chore: bump ControlPlane default version to 3.2.0 (#327)

* chore: bump ControlPlane default version to 3.2.0

* chore(tests): fix ControlPlane integration test

* chore(tests): make linter happy

* chore: add usage of kustomize for KIC's webhook config generation

* chore(tests): do not set images but instead allow operator defaults to be used

---------

Co-authored-by: Grzegorz Burzyński <[email protected]>

CHANGELOG.md

@@ -50,6 +50,8 @@
   replaced by a proper set of labels to identify `kind`, `namespace`, and
   `name` of the owning object.
   [#259](https://github.com/Kong/gateway-operator/pull/259)
+- Default version of `ControlPlane` is bumped to 3.2.0
+  [#327](https://github.com/Kong/gateway-operator/pull/327)
 
 ### Fixes
 

config/rbac/role/role.yaml

@@ -123,6 +123,22 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongcustomentities
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongcustomentities/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - configuration.konghq.com
   resources:

hack/generators/kic/kustomize.go

@@ -0,0 +1,43 @@
+package kic
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log"
+	"os/exec"
+)
+
+// BuildKustomizeForURLAndRef runs kustomize build for the provided URL and ref.
+// It returns the output of the kustomize build command.
+func BuildKustomizeForURLAndRef(ctx context.Context, url, ref string) ([]byte, error) {
+	kustomizeResourceURL := fmt.Sprintf("%s?ref=%s", url, ref)
+
+	log.Printf("Running 'kustomize build %s'\n", kustomizeResourceURL)
+	cmd := exec.CommandContext(ctx, "kustomize", "build", kustomizeResourceURL)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, err
+	}
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, err
+	}
+
+	if err := cmd.Start(); err != nil {
+		return nil, fmt.Errorf("failed to start kustomize command %v: %w", cmd, err)
+	}
+	b, err := io.ReadAll(stdout)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read kustomize stdout: %w", err)
+	}
+	berr, err := io.ReadAll(stderr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read kustomize stderr: %w", err)
+	}
+	if err := cmd.Wait(); err != nil {
+		return nil, fmt.Errorf("failed to wait for kustomize to finish, output %s: %w", string(berr), err)
+	}
+
+	return b, nil
+}

hack/generators/kic/webhook-config-generator/main.go

@@ -2,11 +2,13 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"log"
 	"os"
 	"text/template"
 
+	"github.com/kong/semver/v4"
 	"github.com/samber/lo"
 	admregv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/util/yaml"
@@ -18,25 +20,41 @@ import (
 
 const (
 	validatingWebhookConfigurationPath                          = "config/webhook/manifests.yaml"
+	validatingWebhookConfigurationKustomizeURL                  = "https://github.com/kong/kubernetes-ingress-controller/config/webhook"
 	validatingWebhookConfigurationGeneratorForVersionOutputPath = "pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_%s.go"
 	validatingWebhookConfigurationGeneratorMasterOutputPath     = "pkg/utils/kubernetes/resources/zz_generated_kic_validatingwebhookconfig.go"
 )
 
 func main() {
-	generateHelpersForAllConfiguredVersions()
+	generateHelpersForAllConfiguredVersions(context.Background())
 	generateMasterHelper()
 }
 
 // generateHelpersForAllConfiguredVersions iterates over kicversions.ManifestsVersionsForKICVersions map and generates
 // GenerateValidatingWebhookConfigurationForKIC_{versionConstraint} function for each configured version.
-func generateHelpersForAllConfiguredVersions() {
+func generateHelpersForAllConfiguredVersions(ctx context.Context) {
 	for versionConstraint, version := range kicversions.ManifestsVersionsForKICVersions {
 		log.Printf("Generating ValidatingWebhook Configuration for KIC versions %s (using manifests: %s)\n", versionConstraint, version)
 
-		// Download KIC-generated ValidatingWebhookConfiguration.
-		manifestContent, err := kic.GetFileFromKICRepositoryForVersion(validatingWebhookConfigurationPath, version)
-		if err != nil {
-			log.Fatalf("Failed to download %s from KIC repository: %s", validatingWebhookConfigurationPath, err)
+		var (
+			manifestContent []byte
+			err             error
+		)
+		// Before KIC 3.2 config/webhook directory contained only the generated manifes YAML.
+		// 3.2 and later versions contain a kustomization.yaml file that use the patches from config/webhook
+		// directory to generate the ValidatingWebhookConfiguration.
+		if version.LT(semver.MustParse("3.2.0")) {
+			// Download KIC-generated ValidatingWebhookConfiguration.
+			manifestContent, err = kic.GetFileFromKICRepositoryForVersion(validatingWebhookConfigurationPath, version)
+			if err != nil {
+				log.Fatalf("Failed to download %s from KIC repository: %s", validatingWebhookConfigurationPath, err)
+			}
+		} else {
+			// Generate ValidatingWebhookConfiguration using KIC's webhook kustomize dir.
+			manifestContent, err = kic.BuildKustomizeForURLAndRef(ctx, validatingWebhookConfigurationKustomizeURL, "v"+version.String())
+			if err != nil {
+				log.Fatalf("Failed to generate KIC's ValidatingWebhookConfiguration based on %s: %s", validatingWebhookConfigurationKustomizeURL, err)
+			}
 		}
 
 		// Get rid of the YAML objects separator as we know there's only one ValidatingWebhookConfiguration in the file.

internal/versions/controlplane.go

@@ -13,7 +13,7 @@ const (
 	// and those tests create KIC's URLs for things like roles or CRDs.
 	// Since KIC only defines the full tags in its repo (as expected) we cannot use
 	// a partial version here, as it would not match KIC's tag.
-	DefaultControlPlaneVersion = "3.1.3" // renovate: datasource=docker depName=kong/kubernetes-ingress-controller
+	DefaultControlPlaneVersion = "3.2.0" // renovate: datasource=docker depName=kong/kubernetes-ingress-controller
 )
 
 // minimumControlPlaneVersion indicates the bare minimum version of the
@@ -34,7 +34,8 @@ var minimumControlPlaneVersion = semver.MustParse("3.1.2")
 // the release 5.0, a new entry '">=5.0": "5.0"' should be added to this map, and the previous most
 // updated entry should be limited to "<5.0".
 var ManifestsVersionsForKICVersions = map[string]semver.Version{
-	">=3.1": semver.MustParse("3.1.3"),
+	">=3.2":       semver.MustParse("3.2.0"),
+	">=3.1, <3.2": semver.MustParse("3.1.6"),
 }
 
 // IsControlPlaneImageVersionSupported is a helper intended to validate the

pkg/utils/kubernetes/resources/clusterrole_helpers_test.go

@@ -23,7 +23,7 @@ func TestClusterroleHelpers(t *testing.T) {
 			controlplane: "test_3.1.2",
 			image:        "kong/kubernetes-ingress-controller:3.1.2",
 			expectedClusterRole: func() *rbacv1.ClusterRole {
-				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_3.1.2")
+				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1_lt3_2("test_3.1.2")
 				resources.LabelObjectAsControlPlaneManaged(cr)
 				return cr
 			},
@@ -33,7 +33,7 @@ func TestClusterroleHelpers(t *testing.T) {
 			image:        "kong/kubernetes-ingress-controller:3.1",
 			devMode:      true,
 			expectedClusterRole: func() *rbacv1.ClusterRole {
-				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_3.1_dev")
+				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("test_3.1_dev")
 				resources.LabelObjectAsControlPlaneManaged(cr)
 				return cr
 			},
@@ -48,7 +48,7 @@ func TestClusterroleHelpers(t *testing.T) {
 			image:        "kong/kubernetes-ingress-controller:3.0.0",
 			devMode:      true,
 			expectedClusterRole: func() *rbacv1.ClusterRole {
-				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_3.0_dev")
+				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("test_3.0_dev")
 				resources.LabelObjectAsControlPlaneManaged(cr)
 				return cr
 			},
@@ -63,7 +63,7 @@ func TestClusterroleHelpers(t *testing.T) {
 			image:        "kong/kubernetes-ingress-controller:1.0",
 			devMode:      true,
 			expectedClusterRole: func() *rbacv1.ClusterRole {
-				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_unsupported_dev")
+				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("test_unsupported_dev")
 				resources.LabelObjectAsControlPlaneManaged(cr)
 				return cr
 			},
@@ -78,7 +78,17 @@ func TestClusterroleHelpers(t *testing.T) {
 			image:        "test/development:main",
 			devMode:      true,
 			expectedClusterRole: func() *rbacv1.ClusterRole {
-				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_invalid_tag_dev")
+				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("test_invalid_tag_dev")
+				resources.LabelObjectAsControlPlaneManaged(cr)
+				return cr
+			},
+		},
+		{
+			controlplane: "cp-3-2-0",
+			image:        "kong/kubernetes-ingress-controller:3.2.0",
+			devMode:      false,
+			expectedClusterRole: func() *rbacv1.ClusterRole {
+				cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("cp-3-2-0")
 				resources.LabelObjectAsControlPlaneManaged(cr)
 				return cr
 			},