From cb133fb946a13d16ca43d81233ba1ba903c475e4 Mon Sep 17 00:00:00 2001 From: Scott Cotton Date: Mon, 18 Sep 2023 15:17:09 +0200 Subject: [PATCH 1/7] docs for new istio params and new auditor image params --- signadot/operator/README.md | 11 +++++++++++ signadot/operator/values.yaml | 16 +++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index 396c3b0..b25abc2 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md @@ -110,6 +110,8 @@ style resources and are not needed in an installation which uses the new | `tunnel.api.imagePullPolicy` | Tunnel API image pull policy | `IfNotPresent` | | `tunnel.proxy.image` | Tunnel Proxy image override | `signadot/tunnel-proxy:vX.Y.Z` | | `tunnel.proxy.imagePullPolicy` | Tunnel Proxy image pull policy | `IfNotPresent` | +| `tunnel.auditor.image` | Tunnel Auditor image override | `signadot/tunnel-auditor:vX.Y.Z` | +| `tunnel.auditor.imagePullPolicy` | Tunnel Auditor image pull policy | `IfNotPresent` | | `tunnel.auditor.init.image` | Tunnel Auditor init image override | `signadot/tunnel-auditor-init:vX.Y.Z` | | `tunnel.auditor.init.imagePullPolicy` | Tunnel Auditor init image pull policy | `IfNotPresent` | 
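Review bot: the default given for the new `tunnel.auditor.image` row, `signadot/tunnel-auditor:vX.Y.Z`, is not the default this series settles on (PATCH 2/7 changes it to `envoyproxy/envoy:v1.26.1`), so the row should state the real default from the start. Because every tunnel connection passes through this Envoy auditor (see the `inboundRulesLuaScript` / `outboundRulesLuaScript` rows in the next hunk), it is also worth a sentence on how the auditor image version is pinned and who bumps it, so operators know when the code inspecting their traffic changes.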
@@ -132,3 +134,12 @@ style resources and are not needed in an installation which uses the new | `tunnel.auditor.inboundRulesLuaScript` | All inbound traffic (from cluster to workstation) will pass thru this script (if defined) in the Envoy auditor, check [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api) documentation for details | `""` | | `tunnel.auditor.outboundRulesLuaScript` | All outbound traffic (from workstation to cluster) will pass thru this script (if defined) in the Envoy auditor, check [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api) documentation for details | `""` | | | | | +### Istio Parameters + +The Signadot Operator manipulates istio objects when istio VirtualServices are applied to workloads in sandboxes. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added if not present when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. + + +| Name | Description | Default | +| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `istio.additionalAnnotations` | Annotations to add to istio objects if not present | `{}` | +| `istio.additionalLabels` | Labels to add to istio objects if not present | `{}` | diff --git a/signadot/operator/values.yaml b/signadot/operator/values.yaml index 3d7fa01..dcbd31d 100644 --- a/signadot/operator/values.yaml +++ b/signadot/operator/values.yaml 
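Review bot: the separator row of the new Istio table pads the Description column to several hundred dashes for two short descriptions, which makes the markdown unreadable in source; trim it to the column width like the other tables in this README (PATCH 2/7 ends up doing exactly that). Minor: the paragraph writes "istio" in lowercase while the heading says "Istio", and there are two blank lines between the paragraph and the table.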
@@ -22,6 +22,18 @@ # serviceAnnotations: # exampleServiceLAnnotation: exampleServiceLAnnotationValue +# Add these labels or annotations to all istio objects when they are managed by +# Signadot Note that virtual services are only managed by Signadot when they +# route to some sandbox. For virtual services, these labels or annotations are +# only added if they were not present before becoming managed by signadot. +# +# istio: +# additionalLabels: +# exampleLabel: exampleLabelValue +# additionalAnnotations: +# exampleAnnotatonKey: exampleAnnotationValue + + # By default, this chart will install the operator in # cluster-wide mode, where it watches all namespaces. @@ -116,6 +128,8 @@ # maxUnavailable: 25% # type: RollingUpdate # auditor: +# image: my-private-registry/signadot/tunnel-auditor:latest +# imagePullPolicy: Always # init: # image: my-private-registry/signadot/tunnel-auditor-init:latest # imagePullPolicy: Always @@ -152,4 +166,4 @@ # server: http://10.20.10.2:8083 # syncInterval: 60 # disableSSH: false -# disableXAP: false \ No newline at end of file +# disableXAP: false From a3e4bbe79df76913223429ff3a2ef44a83dffebd Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Thu, 5 Oct 2023 15:49:13 -0300 Subject: [PATCH 2/7] Addition of istio.enabled --- signadot/operator/README.md | 81 ++++++++++++++++++----------------- signadot/operator/values.yaml | 12 +++--- 2 files changed, 47 insertions(+), 46 deletions(-) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index b25abc2..f24743d 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md 
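Review bot: the new commented `istio:` block has two doc slips that then get carried into PATCH 2/7 unchanged: "managed by Signadot Note that" is missing the full stop after "Signadot", and the example key `exampleAnnotatonKey` is misspelled (`exampleAnnotationKey`). Fix them here so they do not propagate.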
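Review bot: the `auditor:` example in the `@@ -116,6 +128,8 @@` hunk copies the `init:` pattern of `:latest` plus `imagePullPolicy: Always`, but for the component that audits every tunnel request this means the running code silently changes whenever the pod restarts after a tag republish; suggest the example show a pinned tag (for example `my-private-registry/signadot/tunnel-auditor:vX.Y.Z`) and leave `Always` to callers who actually want it. The trailing `\ No newline at end of file` fix in the last hunk is fine.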
@@ -77,43 +77,43 @@ their name. Additionally, the `execpod-` images are for compatibility with old style resources and are not needed in an installation which uses the new [resource plugins](https://www.signadot.com/docs/resourceplugins). -| Name | Description | Default | -| ------------------------------------- | ------------------------------------------------------- | -------------- | -| `operator.image` | Operator image override | `signadot/operator:vX.Y.Z` | -| `operator.imagePullPolicy` | Operator image pull policy | `IfNotPresent` | -| `agent.image` | Agent image override | `signadot/agent:vX.Y.Z` | -| `agent.imagePullPolicy` | Agent image pull policy | `IfNotPresent` | -| `routeServer.image` | Route Server image override | `signadot/route-server:vX.Y.Z` | -| `routeServer.imagePullPolicy` | Route Server image pull policy | `IfNotPresent` | -| `ioContextServer.image` | IO Context Server image override | `signadot/io-context-server:vX.Y.Z` | -| `ioContextServer.imagePullPolicy` | IO Context Server image pull policy | `IfNotPresent` | -| `kubeRBACProxy.image` | Kube-rbac-proxy image override | `""` | -| `kubeRBACProxy.imagePullPolicy` | Kube-rbac-proxy image pull policy | `IfNotPresent` | -| `routeInit.image` | Route Init container image override | `signadot/route-sidecar-init:vX.Y.Z` | -| `routeInit.legacy.image` | Route Init container image override (legacy version) | `signadot/sd-init-networking:latest` | -| `routeInit.imagePullPolicy` | Route Init container image pull policy | `IfNotPresent` | -| `routeInit.imagePullSecret` | Route Init container image pull secret | `""` | -| `routeSidecar.image` | Route Sidecar container image override | `signadot/route-sidecar:vX.Y.Z` | -| `routeSidecar.legacy.image` | Route Sidecar container image override (legacy version) | `signadot/route-sidecar-legacy:vX.Y.Z` | -| `routeSidecar.imagePullPolicy` | Route Sidecar container image pull policy | `IfNotPresent` | -| `routeSidecar.imagePullSecret` | Route Sidecar container 
image pull secret | `""` | -| `ioInit.image` | IO Init container image override | `signadot/io-init:vX.Y.Z` | -| `ioInit.imagePullPolicy` | IO Init container image pull policy | `IfNotPresent` | -| `ioInit.imagePullSecret` | IO Init container image pull secret | `""` | +| Name | Description | Default | +| ------------------------------------- | ------------------------------------------------------- | -------------------------------------- | +| `operator.image` | Operator image override | `signadot/operator:vX.Y.Z` | +| `operator.imagePullPolicy` | Operator image pull policy | `IfNotPresent` | +| `agent.image` | Agent image override | `signadot/agent:vX.Y.Z` | +| `agent.imagePullPolicy` | Agent image pull policy | `IfNotPresent` | +| `routeServer.image` | Route Server image override | `signadot/route-server:vX.Y.Z` | +| `routeServer.imagePullPolicy` | Route Server image pull policy | `IfNotPresent` | +| `ioContextServer.image` | IO Context Server image override | `signadot/io-context-server:vX.Y.Z` | +| `ioContextServer.imagePullPolicy` | IO Context Server image pull policy | `IfNotPresent` | +| `kubeRBACProxy.image` | Kube-rbac-proxy image override | `""` | +| `kubeRBACProxy.imagePullPolicy` | Kube-rbac-proxy image pull policy | `IfNotPresent` | +| `routeInit.image` | Route Init container image override | `signadot/route-sidecar-init:vX.Y.Z` | +| `routeInit.legacy.image` | Route Init container image override (legacy version) | `signadot/sd-init-networking:latest` | +| `routeInit.imagePullPolicy` | Route Init container image pull policy | `IfNotPresent` | +| `routeInit.imagePullSecret` | Route Init container image pull secret | `""` | +| `routeSidecar.image` | Route Sidecar container image override | `signadot/route-sidecar:vX.Y.Z` | +| `routeSidecar.legacy.image` | Route Sidecar container image override (legacy version) | `signadot/route-sidecar-legacy:vX.Y.Z` | +| `routeSidecar.imagePullPolicy` | Route Sidecar container image pull policy | `IfNotPresent` | +| 
`routeSidecar.imagePullSecret` | Route Sidecar container image pull secret | `""` | +| `ioInit.image` | IO Init container image override | `signadot/io-init:vX.Y.Z` | +| `ioInit.imagePullPolicy` | IO Init container image pull policy | `IfNotPresent` | +| `ioInit.imagePullSecret` | IO Init container image pull secret | `""` | | `ioSidecar.image` | IO Sidecar container image override | `signadot/io-sidecar:vX.Y.Z` | -| `ioSidecar.imagePullPolicy` | IO Sidecar container image pull policy | `IfNotPresent` | -| `ioSidecar.imagePullSecret` | IO Sidecar container image pull secret | `""` | -| `execpodSidecar.image` | ExecPod Sidecar container image override | `signadot/execpod-sidecar:vX.Y.Z` | -| `execpodSidecar.imagePullPolicy` | ExecPod Sidecar container image pull policy | `IfNotPresent` | -| `execpodSidecar.imagePullSecret` | ExecPod Sidecar container image pull secret | `""` | +| `ioSidecar.imagePullPolicy` | IO Sidecar container image pull policy | `IfNotPresent` | +| `ioSidecar.imagePullSecret` | IO Sidecar container image pull secret | `""` | +| `execpodSidecar.image` | ExecPod Sidecar container image override | `signadot/execpod-sidecar:vX.Y.Z` | +| `execpodSidecar.imagePullPolicy` | ExecPod Sidecar container image pull policy | `IfNotPresent` | +| `execpodSidecar.imagePullSecret` | ExecPod Sidecar container image pull secret | `""` | | `tunnel.api.image` | Tunnel API image override | `signadot/tunnel-api:vX.Y.Z` | -| `tunnel.api.imagePullPolicy` | Tunnel API image pull policy | `IfNotPresent` | -| `tunnel.proxy.image` | Tunnel Proxy image override | `signadot/tunnel-proxy:vX.Y.Z` | -| `tunnel.proxy.imagePullPolicy` | Tunnel Proxy image pull policy | `IfNotPresent` | -| `tunnel.auditor.image` | Tunnel Auditor image override | `signadot/tunnel-auditor:vX.Y.Z` | -| `tunnel.auditor.imagePullPolicy` | Tunnel Auditor image pull policy | `IfNotPresent` | -| `tunnel.auditor.init.image` | Tunnel Auditor init image override | `signadot/tunnel-auditor-init:vX.Y.Z` | -| 
`tunnel.auditor.init.imagePullPolicy` | Tunnel Auditor init image pull policy | `IfNotPresent` | +| `tunnel.api.imagePullPolicy` | Tunnel API image pull policy | `IfNotPresent` | +| `tunnel.proxy.image` | Tunnel Proxy image override | `signadot/tunnel-proxy:vX.Y.Z` | +| `tunnel.proxy.imagePullPolicy` | Tunnel Proxy image pull policy | `IfNotPresent` | +| `tunnel.auditor.image` | Tunnel Auditor image override | `envoyproxy/envoy:v1.26.1` | +| `tunnel.auditor.imagePullPolicy` | Tunnel Auditor image pull policy | `IfNotPresent` | +| `tunnel.auditor.init.image` | Tunnel Auditor init image override | `signadot/tunnel-auditor-init:vX.Y.Z` | +| `tunnel.auditor.init.imagePullPolicy` | Tunnel Auditor init image pull policy | `IfNotPresent` | ### Tunnel parameters 
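Review bot: this hunk rewrites every row of the image table for column alignment, which buries the one substantive change: the `tunnel.auditor.image` default moving from `signadot/tunnel-auditor:vX.Y.Z` to the third-party `envoyproxy/envoy:v1.26.1`. Please split the whitespace-only realignment into its own commit so the default change is reviewable on its own, and either express the auditor default as `vX.Y.Z` like the other images (if the chart bumps it each release) or document how that pinned Envoy version is tracked, since it is the code executing the Lua rules on all tunnel traffic.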
@@ -136,10 +136,11 @@ style resources and are not needed in an installation which uses the new | | | | ### Istio Parameters -The Signadot Operator manipulates istio objects when istio VirtualServices are applied to workloads in sandboxes. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added if not present when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. +When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes for each of the sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added if not present when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. -| Name | Description | Default | -| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `istio.additionalAnnotations` | Annotations to add to istio objects if not present | `{}` | -| `istio.additionalLabels` | Labels to add to istio objects if not present | `{}` | +| Name | Description | Default | +| ----------------------------- | -------------------------------------------------- | ------- | +| `istio.enabled` | Enable Istio integration | `false` | +| `istio.additionalAnnotations` | Annotations to add to istio objects if not present | `{}` | +| `istio.additionalLabels` | Labels to add to istio objects if not present | `{}` | 
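Review bot: the new `istio.enabled` row documents the default as `false`, but the only example in `values.yaml` (next hunk) shows `enabled: true` inside a commented block without saying what the default is; add the default to that comment so the two files agree. The rewritten paragraph also now says the operator applies "new HTTPRoutes" to VirtualServices; if that means the operator edits user-owned VirtualService objects in place, say so, because that is the behaviour the labels/annotations (and the "disabling CI sync" use case) exist to coordinate.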
diff --git a/signadot/operator/values.yaml b/signadot/operator/values.yaml index dcbd31d..2fa4196 100644 --- a/signadot/operator/values.yaml +++ b/signadot/operator/values.yaml @@ -22,18 +22,18 @@ # serviceAnnotations: # exampleServiceLAnnotation: exampleServiceLAnnotationValue -# Add these labels or annotations to all istio objects when they are managed by -# Signadot Note that virtual services are only managed by Signadot when they -# route to some sandbox. For virtual services, these labels or annotations are -# only added if they were not present before becoming managed by signadot. -# # istio: +# # Enable the integration with Istio +# enabled: true +# # Add these labels or annotations to all istio objects when they are managed by +# # Signadot Note that virtual services are only managed by Signadot when they +# # route to some sandbox. For virtual services, these labels or annotations are +# # only added if they were not present before becoming managed by signadot. # additionalLabels: # exampleLabel: exampleLabelValue # additionalAnnotations: # exampleAnnotatonKey: exampleAnnotationValue - # By default, this chart will install the operator in # cluster-wide mode, where it watches all namespaces. From f1841604433cf8918bfa12ffb04534a2d4db10a5 Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Fri, 6 Oct 2023 08:30:19 -0300 Subject: [PATCH 3/7] PR feedback --- signadot/operator/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index f24743d..8ab944b 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md 
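Review bot: the `istio:` comment block is moved under a nested `# #` comment, but the missing full stop in "Signadot Note that" and the `exampleAnnotatonKey` typo from PATCH 1/7 come along unchanged; fix them while the block is being touched. The PATCH 3/7 README hunk that follows is a wording-only change and looks fine.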
@@ -136,7 +136,7 @@ style resources and are not needed in an installation which uses the new | | | | ### Istio Parameters -When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes for each of the sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added if not present when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. +When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes where appropriate to direct traffic to sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added if not present when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. | Name | Description | Default | From e44aca37bfbc32eef5d42c03bf8f95cb97b5b06e Mon Sep 17 00:00:00 2001 From: Scott Cotton Date: Thu, 12 Oct 2023 10:01:08 +0200 Subject: [PATCH 4/7] specify VirtualServices, remove only if equal condition --- signadot/operator/README.md | 4 ++-- signadot/operator/values.yaml | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index b25abc2..3bb21a9 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md 
@@ -141,5 +141,5 @@ The Signadot Operator manipulates istio objects when istio VirtualServices are a | Name | Description | Default | | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `istio.additionalAnnotations` | Annotations to add to istio objects if not present | `{}` | -| `istio.additionalLabels` | Labels to add to istio objects if not present | `{}` | +| `istio.additionalAnnotations` | Annotations to add to istio VirtualServices if not present | `{}` | +| `istio.additionalLabels` | Labels to add to istio VirtualServices if not present | `{}` | diff --git a/signadot/operator/values.yaml b/signadot/operator/values.yaml index dcbd31d..7f6ec2b 100644 --- a/signadot/operator/values.yaml +++ b/signadot/operator/values.yaml @@ -23,9 +23,8 @@ # exampleServiceLAnnotation: exampleServiceLAnnotationValue # Add these labels or annotations to all istio objects when they are managed by -# Signadot Note that virtual services are only managed by Signadot when they -# route to some sandbox. For virtual services, these labels or annotations are -# only added if they were not present before becoming managed by signadot. +# Signadot Note that VirtualServices are only managed by Signadot when they +# route to some sandbox. # # istio: # additionalLabels: From dc71b0acdaae38a36cbbe063bbe812289df6a082 Mon Sep 17 00:00:00 2001 From: Scott Cotton Date: Thu, 12 Oct 2023 10:06:52 +0200 Subject: [PATCH 5/7] slight rephrase --- signadot/operator/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index 45901a1..c81d21b 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md 
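Review bot: both hunks in this patch are based on the pre-PATCH-2 blobs (README `index b25abc2..3bb21a9`, values.yaml `index dcbd31d..7f6ec2b`) instead of the `f24743d` / `2fa4196` blobs produced by PATCH 2/7, so the series does not apply linearly: this README hunk edits the wide table that PATCH 2/7 already replaced. Please rebase PATCH 4 onto PATCH 3 so the final table (VirtualServices wording plus the `istio.enabled` row) is visible in one place. Separately, the subject says "remove only if equal condition" and the values.yaml comment drops the "only added if they were not present" sentence, yet the README rows in the same patch still say "if not present"; keep the two descriptions of the semantics in step.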
@@ -136,7 +136,7 @@ style resources and are not needed in an installation which uses the new | | | | ### Istio Parameters -When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes where appropriate to direct traffic to sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added if not present when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. +When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes where appropriate to direct traffic to sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. | Name | Description | Default | | ----------------------------- | --------------------------------------------------------- | ------- | From bd90ac6ce8280e0d8ad053130600daf034199d6a Mon Sep 17 00:00:00 2001 
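Review bot: the rephrased sentence now says labels and annotations are "only added when the object comes into use", dropping "if not present", while the table rows (PATCH 4/7) and the PATCH 2/7 values.yaml comment still say they are only added if absent. If the operator now overwrites labels or annotations that already exist on a VirtualService it takes over, state that explicitly in the README: overwriting a user-set label, for instance the one controlling CI sync that this paragraph cites as the use case, is a behaviour change cluster operators need to know about before upgrading.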
From: Daniel De Vera Date: Thu, 12 Oct 2023 18:11:26 -0300 Subject: [PATCH 6/7] Operator release v0.14.0 --- .../operator/templates/agent-deployment.yaml | 2 +- ...signadot.com-customresourcedefinition.yaml | 298 +++++++++++++++++ .../io-context-server-deployment.yaml | 2 +- ...signadot.com-customresourcedefinition.yaml | 174 ++++++++++ .../templates/routeserver-deployment.yaml | 2 +- ...signadot.com-customresourcedefinition.yaml | 311 ++++++++++++++++++ .../templates/signadot-agent-clusterrole.yaml | 3 + ...ignadot-controller-manager-deployment.yaml | 20 +- .../signadot-manager-role-clusterrole.yaml | 104 +++++- ...guration-mutatingwebhookconfiguration.yaml | 11 + .../signadot-routeserver-clusterrole.yaml | 2 +- ...signadot.com-customresourcedefinition.yaml | 77 ++++- ...signadot.com-customresourcedefinition.yaml | 9 +- .../templates/tunnel-api-deployment.yaml | 2 +- .../templates/tunnel-proxy-deployment.yaml | 7 +- 15 files changed, 984 insertions(+), 40 deletions(-) create mode 100644 signadot/operator/templates/forkedworkloads.signadot.com-customresourcedefinition.yaml create mode 100644 signadot/operator/templates/istioroutes.signadot.com-customresourcedefinition.yaml create mode 100644 signadot/operator/templates/routingconfigs.signadot.com-customresourcedefinition.yaml diff --git a/signadot/operator/templates/agent-deployment.yaml b/signadot/operator/templates/agent-deployment.yaml index 8ec553a..2ca9d72 100644 --- a/signadot/operator/templates/agent-deployment.yaml +++ b/signadot/operator/templates/agent-deployment.yaml 
@@ -48,7 +48,7 @@ spec: secretKeyRef: key: token name: cluster-agent - image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.13.3{{- end }}{{- else -}}signadot/agent:v0.13.3{{- end }}{{- else -}}signadot/agent:v0.13.3{{- end }} + image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.14.0{{- end }}{{- else -}}signadot/agent:v0.14.0{{- end }}{{- else -}}signadot/agent:v0.14.0{{- end }} imagePullPolicy: {{ with .Values }}{{ with .agent }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} livenessProbe: httpGet: diff --git a/signadot/operator/templates/forkedworkloads.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/forkedworkloads.signadot.com-customresourcedefinition.yaml new file mode 100644 index 0000000..8af91af --- /dev/null +++ b/signadot/operator/templates/forkedworkloads.signadot.com-customresourcedefinition.yaml 
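Review bot: the image default `signadot/agent:v0.14.0` is repeated three times in the nested `with` fallbacks, and the same pattern recurs in `io-context-server-deployment.yaml` below, so every release bump must touch every fallback in every template and a missed one leaves a mixed-version install. If these templates are hand-written, `{{ .Values.agent.image | default "signadot/agent:v0.14.0" | quote }}` (or one chart-level version value) gives a single place to change and also makes quoting consistent between the override branch (`| quote`) and the unquoted fallbacks; if they are generated, the same fix belongs in the generator. Tag-only pinning also means a republished `v0.14.0` tag changes the running agent without any chart change; a digest would not.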
@@ -0,0 +1,298 @@ +# This file is generated. Do not edit. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: forkedworkloads.signadot.com +spec: + group: signadot.com + names: + kind: ForkedWorkload + listKind: ForkedWorkloadList + plural: forkedworkloads + shortNames: + - sdfw + singular: forkedworkload + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ForkedWorkloadSpec defines the desired state of ForkedWorkload + properties: + baseline: + description: Baseline specifies the target workload being forked by + this object + properties: + apiVersion: + description: APIVersion specifies the API Version (e.g. "apps/v1") + of the object to patch. + type: string + kind: + description: Kind specifies the Kind (e.g. "Deployment") of the + object to patch. + type: string + name: + description: Name specifies the name of the object to patch. 
+ type: string + namespace: + description: Namespace optionally specifies which namespace will + be searched. + type: string + required: + - apiVersion + - kind + - name + type: object + patches: + description: List of patches to be applied to the baseline workload + items: + description: ForkedWorkloadPatch describes a set of changes to apply + to a given object. + properties: + json: + description: JSON specifies the patch in JSON Patch format (RFC + 6902). + items: + description: "RawExtension is a wrapper around runtime.RawExtension. + \n It exists so we can add the PreserveUnknownFields directive + on the items in a []RawExtension list, rather than to the + list itself. Adding PreserveUnknownFields to the list itself + works in the latest patch releases of k8s v1.18+, but the + fix was never backported to v1.17 or older: \n https://github.com/kubernetes/kubernetes/pull/94888" + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + merge: + description: Merge specifies the patch in JSON Merge Patch format + (RFC 7396). + type: object + x-kubernetes-preserve-unknown-fields: true + strategic: + description: "Strategic specifies the patch in Kubernetes strategic + merge patch format. \n See: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/" + type: object + x-kubernetes-preserve-unknown-fields: true + template: + description: "Template specifies whether to treat the patch + content as a template. If enabled, variable substitution will + be performed, allowing patches to refer to information that + will only become available after the operator processes a + sandbox spec, such as the names of SignadotResource plugin + output objects. \n Default: false" + type: boolean + type: object + type: array + preservedLabels: + description: "PreservedLabels is a list of RE2 regular expressions + to check against label keys on the original baseline Pod template. 
+ The expression can match any substring within the key, so use anchors + if you want to require a full match. \n Normally, all baseline labels + are stripped from the cloned Pod template to ensure it can't match + any existing Services. Labels from the baseline Pod that match any + of these regular expressions will be preserved on the cloned Pod + instead. \n If preserving these labels would cause the cloned Pods + to match a baseline Service, the sandbox controller will pause and + report an error to avoid interference." + items: + type: string + type: array + resourceTemplateData: + additionalProperties: + description: ResourceTemplateData defines the template data related + to a Resource (this applies both to Resources and SignadotResources) + properties: + name: + description: Name is the name of the resource as referred to + by the requestor. + type: string + objectName: + description: ObjectName is the name of the Resource/SignadotResource + object that will be created by the Sandbox controller. + type: string + outputKind: + default: Secret + description: OutputKind is the kind of object (ConfigMap or + Secret) in which the plugin provisioner's output should be + stored. The default is "Secret". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - objectName + type: object + description: ResourceTemplateData is a map from resource name to the + template data related to that resource. + type: object + required: + - baseline + type: object + status: + description: ForkedWorkloadStatus defines status of a forked workload + properties: + baseline: + description: Baseline provides information about the baseline workload + properties: + generation: + description: Generation is the latest generation of the underlying + baseline workload as seen by the controller + format: int64 + type: integer + workloadID: + description: WorkloadID is the UID of the underlying baseline + workload. 
+ type: string + required: + - workloadID + type: object + conditions: + description: 'Conditions is a list of conditions that matches the + conventions expected by kubectl, allowing our CRDs to work with: + kubectl wait --for=condition=...' + items: + description: "StatusCondition is a condition struct that matches + the conventions expected by kubectl, allowing our CRDs to work + with: kubectl wait --for=condition=... \n StatusConditions must + follow the following discipline in reconciliation: The operator + MUST always populate all the condition types in a SignadotSandboxStatus + struct, irrespective of whether the condition is known or not + (see corev1.ConditionUnknown) so that access via a k8s client + can determine whether the capability is supported in the operator." + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + fork: + description: Fork provides information about the forked workload + properties: + objectRef: + description: ObjectRef is a reference to the forked workload object + properties: + apiVersion: + description: APIVersion specifies the API Version (e.g. "apps/v1") + of the object to patch. + type: string + kind: + description: Kind specifies the Kind (e.g. "Deployment") of + the object to patch. + type: string + name: + description: Name specifies the name of the object to patch. + type: string + namespace: + description: Namespace optionally specifies which namespace + will be searched. + type: string + required: + - apiVersion + - kind + - name + type: object + type: object + observedGeneration: + description: ObservedGeneration provides the Generation of the last + ForkedWorkload seen by the controller. + format: int64 + type: integer + routingConfig: + description: This is routing information about the workload, exposed + to the RoutingConfig controller. 
+ properties: + devMeshSidecarPresent: + description: DevMeshSidecarPresent defines if the DevMesh sidecar + is present in the baseline workload + type: boolean + services: + description: Services provides the list of matching services for + the baseline + items: + properties: + from: + description: Name of the baseline service + type: string + missingPorts: + description: List of ports in the baseline service which + do not have a corresponding TargetPort in the workload. + items: + format: int32 + type: integer + type: array + ports: + description: List of ports included in the service + items: + properties: + port: + description: Service port + format: int32 + type: integer + targetPort: + description: Service target port (container port) + format: int32 + type: integer + required: + - port + - targetPort + type: object + type: array + to: + description: Name of the service created for the forked + or external workload An empty name means that no service + was created because there were no ports in the baseline + service which resolved to ports in the baseline workload. + type: string + required: + - from + type: object + type: array + required: + - devMeshSidecarPresent + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/signadot/operator/templates/io-context-server-deployment.yaml b/signadot/operator/templates/io-context-server-deployment.yaml index 8e81d6a..1b4b672 100644 --- a/signadot/operator/templates/io-context-server-deployment.yaml +++ b/signadot/operator/templates/io-context-server-deployment.yaml 
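Review bot: the `conditions.items.description` in this new ForkedWorkload CRD still says the operator "MUST always populate all the condition types in a SignadotSandboxStatus struct", which is copy-pasted from the Sandbox type; since the header says the file is generated, fix the doc comment on the Go type so it names ForkedWorkloadStatus. On the security side, `spec.patches` accepts arbitrary JSON Patch, JSON Merge Patch and strategic-merge content (`x-kubernetes-preserve-unknown-fields: true`) with optional template substitution, applied to a fork of the baseline workload named by `spec.baseline`, so anyone granted create on `forkedworkloads.signadot.com` can shape that forked pod spec; the ClusterRole changes listed in this patch (`signadot-manager-role-clusterrole.yaml`, `signadot-agent-clusterrole.yaml`) are not in the visible hunks, so please document in the README who is expected to hold that permission. The `preservedLabels` guard (pause and report rather than let cloned Pods match a baseline Service) and the `outputKind` default of `Secret` are the right defaults and worth calling out in the docs.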
@@ -40,7 +40,7 @@ spec: - /app/io-context-server - -tls=secretns=signadot - -port=8443 - image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.13.3{{- end }}{{- else -}}signadot/io-context-server:v0.13.3{{- end }}{{- else -}}signadot/io-context-server:v0.13.3{{- end }} + image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.14.0{{- end }}{{- else -}}signadot/io-context-server:v0.14.0{{- end }}{{- else -}}signadot/io-context-server:v0.14.0{{- end }} imagePullPolicy: {{ with .Values }}{{ with .ioContextServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} name: io-context-server ports: diff --git a/signadot/operator/templates/istioroutes.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/istioroutes.signadot.com-customresourcedefinition.yaml new file mode 100644 index 0000000..798fa35 --- /dev/null +++ b/signadot/operator/templates/istioroutes.signadot.com-customresourcedefinition.yaml 
@@ -0,0 +1,174 @@ +# This file is generated. Do not edit. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: istioroutes.signadot.com +spec: + group: signadot.com + names: + kind: IstioRoute + listKind: IstioRouteList + plural: istioroutes + shortNames: + - sdir + singular: istioroute + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IstioRouteSpec defines the desired state of an istio route + properties: + managed: + description: Definition of a managed route, a route whose destination + is managed by the system (the result of a forked or external workload) + properties: + baseline: + description: Baseline workload informaton + properties: + generation: + description: Generation is the latest generation of the underlying + baseline workload as seen by the controller + format: int64 + type: integer + workloadID: + description: WorkloadID is the UID of the underlying baseline + workload. 
+ type: string + required: + - workloadID + type: object + mappings: + description: Mappings defines a list of mappings from a port on + the target service to an alternative destination (specified + by a service) + items: + properties: + fromPort: + description: Source port from the target service + format: int32 + type: integer + toService: + description: Destionation service + type: string + workloadPort: + description: Source port in the workload (the service target + port) + format: int32 + type: integer + required: + - fromPort + - toService + type: object + type: array + namespace: + description: Namespace of this managed route + type: string + targetService: + description: Route target + type: string + required: + - baseline + - mappings + - namespace + - targetService + type: object + routingKey: + description: RoutingKey associated with this route + type: string + required: + - managed + - routingKey + type: object + status: + description: IstioRouteStatus defines the status of an istio route + properties: + conditions: + description: 'Conditions is a list of conditions that matches the + conventions expected by kubectl, allowing our CRDs to work with: + kubectl wait --for=condition=...' + items: + description: "StatusCondition is a condition struct that matches + the conventions expected by kubectl, allowing our CRDs to work + with: kubectl wait --for=condition=... \n StatusConditions must + follow the following discipline in reconciliation: The operator + MUST always populate all the condition types in a SignadotSandboxStatus + struct, irrespective of whether the condition is known or not + (see corev1.ConditionUnknown) so that access via a k8s client + can determine whether the capability is supported in the operator." 
+ properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + matchedVirtualServices: + description: MatchedVirtualServices is a list of the matching virtual + services for this route, along with its status + items: + properties: + message: + description: Status related message + type: string + name: + description: This is the virtual service name + type: string + status: + description: Status information about the virtual service configuration + type: string + required: + - name + - status + type: object + type: array + observedGeneration: + description: ObservedGeneration provides the Generation of the last + IstioRoute seen by the controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/signadot/operator/templates/routeserver-deployment.yaml b/signadot/operator/templates/routeserver-deployment.yaml index 1805204..47ea7ce 100644 --- a/signadot/operator/templates/routeserver-deployment.yaml +++ b/signadot/operator/templates/routeserver-deployment.yaml 
@@ -36,7 +36,7 @@ spec: {{- end }} spec: containers: - - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.13.3{{- end }}{{- else -}}signadot/route-server:v0.13.3{{- end }}{{- else -}}signadot/route-server:v0.13.3{{- end }} + - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.14.0{{- end }}{{- else -}}signadot/route-server:v0.14.0{{- end }}{{- else -}}signadot/route-server:v0.14.0{{- end }} imagePullPolicy: {{ with .Values }}{{ with .routeServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} name: routeserver ports: diff --git a/signadot/operator/templates/routingconfigs.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/routingconfigs.signadot.com-customresourcedefinition.yaml new file mode 100644 index 0000000..a29696a --- /dev/null +++ b/signadot/operator/templates/routingconfigs.signadot.com-customresourcedefinition.yaml 
@@ -0,0 +1,311 @@ +# This file is generated. Do not edit. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: routingconfigs.signadot.com +spec: + group: signadot.com + names: + kind: RoutingConfig + listKind: RoutingConfigList + plural: routingconfigs + shortNames: + - sdrc + singular: routingconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RoutingConfigSpec defines the desired state of a sandbox + router + properties: + sandboxedWorkloads: + description: List of workloads for which the RoutingConfig controller + will manage routing. These workloads should identify forks, not + baselines. 
+ items: + properties: + kind: + enum: + - ForkedWorkload + - SignadotExternalWorkload + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + - namespace + type: object + type: array + required: + - sandboxedWorkloads + type: object + status: + description: RoutingConfigStatus defines the status of a sandbox router + properties: + conditions: + description: 'Conditions is a list of conditions that matches the + conventions expected by kubectl, allowing our CRDs to work with: + kubectl wait --for=condition=...' + items: + description: "StatusCondition is a condition struct that matches + the conventions expected by kubectl, allowing our CRDs to work + with: kubectl wait --for=condition=... \n StatusConditions must + follow the following discipline in reconciliation: The operator + MUST always populate all the condition types in a SignadotSandboxStatus + struct, irrespective of whether the condition is known or not + (see corev1.ConditionUnknown) so that access via a k8s client + can determine whether the capability is supported in the operator." + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration provides the Generation of the last + IstioRoute seen by the controller. 
+ format: int64 + type: integer + processedWorkloads: + description: ProcessedWorkloads is the list of sandboxed workloads + as seen by the controller, along with its routing information + items: + properties: + routes: + description: Routes is the list of the configured routes per + service mesh (including the signadot sidecar) + properties: + devMesh: + description: DevMesh provides information about the setup + of the DevMesh sidecar for this workload + properties: + enabled: + description: Enabled means that the DevMesh sidecar + container is present and ready in all the baseline + workload pods + type: boolean + required: + - enabled + type: object + istio: + description: Istio is a list of the IstioRoute objects created + for this sandbox + items: + properties: + name: + description: Name of the IstioRoute + type: string + status: + description: Status of the IstioRoute + properties: + conditions: + description: 'Conditions is a list of conditions + that matches the conventions expected by kubectl, + allowing our CRDs to work with: kubectl wait + --for=condition=...' + items: + description: "StatusCondition is a condition + struct that matches the conventions expected + by kubectl, allowing our CRDs to work with: + kubectl wait --for=condition=... \n StatusConditions + must follow the following discipline in reconciliation: + The operator MUST always populate all the + condition types in a SignadotSandboxStatus + struct, irrespective of whether the condition + is known or not (see corev1.ConditionUnknown) + so that access via a k8s client can determine + whether the capability is supported in the + operator." 
+ properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + matchedVirtualServices: + description: MatchedVirtualServices is a list + of the matching virtual services for this route, + along with its status + items: + properties: + message: + description: Status related message + type: string + name: + description: This is the virtual service + name + type: string + status: + description: Status information about the + virtual service configuration + type: string + required: + - name + - status + type: object + type: array + observedGeneration: + description: ObservedGeneration provides the Generation + of the last IstioRoute seen by the controller. + format: int64 + type: integer + type: object + required: + - name + type: object + type: array + type: object + workload: + description: Workload is a reference to one of the sandboxed + workloads from the Spec + properties: + kind: + enum: + - ForkedWorkload + - SignadotExternalWorkload + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + - namespace + type: object + required: + - workload + type: object + type: array + routeServer: + description: RouteServer is the information that will be consumed + by the route server + properties: + routes: + description: Routes is the list of routes to be exported to the + route server + items: + properties: + baseline: + description: Baseline workload informaton + properties: + generation: + description: Generation is the latest generation of + the underlying baseline workload as seen by the controller + format: int64 + type: integer + workloadID: + description: WorkloadID is the UID of the underlying + baseline workload. 
+ type: string + required: + - workloadID + type: object + from: + description: From the specified location + properties: + host: + description: Host of this location + type: string + port: + description: Port where this location can be accessed + format: int32 + type: integer + workloadPort: + description: Port where it listens the workload behind + this location (if any). In this case of kubernetes + services, this is the service target port. + format: int32 + type: integer + required: + - host + - port + type: object + to: + description: To the specified location + properties: + host: + description: Host of this location + type: string + port: + description: Port where this location can be accessed + format: int32 + type: integer + workloadPort: + description: Port where it listens the workload behind + this location (if any). In this case of kubernetes + services, this is the service target port. + format: int32 + type: integer + required: + - host + - port + type: object + required: + - from + - to + type: object + type: array + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/signadot/operator/templates/signadot-agent-clusterrole.yaml b/signadot/operator/templates/signadot-agent-clusterrole.yaml index 95d5f05..6026459 100644 --- a/signadot/operator/templates/signadot-agent-clusterrole.yaml +++ b/signadot/operator/templates/signadot-agent-clusterrole.yaml @@ -20,11 +20,14 @@ rules: - signadotsandboxes - signadotroutes - signadotexternalworkloads + - signadoforkedworkloads - signadotresources - resources - signadotobjectlifecyclemethods - signadotresourceplugins - signadotroutegroups + - routingconfigs + - istioroutes verbs: - get - list 
diff --git a/signadot/operator/templates/signadot-controller-manager-deployment.yaml b/signadot/operator/templates/signadot-controller-manager-deployment.yaml index 9a575d9..ae9cb3f 100644 --- a/signadot/operator/templates/signadot-controller-manager-deployment.yaml +++ b/signadot/operator/templates/signadot-controller-manager-deployment.yaml 
@@ -77,21 +77,27 @@ spec: value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} - name: EXECPOD_SIDECAR_IMAGE_PULL_SECRET value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} + - name: ISTIO_ENABLED + value: {{ with .Values }}{{ with .istio }}{{ with .enabled }}{{ toString . | quote}}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }} + - name: ISTIO_ADDITIONAL_LABELS + value: {{ with .Values }}{{ with .istio }}{{ with .additionalLabels }}{{ mustToJson . | quote}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} + - name: ISTIO_ADDITIONAL_ANNOTATIONS + value: {{ with .Values }}{{ with .istio }}{{ with .additionalAnnotations }}{{ mustToJson . | quote}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} - name: SIDECAR_INIT_IMAGE - value: {{ with .Values }}{{ with .routeInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-init:v0.13.3{{- end }}{{- else -}}signadot/route-sidecar-init:v0.13.3{{- end }}{{- else -}}signadot/route-sidecar-init:v0.13.3{{- end }} + value: {{ with .Values }}{{ with .routeInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-init:v0.14.0{{- end }}{{- else -}}signadot/route-sidecar-init:v0.14.0{{- end }}{{- else -}}signadot/route-sidecar-init:v0.14.0{{- end }} - name: LEGACY_SIDECAR_INIT_IMAGE value: {{ with .Values }}{{ with .routeInit }}{{ with .legacy }}{{ with .image }}{{ . 
| quote}}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }} - name: ROUTE_SIDECAR_IMAGE - value: {{ with .Values }}{{ with .routeSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar:v0.13.3{{- end }}{{- else -}}signadot/route-sidecar:v0.13.3{{- end }}{{- else -}}signadot/route-sidecar:v0.13.3{{- end }} + value: {{ with .Values }}{{ with .routeSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar:v0.14.0{{- end }}{{- else -}}signadot/route-sidecar:v0.14.0{{- end }}{{- else -}}signadot/route-sidecar:v0.14.0{{- end }} - name: LEGACY_ROUTE_SIDECAR_IMAGE - value: {{ with .Values }}{{ with .routeSidecar }}{{ with .legacy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-legacy:v0.13.3{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.13.3{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.13.3{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.13.3{{- end }} + value: {{ with .Values }}{{ with .routeSidecar }}{{ with .legacy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-legacy:v0.14.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.14.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.14.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.14.0{{- end }} - name: EXECPOD_SIDECAR_IMAGE - value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/execpod-sidecar:v0.13.3{{- end }}{{- else -}}signadot/execpod-sidecar:v0.13.3{{- end }}{{- else -}}signadot/execpod-sidecar:v0.13.3{{- end }} + value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .image }}{{ . 
| quote}}{{- else -}}signadot/execpod-sidecar:v0.14.0{{- end }}{{- else -}}signadot/execpod-sidecar:v0.14.0{{- end }}{{- else -}}signadot/execpod-sidecar:v0.14.0{{- end }} - name: IO_INIT_IMAGE - value: {{ with .Values }}{{ with .ioInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-init:v0.13.3{{- end }}{{- else -}}signadot/io-init:v0.13.3{{- end }}{{- else -}}signadot/io-init:v0.13.3{{- end }} + value: {{ with .Values }}{{ with .ioInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-init:v0.14.0{{- end }}{{- else -}}signadot/io-init:v0.14.0{{- end }}{{- else -}}signadot/io-init:v0.14.0{{- end }} - name: IO_SIDECAR_IMAGE - value: {{ with .Values }}{{ with .ioSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-sidecar:v0.13.3{{- end }}{{- else -}}signadot/io-sidecar:v0.13.3{{- end }}{{- else -}}signadot/io-sidecar:v0.13.3{{- end }} - image: {{ with .Values }}{{ with .operator }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/operator:v0.13.3{{- end }}{{- else -}}signadot/operator:v0.13.3{{- end }}{{- else -}}signadot/operator:v0.13.3{{- end }} + value: {{ with .Values }}{{ with .ioSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-sidecar:v0.14.0{{- end }}{{- else -}}signadot/io-sidecar:v0.14.0{{- end }}{{- else -}}signadot/io-sidecar:v0.14.0{{- end }} + image: {{ with .Values }}{{ with .operator }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/operator:v0.14.0{{- end }}{{- else -}}signadot/operator:v0.14.0{{- end }}{{- else -}}signadot/operator:v0.14.0{{- end }} imagePullPolicy: {{ with .Values }}{{ with .operator }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} livenessProbe: httpGet: diff --git a/signadot/operator/templates/signadot-manager-role-clusterrole.yaml b/signadot/operator/templates/signadot-manager-role-clusterrole.yaml index c0e7875..d086a79 100644 
--- a/signadot/operator/templates/signadot-manager-role-clusterrole.yaml +++ b/signadot/operator/templates/signadot-manager-role-clusterrole.yaml @@ -12,6 +12,18 @@ metadata: {{- end }} name: signadot-manager-role rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - admissionregistration.k8s.io resourceNames: @@ -22,6 +34,58 @@ rules: - get - patch - update +- apiGroups: + - signadot.com + resources: + - forkedworkloads + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - signadot.com + resources: + - forkedworkloads/finalizers + verbs: + - update +- apiGroups: + - signadot.com + resources: + - forkedworkloads/status + verbs: + - get + - patch + - update +- apiGroups: + - signadot.com + resources: + - istioroutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - signadot.com + resources: + - istioroutes/finalizers + verbs: + - update +- apiGroups: + - signadot.com + resources: + - istioroutes/status + verbs: + - get + - patch + - update - apiGroups: - signadot.com resources: @@ -48,6 +112,32 @@ rules: - get - patch - update +- apiGroups: + - signadot.com + resources: + - routingconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - signadot.com + resources: + - routingconfigs/finalizers + verbs: + - update +- apiGroups: + - signadot.com + resources: + - routingconfigs/status + verbs: + - get + - patch + - update - apiGroups: - signadot.com resources: @@ -190,20 +280,6 @@ rules: - patch - update - watch -- apiGroups: - - signadot.com - resources: - - signadotroutes/finalizers - verbs: - - update -- apiGroups: - - signadot.com - resources: - - signadotroutes/status - verbs: - - get - - patch - - update - apiGroups: - signadot.com resources: 
diff --git a/signadot/operator/templates/signadot-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/signadot/operator/templates/signadot-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 812e88f..680cc1c 100644 --- a/signadot/operator/templates/signadot-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/signadot/operator/templates/signadot-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -22,6 +22,17 @@ webhooks: path: /mutate-v1-pod failurePolicy: Ignore name: sidecar-injector.signadot.com + namespaceSelector: + matchExpressions: + - key: signadot.com/admission-webhooks + operator: NotIn + values: + - disabled + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - kube-node-lease rules: - apiGroups: - "" diff --git a/signadot/operator/templates/signadot-routeserver-clusterrole.yaml b/signadot/operator/templates/signadot-routeserver-clusterrole.yaml index 006080b..54c3e26 100644 --- a/signadot/operator/templates/signadot-routeserver-clusterrole.yaml +++ b/signadot/operator/templates/signadot-routeserver-clusterrole.yaml @@ -15,7 +15,7 @@ rules: - apiGroups: - signadot.com resources: - - signadotroutes + - routingconfigs verbs: - get - list diff --git a/signadot/operator/templates/signadotexternalworkloads.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/signadotexternalworkloads.signadot.com-customresourcedefinition.yaml index aee25c9..0606ae9 100644 --- a/signadot/operator/templates/signadotexternalworkloads.signadot.com-customresourcedefinition.yaml +++ b/signadot/operator/templates/signadotexternalworkloads.signadot.com-customresourcedefinition.yaml 
@@ -72,8 +72,7 @@ spec: pattern: ^$|^[a-z]([a-z0-9-]*[a-zA-Z0-9])?$ type: string routingKey: - description: RoutingKey is a unique short key that can be provided - to context propagation mechanisms. + description: 'DEPRECATED: this field is no longer needed.' type: string tunnel: description: Tunnel defines that this external workload will be accessed @@ -100,7 +99,7 @@ spec: - baselineToLocals type: object workloadID: - description: WorkloadID is the UID of the underlying workload. + description: 'DEPRECATED: this field is no longer needed.' type: string required: - baseline @@ -109,8 +108,23 @@ spec: - workloadID type: object status: - description: ResourceStatus defines status of a Resource + description: ExternalWorkloadStatus defines status of an external workload properties: + baseline: + description: Baseline provides information about the baseline workload + properties: + generation: + description: Generation is the latest generation of the underlying + baseline workload as seen by the controller + format: int64 + type: integer + workloadID: + description: WorkloadID is the UID of the underlying baseline + workload. + type: string + required: + - workloadID + type: object conditions: description: 'Conditions is a list of conditions that matches the conventions expected by kubectl, allowing our CRDs to work with: 
@@ -143,9 +157,62 @@ spec: type: array observedGeneration: description: ObservedGeneration provides the Generation of the last - Resource seen by the controller. + ExternalWorkload seen by the controller. format: int64 type: integer + routingConfig: + description: This is routing information about the workload, exposed + to the RoutingConfig controller. + properties: + devMeshSidecarPresent: + description: DevMeshSidecarPresent defines if the DevMesh sidecar + is present in the baseline workload + type: boolean + services: + description: Services provides the list of matching services for + the baseline + items: + properties: + from: + description: Name of the baseline service + type: string + missingPorts: + description: List of ports in the baseline service which + do not have a corresponding TargetPort in the workload. + items: + format: int32 + type: integer + type: array + ports: + description: List of ports included in the service + items: + properties: + port: + description: Service port + format: int32 + type: integer + targetPort: + description: Service target port (container port) + format: int32 + type: integer + required: + - port + - targetPort + type: object + type: array + to: + description: Name of the service created for the forked + or external workload An empty name means that no service + was created because there were no ports in the baseline + service which resolved to ports in the baseline workload. + type: string + required: + - from + type: object + type: array + required: + - devMeshSidecarPresent + type: object tunnel: description: Tunnel exposes the status of the tunnel behind this external workload diff --git a/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml index 43acd2d..f405f16 100644 --- a/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml 
+++ b/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml @@ -55,10 +55,8 @@ spec: running in the cluster should be customized for this sandbox. properties: images: - description: "Images to replace when cloning workloads (e.g. Deployments) - for this sandbox. \n Any live Deployment (one that isn't part - of a sandbox) that uses an image from this list will be cloned - and the clone will use the new image name and/or tag specified." + description: 'DEPRECATED: this feature has been deprecated, image + replacement commands will be ignored.' items: description: ImageReplacement describes a rule for replacing images in cloned containers. @@ -7106,8 +7104,7 @@ spec: readyManagedResources: additionalProperties: type: boolean - description: ReadyManagedResources is a map from resource name to - ready status This field has been deprecated. + description: 'DEPRECATED: use ManagedResources instead.' type: object readyResources: description: ReadyResources is the number of signadot resources which diff --git a/signadot/operator/templates/tunnel-api-deployment.yaml b/signadot/operator/templates/tunnel-api-deployment.yaml index 8e119d1..45e7d31 100644 --- a/signadot/operator/templates/tunnel-api-deployment.yaml +++ b/signadot/operator/templates/tunnel-api-deployment.yaml 
@@ -45,7 +45,7 @@ spec: {{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }} {{ with .Values }}{{ with .tunnel }}{{ with .config }}{{ with .externalDNS }}{{ with .syncInterval }} - --external-dns-resync-interval={{ . }} {{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }} - image: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-api:v0.13.3{{- end }}{{- else -}}signadot/tunnel-api:v0.13.3{{- end }}{{- else -}}signadot/tunnel-api:v0.13.3{{- end }}{{- else -}}signadot/tunnel-api:v0.13.3{{- end }} + image: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-api:v0.14.0{{- end }}{{- else -}}signadot/tunnel-api:v0.14.0{{- end }}{{- else -}}signadot/tunnel-api:v0.14.0{{- end }}{{- else -}}signadot/tunnel-api:v0.14.0{{- end }} imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} name: tunnel-api ports: diff --git a/signadot/operator/templates/tunnel-proxy-deployment.yaml b/signadot/operator/templates/tunnel-proxy-deployment.yaml index 36011ee..86b7dc3 100644 --- a/signadot/operator/templates/tunnel-proxy-deployment.yaml +++ b/signadot/operator/templates/tunnel-proxy-deployment.yaml 
@@ -53,7 +53,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - image: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-proxy:v0.13.3{{- end }}{{- else -}}signadot/tunnel-proxy:v0.13.3{{- end }}{{- else -}}signadot/tunnel-proxy:v0.13.3{{- end }}{{- else -}}signadot/tunnel-proxy:v0.13.3{{- end }} + image: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-proxy:v0.14.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.14.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.14.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.14.0{{- end }} imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} name: tunnel-proxy ports: @@ -70,7 +70,8 @@ spec: - /etc/config.yaml command: - envoy - image: envoyproxy/envoy:v1.26.1 + image: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .image }}{{ . | quote}}{{- else -}}envoyproxy/envoy:v1.26.1{{- end }}{{- else -}}envoyproxy/envoy:v1.26.1{{- end }}{{- else -}}envoyproxy/envoy:v1.26.1{{- end }}{{- else -}}envoyproxy/envoy:v1.26.1{{- end }} + imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} name: auditor securityContext: allowPrivilegeEscalation: false 
@@ -97,7 +98,7 @@ spec: value: "10000" - name: OUTBOUND_AUDITOR_PORT value: "10001" - image: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-auditor-init:v0.13.3{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.13.3{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.13.3{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.13.3{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.13.3{{- end }} + image: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-auditor-init:v0.14.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.14.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.14.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.14.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.14.0{{- end }} imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} name: auditor-init securityContext: From 266c3a3866e39072c9f7b0fda432f3038485d607 Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Thu, 12 Oct 2023 18:12:41 -0300 Subject: [PATCH 7/7] Update chart version --- signadot/operator/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/signadot/operator/Chart.yaml b/signadot/operator/Chart.yaml index a0ff95c..fe1a5ab 100644 --- a/signadot/operator/Chart.yaml +++ b/signadot/operator/Chart.yaml 
@@ -6,10 +6,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.13.3" +version: "0.14.0" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.13.3" +appVersion: "0.14.0"
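Review bot: in the tunnel-api hunk the default tag `signadot/tunnel-api:v0.14.0` is spelled out four times on one line because every level of the `{{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .image }}` chain carries its own `else`; a release bump that misses one copy would silently ship a mixed default, and the user-supplied path is `{{ . | quote }}` while the fallbacks are unquoted. The whole chain collapses to one literal with `{{ .Values.tunnel.api.image | default "signadot/tunnel-api:v0.14.0" | quote }}`, which keeps the same semantics (an unset or empty value falls back) and quotes both branches consistently.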
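Review bot: in the auditor hunk the new `imagePullPolicy` line quotes the fallback (`"IfNotPresent"`) but emits the user value bare (`{{ . }}`), the inverse of the api and proxy containers above, which do `{{ . | quote }}` with an unquoted fallback; pick one convention, preferably `| quote` on the user value since that is the only branch that can carry arbitrary input. Separately, the auditor image default stays at `envoyproxy/envoy:v1.26.1` while every signadot image moves to v0.14.0; since this hunk is the first place that pin becomes overridable, confirm v1.26.1 is still the intended Envoy release for this chart version rather than a value that was left behind.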
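Review bot: the Chart.yaml hunk bumps `appVersion: "0.14.0"`, but the same number is hardcoded as `v0.14.0` in the tunnel-api, tunnel-proxy and tunnel-auditor-init templates in the preceding hunks, so a release touches four files and the chart's appVersion can drift from the images actually deployed. Deriving the default tag from the chart, e.g. `signadot/tunnel-api:v{{ .Chart.AppVersion }}`, would make this one-line bump the only change needed for the signadot images. The `version` bump from 0.13.3 to 0.14.0 is consistent with the semver comment above it, given the new values added in this series.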
