Merge pull request #65 from signadot/release-v0.18.0

Changes for release v0.18.0
signadot · Aug 15, 2024 · e7aa806 · e7aa806
2 parents 84a93a7 + b546561
commit e7aa806
Show file tree

Hide file tree

Showing 13 changed files with 74 additions and 22 deletions.
diff --git a/signadot/operator/Chart.yaml b/signadot/operator/Chart.yaml
@@ -6,10 +6,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.17.0"
+version: "0.18.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.17.0"
+appVersion: "0.18.0"
diff --git a/signadot/operator/README.md b/signadot/operator/README.md
@@ -117,6 +117,9 @@ style resources and are not needed in an installation which uses the new
 | `jobExecutorInit.image`               | Job Executor Init container image override              | `signadot/job-executor-init:vX.Y.Z`    |
 | `jobExecutorInit.imagePullPolicy`     | Job Executor Init container image pull policy           | `IfNotPresent`                         |
 | `jobExecutorInit.imagePullSecret`     | Job Executor Init container image pull secret           | `""`                                   |
+| `jobExecutorProxy.image`              | Job Executor Proxy container image override             | `signadot/job-executor-proxy:vX.Y.Z`   |
+| `jobExecutorProxy.imagePullPolicy`    | Job Executor Proxy container image pull policy          | `IfNotPresent`                         |
+| `jobExecutorProxy.imagePullSecret`    | Job Executor Proxy container image pull secret          | `""`                                   |
 
 
 ### Tunnel parameters
@@ -142,8 +145,10 @@ style resources and are not needed in an installation which uses the new
 
 When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes where appropriate to direct traffic to sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator.  Note that these labels and annotations are only added when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities.
 
-| Name                          | Description                                                | Default |
-| ----------------------------- | ---------------------------------------------------------  | ------- |
-| `istio.enabled`               | Enable Istio integration                                   | `false` |
-| `istio.additionalAnnotations` | Annotations to add to istio VirtualServices if not present | `{}`    |
-| `istio.additionalLabels`      | Labels to add to istio VirtualServices if not present      | `{}`    |
+| Name                                | Description                                                                                               | Default |
+| ----------------------------------- | --------------------------------------------------------------------------------------------------------- | ------- |
+| `istio.enabled`                     | Enable Istio integration                                                                                  | `false` |
+| `istio.additionalAnnotations`       | Annotations to add to istio VirtualServices if not present                                                | `{}`    |
+| `istio.additionalLabels`            | Labels to add to istio VirtualServices if not present                                                     | `{}`    |
+| `istio.enableDeprecatedHostRouting` | Enable sandbox routing by matching the `VirtualService.host` field. **This feature has been deprecated**. | `false` |
+
diff --git a/signadot/operator/templates/agent-deployment.yaml b/signadot/operator/templates/agent-deployment.yaml
@@ -48,7 +48,7 @@ spec:
             secretKeyRef:
               key: token
               name: cluster-agent
-        image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.17.0{{- end }}{{- else -}}signadot/agent:v0.17.0{{- end }}{{- else -}}signadot/agent:v0.17.0{{- end }}
+        image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.18.0{{- end }}{{- else -}}signadot/agent:v0.18.0{{- end }}{{- else -}}signadot/agent:v0.18.0{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .agent }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         livenessProbe:
           httpGet:

diff --git a/signadot/operator/templates/io-context-server-deployment.yaml b/signadot/operator/templates/io-context-server-deployment.yaml
@@ -40,7 +40,7 @@ spec:
         - /app/io-context-server
         - -tls=secretns=signadot
         - -port=8443
-        image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.17.0{{- end }}{{- else -}}signadot/io-context-server:v0.17.0{{- end }}{{- else -}}signadot/io-context-server:v0.17.0{{- end }}
+        image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.18.0{{- end }}{{- else -}}signadot/io-context-server:v0.18.0{{- end }}{{- else -}}signadot/io-context-server:v0.18.0{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .ioContextServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         name: io-context-server
         ports:

diff --git a/signadot/operator/templates/istioroutes.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/istioroutes.signadot.com-customresourcedefinition.yaml
@@ -147,11 +147,15 @@ spec:
                     name:
                       description: This is the virtual service name
                       type: string
+                    namespace:
+                      description: This is the virtual service namespace
+                      type: string
                     status:
                       description: Status information about the virtual service configuration
                       type: string
                   required:
                   - name
+                  - namespace
                   - status
                   type: object
                 type: array

diff --git a/signadot/operator/templates/jobs.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/jobs.signadot.com-customresourcedefinition.yaml
@@ -140,6 +140,21 @@ spec:
                 x-kubernetes-validations:
                 - message: Timeout is immutable
                   rule: self == oldSelf
+              trafficManager:
+                description: Traffic manager settings
+                properties:
+                  injectRoutingKey:
+                    default: Disabled
+                    description: Enable the automatic insertion of routing key headers
+                      for HTTP and gRPC (H2C) traffic
+                    enum:
+                    - Disabled
+                    - Auto
+                    type: string
+                type: object
+                x-kubernetes-validations:
+                - message: Timeout is immutable
+                  rule: self == oldSelf
             required:
             - canceled
             - content

diff --git a/signadot/operator/templates/routeserver-deployment.yaml b/signadot/operator/templates/routeserver-deployment.yaml
@@ -36,7 +36,7 @@ spec:
         {{- end }}
     spec:
       containers:
-      - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.17.0{{- end }}{{- else -}}signadot/route-server:v0.17.0{{- end }}{{- else -}}signadot/route-server:v0.17.0{{- end }}
+      - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.18.0{{- end }}{{- else -}}signadot/route-server:v0.18.0{{- end }}{{- else -}}signadot/route-server:v0.18.0{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .routeServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         name: routeserver
         ports:

diff --git a/signadot/operator/templates/routingconfigs.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/routingconfigs.signadot.com-customresourcedefinition.yaml
@@ -205,12 +205,17 @@ spec:
                                           description: This is the virtual service
                                             name
                                           type: string
+                                        namespace:
+                                          description: This is the virtual service
+                                            namespace
+                                          type: string
                                         status:
                                           description: Status information about the
                                             virtual service configuration
                                           type: string
                                       required:
                                       - name
+                                      - namespace
                                       - status
                                       type: object
                                     type: array

diff --git a/signadot/operator/templates/signadot-controller-manager-deployment.yaml b/signadot/operator/templates/signadot-controller-manager-deployment.yaml
@@ -62,6 +62,8 @@ spec:
           value: {{ with .Values }}{{ with .ioSidecar }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
         - name: ISTIO_ENABLED
           value: {{ with .Values }}{{ with .istio }}{{ with .enabled }}{{ toString . | quote}}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}
+        - name: ISTIO_HOST_ROUTING
+          value: {{ with .Values }}{{ with .istio }}{{ with .enableDeprecatedHostRouting }}{{ toString . | quote}}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}
         - name: ISTIO_ADDITIONAL_LABELS
           value: {{ with .Values }}{{ with .istio }}{{ with .additionalLabels }}{{ mustToJson . | quote}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
         - name: ISTIO_ADDITIONAL_ANNOTATIONS
@@ -70,21 +72,27 @@ spec:
           value: {{ with .Values }}{{ with .jobExecutorInit }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
         - name: JOB_EXECUTOR_INIT_IMAGE_PULL_SECRET
           value: {{ with .Values }}{{ with .jobExecutorInit }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
+        - name: JOB_EXECUTOR_PROXY_IMAGE_PULL_POLICY
+          value: {{ with .Values }}{{ with .jobExecutorProxy }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
+        - name: JOB_EXECUTOR_PROXY_IMAGE_PULL_SECRET
+          value: {{ with .Values }}{{ with .jobExecutorProxy }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
         - name: SIDECAR_INIT_IMAGE
-          value: {{ with .Values }}{{ with .routeInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-init:v0.17.0{{- end }}{{- else -}}signadot/route-sidecar-init:v0.17.0{{- end }}{{- else -}}signadot/route-sidecar-init:v0.17.0{{- end }}
+          value: {{ with .Values }}{{ with .routeInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-init:v0.18.0{{- end }}{{- else -}}signadot/route-sidecar-init:v0.18.0{{- end }}{{- else -}}signadot/route-sidecar-init:v0.18.0{{- end }}
         - name: LEGACY_SIDECAR_INIT_IMAGE
           value: {{ with .Values }}{{ with .routeInit }}{{ with .legacy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}
         - name: ROUTE_SIDECAR_IMAGE
-          value: {{ with .Values }}{{ with .routeSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar:v0.17.0{{- end }}{{- else -}}signadot/route-sidecar:v0.17.0{{- end }}{{- else -}}signadot/route-sidecar:v0.17.0{{- end }}
+          value: {{ with .Values }}{{ with .routeSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar:v0.18.0{{- end }}{{- else -}}signadot/route-sidecar:v0.18.0{{- end }}{{- else -}}signadot/route-sidecar:v0.18.0{{- end }}
         - name: LEGACY_ROUTE_SIDECAR_IMAGE
-          value: {{ with .Values }}{{ with .routeSidecar }}{{ with .legacy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-legacy:v0.17.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.17.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.17.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.17.0{{- end }}
+          value: {{ with .Values }}{{ with .routeSidecar }}{{ with .legacy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-legacy:v0.18.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.18.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.18.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.18.0{{- end }}
         - name: IO_INIT_IMAGE
-          value: {{ with .Values }}{{ with .ioInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-init:v0.17.0{{- end }}{{- else -}}signadot/io-init:v0.17.0{{- end }}{{- else -}}signadot/io-init:v0.17.0{{- end }}
+          value: {{ with .Values }}{{ with .ioInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-init:v0.18.0{{- end }}{{- else -}}signadot/io-init:v0.18.0{{- end }}{{- else -}}signadot/io-init:v0.18.0{{- end }}
         - name: IO_SIDECAR_IMAGE
-          value: {{ with .Values }}{{ with .ioSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-sidecar:v0.17.0{{- end }}{{- else -}}signadot/io-sidecar:v0.17.0{{- end }}{{- else -}}signadot/io-sidecar:v0.17.0{{- end }}
+          value: {{ with .Values }}{{ with .ioSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-sidecar:v0.18.0{{- end }}{{- else -}}signadot/io-sidecar:v0.18.0{{- end }}{{- else -}}signadot/io-sidecar:v0.18.0{{- end }}
         - name: JOB_EXECUTOR_INIT_IMAGE
-          value: {{ with .Values }}{{ with .jobExecutorInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/job-executor-init:v0.17.0{{- end }}{{- else -}}signadot/job-executor-init:v0.17.0{{- end }}{{- else -}}signadot/job-executor-init:v0.17.0{{- end }}
-        image: {{ with .Values }}{{ with .operator }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/operator:v0.17.0{{- end }}{{- else -}}signadot/operator:v0.17.0{{- end }}{{- else -}}signadot/operator:v0.17.0{{- end }}
+          value: {{ with .Values }}{{ with .jobExecutorInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/job-executor-init:v0.18.0{{- end }}{{- else -}}signadot/job-executor-init:v0.18.0{{- end }}{{- else -}}signadot/job-executor-init:v0.18.0{{- end }}
+        - name: JOB_EXECUTOR_PROXY_IMAGE
+          value: {{ with .Values }}{{ with .jobExecutorProxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/job-executor-proxy:v0.18.0{{- end }}{{- else -}}signadot/job-executor-proxy:v0.18.0{{- end }}{{- else -}}signadot/job-executor-proxy:v0.18.0{{- end }}
+        image: {{ with .Values }}{{ with .operator }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/operator:v0.18.0{{- end }}{{- else -}}signadot/operator:v0.18.0{{- end }}{{- else -}}signadot/operator:v0.18.0{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .operator }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         livenessProbe:
           httpGet:

diff --git a/signadot/operator/templates/signadot-routeserver-clusterrole.yaml b/signadot/operator/templates/signadot-routeserver-clusterrole.yaml
@@ -20,3 +20,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/signadot/operator/templates/tunnel-api-deployment.yaml b/signadot/operator/templates/tunnel-api-deployment.yaml
@@ -45,7 +45,7 @@ spec:
 {{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}
 {{ with .Values }}{{ with .tunnel }}{{ with .config }}{{ with .externalDNS }}{{ with .syncInterval }}        - --external-dns-resync-interval={{ . }}
 {{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}
-        image: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-api:v0.17.0{{- end }}{{- else -}}signadot/tunnel-api:v0.17.0{{- end }}{{- else -}}signadot/tunnel-api:v0.17.0{{- end }}{{- else -}}signadot/tunnel-api:v0.17.0{{- end }}
+        image: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-api:v0.18.0{{- end }}{{- else -}}signadot/tunnel-api:v0.18.0{{- end }}{{- else -}}signadot/tunnel-api:v0.18.0{{- end }}{{- else -}}signadot/tunnel-api:v0.18.0{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         name: tunnel-api
         ports:

diff --git a/signadot/operator/templates/tunnel-auditor-config-configmap.yaml b/signadot/operator/templates/tunnel-auditor-config-configmap.yaml
@@ -125,7 +125,6 @@ data:
                       idleTimeout: 3600s
                       maxStreamDuration:
                         maxStreamDuration: 0s
-                        maxStreamDuration: 0s
 
           # TCP proxy
         - filters:
@@ -246,6 +245,14 @@ data:
               - name: envoy.filters.http.router
                 typed_config:
                   "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+              # enable HTTP CONNECT and Websockets
+              http2_protocol_options:
+                allow_connect: true
+              upgrade_configs:
+              - upgrade_type: CONNECT
+              - upgrade_type: websocket
+
               route_config:
                 name: local_route
                 virtual_hosts:
@@ -260,7 +267,6 @@ data:
                       idleTimeout: 3600s
                       maxStreamDuration:
                         maxStreamDuration: 0s
-                        maxStreamDuration: 0s
 
           # TCP filter
         - filters:

diff --git a/signadot/operator/templates/tunnel-proxy-deployment.yaml b/signadot/operator/templates/tunnel-proxy-deployment.yaml
@@ -60,7 +60,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-proxy:v0.17.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.17.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.17.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.17.0{{- end }}
+        image: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-proxy:v0.18.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.18.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.18.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.18.0{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         name: tunnel-proxy
         ports:
@@ -108,7 +108,7 @@ spec:
           value: "10000"
         - name: OUTBOUND_AUDITOR_PORT
           value: "10001"
-        image: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-auditor-init:v0.17.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.17.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.17.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.17.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.17.0{{- end }}
+        image: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-auditor-init:v0.18.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.18.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.18.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.18.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.18.0{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
         name: auditor-init
         securityContext: