Merge pull request #318 from Kong/next

[kong] release 2.0.0-rc.1
Kong · Mar 19, 2021 · e6911ee · e6911ee
2 parents fba7346 + 887c5d2
commit e6911ee
Show file tree

Hide file tree

Showing 20 changed files with 270 additions and 319 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -11,28 +11,38 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
 
-      - name: Fetch history
-        run: git fetch --prune --unshallow
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.2.4
 
-      - name: Run chart-testing (lint)
-        id: lint
-        uses: helm/[email protected]
+      - uses: actions/setup-python@v2
         with:
-          command: lint
-          config: ct-main.yaml
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint --chart-repos bitnami=https://charts.bitnami.com/bitnami --remote origin
 
       - name: Create kind cluster
-        uses: helm/[email protected]
-        with:
-          install_local_path_provisioner: true
-        if: steps.lint.outputs.changed == 'true'
+        uses: helm/[email protected]
+        if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)
-        uses: helm/[email protected]
-        with:
-          command: install
-          config: ct-main.yaml
+        run: ct install
   release:
     needs: lint-test
     runs-on: ubuntu-latest
@@ -49,18 +59,16 @@ jobs:
           git config user.email "[email protected]"
 
       # See https://github.com/helm/chart-releaser-action/issues/6
-      - name: Install Helm
-        run: |
-          curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get
-          chmod 700 get_helm.sh
-          ./get_helm.sh
-          helm init --client-only
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.2.4
 
       - name: Add dependency chart repos
         run: |
           helm repo add bitnami https://charts.bitnami.com/bitnami
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.0.0-alpha.2
+        uses: helm/chart-releaser-action@v1.1.0
         env:
           CR_TOKEN: "${{ secrets.CR_TOKEN }}"
diff --git a/.github/workflows/non-main.yaml b/.github/workflows/non-main.yaml
@@ -4,6 +4,7 @@ on:
   push:
     branches-ignore:
     - 'main'
+    - 'kong-1.x'
   pull_request:
     branches:
     - '**'
@@ -14,23 +15,35 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
 
-      - name: Fetch history
-        run: git fetch --prune --unshallow
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.2.4
 
-      - name: Run chart-testing (lint)
-        id: lint
-        uses: helm/[email protected]
+      - uses: actions/setup-python@v2
         with:
-          command: lint
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint --chart-repos bitnami=https://charts.bitnami.com/bitnami --check-version-increment false --remote origin
 
       - name: Create kind cluster
-        uses: helm/[email protected]
-        with:
-          install_local_path_provisioner: true
-        if: steps.lint.outputs.changed == 'true'
+        uses: helm/[email protected]
+        if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)
-        uses: helm/[email protected]
-        with:
-          command: install
+        run: ct install
diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
@@ -1,5 +1,51 @@
 # Changelog
 
+## 2.0.0-rc.1
+
+### Breaking changes
+
+* Helm 2 is no longer supported. You **must** [migrate your Kong chart releases
+  to Helm 3](https://helm.sh/docs/topics/v2_v3_migration/) before updating to
+  this release.
+* Deprecated [Portal auth settings](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters)
+  are no longer supported.
+* The deprecated [`runMigrations` setting](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-migration-job-configuration)
+  is no longer supported.
+* Deprecated [admin API Service configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-kong-service-configuration)
+  is no longer supported.
+* Deprecated [multi-host proxy configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress)
+  is no longer supported.
+
+`helm upgrade` with the previous version (1.15.0) will print a warning message
+if you still use any of the removed values.yaml configuration. If you do not
+see any warnings after the upgrade completes, you are already using the modern
+equivalents of these settings and can proceed with upgrading to 2.0.0-rc1.
+
+### Improvements
+
+* Admission webhook certificates persist after their initial creation. This
+  prevents an unnecessary restart of Kong Pods on upgrades that do not actually
+  modify the deployment.
+  ([#256](https://github.com/Kong/charts/pull/256))
+* `ingressController.installCRDs` now defaults to `false`, simplifying
+  installation on Helm 3. Installs now default to using Helm 3's CRD management
+  system, and do not require changes to values or install flags to install
+  successfully.
+  ([#305](https://github.com/Kong/charts/pull/305))
+* Added support for Pod `topologySpreadConstraints`.
+  ([#308](https://github.com/Kong/charts/pull/308))
+
+### Fixed
+
+* Generated admission webhook certificates now include SANs for compatibility
+  with Go 1.15 controller builds.
+  ([#312](https://github.com/Kong/charts/pull/312)).
+
+### Documentation
+
+* Clarified use of `terminationGracePeriodSeconds`.
+  ([#302](https://github.com/Kong/charts/pull/302))
+
 ## 1.15.0
 
 1.15.0 is an interim release before the planned release of 2.0.0. There were

diff --git a/charts/kong/Chart.yaml b/charts/kong/Chart.yaml
@@ -10,5 +10,5 @@ maintainers:
   email: [email protected]
 name: kong
 sources:
-version: 1.15.0
+version: 2.0.0-rc.1
 appVersion: 2.3
diff --git a/charts/kong/README.md b/charts/kong/README.md
@@ -14,17 +14,12 @@ This chart bootstraps all the components needed to run Kong on a
 $ helm repo add kong https://charts.konghq.com
 $ helm repo update
 
-# Helm 2
-$ helm install kong/kong
-
-# Helm 3
-$ helm install kong/kong --generate-name --set ingressController.installCRDs=false
+$ helm install kong/kong --generate-name
 ```
 
 ## Table of contents
 
 - [Prerequisites](#prerequisites)
-- [Helm 2 vs Helm 3](#important-helm-2-vs-helm-3)
 - [Install](#install)
 - [Uninstall](#uninstall)
 - [Kong Enterprise](#kong-enterprise)
@@ -36,7 +31,7 @@ $ helm install kong/kong --generate-name --set ingressController.installCRDs=fal
   - [Separate admin and proxy nodes](#separate-admin-and-proxy-nodes)
   - [Standalone controller nodes](#standalone-controller-nodes)
   - [Hybrid mode](#hybrid-mode)
-  - [CRDs only](#crds-only)
+  - [CRD management](#crd-management)
   - [Sidecar containers](#sidecar-containers)
   - [Example configurations](#example-configurations)
 - [Configuration](#configuration)
@@ -64,30 +59,6 @@ $ helm install kong/kong --generate-name --set ingressController.installCRDs=fal
 - PV provisioner support in the underlying infrastructure if persistence
   is needed for Kong datastore.
 
-## Important: Helm 2 vs Helm 3
-
-Custom Resource Definitions (CRDs) are handled differently in Helm 2 vs Helm 3.
-
-#### Helm 2
-
-If you want CRDs to be installed,
-make sure `ingressController.installCRDs` is set to `true` (the default value).
-Set this value to `false` to skip installing CRDs.
-
-#### Helm 3
-
-Make sure `ingressController.installCRDs` is set to `false`,
-note that the default is `true`.
-You can do so either by passing in a custom `values.yaml`
-(`-f` when running helm)
-or by passing `--set ingressController.installCRDs=false`
-at the command line.
-
-**If you do not set this value to `false`, the helm chart will not install correctly.**
-
-Use helm CLI flag `--skip-crds` with `helm install` if you want to skip
-CRD creation while creating a release.
-
 ## Install
 
 To install Kong:
@@ -96,10 +67,6 @@ To install Kong:
 $ helm repo add kong https://charts.konghq.com
 $ helm repo update
 
-# Helm 2
-$ helm install kong/kong
-
-# Helm 3
 $ helm install kong/kong --generate-name --set ingressController.installCRDs=false
 ```
 
@@ -427,17 +394,37 @@ documentation on Service
 DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/)
 for more detail.
 
-### CRDs only
-
-For Helm 2 installations, CRDs are managed as part of a release, and are
-deleted if the release is. This can cause issues for clusters with multiple
-Kong installations, as one release must remain in place for the rest to
-function. To avoid this, you can create a CRD-only release by setting
-`deployment.kong.enabled: false` and `ingressController.enabled: false`.
-
-On Helm 3, CRDs are created if necessary, but are not managed along with the
-release. Releases can be deleted without affecting CRDs; CRDs are only removed
-if you delete them manually.
+### CRD management
+
+Earlier versions of this chart (<2.0) created CRDs associated with the ingress
+controller as part of the release. This raised two challenges:
+
+- Multiple release of the chart would conflict with one another, as each would
+  attempt to create its own set of CRDs.
+- Because deleting a CRD also deletes any custom resources associated with it,
+  deleting a release of the chart could destroy user configuration without
+  providing any means to restore it.
+
+Helm 3 introduced a simplified CRD management method that was safer, but
+requires some manual work when a chart added or modified CRDs: CRDs are created
+on install if they are not already present, but are not modified during
+release upgrades or deletes. Our chart release upgrade instructions call out
+when manual action is necessary to update CRDs. This CRD handling strategy is
+recommended for most users.
+
+Some users may wish to manage their CRDs automatically. If you manage your CRDs
+this way, we _strongly_ recommend that you back up all associated custom
+resources in the event you need to recover from unintended CRD deletion.
+
+While Helm 3's CRD management system is recommended, there is no simple means
+of migrating away from release-managed CRDs if you previously installed your
+release with the old system (you would need to back up your existing custom
+resources, delete your release, reinstall, and restore your custom resources
+after). As such, the chart detects if you currently use release-managed CRDs
+and continues to use the old CRD templates when using chart version 2.0+. If
+you do (your resources will have a `meta.helm.sh/release-name` annotation), we
+_strongly_ recommend that you back up all associated custom resources in the
+event you need to recover from unintended CRD deletion.
 
 ### Sidecar Containers
 
@@ -564,7 +551,7 @@ section of `values.yaml` file:
 | image.tag                          | Version of the ingress controller                                                     | 0.9.1                                                                        |
 | readinessProbe                     | Kong ingress controllers readiness probe                                              |                                                                              |
 | livenessProbe                      | Kong ingress controllers liveness probe                                               |                                                                              |
-| installCRDs                        | Create CRDs. **FOR HELM3, MAKE SURE THIS VALUE IS SET TO `false`.**  Regardless of value of this, Helm v3+ will install the CRDs if those are not present already. Use `--skip-crds` with `helm install` if you want to skip CRD creation.                 | true                                                                         |
+| installCRDs                        | Creates managed CRDs.                                                                 | false
 | serviceAccount.create              | Create Service Account for ingress controller                                         | true
 | serviceAccount.name                | Use existing Service Account, specify its name                                        | ""
 | serviceAccount.annotations         | Annotations for Service Account                                                       | {}
@@ -594,8 +581,9 @@ For a complete list of all configuration values you can set in the
 | readinessProbe                     | Kong readiness probe                                                                  |                     |
 | livenessProbe                      | Kong liveness probe                                                                   |                     |
 | lifecycle                          | Proxy container lifecycle hooks                                                       | see `values.yaml`   |
-| terminationGracePeriodSeconds      | Related to lifecycle hook                                                             | 30                  |
+| terminationGracePeriodSeconds      | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30                  |
 | affinity                           | Node/pod affinities                                                                   |                     |
+| topologySpreadConstraints          | Control how Pods are spread across cluster among failure-domains                      |                     |
 | nodeSelector                       | Node labels for pod assignment                                                        | `{}`                |
 | deploymentAnnotations              | Annotations to add to deployment                                                      |  see `values.yaml`  |
 | podAnnotations                     | Annotations to add to each pod                                                        | `{}`                |
@@ -676,9 +664,12 @@ configuration can be placed under the `.env` key.
 
 #### Kong Enterprise License
 
-All Kong Enterprise deployments require a license. If you do not have a copy
-of yours, please contact Kong Support. Once you have it, you will need to
-store it in a Secret:
+Kong Enterprise 2.3+ can run with or without a license. If you wish to run 2.3+
+without a license, you can skip this step and leave `enterprise.license_secret`
+unset. Earlier versions require a license.
+
+If you have paid for a license, but you do not have a copy of yours, please
+contact Kong Support. Once you have it, you will need to store it in a Secret:
 
 ```bash
 $ kubectl create secret generic kong-enterprise-license --from-file=license=./license.json