- 19 Aug, 2020 8 commits
-
-
Geoff Simmons authored
This made it necessary to separate the RBAC and ServiceAccount manifests for controller and varnish. We now have deploy and undeploy targets for both controller and Varnish that use helm or kubectl, depending on whether the make variable DEPLOY=kubectl is set.
-
Geoff Simmons authored
make variable DEPLOY=kubectl specifies these variants for the targets deploy- and undeploy-controller, otherwise un/deploy the helm chart.
-
Geoff Simmons authored
-
Geoff Simmons authored
-
Geoff Simmons authored
make VARNISH=klarlack ... # for the klarlack image, otherwise varnish
make TEST=local ... # for the local docker registry
make TEST=ci ... # for the gitlab registry (CI pipeline)
If TEST is unset, pull the "official" images from dockerhub.
-
Geoff Simmons authored
This has the consequence that GNU make is required.
-
Geoff Simmons authored
-
Geoff Simmons authored
-
- 18 Aug, 2020 5 commits
-
-
Geoff Simmons authored
-
Geoff Simmons authored
Ref #36
-
Geoff Simmons authored
The haproxy container now runs the app k8s-crt-dnldr, and no longer runs http-faccess. See https://code.uplex.de/k8s/k8s-crt-dnldr

k8s-crt-dnldr runs a k8s client that reads Secrets, filtered for TLS (type:kubernetes.io/tls). It provides a REST API with which a client can instruct it to write (PUT) or remove (DELETE) a pem file (concatenated crt and key) corresponding to a TLS Secret in the cluster. By default, these are written to /etc/ssl/private, where haproxy reads certificates. After the next haproxy reload following the write or delete, haproxy will use or not use the certificate.

Once k8s-crt-dnldr has been instructed to store a Secret, it responds to Update and Delete events for the Secret by updating or deleting the file on its own. The controller currently sends commands to do so as well, but in practice the k8s-crt-dnldr has already changed the certificate itself (this is not an error).

This means that viking Pods must have RBAC rights to read Secrets (the fact that these are filtered for TLS is not expressible in RBAC). That in turn means that viking Pods must be assigned a service account name, to get the RBAC role binding.

The controller no longer needs RBAC write privileges for Secrets, and the "tls-cert" Secret with the hard-wired name is no longer necessary. The Secret volume that projects "tls-cert" into viking Pods has been removed.

The port faccess in the headless Service for viking admin has been renamed to crt-dnldr.

Addresses #36
-
Geoff Simmons authored
-
Geoff Simmons authored
-
- 17 Aug, 2020 8 commits
-
-
Geoff Simmons authored
-
Geoff Simmons authored
-
Geoff Simmons authored
-
Geoff Simmons authored
This re-uses the example chart for "hello without TLS". Passes verify.sh.
-
Geoff Simmons authored
-
Geoff Simmons authored
-
Geoff Simmons authored
-
Geoff Simmons authored
-
- 14 Aug, 2020 1 commit
-
-
Geoff Simmons authored
-
- 13 Aug, 2020 1 commit
-
-
Geoff Simmons authored
This will be re-organized over time, but this configuration passes deploy/verify.sh without changes.
-
- 05 Aug, 2020 1 commit
-
-
Tim Leers authored
-
- 23 Jul, 2020 1 commit
-
-
Geoff Simmons authored
-
- 21 Jul, 2020 2 commits
-
-
Geoff Simmons authored
-
Geoff Simmons authored
-
- 20 Jul, 2020 1 commit
-
-
Lars Fenneberg authored
-
- 10 Jul, 2020 7 commits
-
-
Geoff Simmons authored
-
Geoff Simmons authored
-
Geoff Simmons authored
-
Geoff Simmons authored
-
Geoff Simmons authored
In test/e2e.sh, we run the test twice, to confirm that VMOD dynamic picks up the changed IP for the DNS name. For now, just run the test once in the pipeline.
-
Geoff Simmons authored
These are unfortunately set up to run in a specific order. The order should currently match the order in test/e2e.sh.
-
Geoff Simmons authored
Since it has been failing consistently in the CI pipeline.
-
- 09 Jul, 2020 4 commits
-
-
Geoff Simmons authored
VCL label and source file names changed.
-
Geoff Simmons authored
Update comments and fix up whitespace while we're here.
-
Geoff Simmons authored
Add the port "configured" to the headless Varnish admin Service, which responds with status 200 when an Ingress is configured, 503 otherwise. This replaces the previous purpose of the Ready state, to determine if the Pods are currently implementing an Ingress.

This is actually a small change to the Varnish images and the admin Service, but a wide-ranging change for testing, since we now check the configured port before verifying a configuration (rather than wait for the Ready state). Common test code is now in the bash library test/utils.sh.

This commit also includes a fix for the repeated test of the ExternalName example, which verifies that the changed IP addresses for ExternalName Services are picked up by VMOD dynamic. The test waits for the Ready state of the IngressBackends. The second time around, kubectl wait sometimes picked up previous versions of the Pods that were in the process of terminating. These of course never became Ready, and the wait timed out. Now we wait for those Pods to delete before proceeding with the second test.
-
Geoff Simmons authored
-
- 07 Jul, 2020 1 commit
-
-
Geoff Simmons authored
-