Make it possible to set nodePort in services (#931)

bianchi2 · web-flow · commit d05e942cacf5 · 2024-12-17T10:02:46.000+11:00
* Make it possible to set nodePort in services

* Fix copy-pasted comment

* Define nodeport for synchrony svc

* Fix unit tests

* Add docs

---------

Co-authored-by: Yevhen Ivantsov &lt;yivantsov@atlassian.com&gt;
diff --git a/docs/docs/userguide/CONFIGURATION.md b/docs/docs/userguide/CONFIGURATION.md
@@ -56,7 +56,7 @@ jira:
           timeoutSeconds: 10800
 ```
 
-The service port will be exposed on a random port from the ephemeral port range (`30000`-`32767`) on all worker nodes. You can provision a LoadBalancer with `443` or `80` (or both) listeners that will forward traffic to the node port (you can get service node port by running `kubectl describe $service -n $namespace`). Both LoadBalancer and Kubernetes service should be configured to maintain session affinity. LoadBalancer session affinity should be configured as per instructions for your Kubernetes/cloud provider. Service session affinity is configured by overriding the default Helm chart values (see the above example). Make sure you configure networking rules to allow the LoadBalancer to communicate with the Kubernetes cluster worker node on the node port.
+The service port will be exposed on a random port from the ephemeral port range (`30000`-`32767`) on all worker nodes. It is possible to explicitly set NodePort in `service.nodePort` (make sure it's not reserved for any existing service in the cluster). You can provision a LoadBalancer with `443` or `80` (or both) listeners that will forward traffic to the node port (you can get service node port by running `kubectl describe $service -n $namespace`). Both LoadBalancer and Kubernetes service should be configured to maintain session affinity. LoadBalancer session affinity should be configured as per instructions for your Kubernetes/cloud provider. Service session affinity is configured by overriding the default Helm chart values (see the above example). Make sure you configure networking rules to allow the LoadBalancer to communicate with the Kubernetes cluster worker node on the node port.
 
 !!!tip
     For more information about Kubernetes service session affinity, see [Kubernetes documentation](https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity){.external}.
diff --git a/src/main/charts/bamboo/README.md b/src/main/charts/bamboo/README.md
@@ -87,6 +87,7 @@ Kubernetes: `>=1.21.x-0`
 | bamboo.service.annotations | object | `{}` | Additional annotations to apply to the Service  |
 | bamboo.service.contextPath | string | `nil` | The Tomcat context path that Bamboo will use. The ATL_TOMCAT_CONTEXTPATH will be set automatically.  |
 | bamboo.service.loadBalancerIP | string | `nil` | Use specific loadBalancerIP. Only applies to service type LoadBalancer.  |
+| bamboo.service.nodePort | string | `nil` |  Only applicable if service.type is NodePort. NodePort for Bamboo service  |
 | bamboo.service.port | int | `80` | The port on which the Bamboo K8s Service will listen for http traffic  |
 | bamboo.service.sessionAffinity | string | `"None"` | Session affinity type. If you want to make sure that connections from a particular client are passed to the same pod each time, set sessionAffinity to ClientIP. See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity  |
 | bamboo.service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":null}}` | Session affinity configuration  |
diff --git a/src/main/charts/bamboo/templates/service.yaml b/src/main/charts/bamboo/templates/service.yaml
@@ -24,5 +24,8 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+      {{- if and (eq .Values.bamboo.service.type "NodePort") .Values.bamboo.service.nodePort}}
+      nodePort: {{ .Values.bamboo.service.nodePort }}
+      {{- end }}
   selector:
   {{- include "common.labels.selectorLabels" . | nindent 4 }}
diff --git a/src/main/charts/bamboo/values.yaml b/src/main/charts/bamboo/values.yaml
@@ -568,6 +568,10 @@ bamboo:
     #
     type: ClusterIP
 
+    # --  Only applicable if service.type is NodePort. NodePort for Bamboo service
+    #
+    nodePort:
+
     # -- Session affinity type. If you want to make sure that connections from a particular client
     # are passed to the same pod each time, set sessionAffinity to ClientIP.
     # See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
diff --git a/src/main/charts/bitbucket/README.md b/src/main/charts/bitbucket/README.md
@@ -122,20 +122,23 @@ Kubernetes: `>=1.21.x-0`
 | bitbucket.service.annotations | object | `{}` | Additional annotations to apply to the Service  |
 | bitbucket.service.contextPath | string | `nil` | The context path that Bitbucket will use.  |
 | bitbucket.service.loadBalancerIP | string | `nil` | Use specific loadBalancerIP. Only applies to service type LoadBalancer.  |
+| bitbucket.service.nodePort | string | `nil` |  Only applicable if service.type is NodePort. NodePort for Bitbucket service  |
 | bitbucket.service.port | int | `80` | The port on which the Bitbucket K8s HTTP Service will listen  |
 | bitbucket.service.sessionAffinity | string | `"None"` | Session affinity type. If you want to make sure that connections from a particular client are passed to the same pod each time, set sessionAffinity to ClientIP. See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity  |
 | bitbucket.service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":null}}` | Session affinity configuration  |
 | bitbucket.service.sessionAffinityConfig.clientIP.timeoutSeconds | string | `nil` | Specifies the seconds of ClientIP type session sticky time. The value must be > 0 && <= 86400 (for 1 day) if ServiceAffinity == "ClientIP". Default value is 10800 (for 3 hours).  |
+| bitbucket.service.sshNodePort | string | `nil` | SSH  Only applicable if service.type is NodePort. NodePort for Bitbucket service  |
 | bitbucket.service.sshPort | int | `7999` | The port on which the Bitbucket K8s SSH Service will listen  |
 | bitbucket.service.type | string | `"ClusterIP"` | The type of K8s service to use for Bitbucket  |
 | bitbucket.setPermissions | bool | `true` | Boolean to define whether to set local home directory permissions on startup of Bitbucket container. Set to 'false' to disable this behaviour.  |
 | bitbucket.shutdown.command | string | `"/shutdown-wait.sh"` | By default pods will be stopped via a [preStop hook](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/), using a script supplied by the Docker image. If any other shutdown behaviour is needed it can be achieved by overriding this value. Note that the shutdown command needs to wait for the application shutdown completely before exiting; see [the default command](https://bitbucket.org/atlassian-docker/docker-atlassian-bitbucket-server/src/master/shutdown-wait.sh) for details.  |
 | bitbucket.shutdown.terminationGracePeriodSeconds | int | `35` | The termination grace period for pods during shutdown. This should be set to the Bitbucket internal grace period (default 30 seconds), plus a small buffer to allow the JVM to fully terminate.  |
-| bitbucket.sshService | object | `{"annotations":{},"enabled":false,"host":null,"loadBalancerIP":null,"port":22,"type":"LoadBalancer"}` | Enable or disable an additional service for exposing SSH for external access. Disable when the SSH service is exposed through the ingress controller, or enable if the ingress controller does not support TCP.  |
+| bitbucket.sshService | object | `{"annotations":{},"enabled":false,"host":null,"loadBalancerIP":null,"nodePort":null,"port":22,"type":"LoadBalancer"}` | Enable or disable an additional service for exposing SSH for external access. Disable when the SSH service is exposed through the ingress controller, or enable if the ingress controller does not support TCP.  |
 | bitbucket.sshService.annotations | object | `{}` | Annotations for the SSH service. Useful if a load balancer controller needs extra annotations.  |
 | bitbucket.sshService.enabled | bool | `false` | Set to 'true' if an additional SSH Service should be created  |
 | bitbucket.sshService.host | string | `nil` | The hostname of the SSH service. If set, it'll be used to configure the SSH base URL for the application.  |
 | bitbucket.sshService.loadBalancerIP | string | `nil` | Use specific loadBalancerIP. Only applies to service type LoadBalancer.  |
+| bitbucket.sshService.nodePort | string | `nil` |  Only applicable if service.type is NodePort. NodePort for Bitbucket ssh service  |
 | bitbucket.sshService.port | int | `22` | Port to expose the SSH service on.  |
 | bitbucket.sshService.type | string | `"LoadBalancer"` | SSH Service type  |
 | bitbucket.startupProbe.enabled | bool | `false` | Whether to apply the startupProbe check to pod.  |
diff --git a/src/main/charts/bitbucket/templates/service.yaml b/src/main/charts/bitbucket/templates/service.yaml
@@ -25,10 +25,16 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+      {{- if and (eq .Values.bitbucket.service.type "NodePort") .Values.bitbucket.service.nodePort}}
+      nodePort: {{ .Values.bitbucket.service.nodePort }}
+      {{- end }}
     - port: {{ .Values.bitbucket.service.sshPort }}
       targetPort: ssh
       protocol: TCP
       name: ssh
+      {{- if and (eq .Values.bitbucket.service.type "NodePort") .Values.bitbucket.service.sshNodePort}}
+      nodePort: {{ .Values.bitbucket.service.sshNodePort }}
+      {{- end }}
   {{- if not .Values.bitbucket.hazelcastService.enabled }}
     - port: {{ .Values.bitbucket.ports.hazelcast }}
       targetPort: hazelcast
diff --git a/src/main/charts/bitbucket/values.yaml b/src/main/charts/bitbucket/values.yaml
@@ -542,6 +542,14 @@ bitbucket:
     #
     type: ClusterIP
 
+    # --  Only applicable if service.type is NodePort. NodePort for Bitbucket service
+    #
+    nodePort:
+
+    # -- SSH  Only applicable if service.type is NodePort. NodePort for Bitbucket service
+    #
+    sshNodePort:
+
     # -- Session affinity type. If you want to make sure that connections from a particular client
     # are passed to the same pod each time, set sessionAffinity to ClientIP.
     # See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
@@ -593,6 +601,10 @@ bitbucket:
     #
     type: LoadBalancer
 
+    # --  Only applicable if service.type is NodePort. NodePort for Bitbucket ssh service
+    #
+    nodePort:
+
     # -- Use specific loadBalancerIP. Only applies to service type LoadBalancer.
     #
     loadBalancerIP:
diff --git a/src/main/charts/confluence/README.md b/src/main/charts/confluence/README.md
@@ -88,6 +88,7 @@ Kubernetes: `>=1.21.x-0`
 | confluence.service.annotations | object | `{}` | Additional annotations to apply to the Service  |
 | confluence.service.contextPath | string | `nil` | The Tomcat context path that Confluence will use. The ATL_TOMCAT_CONTEXTPATH will be set automatically.  |
 | confluence.service.loadBalancerIP | string | `nil` | Use specific loadBalancerIP. Only applies to service type LoadBalancer.  |
+| confluence.service.nodePort | string | `nil` |  Only applicable if service.type is NodePort. NodePort for Confluence service  |
 | confluence.service.port | int | `80` | The port on which the Confluence K8s Service will listen  |
 | confluence.service.sessionAffinity | string | `"None"` | Session affinity type. If you want to make sure that connections from a particular client are passed to the same pod each time, set sessionAffinity to ClientIP. See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity  |
 | confluence.service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":null}}` | Session affinity configuration  |
@@ -223,6 +224,7 @@ Kubernetes: `>=1.21.x-0`
 | synchrony.securityContextEnabled | bool | `true` |  |
 | synchrony.service.annotations | object | `{}` | Annotations to apply to Synchrony Service  |
 | synchrony.service.loadBalancerIP | string | `nil` | Use specific loadBalancerIP. Only applies to service type LoadBalancer.  |
+| synchrony.service.nodePort | string | `nil` |  Only applicable if service.type is NodePort. NodePort for Synchrony service  |
 | synchrony.service.port | int | `80` | The port on which the Synchrony K8s Service will listen  |
 | synchrony.service.type | string | `"ClusterIP"` | The type of K8s service to use for Synchrony  |
 | synchrony.setPermissions | bool | `true` | Boolean to define whether to set synchrony home directory permissions on startup of Synchrony container. Set to 'false' to disable this behaviour.  |
diff --git a/src/main/charts/confluence/templates/service-synchrony.yaml b/src/main/charts/confluence/templates/service-synchrony.yaml
@@ -26,6 +26,9 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+      {{- if and (eq .Values.synchrony.service.type "NodePort") .Values.synchrony.service.nodePort}}
+      nodePort: {{ .Values.synchrony.service.nodePort }}
+      {{- end }}
     - port: {{ .Values.synchrony.ports.hazelcast }}
       targetPort: hazelcast
       protocol: TCP
diff --git a/src/main/charts/confluence/templates/service.yaml b/src/main/charts/confluence/templates/service.yaml
@@ -24,6 +24,9 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+      {{- if and (eq .Values.confluence.service.type "NodePort") .Values.confluence.service.nodePort}}
+      nodePort: {{ .Values.confluence.service.nodePort }}
+      {{- end }}
   {{- if not .Values.confluence.hazelcastService.enabled }}
     - port: {{ .Values.confluence.ports.hazelcast }}
       targetPort: hazelcast
diff --git a/src/main/charts/confluence/values.yaml b/src/main/charts/confluence/values.yaml
@@ -583,6 +583,10 @@ confluence:
     #
     type: ClusterIP
 
+    # --  Only applicable if service.type is NodePort. NodePort for Confluence service
+    #
+    nodePort:
+
     # -- Session affinity type. If you want to make sure that connections from a particular client
     # are passed to the same pod each time, set sessionAffinity to ClientIP.
     # See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
@@ -1210,6 +1214,10 @@ synchrony:
     #
     type: ClusterIP
 
+    # --  Only applicable if service.type is NodePort. NodePort for Synchrony service
+    #
+    nodePort:
+
     # -- Use specific loadBalancerIP. Only applies to service type LoadBalancer.
     #
     loadBalancerIP:
diff --git a/src/main/charts/crowd/README.md b/src/main/charts/crowd/README.md
@@ -70,6 +70,7 @@ Kubernetes: `>=1.21.x-0`
 | crowd.service.annotations | object | `{}` | Additional annotations to apply to the Service  |
 | crowd.service.contextPath | string | `"/crowd"` | The Tomcat context path that Crowd will use. The ATL_TOMCAT_CONTEXTPATH will be set automatically.  |
 | crowd.service.loadBalancerIP | string | `nil` | Use specific loadBalancerIP. Only applies to service type LoadBalancer.  |
+| crowd.service.nodePort | string | `nil` |  Only applicable if service.type is NodePort. NodePort for Crowd service  |
 | crowd.service.port | int | `80` | The port on which the Crowd K8s Service will listen  |
 | crowd.service.sessionAffinity | string | `"None"` | Session affinity type. If you want to make sure that connections from a particular client are passed to the same pod each time, set sessionAffinity to ClientIP. See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity  |
 | crowd.service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":null}}` | Session affinity configuration  |
diff --git a/src/main/charts/crowd/templates/service.yaml b/src/main/charts/crowd/templates/service.yaml
@@ -24,5 +24,8 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+      {{- if and (eq .Values.crowd.service.type "NodePort") .Values.crowd.service.nodePort}}
+      nodePort: {{ .Values.crowd.service.nodePort }}
+      {{- end }}
   selector:
     {{- include "common.labels.selectorLabels" . | nindent 4 }}
diff --git a/src/main/charts/crowd/values.yaml b/src/main/charts/crowd/values.yaml
@@ -116,6 +116,10 @@ crowd:
     #
     type: ClusterIP
 
+    # --  Only applicable if service.type is NodePort. NodePort for Crowd service
+    #
+    nodePort:
+
     # -- Session affinity type. If you want to make sure that connections from a particular client
     # are passed to the same pod each time, set sessionAffinity to ClientIP.
     # See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
diff --git a/src/main/charts/jira/README.md b/src/main/charts/jira/README.md
@@ -121,6 +121,7 @@ Kubernetes: `>=1.21.x-0`
 | jira.service.annotations | object | `{}` | Additional annotations to apply to the Service  |
 | jira.service.contextPath | string | `nil` | The Tomcat context path that Jira will use. The ATL_TOMCAT_CONTEXTPATH will be set automatically.  |
 | jira.service.loadBalancerIP | string | `nil` | Use specific loadBalancerIP. Only applies to service type LoadBalancer.  |
+| jira.service.nodePort | string | `nil` |  Only applicable if service.type is NodePort. NodePort for Jira service  |
 | jira.service.port | int | `80` | The port on which the Jira K8s Service will listen  |
 | jira.service.sessionAffinity | string | `"None"` | Session affinity type. If you want to make sure that connections from a particular client are passed to the same pod each time, set sessionAffinity to ClientIP. See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity  |
 | jira.service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":null}}` | Session affinity configuration  |
diff --git a/src/main/charts/jira/templates/service.yaml b/src/main/charts/jira/templates/service.yaml
@@ -24,5 +24,8 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+      {{- if and (eq .Values.jira.service.type "NodePort") .Values.jira.service.nodePort}}
+      nodePort: {{ .Values.jira.service.nodePort }}
+      {{- end }}
   selector:
     {{- include "common.labels.selectorLabels" . | nindent 4 }}
diff --git a/src/main/charts/jira/values.yaml b/src/main/charts/jira/values.yaml
@@ -473,6 +473,10 @@ jira:
     #
     type: ClusterIP
 
+    # --  Only applicable if service.type is NodePort. NodePort for Jira service
+    #
+    nodePort:
+
     # -- Session affinity type. If you want to make sure that connections from a particular client
     # are passed to the same pod each time, set sessionAffinity to ClientIP.
     # See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
diff --git a/src/test/java/test/ServiceTest.java b/src/test/java/test/ServiceTest.java
@@ -30,7 +30,11 @@ void initHelm(TestInfo testInfo) {
     void service_port_type(Product product) throws Exception {
         final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
                 product + ".service.port", "1234",
-                product + ".service.type", "NodePort"
+                product + ".service.type", "NodePort",
+                product + ".service.nodePort", "30001",
+                product + ".service.sshNodePort", "30002",
+                "synchrony.enabled", "true"
+
         ));
 
         final var service = resources.get(Kind.Service, Service.class, product.getHelmReleaseName());
@@ -39,6 +43,17 @@ void service_port_type(Product product) throws Exception {
                 .hasTextEqualTo("NodePort");
         assertThat(service.getPort("http"))
                 .hasValueSatisfying(node -> assertThat(node.path("port")).hasValueEqualTo(1234));
+        assertThat(service.getPort("http"))
+                .hasValueSatisfying(node -> assertThat(node.path("nodePort")).hasValueEqualTo(30001));
+        if (product.name().equals("bitbucket")) {
+            assertThat(service.getPort("ssh"))
+                    .hasValueSatisfying(node -> assertThat(node.path("nodePort")).hasValueEqualTo(30002));
+        }
+        if (product.name().equals("confluence")) {
+            final var synchronyService = resources.get(Kind.Service, Service.class, product.getHelmReleaseName());
+            assertThat(synchronyService.getPort("http"))
+                    .hasValueSatisfying(node -> assertThat(node.path("nodePort")).hasValueEqualTo(30001));
+        }
     }
 
     @ParameterizedTest
diff --git a/src/test/resources/expected_helm_output/bamboo/output.yaml b/src/test/resources/expected_helm_output/bamboo/output.yaml
@@ -161,6 +161,7 @@ data:
         annotations: {}
         contextPath: null
         loadBalancerIP: null
+        nodePort: null
         port: 80
         sessionAffinity: None
         sessionAffinityConfig:
diff --git a/src/test/resources/expected_helm_output/bitbucket/output.yaml b/src/test/resources/expected_helm_output/bitbucket/output.yaml
@@ -233,11 +233,13 @@ data:
         annotations: {}
         contextPath: null
         loadBalancerIP: null
+        nodePort: null
         port: 80
         sessionAffinity: None
         sessionAffinityConfig:
           clientIP:
             timeoutSeconds: null
+        sshNodePort: null
         sshPort: 7999
         type: ClusterIP
       setPermissions: true
@@ -249,6 +251,7 @@ data:
         enabled: false
         host: null
         loadBalancerIP: null
+        nodePort: null
         port: 22
         type: LoadBalancer
       startupProbe:
diff --git a/src/test/resources/expected_helm_output/confluence/output.yaml b/src/test/resources/expected_helm_output/confluence/output.yaml
@@ -163,6 +163,7 @@ data:
         annotations: {}
         contextPath: null
         loadBalancerIP: null
+        nodePort: null
         port: 80
         sessionAffinity: None
         sessionAffinityConfig:
@@ -364,6 +365,7 @@ data:
       service:
         annotations: {}
         loadBalancerIP: null
+        nodePort: null
         port: 80
         type: ClusterIP
       setPermissions: true
diff --git a/src/test/resources/expected_helm_output/crowd/output.yaml b/src/test/resources/expected_helm_output/crowd/output.yaml
@@ -143,6 +143,7 @@ data:
         annotations: {}
         contextPath: /crowd
         loadBalancerIP: null
+        nodePort: null
         port: 80
         sessionAffinity: None
         sessionAffinityConfig:
diff --git a/src/test/resources/expected_helm_output/jira/output.yaml b/src/test/resources/expected_helm_output/jira/output.yaml
@@ -203,6 +203,7 @@ data:
         annotations: {}
         contextPath: null
         loadBalancerIP: null
+        nodePort: null
         port: 80
         sessionAffinity: None
         sessionAffinityConfig:
