From bda0eee94a393a84d604e649f9360fc3b5af3253 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Fri, 14 Jun 2024 12:40:50 +0200 Subject: [PATCH] chore: bump ControlPlane default version to 3.2.0 (#327) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: bump ControlPlane default version to 3.2.0 * chore(tests): fix ControlPlane integration test * chore(tests): make linter happy * chore: add usage of kustomize for KIC's webhook config generation * chore(tests): do not set images but instead allow operator defaults to be used --------- Co-authored-by: Grzegorz BurzyƄski --- CHANGELOG.md | 2 + config/rbac/role/role.yaml | 16 + hack/generators/kic/kustomize.go | 43 ++ .../kic/webhook-config-generator/main.go | 30 +- internal/versions/controlplane.go | 5 +- .../resources/clusterrole_helpers_test.go | 20 +- ...d_controlplane_clusterrole_ge3_1_lt3_2.go} | 6 +- ...enerated_controlplane_clusterrole_ge3_2.go | 641 ++++++++++++++++++ ...ng_ingress_controller_rbac_ge3_1_lt3_2.go} | 0 ...ated_kong_ingress_controller_rbac_ge3_2.go | 66 ++ .../zz_generated_kic_ge3_1_lt3_2.go | 341 ++++++++++ .../zz_generated_kic_ge3_2.go | 405 +++++++++++ .../zz_generated_clusterrole_helpers.go | 14 +- ...z_generated_kic_validatingwebhookconfig.go | 15 +- test/conformance/conformance_test.go | 1 - test/e2e/test_helm_install_upgrade.go | 12 +- test/integration/test_controlplane.go | 31 +- 17 files changed, 1610 insertions(+), 38 deletions(-) create mode 100644 hack/generators/kic/kustomize.go rename pkg/utils/kubernetes/resources/clusterroles/{zz_generated_controlplane_clusterrole_ge3_1.go => zz_generated_controlplane_clusterrole_ge3_1_lt3_2.go} (98%) create mode 100755 pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_2.go rename pkg/utils/kubernetes/resources/clusterroles/{zz_generated_kong_ingress_controller_rbac_ge3_1.go => zz_generated_kong_ingress_controller_rbac_ge3_1_lt3_2.go} (100%) create mode 100755 
pkg/utils/kubernetes/resources/clusterroles/zz_generated_kong_ingress_controller_rbac_ge3_2.go create mode 100644 pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_ge3_1_lt3_2.go create mode 100644 pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_ge3_2.go diff --git a/CHANGELOG.md b/CHANGELOG.md index 762be27b3..46240efb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -50,6 +50,8 @@ replaced by a proper set of labels to identify `kind`, `namespace`, and `name` of the owning object. [#259](https://github.com/Kong/gateway-operator/pull/259) +- Default version of `ControlPlane` is bumped to 3.2.0 + [#327](https://github.com/Kong/gateway-operator/pull/327) ### Fixes diff --git a/config/rbac/role/role.yaml b/config/rbac/role/role.yaml index c1c0bb007..48267f297 100644 --- a/config/rbac/role/role.yaml +++ b/config/rbac/role/role.yaml @@ -123,6 +123,22 @@ rules: - get - patch - update +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update - apiGroups: - configuration.konghq.com resources: diff --git a/hack/generators/kic/kustomize.go b/hack/generators/kic/kustomize.go new file mode 100644 index 000000000..e078399ba --- /dev/null +++ b/hack/generators/kic/kustomize.go 
@@ -0,0 +1,43 @@
+package kic
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "log"
+ "os/exec"
+)
+
+// BuildKustomizeForURLAndRef runs kustomize build for the provided URL and ref.
+// It returns the output of the kustomize build command.
+func BuildKustomizeForURLAndRef(ctx context.Context, url, ref string) ([]byte, error) {
+ kustomizeResourceURL := fmt.Sprintf("%s?ref=%s", url, ref)
+
+ log.Printf("Running 'kustomize build %s'\n", kustomizeResourceURL)
+ cmd := exec.CommandContext(ctx, "kustomize", "build", kustomizeResourceURL)
+ stdout, err := cmd.StdoutPipe()
+ if err != nil {
+ return nil, err
+ }
+ stderr, err := cmd.StderrPipe()
+ if err != nil {
+ return nil, err
+ }
+
+ if err := cmd.Start(); err != nil {
+ return nil, fmt.Errorf("failed to start kustomize command %v: %w", cmd, err)
+ }
+ b, err := io.ReadAll(stdout)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read kustomize stdout: %w", err)
+ }
+ berr, err := io.ReadAll(stderr)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read kustomize stderr: %w", err)
+ }
+ if err := cmd.Wait(); err != nil {
+ return nil, fmt.Errorf("failed to wait for kustomize to finish, output %s: %w", string(berr), err)
+ }
+
+ return b, nil
+}
diff --git a/hack/generators/kic/webhook-config-generator/main.go b/hack/generators/kic/webhook-config-generator/main.go
index 22962d14b..8f0c12e6f 100644
--- a/hack/generators/kic/webhook-config-generator/main.go
+++ b/hack/generators/kic/webhook-config-generator/main.go
@@ -2,11 +2,13 @@ package main

 import (
 "bytes"
+ "context"
 "fmt"
 "log"
 "os"
 "text/template"

+ "github.com/kong/semver/v4"
 "github.com/samber/lo"
 admregv1 "k8s.io/api/admissionregistration/v1"
 "k8s.io/apimachinery/pkg/util/yaml"
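Review bot: In `BuildKustomizeForURLAndRef` (hack/generators/kic/kustomize.go) stdout is read to EOF before stderr is touched, so a kustomize run that fills the stderr pipe while stdout is still open can block both processes. The error returns after `cmd.Start()` also skip `cmd.Wait()`, leaving the child unreaped. Capturing both streams in buffers and calling `cmd.Run()` removes both problems; this needs the `bytes` import in place of `io`. Separately, `url` and `ref` are joined into `%s?ref=%s` unescaped and `kustomize` is resolved from PATH, so the doc comment should state that both arguments must be trusted, fixed values, as the constant URL and `v`+semver tag passed in this patch are.

```go
func BuildKustomizeForURLAndRef(ctx context.Context, url, ref string) ([]byte, error) {
	// … unchanged: kustomizeResourceURL construction and log line …
	cmd := exec.CommandContext(ctx, "kustomize", "build", kustomizeResourceURL)
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return nil, fmt.Errorf("failed to run kustomize command %v, output %s: %w", cmd, stderr.String(), err)
	}
	return stdout.Bytes(), nil
}
```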
@@ -18,25 +20,41 @@ import (

 const (
 validatingWebhookConfigurationPath = "config/webhook/manifests.yaml"
+ validatingWebhookConfigurationKustomizeURL = "https://github.com/kong/kubernetes-ingress-controller/config/webhook"
 validatingWebhookConfigurationGeneratorForVersionOutputPath = "pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_%s.go"
 validatingWebhookConfigurationGeneratorMasterOutputPath = "pkg/utils/kubernetes/resources/zz_generated_kic_validatingwebhookconfig.go"
 )

 func main() {
- generateHelpersForAllConfiguredVersions()
+ generateHelpersForAllConfiguredVersions(context.Background())
 generateMasterHelper()
 }

 // generateHelpersForAllConfiguredVersions iterates over kicversions.ManifestsVersionsForKICVersions map and generates
 // GenerateValidatingWebhookConfigurationForKIC_{versionConstraint} function for each configured version.
-func generateHelpersForAllConfiguredVersions() {
+func generateHelpersForAllConfiguredVersions(ctx context.Context) {
 for versionConstraint, version := range kicversions.ManifestsVersionsForKICVersions {
 log.Printf("Generating ValidatingWebhook Configuration for KIC versions %s (using manifests: %s)\n", versionConstraint, version)

- // Download KIC-generated ValidatingWebhookConfiguration.
- manifestContent, err := kic.GetFileFromKICRepositoryForVersion(validatingWebhookConfigurationPath, version)
- if err != nil {
- log.Fatalf("Failed to download %s from KIC repository: %s", validatingWebhookConfigurationPath, err)
+ var (
+ manifestContent []byte
+ err error
+ )
+ // Before KIC 3.2 config/webhook directory contained only the generated manifes YAML.
+ // 3.2 and later versions contain a kustomization.yaml file that use the patches from config/webhook
+ // directory to generate the ValidatingWebhookConfiguration.
+ if version.LT(semver.MustParse("3.2.0")) {
+ // Download KIC-generated ValidatingWebhookConfiguration.
+ manifestContent, err = kic.GetFileFromKICRepositoryForVersion(validatingWebhookConfigurationPath, version)
+ if err != nil {
+ log.Fatalf("Failed to download %s from KIC repository: %s", validatingWebhookConfigurationPath, err)
+ }
+ } else {
+ // Generate ValidatingWebhookConfiguration using KIC's webhook kustomize dir.
+ manifestContent, err = kic.BuildKustomizeForURLAndRef(ctx, validatingWebhookConfigurationKustomizeURL, "v"+version.String())
+ if err != nil {
+ log.Fatalf("Failed to generate KIC's ValidatingWebhookConfiguration based on %s: %s", validatingWebhookConfigurationKustomizeURL, err)
+ }
 }

 // Get rid of the YAML objects separator as we know there's only one ValidatingWebhookConfiguration in the file.
diff --git a/internal/versions/controlplane.go b/internal/versions/controlplane.go
index 9ae01c33d..bca648ed4 100644
--- a/internal/versions/controlplane.go
+++ b/internal/versions/controlplane.go
@@ -13,7 +13,7 @@ const (
 // and those tests create KIC's URLs for things like roles or CRDs.
 // Since KIC only defines the full tags in its repo (as expected) we cannot use
 // a partial version here, as it would not match KIC's tag.
- DefaultControlPlaneVersion = "3.1.3" // renovate: datasource=docker depName=kong/kubernetes-ingress-controller
+ DefaultControlPlaneVersion = "3.2.0" // renovate: datasource=docker depName=kong/kubernetes-ingress-controller
 )

 // minimumControlPlaneVersion indicates the bare minimum version of the
@@ -34,7 +34,8 @@ var minimumControlPlaneVersion = semver.MustParse("3.1.2")
 // the release 5.0, a new entry '">=5.0": "5.0"' should be added to this map, and the previous most
 // updated entry should be limited to "<5.0".
 var ManifestsVersionsForKICVersions = map[string]semver.Version{
- ">=3.1": semver.MustParse("3.1.3"),
+ ">=3.2": semver.MustParse("3.2.0"),
+ ">=3.1, <3.2": semver.MustParse("3.1.6"),
 }

 // IsControlPlaneImageVersionSupported is a helper intended to validate the
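Review bot: The kustomize branch of `generateHelpersForAllConfiguredVersions` (webhook-config-generator/main.go, hunk at -18) builds from a remote directory at the tag `"v"+version.String()`, and a tag can be moved upstream, so a regeneration can change the committed ValidatingWebhookConfiguration helpers without any change in this repository. A comment on `validatingWebhookConfigurationKustomizeURL` such as `// Fetched by tag at generation time; review the regenerated zz_generated_kic_*.go diff before committing.` would make that expectation explicit. `main` passes `context.Background()`, so a stalled fetch never times out; wrapping it with `context.WithTimeout` (duration of your choosing) would bound the run. Smaller points: `semver.MustParse("3.2.0")` is re-parsed on every loop iteration and could be a package-level variable, and the new comment misspells "manifest" as `manifes`.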
diff --git a/pkg/utils/kubernetes/resources/clusterrole_helpers_test.go b/pkg/utils/kubernetes/resources/clusterrole_helpers_test.go
index 2ba2b0ff8..bb6c54776 100644
--- a/pkg/utils/kubernetes/resources/clusterrole_helpers_test.go
+++ b/pkg/utils/kubernetes/resources/clusterrole_helpers_test.go
@@ -23,7 +23,7 @@ func TestClusterroleHelpers(t *testing.T) {
 controlplane: "test_3.1.2",
 image: "kong/kubernetes-ingress-controller:3.1.2",
 expectedClusterRole: func() *rbacv1.ClusterRole {
- cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_3.1.2")
+ cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1_lt3_2("test_3.1.2")
 resources.LabelObjectAsControlPlaneManaged(cr)
 return cr
 },
@@ -33,7 +33,7 @@ func TestClusterroleHelpers(t *testing.T) {
 image: "kong/kubernetes-ingress-controller:3.1",
 devMode: true,
 expectedClusterRole: func() *rbacv1.ClusterRole {
- cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_3.1_dev")
+ cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("test_3.1_dev")
 resources.LabelObjectAsControlPlaneManaged(cr)
 return cr
 },
@@ -48,7 +48,7 @@ func TestClusterroleHelpers(t *testing.T) {
 image: "kong/kubernetes-ingress-controller:3.0.0",
 devMode: true,
 expectedClusterRole: func() *rbacv1.ClusterRole {
- cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_3.0_dev")
+ cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("test_3.0_dev")
 resources.LabelObjectAsControlPlaneManaged(cr)
 return cr
 },
@@ -63,7 +63,7 @@ func TestClusterroleHelpers(t *testing.T) {
 image: "kong/kubernetes-ingress-controller:1.0",
 devMode: true,
 expectedClusterRole: func() *rbacv1.ClusterRole {
- cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_unsupported_dev")
+ cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("test_unsupported_dev")
 resources.LabelObjectAsControlPlaneManaged(cr)
 return cr
 },
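Review bot: The dev-mode cases for images `:3.1`, `:3.0.0` and `:1.0` (hunks at -33, -48, -63) and for `test/development:main` (hunk at -78) now expect `GenerateNewClusterRoleForControlPlane_ge3_2`, but nothing in the table says why an older or unparsable tag maps to the newest role. It looks like dev mode falls back to the latest generated ClusterRole, which hands an older controller the 3.2 rule set, including the `kongcustomentities` rules added by this patch. A comment on these cases such as `// devMode: unsupported or unparsable versions fall back to the newest ClusterRole` would record that this is intended rather than an accident of the bump. The non-dev cases visible here cover 3.1.2 and 3.2.0 only; a case at the upper edge of `>=3.1, <3.2` (the patch pins 3.1.6 for that range) would fix the boundary. `TestClusterroleHelpers` starts and ends outside these hunks.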
@@ -78,7 +78,17 @@ func TestClusterroleHelpers(t *testing.T) {
 image: "test/development:main",
 devMode: true,
 expectedClusterRole: func() *rbacv1.ClusterRole {
- cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1("test_invalid_tag_dev")
+ cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("test_invalid_tag_dev")
+ resources.LabelObjectAsControlPlaneManaged(cr)
+ return cr
+ },
+ },
+ {
+ controlplane: "cp-3-2-0",
+ image: "kong/kubernetes-ingress-controller:3.2.0",
+ devMode: false,
+ expectedClusterRole: func() *rbacv1.ClusterRole {
+ cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2("cp-3-2-0")
 resources.LabelObjectAsControlPlaneManaged(cr)
 return cr
 },
diff --git a/pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_1.go b/pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_1_lt3_2.go
similarity index 98%
rename from pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_1.go
rename to pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_1_lt3_2.go
index 9efb2d7ac..9772548a5 100755
--- a/pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_1.go
+++ b/pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_1_lt3_2.go
@@ -15,10 +15,10 @@ import ( // ClusterRole generator // ----------------------------------------------------------------------------- -// GenerateNewClusterRoleForControlPlane_ge3_1 is a helper to generate a ClusterRole +// GenerateNewClusterRoleForControlPlane_ge3_1_lt3_2 is a helper to generate a ClusterRole // resource with all the permissions needed by the controlplane deployment. -// It is used for controlplanes that match the semver constraint ">=3.1" -func GenerateNewClusterRoleForControlPlane_ge3_1(controlplaneName string) *rbacv1.ClusterRole { +// It is used for controlplanes that match the semver constraint ">=3.1, <3.2" +func GenerateNewClusterRoleForControlPlane_ge3_1_lt3_2(controlplaneName string) *rbacv1.ClusterRole { return &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ GenerateName: k8sutils.TrimGenerateName(fmt.Sprintf("%s-", controlplaneName)), diff --git a/pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_2.go b/pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_2.go new file mode 100755 index 000000000..2aa70e301 --- /dev/null +++ b/pkg/utils/kubernetes/resources/clusterroles/zz_generated_controlplane_clusterrole_ge3_2.go 
@@ -0,0 +1,641 @@ +// This file is generated by /hack/generators/kic/role-generator. DO NOT EDIT. + +package clusterroles + +import ( + "fmt" + + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + k8sutils "github.com/kong/gateway-operator/pkg/utils/kubernetes" +) + +// ----------------------------------------------------------------------------- +// ClusterRole generator +// ----------------------------------------------------------------------------- + +// GenerateNewClusterRoleForControlPlane_ge3_2 is a helper to generate a ClusterRole +// resource with all the permissions needed by the controlplane deployment. +// It is used for controlplanes that match the semver constraint ">=3.2" +func GenerateNewClusterRoleForControlPlane_ge3_2(controlplaneName string) *rbacv1.ClusterRole { + return &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: k8sutils.TrimGenerateName(fmt.Sprintf("%s-", controlplaneName)), + Labels: map[string]string{ + "app": controlplaneName, + }, + }, + Rules: []rbacv1.PolicyRule{ + + { + APIGroups: []string{ + "apiextensions.k8s.io", + }, + Resources: []string{ + "customresourcedefinitions", + }, + Verbs: []string{ + "list", "watch", + }, + }, + + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "events", + }, + Verbs: []string{ + "create", "patch", + }, + }, + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "nodes", + }, + Verbs: []string{ + "list", "watch", + }, + }, + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "pods", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "secrets", + }, + Verbs: []string{ + "list", "watch", + }, + }, + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "services", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "services/status", + }, + Verbs: []string{ + "get", 
"patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "ingressclassparameterses", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongclusterplugins", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongclusterplugins/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongconsumergroups", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongconsumergroups/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongconsumers", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongconsumers/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongcustomentities", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongcustomentities/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongingresses", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongingresses/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: 
[]string{ + "konglicenses", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "konglicenses/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongplugins", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongplugins/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongupstreampolicies", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongupstreampolicies/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongvaults", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "kongvaults/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "tcpingresses", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "tcpingresses/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "udpingresses", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "configuration.konghq.com", + }, + Resources: []string{ + "udpingresses/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "discovery.k8s.io", + }, 
+ Resources: []string{ + "endpointslices", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "httproutes", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "incubator.ingress-controller.konghq.com", + }, + Resources: []string{ + "kongservicefacades", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "incubator.ingress-controller.konghq.com", + }, + Resources: []string{ + "kongservicefacades/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "networking.k8s.io", + }, + Resources: []string{ + "ingressclasses", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "networking.k8s.io", + }, + Resources: []string{ + "ingresses", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "networking.k8s.io", + }, + Resources: []string{ + "ingresses/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "configmaps", + }, + Verbs: []string{ + "get", "list", "watch", "create", "update", "patch", "delete", + }, + }, + { + APIGroups: []string{ + "coordination.k8s.io", + }, + Resources: []string{ + "leases", + }, + Verbs: []string{ + "get", "list", "watch", "create", "update", "patch", "delete", + }, + }, + + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "namespaces", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "gatewayclasses", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "gatewayclasses/status", + }, + Verbs: []string{ + "get", "update", + }, + }, + { + APIGroups: []string{ + 
"gateway.networking.k8s.io", + }, + Resources: []string{ + "gateways", + }, + Verbs: []string{ + "get", "list", "update", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "gateways/status", + }, + Verbs: []string{ + "get", "update", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "grpcroutes", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "grpcroutes/status", + }, + Verbs: []string{ + "get", "patch", "update", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "httproutes/status", + }, + Verbs: []string{ + "get", "update", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "referencegrants", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "referencegrants/status", + }, + Verbs: []string{ + "get", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "tcproutes", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "tcproutes/status", + }, + Verbs: []string{ + "get", "update", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "tlsroutes", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "tlsroutes/status", + }, + Verbs: []string{ + "get", "update", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + Resources: []string{ + "udproutes", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, + { + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + 
Resources: []string{ + "udproutes/status", + }, + Verbs: []string{ + "get", "update", + }, + }, + }, + } +} diff --git a/pkg/utils/kubernetes/resources/clusterroles/zz_generated_kong_ingress_controller_rbac_ge3_1.go b/pkg/utils/kubernetes/resources/clusterroles/zz_generated_kong_ingress_controller_rbac_ge3_1_lt3_2.go similarity index 100% rename from pkg/utils/kubernetes/resources/clusterroles/zz_generated_kong_ingress_controller_rbac_ge3_1.go rename to pkg/utils/kubernetes/resources/clusterroles/zz_generated_kong_ingress_controller_rbac_ge3_1_lt3_2.go diff --git a/pkg/utils/kubernetes/resources/clusterroles/zz_generated_kong_ingress_controller_rbac_ge3_2.go b/pkg/utils/kubernetes/resources/clusterroles/zz_generated_kong_ingress_controller_rbac_ge3_2.go new file mode 100755 index 000000000..809ef0449 --- /dev/null +++ b/pkg/utils/kubernetes/resources/clusterroles/zz_generated_kong_ingress_controller_rbac_ge3_2.go 
@@ -0,0 +1,66 @@ +// This file is generated by /hack/generators/kic/role-generator. DO NOT EDIT. + +package clusterroles + +// ----------------------------------------------------------------------------- +// Kong Ingress Controller - RBAC +// ----------------------------------------------------------------------------- + +//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=list;watch + +//+kubebuilder:rbac:groups=core,resources=events,verbs=create;patch +//+kubebuilder:rbac:groups=core,resources=nodes,verbs=list;watch +//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch +//+kubebuilder:rbac:groups=core,resources=secrets,verbs=list;watch +//+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch +//+kubebuilder:rbac:groups=core,resources=services/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=ingressclassparameterses,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongclusterplugins,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongclusterplugins/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcustomentities,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcustomentities/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongingresses,verbs=get;list;watch 
+//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongingresses/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=konglicenses,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=konglicenses/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongplugins,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongplugins/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongupstreampolicies,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongupstreampolicies/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongvaults,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongvaults/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=tcpingresses,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=tcpingresses/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=udpingresses,verbs=get;list;watch +//+kubebuilder:rbac:groups=configuration.konghq.com,resources=udpingresses/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;list;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch +//+kubebuilder:rbac:groups=incubator.ingress-controller.konghq.com,resources=kongservicefacades,verbs=get;list;watch +//+kubebuilder:rbac:groups=incubator.ingress-controller.konghq.com,resources=kongservicefacades/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=networking.k8s.io,resources=ingressclasses,verbs=get;list;watch +//+kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch 
+//+kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses/status,verbs=get;patch;update + +//+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete + +//+kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses,verbs=get;list;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses/status,verbs=get;update +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;update;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=grpcroutes,verbs=get;list;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=grpcroutes/status,verbs=get;patch;update +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes/status,verbs=get;update +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=referencegrants,verbs=get;list;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=referencegrants/status,verbs=get +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tcproutes,verbs=get;list;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tcproutes/status,verbs=get;update +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tlsroutes,verbs=get;list;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tlsroutes/status,verbs=get;update +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=udproutes,verbs=get;list;watch +//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=udproutes/status,verbs=get;update 
diff --git a/pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_ge3_1_lt3_2.go b/pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_ge3_1_lt3_2.go new file mode 100644 index 000000000..4d28713c6 --- /dev/null +++ b/pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_ge3_1_lt3_2.go 
@@ -0,0 +1,341 @@ +// This file is generated by /hack/generators/kic/webhook-config-generator. DO NOT EDIT. + +package validatingwebhookconfig + +import ( + "github.com/samber/lo" + admregv1 "k8s.io/api/admissionregistration/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// GenerateValidatingWebhookConfigurationForKIC_ge3_1_lt3_2 generates a ValidatingWebhookConfiguration for KIC >=3.1, <3.2. +func GenerateValidatingWebhookConfigurationForKIC_ge3_1_lt3_2(name string, clientConfig admregv1.WebhookClientConfig) *admregv1.ValidatingWebhookConfiguration { + return &admregv1.ValidatingWebhookConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + Webhooks: []admregv1.ValidatingWebhook{ + { + Name: "httproutes.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + APIVersions: []string{ + "v1", + "v1beta1", + }, + Resources: []string{ + "httproutes", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "ingresses.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "networking.k8s.io", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "ingresses", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongclusterplugins.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "kongclusterplugins", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongconsumergroups.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1beta1", + }, + Resources: []string{ + "kongconsumergroups", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongconsumers.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "kongconsumers", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongingresses.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "kongingresses", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongplugins.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "kongplugins", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongvaults.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1alpha1", + }, + Resources: []string{ + "kongvaults", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "secrets.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "secrets", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "services.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "services", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + }, + } +} diff --git a/pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_ge3_2.go b/pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_ge3_2.go new file mode 100644 index 000000000..f588a0567 --- /dev/null +++ b/pkg/utils/kubernetes/resources/validatingwebhookconfig/zz_generated_kic_ge3_2.go 
@@ -0,0 +1,405 @@ +// This file is generated by /hack/generators/kic/webhook-config-generator. DO NOT EDIT. + +package validatingwebhookconfig + +import ( + "github.com/samber/lo" + admregv1 "k8s.io/api/admissionregistration/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// GenerateValidatingWebhookConfigurationForKIC_ge3_2 generates a ValidatingWebhookConfiguration for KIC >=3.2. +func GenerateValidatingWebhookConfigurationForKIC_ge3_2(name string, clientConfig admregv1.WebhookClientConfig) *admregv1.ValidatingWebhookConfiguration { + return &admregv1.ValidatingWebhookConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + Webhooks: []admregv1.ValidatingWebhook{ + { + Name: "secrets.credentials.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "secrets", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "secrets.plugins.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "secrets", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "httproutes.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "gateway.networking.k8s.io", + }, + APIVersions: []string{ + "v1", + "v1beta1", + }, + Resources: []string{ + "httproutes", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "ingresses.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "networking.k8s.io", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "ingresses", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongclusterplugins.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "kongclusterplugins", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongconsumergroups.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1beta1", + }, + Resources: []string{ + "kongconsumergroups", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongconsumers.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "kongconsumers", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongcustomentities.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1alpha1", + }, + Resources: []string{ + "kongcustomentities", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongingresses.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "kongingresses", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongplugins.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "kongplugins", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "kongvaults.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. + FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "configuration.konghq.com", + }, + APIVersions: []string{ + "v1alpha1", + }, + Resources: []string{ + "kongvaults", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + { + Name: "services.validation.ingress-controller.konghq.com", + ClientConfig: clientConfig, + // We're using 'Ignore' failure policy to avoid issues with modifying resources when webhook-backing + // Deployments (ControlPlane and DataPlane) are not available. + // See https://github.com/Kong/gateway-operator/issues/1564 for more details. 
+ FailurePolicy: lo.ToPtr(admregv1.Ignore), + MatchPolicy: lo.ToPtr(admregv1.MatchPolicyType("Equivalent")), + SideEffects: lo.ToPtr(admregv1.SideEffectClass("None")), + AdmissionReviewVersions: []string{ + "v1", + }, + Rules: []admregv1.RuleWithOperations{ + { + Rule: admregv1.Rule{ + APIGroups: []string{ + "", + }, + APIVersions: []string{ + "v1", + }, + Resources: []string{ + "services", + }, + }, + Operations: []admregv1.OperationType{ + "CREATE", + "UPDATE", + }, + }, + }, + }, + }, + } +} diff --git a/pkg/utils/kubernetes/resources/zz_generated_clusterrole_helpers.go b/pkg/utils/kubernetes/resources/zz_generated_clusterrole_helpers.go index 48817cef5..3543028ca 100755 --- a/pkg/utils/kubernetes/resources/zz_generated_clusterrole_helpers.go +++ b/pkg/utils/kubernetes/resources/zz_generated_clusterrole_helpers.go @@ -60,12 +60,22 @@ func GenerateNewClusterRoleForControlPlane(controlplaneName string, image string return nil, err } - constraint, err = semver.NewConstraint(">=3.1") + constraint, err = semver.NewConstraint(">=3.1, <3.2") if err != nil { return nil, err } if constraint.Check(semVersion) { - cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1(controlplaneName) + cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_1_lt3_2(controlplaneName) + LabelObjectAsControlPlaneManaged(cr) + return cr, nil + } + + constraint, err = semver.NewConstraint(">=3.2") + if err != nil { + return nil, err + } + if constraint.Check(semVersion) { + cr := clusterroles.GenerateNewClusterRoleForControlPlane_ge3_2(controlplaneName) LabelObjectAsControlPlaneManaged(cr) return cr, nil } diff --git a/pkg/utils/kubernetes/resources/zz_generated_kic_validatingwebhookconfig.go b/pkg/utils/kubernetes/resources/zz_generated_kic_validatingwebhookconfig.go index d891fb08f..0b13bd799 100644 --- a/pkg/utils/kubernetes/resources/zz_generated_kic_validatingwebhookconfig.go +++ b/pkg/utils/kubernetes/resources/zz_generated_kic_validatingwebhookconfig.go 
@@ -54,12 +54,23 @@ func GenerateValidatingWebhookConfigurationForControlPlane(webhookName string, i var constraint *semver.Constraints - constraint, err = semver.NewConstraint(">=3.1") + constraint, err = semver.NewConstraint(">=3.1, <3.2") if err != nil { return nil, err } if constraint.Check(semVersion) { - cfg := webhook.GenerateValidatingWebhookConfigurationForKIC_ge3_1(webhookName, clientConfig) + cfg := webhook.GenerateValidatingWebhookConfigurationForKIC_ge3_1_lt3_2(webhookName, clientConfig) + pkgapisadmregv1.SetObjectDefaults_ValidatingWebhookConfiguration(cfg) + LabelObjectAsControlPlaneManaged(cfg) + return cfg, nil + } + + constraint, err = semver.NewConstraint(">=3.2") + if err != nil { + return nil, err + } + if constraint.Check(semVersion) { + cfg := webhook.GenerateValidatingWebhookConfigurationForKIC_ge3_2(webhookName, clientConfig) pkgapisadmregv1.SetObjectDefaults_ValidatingWebhookConfiguration(cfg) LabelObjectAsControlPlaneManaged(cfg) return cfg, nil diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index 10a57060a..175eeed03 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go @@ -190,7 +190,6 @@ func createGatewayConfiguration(ctx context.Context, t *testing.T, c Conformance Value: "off", }, }, - Image: "kong/kubernetes-ingress-controller:3.2.0", }, }, }, diff --git a/test/e2e/test_helm_install_upgrade.go b/test/e2e/test_helm_install_upgrade.go index c628d80db..649d4f99c 100644 --- a/test/e2e/test_helm_install_upgrade.go +++ b/test/e2e/test_helm_install_upgrade.go @@ -24,7 +24,6 @@ import ( k8sutils "github.com/kong/gateway-operator/pkg/utils/kubernetes" testutils "github.com/kong/gateway-operator/pkg/utils/test" "github.com/kong/gateway-operator/pkg/vars" - "github.com/kong/gateway-operator/test/helpers" ) func init() { 
@@ -360,10 +359,11 @@ func deploymentReadyConditions() []appsv1.DeploymentCondition {
 func splitRepoVersionFromImage(t *testing.T, image string) (string, string) {
 splitImage := strings.Split(image, ":")
- if len(splitImage) != 2 {
+ l := len(splitImage)
+ if l < 2 {
 t.Fatalf("image %q does not contain a tag", image)
 }
- return splitImage[0], splitImage[1]
+ return strings.Join(splitImage[:l-1], ":"), splitImage[l-1]
 }
 func baseGatewayConfigurationSpec() operatorv1beta1.GatewayConfigurationSpec {
@@ -375,8 +375,7 @@ func baseGatewayConfigurationSpec() operatorv1beta1.GatewayConfigurationSpec {
 Spec: corev1.PodSpec{
 Containers: []corev1.Container{
 {
- Name: consts.DataPlaneProxyContainerName,
- Image: helpers.GetDefaultDataPlaneImage(),
+ Name: consts.DataPlaneProxyContainerName,
 ReadinessProbe: &corev1.Probe{
 InitialDelaySeconds: 1,
 PeriodSeconds: 1,
@@ -394,8 +393,7 @@ func baseGatewayConfigurationSpec() operatorv1beta1.GatewayConfigurationSpec {
 Spec: corev1.PodSpec{
 Containers: []corev1.Container{
 {
- Name: consts.ControlPlaneControllerContainerName,
- Image: consts.DefaultControlPlaneImage,
+ Name: consts.ControlPlaneControllerContainerName,
 ReadinessProbe: &corev1.Probe{
 InitialDelaySeconds: 1,
 PeriodSeconds: 1,
diff --git a/test/integration/test_controlplane.go b/test/integration/test_controlplane.go
index a5fac7d4d..0af40399c 100644
--- a/test/integration/test_controlplane.go
+++ b/test/integration/test_controlplane.go
@@ -14,6 +14,7 @@ import (
 "github.com/stretchr/testify/require"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+ netv1 "k8s.io/api/networking/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 k8serrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
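Review bot: In `splitRepoVersionFromImage` (hunk `@@ -360,10 +359,11 @@`), the relaxed `l < 2` check no longer guarantees that the last element is a tag. A reference with a registry port and no tag (constructed example: `localhost:5000/kong`) splits into two parts and returns `5000/kong` as the version, and a digest-pinned reference of the form `repo@sha256:<hex>` returns the hex digest as the version with `repo@sha256` as the repository. Splitting on the last colon and rejecting a suffix that contains `/` keeps the multi-colon support this hunk adds while still failing on tag-less images: `i := strings.LastIndex(image, ":")`, `if i < 0 || strings.Contains(image[i+1:], "/") { t.Fatalf("image %q does not contain a tag", image) }`, `return image[:i], image[i+1:]`. If digest references can reach this helper, they need their own branch on `@` so a digest is never passed on as a version string.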
@@ -344,7 +345,7 @@ func TestControlPlaneEssentials(t *testing.T) {
 require.Eventually(t, testutils.ControlPlaneHasAdmissionWebhookConfiguration(t, GetCtx(), controlplane, clients), testutils.ControlPlaneCondDeadline, testutils.ControlPlaneCondTick)
 t.Log("verifying controlplane's webhook is functional")
- eventuallyVerifyControlPlaneWebhookIsFunctional(t, GetCtx(), clients)
+ eventuallyVerifyControlPlaneWebhookIsFunctional(t, GetCtx(), client.NewNamespacedClient(clients.MgrClient, namespace.Name))
 t.Log("verifying that controlplane's ClusterRole is patched if it goes out of sync")
 clusterRoles = testutils.MustListControlPlaneClusterRoles(t, GetCtx(), controlplane, clients)
@@ -453,24 +454,34 @@ func verifyControlPlaneDeploymentAdmissionWebhookMount(t *testing.T, deployment
 // eventuallyVerifyControlPlaneWebhookIsFunctional verifies that the controlplane validating webhook
 // is functional by creating a resource that should be rejected by the webhook and verifying that
 // it is rejected.
-func eventuallyVerifyControlPlaneWebhookIsFunctional(t *testing.T, ctx context.Context, clients testutils.K8sClients) {
+func eventuallyVerifyControlPlaneWebhookIsFunctional(t *testing.T, ctx context.Context, cl client.Client) {
 require.Eventually(t, func() bool {
- keyAuthSecretWithNoKey := corev1.Secret{
+ ing := netv1.Ingress{
 ObjectMeta: metav1.ObjectMeta{
- GenerateName: "test-cred-",
- Namespace: "default",
- Labels: map[string]string{
- "konghq.com/credential": "key-auth",
+ GenerateName: "test-ingress-",
+ Annotations: map[string]string{
+ "konghq.com/protocols": "invalid",
+ },
+ },
+ Spec: netv1.IngressSpec{
+ IngressClassName: lo.ToPtr(ingressClass),
+ DefaultBackend: &netv1.IngressBackend{
+ Service: &netv1.IngressServiceBackend{
+ Name: "test",
+ Port: netv1.ServiceBackendPort{
+ Number: 8080,
+ },
+ },
 },
 },
 }
- err := clients.MgrClient.Create(ctx, &keyAuthSecretWithNoKey)
+ err := cl.Create(ctx, &ing)
 if err == nil {
- t.Log("ControlPlane webhook accepted an invalid secret, retrying and waiting for webhook to become functional")
+ t.Logf("ControlPlane webhook accepted an invalid Ingress %s, retrying and waiting for webhook to become functional", client.ObjectKeyFromObject(&ing))
 return false
 }
- if !strings.Contains(err.Error(), "admission webhook \"secrets.validation.ingress-controller.konghq.com\" denied the request") {
+ if !strings.Contains(err.Error(), "admission webhook \"ingresses.validation.ingress-controller.konghq.com\" denied the request") {
 t.Logf("unexpected error: %v", err)
 return false
 }
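Review bot: In the `err == nil` branch of `eventuallyVerifyControlPlaneWebhookIsFunctional`, the Ingress that was just admitted is only logged and never deleted, so every retry before the webhook starts serving leaves another `test-ingress-` object annotated `konghq.com/protocols: invalid` in the namespace, presumably for the controller under test to reconcile. The generated webhook configurations in this commit set `FailurePolicy` to `Ignore`, so this fail-open window is expected during start-up rather than exceptional. Deleting the object before returning keeps the namespace clean: `if derr := cl.Delete(ctx, &ing); derr != nil { t.Logf("deleting admitted Ingress: %v", derr) }`. Separately, the check now proves only `ingresses.validation.ingress-controller.konghq.com`; unless another test covers it, the Secret credential validation that the removed lines exercised is no longer verified for the new default version. The closure and the function body continue past the end of the hunk.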