Add appProtocol prefix to Service port names

Changelog: changed

Add appProtocol prefix to Service port names
5efcf454 · Hossein Pursultani · Jason Plum · 83c80f17 · 5efcf454 · 5efcf454
Commit 5efcf454 authored 2 years ago by Hossein Pursultani Committed by Jason Plum 2 years ago
--- a/charts/gitlab/charts/gitaly/templates/_service_spec.yaml
+++ b/charts/gitlab/charts/gitaly/templates/_service_spec.yaml
@@ -3,11 +3,11 @@ spec:
  clusterIP: "None"
  ports:
    - port: {{ coalesce .Values.service.externalPort .Values.global.gitaly.service.externalPort }}
-      name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }}
+      name: grpc-{{ coalesce .Values.service.name .Values.global.gitaly.service.name }}
      targetPort: grpc-gitaly
   {{- if .Values.global.gitaly.tls.enabled }}
    - port: {{ coalesce .Values.service.tls.externalPort .Values.global.gitaly.service.tls.externalPort }}
-      name: {{coalesce  .Values.service.name .Values.global.gitaly.service.name }}-tls
+      name: tls-{{coalesce .Values.service.name .Values.global.gitaly.service.name }}
      targetPort: {{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }}
   {{- end }}
   {{- if .Values.metrics.enabled }}

--- a/charts/gitlab/charts/gitlab-exporter/templates/service.yaml
+++ b/charts/gitlab/charts/gitlab-exporter/templates/service.yaml
@@ -16,7 +16,7 @@ spec:
    - port: {{ .Values.service.externalPort }}
      targetPort: http-metrics
      protocol: TCP
-      name: http-metrics
+      name: {{ .Values.tls.enabled | ternary "https" "http" }}-metrics
  selector:
    {{- include "gitlab.selectorLabels" . | nindent 4 }}
 {{- end }}
--- a/charts/gitlab/charts/gitlab-pages/templates/service-metrics.yaml
+++ b/charts/gitlab/charts/gitlab-pages/templates/service-metrics.yaml
@@ -17,7 +17,7 @@ spec:
    - port: {{ .Values.metrics.port | int }}
      targetPort: http-metrics
      protocol: TCP
-      name: http-metrics
+      name: {{ .Values.metrics.tls.enabled | ternary "https" "http" }}-metrics
  selector:
    app: {{ template "name" . }}
    release: {{ .Release.Name }}

--- a/charts/gitlab/charts/kas/templates/service.yaml
+++ b/charts/gitlab/charts/kas/templates/service.yaml
@@ -27,15 +27,15 @@ spec:
    - port: {{ .Values.service.externalPort }}
      targetPort: {{ .Values.service.internalPort }}
      protocol: TCP
-      name: tcp-{{ template "name" . }}-external-api
+      name: grpc-{{ template "name" . }}-external-api
    - port: {{ .Values.global.kas.service.apiExternalPort }}
      targetPort: {{ .Values.service.apiInternalPort }}
      protocol: TCP
-      name: tcp-{{ template "name" . }}-internal-api
+      name: grpc-{{ template "name" . }}-internal-api
    - port: {{ .Values.service.kubernetesApiPort }}
      targetPort: {{ .Values.service.kubernetesApiPort }}
      protocol: TCP
-      name: tcp-{{ template "name" . }}-k8s-api
+      name: grpc-{{ template "name" . }}-k8s-api
  {{- if .Values.metrics.enabled }}
    - port: {{ .Values.metrics.port }}
      targetPort: http-metrics

--- a/charts/gitlab/charts/praefect/templates/service.yaml
+++ b/charts/gitlab/charts/praefect/templates/service.yaml
@@ -20,12 +20,12 @@ spec:
  type: {{ coalesce .Values.service.type .Values.global.praefect.service.type }}
  clusterIP: None
  ports:
-  - name: {{ coalesce .Values.service.name .Values.global.praefect.service.name }}
+  - name: grpc-{{ coalesce .Values.service.name .Values.global.praefect.service.name }}
    port: {{ include "gitlab.praefect.externalPort" . }}
    protocol: TCP
    targetPort: {{ include "gitlab.praefect.internalPort" . }}
  {{- if $.Values.global.praefect.tls.enabled }}
-  - name: {{ coalesce .Values.service.name .Values.global.praefect.service.name }}-tls
+  - name: tls-{{ coalesce .Values.service.name .Values.global.praefect.service.name }}
    port: {{ include "gitlab.praefect.tls.externalPort" . }}
    protocol: TCP
    targetPort: {{ include "gitlab.praefect.tls.internalPort" . }}

--- a/charts/gitlab/charts/webservice/templates/service.yaml
+++ b/charts/gitlab/charts/webservice/templates/service.yaml
@@ -47,7 +47,7 @@ spec:
    - port: {{ $.Values.service.workhorseExternalPort }}
      targetPort: http-workhorse
      protocol: TCP
-      name: http-workhorse
+      name: {{ $.Values.global.workhorse.tls.enabled | ternary "https" "http" }}-workhorse
    {{- if $.Values.tls.enabled }}
    - port: {{ $.Values.service.tls.externalPort }}
      targetPort: https-ws
@@ -59,13 +59,13 @@ spec:
    - port: {{ $.Values.monitoring.exporter.port }}
      targetPort: http-metrics-ws
      protocol: TCP
-      name: http-metrics-ws
+      name: {{ $.Values.metrics.tls.enabled | ternary "https" "http" }}-metrics-ws
  {{- end }}
  {{- if or $.Values.workhorse.monitoring.exporter.enabled $.Values.workhorse.metrics.enabled }}
    - port: {{ $.Values.workhorse.monitoring.exporter.port }}
      targetPort: http-metrics-wh
      protocol: TCP
-      name: http-metrics-wh
+      name: {{ $.Values.workhorse.monitoring.exporter.tls.enabled | ternary "https" "http" }}-metrics-wh
  {{- end }}
  selector:
    app: {{ template "name" $ }}

--- a/charts/gitlab/charts/webservice/values.yaml
+++ b/charts/gitlab/charts/webservice/values.yaml
@@ -189,7 +189,8 @@ workhorse:
    exporter:
      enabled: false
      port: 9229
-      tls: {}
+      tls:
+        enabled: false
  metrics:
    enabled: false
    port: 9229

--- a/charts/minio/templates/minio_svc.yaml
+++ b/charts/minio/templates/minio_svc.yaml
@@ -19,7 +19,7 @@ spec:
    release: {{ .Release.Name }}
    component: app
  ports:
-    - name: service
+    - name: http
      port: 9000
      targetPort: {{ .Values.servicePort }}
      protocol: TCP

--- a/charts/nginx-ingress/templates/controller-service-internal.yaml
+++ b/charts/nginx-ingress/templates/controller-service-internal.yaml
@@ -35,9 +35,6 @@ spec:
      port: {{ .Values.controller.service.ports.http }}
      protocol: TCP
      targetPort: {{ .Values.controller.service.targetPorts.http }}
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
-      appProtocol: http
-    {{- end }}
    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
      nodePort: {{ .Values.controller.service.nodePorts.http }}
    {{- end }}
@@ -47,9 +44,6 @@ spec:
      port: {{ .Values.controller.service.ports.https }}
      protocol: TCP
      targetPort: {{ .Values.controller.service.targetPorts.https }}
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
-      appProtocol: https
-    {{- end }}
    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
      nodePort: {{ .Values.controller.service.nodePorts.https }}
    {{- end }}

--- a/charts/nginx-ingress/templates/controller-service-webhook.yaml
+++ b/charts/nginx-ingress/templates/controller-service-webhook.yaml
@@ -31,9 +31,6 @@ spec:
    - name: https-webhook
      port: 443
      targetPort: webhook
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
-      appProtocol: https
-    {{- end }}
  selector:
    {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
    component: "{{ .Values.controller.name }}"

--- a/charts/nginx-ingress/templates/controller-service.yaml
+++ b/charts/nginx-ingress/templates/controller-service.yaml
@@ -57,9 +57,6 @@ spec:
      port: {{ .Values.controller.service.ports.http }}
      protocol: TCP
      targetPort: {{ .Values.controller.service.targetPorts.http }}
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
-      appProtocol: http
-    {{- end }}
    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
      nodePort: {{ .Values.controller.service.nodePorts.http }}
    {{- end }}
@@ -69,9 +66,6 @@ spec:
      port: {{ .Values.controller.service.ports.https }}
      protocol: TCP
      targetPort: {{ .Values.controller.service.targetPorts.https }}
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
-      appProtocol: https
-    {{- end }}
    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
      nodePort: {{ .Values.controller.service.nodePorts.https }}
    {{- end }}

--- a/charts/nginx-ingress/templates/default-backend-service.yaml
+++ b/charts/nginx-ingress/templates/default-backend-service.yaml
@@ -32,9 +32,6 @@ spec:
      port: {{ .Values.defaultBackend.service.servicePort }}
      protocol: TCP
      targetPort: http
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
-      appProtocol: http
-    {{- end }}
  selector:
    {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
    component: "{{ .Values.defaultBackend.name }}"

--- a/charts/registry/templates/service.yaml
+++ b/charts/registry/templates/service.yaml
@@ -22,7 +22,7 @@ spec:
  - port: {{ .Values.service.externalPort }}
    targetPort: {{ .Values.tls.enabled | ternary "https" "http" }}
    protocol: TCP
-    name: {{ .Values.service.name }}
+    name: {{ .Values.tls.enabled | ternary "https" "http" }}-{{ .Values.service.name }}
  {{- if (or .Values.metrics.enabled .Values.debug.prometheus.enabled) }}
  - port: {{ .Values.debug.addr.port }}
    targetPort: debug

--- a/doc/installation/tools.md
+++ b/doc/installation/tools.md
@@ -85,6 +85,11 @@ For example, use the following with `helm install`:
 --set global.hosts.externalIP=10.10.10.10
 ```

+#### Compatibility with Istio protocol selection
+
+Service port names follow the convention that is compatible with Istio's [explicit port selection](https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection).
+They look like `<protocol>-<suffix>`, for example `grpc-gitaly` or `https-metrics`.
+
 ### Persistence

 By default the GitLab chart creates Volume Claims with the expectation that a

--- a/spec/configuration/workhorse_spec.rb
+++ b/spec/configuration/workhorse_spec.rb
@@ -65,6 +65,14 @@ describe 'Workhorse configuration' do
  end

  context 'TLS support' do
+    let(:tls_enabled) { false }
+    let(:tls_verify) {}
+    let(:monitoring_enabled) { true }
+    let(:monitoring_tls_enabled) { false }
+    let(:tls_secret_name) {}
+    let(:tls_ca_secret_name) {}
+    let(:tls_custom_ca) {}
+
    let(:tls_values) do
      YAML.safe_load(%(
        global:
@@ -91,14 +99,6 @@ describe 'Workhorse configuration' do
    end

    context 'when TLS is disabled' do
-      let(:tls_enabled) {}
-      let(:tls_verify) {}
-      let(:tls_secret_name) {}
-      let(:tls_ca_secret_name) {}
-      let(:tls_custom_ca) {}
-      let(:monitoring_enabled) { true }
-      let(:monitoring_tls_enabled) {}
-
      let(:template) { HelmTemplate.new(tls_values) }

      it 'renders a TOML configuration file' do
@@ -115,12 +115,6 @@ describe 'Workhorse configuration' do

    context 'when TLS is enabled but custom CA and TLS Secrets are not specified' do
      let(:tls_enabled) { true }
-      let(:tls_verify) {}
-      let(:tls_secret_name) {}
-      let(:tls_ca_secret_name) {}
-      let(:tls_custom_ca) {}
-      let(:monitoring_enabled) {}
-      let(:monitoring_tls_enabled) {}

      let(:template) { HelmTemplate.new(tls_values) }

@@ -136,7 +130,6 @@ describe 'Workhorse configuration' do
      let(:tls_secret_name) { 'webservice-tls-secret' }
      let(:tls_ca_secret_name) { 'custom-ca-secret' }
      let(:tls_custom_ca) { 'secret: custom-ca-secret' }
-      let(:monitoring_enabled) { true }
      let(:monitoring_tls_enabled) { true }

      let(:template) { HelmTemplate.new(tls_values) }
@@ -176,8 +169,7 @@ describe 'Workhorse configuration' do
      let(:tls_secret_name) { 'webservice-tls-secret' }
      let(:tls_ca_secret_name) { 'custom-ca-secret' }
      let(:tls_custom_ca) { 'secret: custom-ca-secret' }
-      let(:monitoring_enabled) {}
-      let(:monitoring_tls_enabled) {}
+      let(:monitoring_enabled) { false }

      let(:template) { HelmTemplate.new(tls_values) }


--- a/values.yaml
+++ b/values.yaml
@@ -657,8 +657,8 @@ global:
    ## https://docs.gitlab.com/charts/installation/secrets#gitlab-workhorse-secret
    # secret:
    # key:
-    tls: {}
-      # enabled: true
+    tls:
+      enabled: false

  ## https://docs.gitlab.com/charts/charts/globals#configure-webservice
  webservice: