Merge pull request #98 from shiftstack/merge-bot-master

Bug 2036569: Merge upstream bump to k8s 1.23

Makefile

@@ -25,7 +25,7 @@ HAS_LINT := $(shell command -v golint;)
 HAS_GOX := $(shell command -v gox;)
 GOX_PARALLEL ?= 3
 
-TARGETS		?= darwin/amd64 linux/amd64 linux/386 linux/arm linux/arm64 linux/ppc64le linux/s390x
+TARGETS		?= linux/amd64 linux/386 linux/arm linux/arm64 linux/ppc64le linux/s390x
 DIST_DIRS	= find * -type d -exec
 
 TEMP_DIR	:=$(shell mktemp -d)

charts/cinder-csi-plugin/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: latest
 description: Cinder CSI Chart for OpenStack
 name: openstack-cinder-csi
-version: 2.0.0
+version: 2.1.0
 home: https://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml

@@ -115,7 +115,7 @@ spec:
             - name: CLOUD_CONFIG
               value: /etc/kubernetes/cloud-config
             - name: CLUSTER_NAME
-              value: kubernetes
+              value: "{{ .Values.clusterID }}"
           ports:
             - containerPort: 9808
               name: healthz

charts/cinder-csi-plugin/values.yaml

@@ -140,4 +140,8 @@ storageClass:
 #     driver: cinder.csi.openstack.org
 #     deletionPolicy: Delete
 
+# You may set ID of the cluster where openstack-cinder-csi is deployed. This value will be appended
+# to volume metadata in newly provisioned volumes as `cinder.csi.openstack.org/cluster=<cluster ID>`.
+clusterID: "kubernetes"
+
 priorityClassName: ""

charts/manila-csi-plugin/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: latest
 description: Manila CSI Chart for OpenStack
 name: openstack-manila-csi
-version: 1.3.2
+version: 1.4.0
 home: http://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/openstack-cloud-controller-manager/Chart.yaml

@@ -4,7 +4,7 @@ description: Openstack Cloud Controller Manager Helm Chart
 icon: https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/OpenStack-Logo-Vertical.png
 home: https://github.com/kubernetes/cloud-provider-openstack
 name: openstack-cloud-controller-manager
-version: 1.1.1
+version: 1.2.0
 maintainers:
   - name: morremeyer
     email: kubernetes@maurice-meyer.de

cluster/images/barbican-kms-plugin/Dockerfile

@@ -13,7 +13,7 @@
 ARG ALPINE_ARCH=amd64
 # We not using scratch because we need to keep the basic image information
 # from parent image
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/barbican-kms-plugin/Dockerfile.build

@@ -1,5 +1,5 @@
 ARG ALPINE_ARCH=amd64
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 LABEL maintainers="Kubernetes Authors"
 LABEL description="Barbican KMS Plugin"
 

cluster/images/k8s-keystone-auth/Dockerfile

@@ -13,7 +13,7 @@
 ARG ALPINE_ARCH=amd64
 # We not using scratch because we need to keep the basic image information
 # from parent image
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/k8s-keystone-auth/Dockerfile.build

@@ -11,7 +11,7 @@
 # limitations under the License.
 
 ARG ALPINE_ARCH=amd64
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/magnum-auto-healer/Dockerfile

@@ -13,7 +13,7 @@
 ARG ALPINE_ARCH=amd64
 # We not using scratch because we need to keep the basic image information
 # from parent image
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/magnum-auto-healer/Dockerfile.build

@@ -11,7 +11,7 @@
 # limitations under the License.
 
 ARG ALPINE_ARCH=amd64
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/manila-csi-plugin/Dockerfile

@@ -13,7 +13,7 @@
 ARG ALPINE_ARCH=amd64
 # We not using scratch because we need to keep the basic image information
 # from parent image
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/manila-csi-plugin/Dockerfile.build

@@ -1,5 +1,5 @@
 ARG ALPINE_ARCH=amd64
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/octavia-ingress-controller/Dockerfile

@@ -13,7 +13,7 @@
 ARG ALPINE_ARCH=amd64
 # We not using scratch because we need to keep the basic image information
 # from parent image
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/octavia-ingress-controller/Dockerfile.build

@@ -10,7 +10,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ARG ALPINE_ARCH=amd64
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/openstack-cloud-controller-manager/Dockerfile

@@ -13,7 +13,7 @@
 ARG ALPINE_ARCH=amd64
 # We not using scratch because we need to keep the basic image information
 # from parent image
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 

cluster/images/openstack-cloud-controller-manager/Dockerfile.build

@@ -11,7 +11,7 @@
 # limitations under the License.
 
 ARG ALPINE_ARCH=amd64
-FROM ${ALPINE_ARCH}/alpine:3.11
+FROM ${ALPINE_ARCH}/alpine:3.15
 
 ARG ARCH=amd64
 RUN apk add --no-cache ca-certificates

cmd/barbican-kms-plugin/main.go

@@ -18,14 +18,13 @@ package main
 
 import (
 	"flag"
-	"fmt"
 	"os"
 	"os/signal"
 
 	"github.com/spf13/cobra"
 	"golang.org/x/sys/unix"
 	"k8s.io/cloud-provider-openstack/pkg/kms/server"
-	"k8s.io/component-base/logs"
+	"k8s.io/component-base/cli"
 	"k8s.io/klog/v2"
 )
 
@@ -55,9 +54,6 @@ func main() {
 		}
 	})
 
-	logs.InitLogs()
-	defer logs.FlushLogs()
-
 	cmd := &cobra.Command{
 		Use:   "barbican-kms-plugin",
 		Short: "Barbican KMS plugin for kubernetes",
@@ -77,10 +73,6 @@ func main() {
 	cmd.PersistentFlags().StringVar(&cloudconfig, "cloud-config", "", "Barbican KMS Plugin cloud config")
 	cmd.MarkPersistentFlagRequired("cloud-config")
 
-	if err := cmd.Execute(); err != nil {
-		fmt.Fprintf(os.Stderr, "%s", err.Error())
-		os.Exit(1)
-	}
-
-	os.Exit(0)
+	code := cli.Run(cmd)
+	os.Exit(code)
 }

cmd/cinder-csi-plugin/main.go

@@ -18,7 +18,6 @@ package main
 
 import (
 	"flag"
-	"fmt"
 	"os"
 
 	"github.com/spf13/cobra"
@@ -27,7 +26,7 @@ import (
 	"k8s.io/cloud-provider-openstack/pkg/csi/cinder/openstack"
 	"k8s.io/cloud-provider-openstack/pkg/util/metadata"
 	"k8s.io/cloud-provider-openstack/pkg/util/mount"
-	"k8s.io/component-base/logs"
+	"k8s.io/component-base/cli"
 	"k8s.io/klog/v2"
 )
 
@@ -87,15 +86,8 @@ func main() {
 
 	openstack.AddExtraFlags(pflag.CommandLine)
 
-	logs.InitLogs()
-	defer logs.FlushLogs()
-
-	if err := cmd.Execute(); err != nil {
-		fmt.Fprintf(os.Stderr, "%s", err.Error())
-		os.Exit(1)
-	}
-
-	os.Exit(0)
+	code := cli.Run(cmd)
+	os.Exit(code)
 }
 
 func handle() {

cmd/client-keystone-auth/main.go

@@ -26,6 +26,7 @@ import (
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/utils/openstack/clientconfig"
 	"github.com/spf13/pflag"
+	"k8s.io/component-base/logs"
 
 	"golang.org/x/crypto/ssh/terminal"
 
@@ -177,6 +178,11 @@ func main() {
 	pflag.StringVar(&applicationCredentialID, "application-credential-id", os.Getenv("OS_APPLICATION_CREDENTIAL_ID"), "Application Credential ID")
 	pflag.StringVar(&applicationCredentialName, "application-credential-name", os.Getenv("OS_APPLICATION_CREDENTIAL_NAME"), "Application Credential Name")
 	pflag.StringVar(&applicationCredentialSecret, "application-credential-secret", os.Getenv("OS_APPLICATION_CREDENTIAL_SECRET"), "Application Credential Secret")
+
+	logs.AddFlags(pflag.CommandLine)
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
 	pflag.CommandLine.AddGoFlagSet(klogFlags)
 	kflag.InitFlags()
 

cmd/k8s-keystone-auth/main.go

@@ -34,6 +34,7 @@ func main() {
 	klogFlags := flag.NewFlagSet("klog", flag.ExitOnError)
 	klog.InitFlags(klogFlags)
 
+	logs.AddFlags(pflag.CommandLine)
 	keystone.AddExtraFlags(pflag.CommandLine)
 
 	// Sync the glog and klog flags.

cmd/manila-csi-plugin/main.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/cloud-provider-openstack/pkg/csi/manila/manilaclient"
 	"k8s.io/cloud-provider-openstack/pkg/csi/manila/options"
 	"k8s.io/cloud-provider-openstack/pkg/csi/manila/runtimeconfig"
-	"k8s.io/component-base/logs"
+	"k8s.io/component-base/cli"
 	"k8s.io/klog/v2"
 )
 
@@ -182,13 +182,6 @@ func main() {
 
 	cmd.PersistentFlags().StringVar(&clusterID, "cluster-id", "", "The identifier of the cluster that the plugin is running in.")
 
-	logs.InitLogs()
-	defer logs.FlushLogs()
-
-	if err := cmd.Execute(); err != nil {
-		fmt.Fprintf(os.Stderr, "%s\n", err.Error())
-		os.Exit(1)
-	}
-
-	os.Exit(0)
+	code := cli.Run(cmd)
+	os.Exit(code)
 }

docs/cinder-csi-plugin/using-cinder-csi-plugin.md

@@ -116,7 +116,7 @@ These configuration options pertain to block storage and should appear in the `[
 * `rescan-on-resize`
   Optional. Set to `true`, to rescan block device and verify its size before expanding the filesystem. Not all hypervizors have a /sys/class/block/XXX/device/rescan location, therefore if you enable this option and your hypervizor doesn't support this, you'll get a warning log on resize event. It is recommended to disable this option in this case. Defaults to `false`
 * `ignore-volume-az`
-  Optional. When `Topology` feature enabled, by default, PV volume node affinity is populated with volume accessible topology, which is volume AZ. But, some of the openstack users do not have compute zones named exactly the same as volume zones. This might cause pods to go in pending state as no nodes available in volume AZ. Enabling `ignore-volume-az=true`, ignores volumeAZ and schedules on any of the available node AZ. Default `false`.
+  Optional. When `Topology` feature enabled, by default, PV volume node affinity is populated with volume accessible topology, which is volume AZ. But, some of the openstack users do not have compute zones named exactly the same as volume zones. This might cause pods to go in pending state as no nodes available in volume AZ. Enabling `ignore-volume-az=true`, ignores volumeAZ and schedules on any of the available node AZ. Default `false`. Check `cross_az_attach` in [nova configuration](https://docs.openstack.org/nova/latest/configuration/config.html) for further information.
 
 ### Metadata
 These configuration options pertain to metadata and should appear in the `[Metadata]` section of the `$CLOUD_CONFIG` file.

docs/octavia-ingress-controller/using-octavia-ingress-controller.md

@@ -14,6 +14,7 @@
     - [Create a backend service](#create-a-backend-service)
     - [Create an Ingress resource](#create-an-ingress-resource)
   - [Enable TLS encryption](#enable-tls-encryption)
+  - [Allow CIDRs](#allow-cidrs)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -139,7 +140,7 @@ Here are several other config options are not included in the example configurat
 
     Notes for the security group:
 
-    - The security group name is in the format: `k8s_ing_<cluster-name>_<ingress-namespace>_<ingress-name>`
+    - The security group name is in the format: `kube_ingress_<cluster-name>_<ingress-namespace>_<ingress-name>`
     - The security group description is in the format: `Security group created for Ingress <ingress-namespace>/<ingress-name> from cluster <cluster-name>`
     - The security group has tags: `["octavia.ingress.kubernetes.io", "<ingress-namespace>_<ingress-name>"]`
     - The security group is associated with all the Neutron ports of the Kubernetes worker nodes. 
@@ -449,3 +450,34 @@ Ingress and enable the more secure HTTPS protocol.
 > NOTE: octavia-ingress-controller currently doesn't support to integrate with
 > `cert-manager` to create the non-existing secret dynamically. Could be improved
 > in the future.
+
+## Allow CIDRs
+
+By using the annotation `octavia.ingress.kubernetes.io/whitelist-source-range`,
+you can restrict access to certain IP addresses.
+The value should be a comma-separated list of CIDRs.
+
+Example:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: test-octavia-ingress
+  annotations:
+    kubernetes.io/ingress.class: "openstack"
+    octavia.ingress.kubernetes.io/internal: "false"
+    octavia.ingress.kubernetes.io/whitelist-source-range: 192.168.1.0/23
+spec:
+  rules:
+    - host: foo.bar.com
+      http:
+        paths:
+        - path: /ping
+          pathType: Exact
+          backend:
+            service:
+              name: webserver
+              port:
+                number: 8080
+```

docs/openstack-cloud-controller-manager/expose-applications-using-loadbalancer-type-service.md

@@ -20,6 +20,8 @@ This page shows how to create Services of LoadBalancer type in Kubernetes cluste
 
 A LoadBalancer type Service is a typical way to expose an application to the internet. It relies on the cloud provider to create an external load balancer with an IP address in the relevant network space. Any traffic that is then directed to this IP address is forwarded on to the application’s service.
 
+**NOTE: for test/PoC with only 1 master node environment, you need remove the label `node.kubernetes.io/exclude-from-external-load-balancers` of the master node otherwise the loadbalancer will not be created. search the label [here](https://pkg.go.dev/k8s.io/api/core/v1) for further information.**
+
 > Note: Different cloud providers may support different Service annotations and features.
 
 ## Creating a Service of LoadBalancer type
@@ -171,7 +173,7 @@ Request Body:
 
 - `loadbalancer.openstack.org/enable-health-monitor`
 
-  Defines whether to create health monitor for the load balancer pool, if not specified, use `create-monitor` config. The health monitor can be created or deleted dynamically.
+  Defines whether to create health monitor for the load balancer pool, if not specified, use `create-monitor` config. The health monitor can be created or deleted dynamically. A health monitor is required for services with `externalTrafficPolicy: Local`.
 
   Not supported when `lb-provider=ovn` is configured in openstack-cloud-controller-manager.
 

docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md

@@ -16,7 +16,6 @@
   - [Metrics](#metrics)
   - [Limitation](#limitation)
     - [OpenStack availability zone must not contain blank](#openstack-availability-zone-must-not-contain-blank)
-    - [externalTrafficPolicy support](#externaltrafficpolicy-support)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -209,7 +208,7 @@ Although the openstack-cloud-controller-manager was initially implemented with N
   This option is not supported for Octavia. The worker nodes and the Octavia amphorae are usually in the same subnet, so it's sufficient to config the port security group rules manually for worker nodes, to allow the traffic coming from the the subnet IP range to the node port range(i.e. 30000-32767).
 
 * `create-monitor`
-  Indicates whether or not to create a health monitor for the service load balancer. Default: false
+  Indicates whether or not to create a health monitor for the service load balancer. A health monitor required for services that declare `externalTrafficPolicy: Local`. Default: false
 
 * `monitor-delay`
   The time, in seconds, between sending probes to members of the load balancer. Default: 5
@@ -289,9 +288,3 @@ Refer to [Metrics for openstack-cloud-controller-manager](../metrics.md)
 ### OpenStack availability zone must not contain blank
 
 `topology.kubernetes.io/zone` is used to label node and its value comes from availability zone of the node, according to [label spec](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set) it does not support blank (' ') but OpenStack availability zone supports blank. So your OpenStack availability zone must not contain blank otherwise it will lead to node that belongs to this availability zone register failure, see [#1379](https://github.com/kubernetes/cloud-provider-openstack/issues/1379) for further information.
-
-### externalTrafficPolicy support
-
-`externalTrafficPolicy` denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. "Local" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. "Cluster" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.
-
-openstack-cloud-controller-manager only supports `externalTrafficPolicy: Cluster` for now.