Merge pull request #925 from ssurenr/1.9.1-cherrypick-signed

1.9.1 cherrypick signed
F5Networks · Jun 3, 2019 · a22d72f · a22d72f
2 parents 2571a39 + bd69df1
commit a22d72f
Show file tree

Hide file tree

Showing 41 changed files with 25,260 additions and 134 deletions.
diff --git a/.approvals.json b/.approvals.json
@@ -966,6 +966,14 @@
    "category": 3,
    "status": "approved"
  },
+ {
+   "name": "urllib3",
+   "version": "1.24.2",
+   "license": "MIT",
+   "category": 3,
+   "status": "approved"
+ },
+
  {
    "name": "attrs",
    "version": "18.2.0",

diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ F5 BIG-IP Controller for Kubernetes
 ===================================
 
 The F5 BIG-IP Controller for [Kubernetes](http://kubernetes.io/) makes F5 BIG-IP
-[Local Traffic Manager](<https://f5.com/products/big-ip/local-traffic-manager-ltm)
+[Local Traffic Manager](https://f5.com/products/big-ip/local-traffic-manager-ltm)
 services available to applications running in Kubernetes.
 
 Documentation
@@ -55,7 +55,7 @@ git clone https://github.com/f5networks/k8s-bigip-ctlr.git
 cd  k8s-bigip-ctlr
 
 # Use docker to build the release artifacts, into a local "_docker_workspace" directory, then put into docker images
-# Alpine image
+# Debian image
 make prod
 
 OR

diff --git a/build-tools/Dockerfile.debian.runtime b/build-tools/Dockerfile.debian.runtime
@@ -12,12 +12,16 @@ COPY requirements.txt /tmp/requirements.txt
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
         git \
+    && apt-get upgrade -y \
     && pip install --no-cache-dir --upgrade pip \
     && pip install --no-cache-dir -r /tmp/requirements.txt \
     && apt-get remove -y git
 
+# FIXME: Remove this fix once libidn is no longer vulnerable
+RUN apt-get remove -y libidn11
+
 COPY bigip-virtual-server_v*.json $APPPATH/vendor/src/f5/schemas/
-COPY as3-schema-3.10-cis.json $APPPATH/vendor/src/f5/schemas/
+COPY as3-schema-3.11.0-3-cis.json $APPPATH/vendor/src/f5/schemas/
 COPY k8s-bigip-ctlr $APPPATH/bin
 COPY VERSION_BUILD.json $APPPATH/vendor/src/f5/
 

diff --git a/build-tools/Dockerfile.rhel7.runtime b/build-tools/Dockerfile.rhel7.runtime
@@ -43,7 +43,7 @@ RUN microdnf --enablerepo=rhel-7-server-rpms --enablerepo=rhel-7-server-optional
     microdnf clean all
 
 COPY bigip-virtual-server_v*.json $APPPATH/vendor/src/f5/schemas/
-COPY as3-schema-3.10-cis.json $APPPATH/vendor/src/f5/schemas/
+COPY as3-schema-3.11.0-3-cis.json $APPPATH/vendor/src/f5/schemas/
 COPY k8s-bigip-ctlr $APPPATH/bin/k8s-bigip-ctlr.real
 COPY VERSION_BUILD.json $APPPATH/vendor/src/f5/
 

diff --git a/build-tools/build-release-images.sh b/build-tools/build-release-images.sh
@@ -22,7 +22,7 @@ VERSION_INFO=$(${CURDIR}/version-tool version)
 cp $CURDIR/../_docker_workspace/out/$RELEASE_PLATFORM/bin/* $WKDIR/
 cp requirements.txt $WKDIR/
 cp schemas/bigip-virtual-server_v*.json $WKDIR/
-cp schemas/as3-schema-3.10-cis.json $WKDIR/
+cp schemas/as3-schema-3.11.0-3-cis.json $WKDIR/
 cp LICENSE $WKDIR/
 cp $CURDIR/help.md $WKDIR/help.md
 echo "{\"version\": \"${VERSION_INFO}\", \"build\": \"${BUILD_INFO}\"}" \

diff --git a/cmd/k8s-bigip-ctlr/main.go b/cmd/k8s-bigip-ctlr/main.go
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2017,2018, F5 Networks, Inc.
+ * Copyright (c) 2017,2018,2019 F5 Networks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -100,13 +100,14 @@ var (
 	useSecrets        *bool
 	schemaLocal       *string
 
-	bigIPURL        *string
-	bigIPUsername   *string
-	bigIPPassword   *string
-	bigIPPartitions *[]string
-	credsDir        *string
-	as3Validation   *bool
-	sslInsecure     *bool
+	bigIPURL           *string
+	bigIPUsername      *string
+	bigIPPassword      *string
+	bigIPPartitions    *[]string
+	credsDir           *string
+	as3Validation      *bool
+	sslInsecure        *bool
+	trustedCertsCfgmap *string
 
 	vxlanMode        string
 	openshiftSDNName *string
@@ -178,6 +179,8 @@ func _init() {
 		"Optional, when set to false, disables as3 template validation on the controller.")
 	sslInsecure = bigIPFlags.Bool("insecure", false,
 		"Optional, when set to true, enable insecure SSL communication to BIGIP.")
+	trustedCertsCfgmap = bigIPFlags.String("trusted-certs-cfgmap", "",
+		"Optional, when certificates are provided, adds them to controller’s trusted certificate store.")
 
 	bigIPFlags.Usage = func() {
 		fmt.Fprintf(os.Stderr, "  BigIP:\n%s\n", bigIPFlags.FlagUsagesWrapped(width))
@@ -514,6 +517,11 @@ func createLabel(label string) (labels.Selector, error) {
 func setupWatchers(appMgr *appmanager.Manager, resyncPeriod time.Duration) {
 	label := appmanager.DefaultConfigMapLabel
 
+	err := appMgr.SetupAS3Informers()
+	if nil != err {
+		log.Warningf("Failed to add AS3 watcher for all namespaces:%v", err)
+	}
+
 	if len(*namespaceLabel) == 0 {
 		ls, err := createLabel(label)
 		if nil != err {
@@ -599,19 +607,20 @@ func main() {
 	}
 
 	var appMgrParms = appmanager.Params{
-		ConfigWriter:      configWriter,
-		UseNodeInternal:   *useNodeInternal,
-		IsNodePort:        isNodePort,
-		RouteConfig:       routeConfig,
-		NodeLabelSelector: *nodeLabelSelector,
-		ResolveIngress:    *resolveIngNames,
-		DefaultIngIP:      *defaultIngIP,
-		VsSnatPoolName:    *vsSnatPoolName,
-		UseSecrets:        *useSecrets,
-		ManageConfigMaps:  *manageConfigMaps,
-		SchemaLocal:       *schemaLocal,
-		AS3Validation:     *as3Validation,
-		SSLInsecure:       *sslInsecure,
+		ConfigWriter:       configWriter,
+		UseNodeInternal:    *useNodeInternal,
+		IsNodePort:         isNodePort,
+		RouteConfig:        routeConfig,
+		NodeLabelSelector:  *nodeLabelSelector,
+		ResolveIngress:     *resolveIngNames,
+		DefaultIngIP:       *defaultIngIP,
+		VsSnatPoolName:     *vsSnatPoolName,
+		UseSecrets:         *useSecrets,
+		ManageConfigMaps:   *manageConfigMaps,
+		SchemaLocal:        *schemaLocal,
+		AS3Validation:      *as3Validation,
+		SSLInsecure:        *sslInsecure,
+		TrustedCertsCfgmap: *trustedCertsCfgmap,
 	}
 
 	// If running with Flannel, create an event channel that the appManager

diff --git a/cmd/k8s-bigip-ctlr/main_test.go b/cmd/k8s-bigip-ctlr/main_test.go
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2017,2018, F5 Networks, Inc.
+ * Copyright (c) 2017,2018,2019 F5 Networks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/cmd/k8s-bigip-ctlr/pythonDriver.go b/cmd/k8s-bigip-ctlr/pythonDriver.go
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2018, F5 Networks, Inc.
+ * Copyright (c) 2019, F5 Networks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/docs/conf.py b/docs/conf.py
@@ -122,7 +122,7 @@
 .. _Kubernetes clusters: https://kubernetes.io/docs/concepts/cluster-administration/cluster-administration-overview/
 .. _NodePort: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
 .. _ClusterIP: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
-.. _iApps: https://devcentral.f5.com/iapps
+.. _iApps: https://www.f5.com/products/f5-technologies
 .. _Kubernetes pods: https://kubernetes.io/docs/user-guide/pods/
 .. _Kubernetes Ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/
 .. _Kubernetes Secrets: https://kubernetes.io/docs/concepts/configuration/secret/