From bd9785e5197450860ad178a93742294c20142686 Mon Sep 17 00:00:00 2001 From: Luca Comellini Date: Wed, 8 Mar 2023 16:26:43 -1000 Subject: [PATCH] Push edge Helm Chart to OCI registries (#3581) --- .github/workflows/build-oss.yml | 1 + .github/workflows/ci.yml | 90 +++++------ .github/workflows/lint.yml | 9 ++ README.md | 2 +- deployments/helm-chart/README.md | 145 ++++++++++-------- deployments/helm-chart/templates/_helpers.tpl | 6 +- deployments/helm-chart/values.schema.json | 3 +- deployments/helm-chart/values.yaml | 4 +- 8 files changed, 146 insertions(+), 114 deletions(-) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 07fa08f929..ead0d58adc 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -47,6 +47,7 @@ jobs: - name: Docker Buildx uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1 + - name: DockerHub Login uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9ee06cc41b..755fe8278e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,11 +21,6 @@ defaults: run: shell: bash -env: - HELM_CHART_DIR: deployments/helm-chart - GIT_NAME: NGINX Kubernetes Team - GIT_MAIL: kubernetes@nginx.com - concurrency: group: ${{ github.ref_name }}-ci cancel-in-progress: true @@ -342,62 +337,67 @@ jobs: path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html if: always() - package-helm: - name: Package Helm Chart + publish-helm: + name: Package and Publish Helm Chart runs-on: ubuntu-22.04 - needs: unit-tests - outputs: - version: ${{ steps.var.outputs.helm_version }} - type: ${{ steps.var.outputs.helm_type }} + needs: helm-tests if: ${{ github.event_name == 'push' }} + permissions: + contents: read + packages: write steps: - name: Checkout Repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Output Variables - id: var - run: | - if ${{ startsWith(github.ref, 'refs/tags/') }}; then - helm_version="$(helm show chart ${{ env.HELM_CHART_DIR }} | grep 'version:' | cut -d ' ' -f 2)" - helm_type="stable" - else - helm_version="0.0.0-edge" - helm_type="edge" - fi - echo "helm_version=$helm_version" >> $GITHUB_OUTPUT - echo "helm_type=$helm_type" >> $GITHUB_OUTPUT - - name: Lint - run: helm lint ${{ env.HELM_CHART_DIR }} - - name: Package - run: helm package --version ${{ steps.var.outputs.helm_version }} ${{ env.HELM_CHART_DIR }} - - name: Upload Chart - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: - name: helm-chart - path: ${{ github.workspace }}/nginx-ingress-${{ steps.var.outputs.helm_version }}.tgz + path: kic + + - name: Login to GitHub Container Registry + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: DockerHub Login + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Package + id: package + run: | + output=$(helm package ${{ ! startsWith(github.ref, 'refs/tags/') && '--app-version edge --version 0.0.0-edge' || '' }} kic/deployments/helm-chart) + echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT + + - name: Push to OCI registries + run: | + helm push ${{ steps.package.outputs.path }} oci://ghcr.io/nginxinc/charts + helm push ${{ steps.package.outputs.path }} oci://registry-1.docker.io/nginxcharts - release-helm: - name: Release Helm Chart - runs-on: ubuntu-22.04 - needs: package-helm - if: ${{ github.event_name == 'push' }} - steps: - name: Checkout Repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: repository: nginxinc/helm-charts fetch-depth: 1 token: ${{ secrets.NGINX_PAT }} + path: helm-charts + + - name: Get Chart type + id: package-helm + run: | + echo "type=${{ contains(steps.package.outputs.path, 'edge') && 'edge' || 'stable' }}" >> $GITHUB_OUTPUT + - name: Remove previous Chart - run: rm -f ${{ github.workspace }}/${{ needs.package-helm.outputs.type }}/nginx-ingress-${{ needs.package-helm.outputs.version }}.tgz - - name: Retrieve latest Helm Chart - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: helm-chart - path: ${{ github.workspace }}/${{ needs.package-helm.outputs.type }} - - name: Push Helm Chart + if: ${{ ! startsWith(github.ref, 'refs/tags/') }} + run: rm -f ${{ github.workspace }}/helm-charts/edge/nginx-ingress-0.0.0-edge.tgz + + - name: Push Helm Chart to Helm Charts Repository run: | + mv ${{ steps.package.outputs.path }} ${{ github.workspace }}/helm-charts/${{ steps.package-helm.outputs.type }}/ + cd ${{ github.workspace }}/helm-charts helm repo index ${{ needs.package-helm.outputs.type }} --url https://helm.nginx.com/${{ needs.package-helm.outputs.type }} git add -A - git -c user.name='${{ env.GIT_NAME }}' -c user.email='${{ env.GIT_MAIL }}' \ + git -c user.name='NGINX Kubernetes Team' -c user.email='kubernetes@nginx.com' \ commit -m "NGINX Ingress Controller - Release ${{ needs.package-helm.outputs.type }} ${{ needs.package-helm.outputs.version }}" git push -u origin master diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 5bf7041dbc..995cf15c05 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -48,3 +48,12 @@ jobs: - uses: reviewdog/action-actionlint@b6feb003955cad286985c42e7047f4567a798f3f # v1.36.0 with: actionlint_flags: -shellcheck "" + + chart-lint: + name: Chart Lint + runs-on: ubuntu-22.04 + steps: + - name: Checkout Repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Lint chart + run: helm lint deployments/helm-chart diff --git a/README.md b/README.md index 28f669d42b..03d361ade7 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ We publish Ingress Controller releases on GitHub. See our [releases page](https: The latest stable release is [3.0.2](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.0.2). For production use, we recommend that you choose the latest stable release. -The edge version is useful for experimenting with new features that are not yet published in a stable release. To use, choose the *edge* version built from the [latest commit](https://github.com/nginxinc/kubernetes-ingress/commits/main) from the main branch. +The edge version is useful for experimenting with new features that are not yet published in a stable release. To use it, choose the *edge* version built from the [latest commit](https://github.com/nginxinc/kubernetes-ingress/commits/main) from the main branch. To use the Ingress Controller, you need to have access to: * An Ingress Controller image. diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index 10a87ba496..e170bea729 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md @@ -8,7 +8,6 @@ This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. - A [Kubernetes Version Supported by the Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) - Helm 3.0+. - - Git. - If you’d like to use NGINX Plus: - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to specify the secret using `controller.serviceAccount.imagePullSecretName` parameter. - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). @@ -16,125 +15,144 @@ This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. - If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator helm chart. Make sure to install in the same namespace as the NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single namespace. +## CRDs -## Getting the Chart Sources - -This step is required if you're installing the chart using its sources. Additionally, the step is also required for managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for upgrading/deleting the CRDs. - -1. Clone the Ingress Controller repo: - ```console - $ git clone https://github.com/nginxinc/kubernetes-ingress --branch v3.0.2 - ``` - **Note**: If you want to use the experimental repository (`edge`), remove the `--branch` flag and value. +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. -2. Change your working directory to /deployments/helm-chart: - ```console - $ cd kubernetes-ingress/deployments/helm-chart - ``` +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. -## Adding the Helm Repository +### Upgrading the CRDs -This step is required if you're installing the chart via the helm repository. +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: ```console -$ helm repo add nginx-stable https://helm.nginx.com/stable -$ helm repo update +$ kubectl apply -f crds/ ``` +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release for any special upgrade procedures. + +### Uninstalling the CRDs -**Note**: If you want to use the experimental repository, replace `stable` with `edge`. +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: -## Installing the Chart +```console +$ kubectl delete -f crds/ +``` +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the cluster. -### Installing the CRDs -By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. +## Managing the Chart via OCI Registry (edge version) -If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. -### Installing via Helm Repository +### Installing the Chart To install the chart with the release name my-release (my-release is the name that you choose): For NGINX: ```console -$ helm install my-release nginx-stable/nginx-ingress +$ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -$ helm install my-release nginx-stable/nginx-ingress --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +$ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` -**Note**: If you want to use the experimental repository, replace `stable` with `edge` and add the `--devel` flag. +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`. + + +## Managing the Chart via Helm Repository + +### Adding the helm repository + +```console +$ helm repo add nginx-stable https://helm.nginx.com/stable +$ helm repo update +``` -### Installing Using Chart Sources +### Installing the Chart To install the chart with the release name my-release (my-release is the name that you choose): For NGINX: ```console -$ helm install my-release . +$ helm install my-release nginx-stable/nginx-ingress ``` -For NGINX Plus: +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -$ helm install my-release -f values-plus.yaml . +$ helm install my-release nginx-stable/nginx-ingress --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` -**Note**: If you want to use the experimental repository, replace the value in the `tag` field inside the yaml files with `edge`. +### Upgrading the Chart -The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation. +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the CRDs](#upgrading-the-crds). -When deploying the Ingress Controller, make sure to use your own TLS certificate and key for the default server rather than the default pre-generated ones. Read the [Configuration](#Configuration) section below to see how to configure a TLS certificate and key for the default server. Note that the default server returns the Not Found page with the 404 status code for all requests for domains for which there are no Ingress rules defined. +To upgrade the release `my-release`: -## Upgrading the Chart +```console +$ helm upgrade my-release nginx-stable/nginx-ingress +``` -### Upgrading the CRDs +### Uninstalling the Chart -Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, run the following command to upgrade the CRDs: +To uninstall/delete the release `my-release`: ```console -$ kubectl apply -f crds/ +$ helm uninstall my-release ``` -> **Note**: The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`. - -> **Note**: Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release for any special upgrade procedures. +The command removes all the Kubernetes components associated with the release and deletes the release. -### Upgrading the Release +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the CRDs](#uninstalling-the-crds). -To upgrade the release `my-release`: -#### Upgrade Using Chart Sources: +## Managing the Chart via Sources -```console -$ helm upgrade my-release . -``` +### Pulling the Chart -#### Upgrade via Helm Repository: +This step is required if you're installing the chart using its sources. Additionally, the step is also required for managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for upgrading/deleting the CRDs. -```console -$ helm upgrade my-release nginx-stable/nginx-ingress -``` +1. Pull the chart sources: + ```console + $ helm pull nginx-stable/nginx-ingress --untar --version 0.16.1 + ``` -## Uninstalling the Chart +2. Change your working directory to nginx-ingress: + ```console + $ cd nginx-ingress + ``` +### Installing -### Uninstalling the Release +To install the chart with the release name my-release (my-release is the name that you choose): -To uninstall/delete the release `my-release`: +For NGINX: +```console +$ helm install my-release . +``` +For NGINX Plus: ```console -$ helm uninstall my-release +$ helm install my-release -f values-plus.yaml . ``` -The command removes all the Kubernetes components associated with the release and deletes the release. -### Uninstalling the CRDs +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation. + +When deploying the Ingress Controller, make sure to use your own TLS certificate and key for the default server rather than the default pre-generated ones. Read the [Configuration](#Configuration) section below to see how to configure a TLS certificate and key for the default server. Note that the default server returns the Not Found page with the 404 status code for all requests for domains for which there are no Ingress rules defined. -Uninstalling the release does not remove the CRDs. To remove the CRDs, run: +### Upgrading ```console -$ kubectl delete -f crds/ +$ helm upgrade my-release . ``` -> **Note**: This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the cluster. + ## Running Multiple Ingress Controllers @@ -142,6 +160,7 @@ If you are running multiple Ingress Controller releases in your cluster with ena See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) for more details. + ## Configuration The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. @@ -167,8 +186,8 @@ Parameter | Description | Default `controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} `controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} `controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] -`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** By default, a pre-generated self-signed certificate is used. It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | A pre-generated self-signed certificate. -`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** By default, a pre-generated key is used. It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | A pre-generated key. +`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** By default, a pre-generated self-signed certificate is used. It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | A pre-generated self-signed certificate. +`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** By default, a pre-generated key is used. It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | A pre-generated key. `controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None `controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None `controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None @@ -221,7 +240,7 @@ Parameter | Description | Default `controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 `controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true `controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 -`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" +`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" `controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 `controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} `controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated diff --git a/deployments/helm-chart/templates/_helpers.tpl b/deployments/helm-chart/templates/_helpers.tpl index b5ca9fba41..fb83b9e8f1 100644 --- a/deployments/helm-chart/templates/_helpers.tpl +++ b/deployments/helm-chart/templates/_helpers.tpl @@ -81,6 +81,10 @@ Expand app name. {{- default (include "nginx-ingress.name" .) .Values.controller.name -}} {{- end -}} +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + {{/* Expand image name. */}} @@ -88,6 +92,6 @@ Expand image name. {{- if .Values.controller.image.digest -}} {{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} {{- else -}} -{{- printf "%s:%s" .Values.controller.image.repository .Values.controller.image.tag -}} +{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} {{- end -}} {{- end -}} diff --git a/deployments/helm-chart/values.schema.json b/deployments/helm-chart/values.schema.json index 7734c03178..47123b797f 100644 --- a/deployments/helm-chart/values.schema.json +++ b/deployments/helm-chart/values.schema.json @@ -247,8 +247,7 @@ "default": {}, "title": "The image Schema", "required": [ - "repository", - "tag" + "repository" ], "properties": { "repository": { diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index c53de26a6e..092bc088ba 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -54,8 +54,8 @@ controller: ## The image repository of the Ingress Controller. repository: nginx/nginx-ingress - ## The tag of the Ingress Controller image. - tag: "3.0.2" + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.0.2" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead