diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e15ad72f..9e487b9c6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## unreleased +## v0.1.54 (beta) - June 12, 2024 + * Fixes an issue with load balancer health checks when the LB is using PROXY protocol. The new health check implementation (introduced in v0.1.51), now probes either kube proxy (Cluster) or the health check node port (Local). If the LB enables PROXY protocol, this alters the health check behavior to also use PROXY protocol. Since these Kubernetes diff --git a/VERSION b/VERSION index da2be6f48..21f49a199 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.1.53 +v0.1.54 diff --git a/releases/digitalocean-cloud-controller-manager-admission-server/v0.1.54.yml b/releases/digitalocean-cloud-controller-manager-admission-server/v0.1.54.yml new file mode 100644 index 000000000..3d6effe65 --- /dev/null +++ b/releases/digitalocean-cloud-controller-manager-admission-server/v0.1.54.yml @@ -0,0 +1,109 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: digitalocean-cloud-controller-manager-admission-server + namespace: kube-system +spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app: digitalocean-cloud-controller-manager-admission-server + template: + metadata: + labels: + app: digitalocean-cloud-controller-manager-admission-server + spec: + containers: + - image: digitalocean/digitalocean-cloud-controller-manager-admission-server:v0.1.54 + name: digitalocean-cloud-controller-manager-admission-server + command: + - "/bin/digitalocean-cloud-controller-manager-admission-server" + resources: + requests: + cpu: 100m + memory: 50Mi + env: + - name: DO_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: digitalocean + key: access-token + ports: + - containerPort: 9443 + name: admission + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: serving-certs + readOnly: true + volumes: + - name: serving-certs + secret: + defaultMode: 420 + secretName: digitalocean-cloud-controller-manager-admission-server-serving-certs +--- +apiVersion: v1 +kind: Service +metadata: + name: digitalocean-cloud-controller-manager-admission-server + namespace: kube-system +spec: + selector: + app: digitalocean-cloud-controller-manager-admission-server + ports: + - protocol: TCP + port: 443 + targetPort: 9443 +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: digitalocean-cloud-controller-manager-admission-server-serving-certs + namespace: kube-system +spec: + dnsNames: + - digitalocean-cloud-controller-manager-admission-server + - digitalocean-cloud-controller-manager-admission-server.kube-system.svc + - digitalocean-cloud-controller-manager-admission-server.kube-system.svc.cluster.local + issuerRef: + kind: Issuer + name: digitalocean-cloud-controller-manager-selfsigned-issuer + secretName: digitalocean-cloud-controller-manager-admission-server-serving-certs +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: digitalocean-cloud-controller-manager-selfsigned-issuer + namespace: kube-system +spec: + selfSigned: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kube-system/digitalocean-cloud-controller-manager-admission-server-serving-certs + name: digitalocean-cloud-controller-manager-admission-webhook +webhooks: +- name: validation-webhook.cloud-controller-manager.digitalocean.com + admissionReviewVersions: + - v1 + clientConfig: + service: + namespace: "kube-system" + name: "digitalocean-cloud-controller-manager-admission-server" + path: "/lb-service" + failurePolicy: Ignore + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - services + scope: Namespaced + sideEffects: None diff --git a/releases/digitalocean-cloud-controller-manager/v0.1.54.yml b/releases/digitalocean-cloud-controller-manager/v0.1.54.yml new file mode 100644 index 000000000..d155e2193 --- /dev/null +++ b/releases/digitalocean-cloud-controller-manager/v0.1.54.yml @@ -0,0 +1,153 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: digitalocean-cloud-controller-manager + namespace: kube-system +spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app: digitalocean-cloud-controller-manager + template: + metadata: + labels: + app: digitalocean-cloud-controller-manager + spec: + dnsPolicy: Default + hostNetwork: true + serviceAccountName: cloud-controller-manager + priorityClassName: system-cluster-critical + tolerations: + # this taint is set by all kubelets running `--cloud-provider=external` + # so we should tolerate it to schedule the digitalocean ccm + - key: "node.cloudprovider.kubernetes.io/uninitialized" + value: "true" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + # cloud controller manages should be able to run on masters + # TODO: remove this when ccm is not supported on k8s <= 1.23 + - key: "node-role.kubernetes.io/master" + effect: NoSchedule + # k8s clusters 1.24+ uses control-plane name instead of master + - key: "node-role.kubernetes.io/control-plane" + effect: NoSchedule + containers: + - image: digitalocean/digitalocean-cloud-controller-manager:v0.1.54 + name: digitalocean-cloud-controller-manager + command: + - "/bin/digitalocean-cloud-controller-manager" + - "--leader-elect=false" + resources: + requests: + cpu: 100m + memory: 50Mi + env: + - name: DO_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: digitalocean + key: access-token +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cloud-controller-manager + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: system:cloud-controller-manager +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - create + - update + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - "" + resources: + - nodes + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - services + verbs: + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - get + - list + - watch + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: system:cloud-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:cloud-controller-manager +subjects: +- kind: ServiceAccount + name: cloud-controller-manager + namespace: kube-system