace/secret_name"
-  exit 1
-fi
+NAMESPACE="ingress"
 
 echo "Enabling Ingress"
 
-ARCH=$(arch)
-TAG="v1.2.0"
-EXTRA_ARGS="- --publish-status-address=127.0.0.1"
-DEFAULT_CERT="- ' '"
+CERT_SECRET=
+DISABLE_VALIDATING_ADMISSION=
+INGRESS_NGINX_VALUES=
+INGRESS_NGINX_VERSION=
+while [ $# -ge 1 ]; do
+  case $1 in
+    --default-ssl-certificate=*)
+      CERT_SECRET="${1#*=}"
+      echo "Setting ${CERT_SECRET} as the default ingress certificate"
+      shift
+      ;;
+    --disable-validating-admission-controller)
+      DISABLE_VALIDATING_ADMISSION=1
+      shift
+      ;;
+    --values=*)
+      INGRESS_NGINX_VALUES="${1#*=}"
+      shift
+      ;;
+    --version=*)
+      INGRESS_NGINX_VERSION="${1#*=}"
+      shift
+      ;;
+    *)
+      echo "Unknown option ${1}" >&2
+      exit 1
+      ;;
+  esac
+done
 
-if [ ! -z "$CERT_SECRET" ]
-then
-  DEFAULT_CERT="- --default-ssl-certificate=${CERT_SECRET}"
-  echo "Setting ${CERT_SECRET} as default ingress certificate"
+HELM_OPTS=
+if [ -n "${INGRESS_NGINX_VALUES}" ]; then
+  HELM_OPTS+="--values ${INGRESS_NGINX_VALUES} "
 fi
+if [ -n "${INGRESS_NGINX_VERSION}" ]; then
+  HELM_OPTS+="--version ${INGRESS_NGINX_VERSION} "
+fi
+if [ -n "${CERT_SECRET}" ]; then
+  HELM_OPTS+="--set controller.extraArgs.default-ssl-certificate=${CERT_SECRET} "
+fi
+if [ -n "${DISABLE_VALIDATING_ADMISSION}" ]; then
+  HELM_OPTS+="--set controller.admissionWebhooks.enabled=false "
+fi
+
+"${SNAP}/microk8s-helm3.wrapper" upgrade --install ingress-nginx ingress-nginx \
+  --repo https://kubernetes.github.io/ingress-nginx \
+  --namespace $NAMESPACE --create-namespace \
+  --set controller.extraArgs.publish-status-address=127.0.0.1 \
+  --set controller.hostPort.enabled=true \
+  --set controller.ingressClassResource.default=true \
+  --set controller.kind=DaemonSet \
+  --set controller.metrics.enabled=true \
+  --set controller.publishService.enabled=false \
+  --set controller.service.type=ClusterIP \
+  ${HELM_OPTS}
 
-declare -A map
-map[\$TAG]="$TAG"
-map[\$DEFAULT_CERT]="$DEFAULT_CERT"
-map[\$EXTRA_ARGS]="$EXTRA_ARGS"
-use_addon_manifest ingress/ingress apply "$(declare -p map)"
+# Creating an additional public IngressClass to stay backward-compatible
+use_addon_manifest ingress/ingress-class apply
 
 echo "Ingress is enabled"

addons/ingress/ingress-class.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: microk8s
+  name: public
+spec: 
+  controller: k8s.io/ingress-nginx