diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 3297b7dc6..d4759e74d 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -11,28 +11,38 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 + with: + fetch-depth: 0 - - name: Fetch history - run: git fetch --prune --unshallow + - name: Set up Helm + uses: azure/setup-helm@v1 + with: + version: v3.2.4 - - name: Run chart-testing (lint) - id: lint - uses: helm/chart-testing-action@v1.0.0 + - uses: actions/setup-python@v2 with: - command: lint - config: ct-main.yaml + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.0.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + + - name: Run chart-testing (lint) + run: ct lint --chart-repos bitnami=https://charts.bitnami.com/bitnami --remote origin - name: Create kind cluster - uses: helm/kind-action@v1.0.0-alpha.3 - with: - install_local_path_provisioner: true - if: steps.lint.outputs.changed == 'true' + uses: helm/kind-action@v1.0.0 + if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) - uses: helm/chart-testing-action@v1.0.0 - with: - command: install - config: ct-main.yaml + run: ct install release: needs: lint-test runs-on: ubuntu-latest @@ -49,18 +59,16 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" # See https://github.com/helm/chart-releaser-action/issues/6 - - name: Install Helm - run: | - curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get - chmod 700 get_helm.sh - ./get_helm.sh - helm init --client-only + - name: Set up Helm + uses: azure/setup-helm@v1 + with: + version: v3.2.4 - name: Add dependency chart repos run: | helm repo add bitnami https://charts.bitnami.com/bitnami - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.0.0-alpha.2 + uses: helm/chart-releaser-action@v1.1.0 env: CR_TOKEN: "${{ secrets.CR_TOKEN }}" diff --git a/.github/workflows/non-main.yaml b/.github/workflows/non-main.yaml index 998fbe8be..27c9044be 100644 --- a/.github/workflows/non-main.yaml +++ b/.github/workflows/non-main.yaml @@ -4,6 +4,7 @@ on: push: branches-ignore: - 'main' + - 'kong-1.x' pull_request: branches: - '**' @@ -14,23 +15,35 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 + with: + fetch-depth: 0 - - name: Fetch history - run: git fetch --prune --unshallow + - name: Set up Helm + uses: azure/setup-helm@v1 + with: + version: v3.2.4 - - name: Run chart-testing (lint) - id: lint - uses: helm/chart-testing-action@v1.0.0 + - uses: actions/setup-python@v2 with: - command: lint + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.0.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + + - name: Run chart-testing (lint) + run: ct lint --chart-repos bitnami=https://charts.bitnami.com/bitnami --check-version-increment false --remote origin - name: Create kind cluster - uses: helm/kind-action@v1.0.0-alpha.3 - with: - install_local_path_provisioner: true - if: steps.lint.outputs.changed == 'true' + uses: helm/kind-action@v1.0.0 + if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) - uses: helm/chart-testing-action@v1.0.0 - with: - command: install + run: ct install diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index f67f43f81..e299aa497 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md @@ -1,5 +1,51 @@ # Changelog +## 2.0.0-rc.1 + +### Breaking changes + +* Helm 2 is no longer supported. You **must** [migrate your Kong chart releases + to Helm 3](https://helm.sh/docs/topics/v2_v3_migration/) before updating to + this release. +* Deprecated [Portal auth settings](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters) + are no longer supported. +* The deprecated [`runMigrations` setting](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-migration-job-configuration) + is no longer supported. +* Deprecated [admin API Service configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-kong-service-configuration) + is no longer supported. +* Deprecated [multi-host proxy configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress) + is no longer supported. + +`helm upgrade` with the previous version (1.15.0) will print a warning message +if you still use any of the removed values.yaml configuration. If you do not +see any warnings after the upgrade completes, you are already using the modern +equivalents of these settings and can proceed with upgrading to 2.0.0-rc1. + +### Improvements + +* Admission webhook certificates persist after their initial creation. This + prevents an unnecessary restart of Kong Pods on upgrades that do not actually + modify the deployment. + ([#256](https://github.com/Kong/charts/pull/256)) +* `ingressController.installCRDs` now defaults to `false`, simplifying + installation on Helm 3. Installs now default to using Helm 3's CRD management + system, and do not require changes to values or install flags to install + successfully. + ([#305](https://github.com/Kong/charts/pull/305)) +* Added support for Pod `topologySpreadConstraints`. + ([#308](https://github.com/Kong/charts/pull/308)) + +### Fixed + +* Generated admission webhook certificates now include SANs for compatibility + with Go 1.15 controller builds. + ([#312](https://github.com/Kong/charts/pull/312)). + +### Documentation + +* Clarified use of `terminationGracePeriodSeconds`. + ([#302](https://github.com/Kong/charts/pull/302)) + ## 1.15.0 1.15.0 is an interim release before the planned release of 2.0.0. There were diff --git a/charts/kong/Chart.yaml b/charts/kong/Chart.yaml index dba9bac27..13397bf58 100644 --- a/charts/kong/Chart.yaml +++ b/charts/kong/Chart.yaml @@ -10,5 +10,5 @@ maintainers: email: traines@konghq.com name: kong sources: -version: 1.15.0 +version: 2.0.0-rc.1 appVersion: 2.3 diff --git a/charts/kong/README.md b/charts/kong/README.md index de965975e..d3804f9d6 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md @@ -14,17 +14,12 @@ This chart bootstraps all the components needed to run Kong on a $ helm repo add kong https://charts.konghq.com $ helm repo update -# Helm 2 -$ helm install kong/kong - -# Helm 3 -$ helm install kong/kong --generate-name --set ingressController.installCRDs=false +$ helm install kong/kong --generate-name ``` ## Table of contents - [Prerequisites](#prerequisites) -- [Helm 2 vs Helm 3](#important-helm-2-vs-helm-3) - [Install](#install) - [Uninstall](#uninstall) - [Kong Enterprise](#kong-enterprise) @@ -36,7 +31,7 @@ $ helm install kong/kong --generate-name --set ingressController.installCRDs=fal - [Separate admin and proxy nodes](#separate-admin-and-proxy-nodes) - [Standalone controller nodes](#standalone-controller-nodes) - [Hybrid mode](#hybrid-mode) - - [CRDs only](#crds-only) + - [CRD management](#crd-management) - [Sidecar containers](#sidecar-containers) - [Example configurations](#example-configurations) - [Configuration](#configuration) @@ -64,30 +59,6 @@ $ helm install kong/kong --generate-name --set ingressController.installCRDs=fal - PV provisioner support in the underlying infrastructure if persistence is needed for Kong datastore. -## Important: Helm 2 vs Helm 3 - -Custom Resource Definitions (CRDs) are handled differently in Helm 2 vs Helm 3. - -#### Helm 2 - -If you want CRDs to be installed, -make sure `ingressController.installCRDs` is set to `true` (the default value). -Set this value to `false` to skip installing CRDs. - -#### Helm 3 - -Make sure `ingressController.installCRDs` is set to `false`, -note that the default is `true`. -You can do so either by passing in a custom `values.yaml` -(`-f` when running helm) -or by passing `--set ingressController.installCRDs=false` -at the command line. - -**If you do not set this value to `false`, the helm chart will not install correctly.** - -Use helm CLI flag `--skip-crds` with `helm install` if you want to skip -CRD creation while creating a release. - ## Install To install Kong: @@ -96,10 +67,6 @@ To install Kong: $ helm repo add kong https://charts.konghq.com $ helm repo update -# Helm 2 -$ helm install kong/kong - -# Helm 3 $ helm install kong/kong --generate-name --set ingressController.installCRDs=false ``` @@ -427,17 +394,37 @@ documentation on Service DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) for more detail. -### CRDs only - -For Helm 2 installations, CRDs are managed as part of a release, and are -deleted if the release is. This can cause issues for clusters with multiple -Kong installations, as one release must remain in place for the rest to -function. To avoid this, you can create a CRD-only release by setting -`deployment.kong.enabled: false` and `ingressController.enabled: false`. - -On Helm 3, CRDs are created if necessary, but are not managed along with the -release. Releases can be deleted without affecting CRDs; CRDs are only removed -if you delete them manually. +### CRD management + +Earlier versions of this chart (<2.0) created CRDs associated with the ingress +controller as part of the release. This raised two challenges: + +- Multiple release of the chart would conflict with one another, as each would + attempt to create its own set of CRDs. +- Because deleting a CRD also deletes any custom resources associated with it, + deleting a release of the chart could destroy user configuration without + providing any means to restore it. + +Helm 3 introduced a simplified CRD management method that was safer, but +requires some manual work when a chart added or modified CRDs: CRDs are created +on install if they are not already present, but are not modified during +release upgrades or deletes. Our chart release upgrade instructions call out +when manual action is necessary to update CRDs. This CRD handling strategy is +recommended for most users. + +Some users may wish to manage their CRDs automatically. If you manage your CRDs +this way, we _strongly_ recommend that you back up all associated custom +resources in the event you need to recover from unintended CRD deletion. + +While Helm 3's CRD management system is recommended, there is no simple means +of migrating away from release-managed CRDs if you previously installed your +release with the old system (you would need to back up your existing custom +resources, delete your release, reinstall, and restore your custom resources +after). As such, the chart detects if you currently use release-managed CRDs +and continues to use the old CRD templates when using chart version 2.0+. If +you do (your resources will have a `meta.helm.sh/release-name` annotation), we +_strongly_ recommend that you back up all associated custom resources in the +event you need to recover from unintended CRD deletion. ### Sidecar Containers @@ -564,7 +551,7 @@ section of `values.yaml` file: | image.tag | Version of the ingress controller | 0.9.1 | | readinessProbe | Kong ingress controllers readiness probe | | | livenessProbe | Kong ingress controllers liveness probe | | -| installCRDs | Create CRDs. **FOR HELM3, MAKE SURE THIS VALUE IS SET TO `false`.** Regardless of value of this, Helm v3+ will install the CRDs if those are not present already. Use `--skip-crds` with `helm install` if you want to skip CRD creation. | true | +| installCRDs | Creates managed CRDs. | false | serviceAccount.create | Create Service Account for ingress controller | true | serviceAccount.name | Use existing Service Account, specify its name | "" | serviceAccount.annotations | Annotations for Service Account | {} @@ -594,8 +581,9 @@ For a complete list of all configuration values you can set in the | readinessProbe | Kong readiness probe | | | livenessProbe | Kong liveness probe | | | lifecycle | Proxy container lifecycle hooks | see `values.yaml` | -| terminationGracePeriodSeconds | Related to lifecycle hook | 30 | +| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 | | affinity | Node/pod affinities | | +| topologySpreadConstraints | Control how Pods are spread across cluster among failure-domains | | | nodeSelector | Node labels for pod assignment | `{}` | | deploymentAnnotations | Annotations to add to deployment | see `values.yaml` | | podAnnotations | Annotations to add to each pod | `{}` | @@ -676,9 +664,12 @@ configuration can be placed under the `.env` key. #### Kong Enterprise License -All Kong Enterprise deployments require a license. If you do not have a copy -of yours, please contact Kong Support. Once you have it, you will need to -store it in a Secret: +Kong Enterprise 2.3+ can run with or without a license. If you wish to run 2.3+ +without a license, you can skip this step and leave `enterprise.license_secret` +unset. Earlier versions require a license. + +If you have paid for a license, but you do not have a copy of yours, please +contact Kong Support. Once you have it, you will need to store it in a Secret: ```bash $ kubectl create secret generic kong-enterprise-license --from-file=license=./license.json diff --git a/charts/kong/UPGRADE.md b/charts/kong/UPGRADE.md index a42858e0e..8a35f6c73 100644 --- a/charts/kong/UPGRADE.md +++ b/charts/kong/UPGRADE.md @@ -17,6 +17,7 @@ upgrading from a previous version. ## Table of contents - [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions) +- [2.0.0-rc.1](#200-rc1) - [1.14.0](#1140) - [1.11.0](#1110) - [1.10.0](#1100) @@ -56,6 +57,43 @@ text ending with `field is immutable`. This is typically due to a bug with the If you encounter this error, deleting any existing `init-migrations` jobs will clear it. +## 2.0.0-rc1 + +### Support for Helm 2 dropped + +2.0.0 takes advantage of template functionality that is only available in Helm +3 and reworks values defaults to target Helm 3 CRD handling, and requires Helm +3 as such. If you are not already using Helm 3, you must migrate to it before +updating to 2.0.0 or later: + +https://helm.sh/docs/topics/v2_v3_migration/ + +If desired, you can migrate your Kong chart releases without migrating charts' +releases. + +### Support for deprecated 1.x features removed + +Several previous 1.x chart releases reworked sections of values.yaml while +maintaining support for the older version of those settings. 2.x drops support +for the older versions of these settings entirely: + +* [Portal auth settings](#removal-of-dedicated-portal-authentication-configuration-parameters) +* [The `runMigrations` setting](#changes-to-migration-job-configuration) +* [Single-stack admin API Service configuration](#changes-to-kong-service-configuration) +* [Multi-host proxy configuration](#removal-of-multi-host-proxy-ingress) + +Each deprecated setting is accompanied by a warning that appears at the end of +`helm upgrade` output on a 1.x release: + +``` +WARNING: You are currently using legacy ... +``` + +If you do not see any such warnings when upgrading a release using chart +1.15.0, you are not using deprecated configuration and are ready to upgrade to +2.0.0. If you do see these warnings, follow the linked instructions to migrate +to the current settings format. + ## 1.14.0 ### Removal of multi-host proxy Ingress diff --git a/charts/kong/ci/test4-values.yaml b/charts/kong/ci/test4-values.yaml index a9ecbe3fa..6c0cd63ad 100644 --- a/charts/kong/ci/test4-values.yaml +++ b/charts/kong/ci/test4-values.yaml @@ -1,20 +1,10 @@ # CI test for testing dbless deployment without ingress controllers using legacy admin listen and stream listens -# TODO: remove legacy admin listen behavior at a future date # - disable ingress controller ingressController: enabled: false installCRDs: false env: anonymous_reports: "false" -# - use legacy admin listen config -admin: - enabled: true - useTLS: true - servicePort: 8444 - containerPort: 8444 - ingress: - enabled: true - hostname: admin.kong.example # - disable DB for kong env: @@ -52,6 +42,3 @@ proxy: - ssl ingress: enabled: true - hosts: - - foo.kong.example - - bar.kong.example diff --git a/charts/kong/templates/NOTES.txt b/charts/kong/templates/NOTES.txt index c1df737c2..1e0bde66b 100644 --- a/charts/kong/templates/NOTES.txt +++ b/charts/kong/templates/NOTES.txt @@ -13,24 +13,4 @@ Kong: https://bit.ly/k4k8s-get-started {{ $warnings := list -}} -{{- if and (.Values.enterprise.portal.enabled) (or (.Values.enterprise.portal.portal_auth) (.Values.enterprise.portal.session_conf_secret)) -}} -{{/* Legacy Portal auth handling */}} -{{- $warnings = append $warnings "You are currently using legacy Portal authentication configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters" -}} -{{- end -}} - -{{- if .Values.admin.containerPort -}} -{{/* Legacy admin API listen */}} -{{- $warnings = append $warnings "You are currently using legacy admin API configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-kong-service-configuration" -}} -{{- end -}} - -{{- if .Values.runMigrations -}} -{{/* Legacy migration toggle */}} -{{- $warnings = append $warnings "You are currently using the legacy runMigrations setting in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-migration-job-configuration" -}} -{{- end -}} - -{{ if (hasKey .Values "proxy.ingress.hosts") -}} -{{/* Legacy proxy ingress */}} -{{- $warnings = append $warnings "You are currently using legacy proxy Ingress configuration in values.yaml. Support for this will be removed in a future release. Please see the upgrade guide for instructions to update your configuration: https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress" -}} -{{- end -}} - {{- include "kong.deprecation-warnings" $warnings -}} diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl index 8a2394531..0ea629acc 100644 --- a/charts/kong/templates/_helpers.tpl +++ b/charts/kong/templates/_helpers.tpl @@ -276,20 +276,12 @@ Create a single listen (IP+port+parameter combo) Return the local admin API URL, preferring HTTPS if available */}} {{- define "kong.adminLocalURL" -}} - {{- if .Values.admin.containerPort -}} {{/* TODO: Remove legacy admin behavior */}} - {{- if .Values.admin.useTLS -}} -https://localhost:{{ .Values.admin.containerPort }} - {{- else -}} -http://localhost:{{ .Values.admin.containerPort }} - {{- end -}} - {{- else -}} - {{- if .Values.admin.tls.enabled -}} + {{- if .Values.admin.tls.enabled -}} https://localhost:{{ .Values.admin.tls.containerPort }} - {{- else if .Values.admin.http.enabled -}} + {{- else if .Values.admin.http.enabled -}} http://localhost:{{ .Values.admin.http.containerPort }} - {{- else -}} + {{- else -}} http://localhost:9999 # You have no admin listens! The controller will not work unless you set .Values.admin.http.enabled=true or .Values.admin.tls.enabled=true! - {{- end -}} {{- end -}} {{- end -}} @@ -580,27 +572,15 @@ the template that it itself is using form the above sections. {{- $_ := set $autoEnv "KONG_KIC" "on" -}} {{- end -}} -{{/* -TODO: remove legacy admin listen behavior at a future date -*/}} - {{- with .Values.admin -}} {{- $address := "0.0.0.0" -}} {{- if (not .enabled) -}} {{- $address = "127.0.0.1" -}} {{- end -}} - {{- if .containerPort -}} {{/* Legacy admin listener */}} - {{- if .useTLS -}} - {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (printf "%s:%d ssl" $address (int64 .containerPort)) -}} - {{- else -}} - {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (printf "%s:%d" $address (int64 .containerPort)) -}} - {{- end -}} - {{- else -}} {{/* Modern admin listener */}} - {{- $listenConfig := dict -}} - {{- $listenConfig := merge $listenConfig . -}} - {{- $_ := set $listenConfig "address" $address -}} - {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} - {{- end -}} + {{- $listenConfig := dict -}} + {{- $listenConfig := merge $listenConfig . -}} + {{- $_ := set $listenConfig "address" $address -}} + {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} {{- end -}} {{- if .Values.admin.ingress.enabled }} @@ -647,12 +627,6 @@ TODO: remove legacy admin listen behavior at a future date {{- if .Values.portalapi.ingress.enabled }} {{- $_ := set $autoEnv "KONG_PORTAL_API_URL" (include "kong.ingress.serviceUrl" .Values.portalapi.ingress) -}} {{- end }} - - {{- if .Values.enterprise.portal.portal_auth }} {{/* TODO: deprecated, remove in a future version */}} - {{- $_ := set $autoEnv "KONG_PORTAL_AUTH" .Values.enterprise.portal.portal_auth -}} - {{- $portalSession := include "secretkeyref" (dict "name" .Values.enterprise.portal.session_conf_secret "key" "portal_session_conf") -}} - {{- $_ := set $autoEnv "KONG_PORTAL_SESSION_CONF" $portalSession -}} - {{- end }} {{- end }} {{- if .Values.enterprise.rbac.enabled }} @@ -689,8 +663,10 @@ TODO: remove legacy admin listen behavior at a future date {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "on" -}} {{- end }} - {{- $lic := include "secretkeyref" (dict "name" .Values.enterprise.license_secret "key" "license") -}} - {{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}} + {{- if .Values.enterprise.license_secret -}} + {{- $lic := include "secretkeyref" (dict "name" .Values.enterprise.license_secret "key" "license") -}} + {{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}} + {{- end }} {{- end }} {{/* End of the Enterprise settings block */}} diff --git a/charts/kong/templates/admission-webhook.yaml b/charts/kong/templates/admission-webhook.yaml index a9f2e2d76..78e930ab7 100644 --- a/charts/kong/templates/admission-webhook.yaml +++ b/charts/kong/templates/admission-webhook.yaml @@ -1,7 +1,20 @@ -{{- if .Values.ingressController.admissionWebhook.enabled }} -{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) }} +{{- if .Values.ingressController.admissionWebhook.enabled -}} +{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}} {{- $ca := genCA "kong-admission-ca" 3650 -}} -{{- $cert := genSignedCert $cn nil nil 3650 $ca -}} +{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}} +{{- $certCert := $cert.Cert -}} +{{- $certKey := $cert.Key -}} +{{- $caCert := $ca.Cert -}} +{{- $caKey := $ca.Key -}} + +{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}} +{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}} +{{- if $certSecret -}} +{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}} +{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}} +{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}} +{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}} +{{- end -}} kind: ValidatingWebhookConfiguration {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 @@ -30,7 +43,7 @@ webhooks: - kongconsumers - kongplugins clientConfig: - caBundle: {{ b64enc $ca.Cert }} + caBundle: {{ b64enc $caCert }} service: name: {{ template "kong.service.validationWebhook" . }} namespace: {{ template "kong.namespace" . }} @@ -54,6 +67,18 @@ spec: --- apiVersion: v1 kind: Secret +metadata: + name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $caCert }} + tls.key: {{ b64enc $caKey }} +--- +apiVersion: v1 +kind: Secret metadata: name: {{ template "kong.fullname" . }}-validation-webhook-keypair namespace: {{ template "kong.namespace" . }} @@ -61,6 +86,6 @@ metadata: {{- include "kong.metaLabels" . | nindent 4 }} type: kubernetes.io/tls data: - tls.crt: {{ b64enc $cert.Cert }} - tls.key: {{ b64enc $cert.Key }} + tls.crt: {{ b64enc $certCert }} + tls.key: {{ b64enc $certKey }} {{ end }} diff --git a/charts/kong/templates/custom-resource-definitions.yaml b/charts/kong/templates/custom-resource-definitions.yaml index 28321662a..b56039dec 100644 --- a/charts/kong/templates/custom-resource-definitions.yaml +++ b/charts/kong/templates/custom-resource-definitions.yaml @@ -1,9 +1,34 @@ -{{/* -This handles two cases where we should render this template. These map to the two top-level or clauses: -- This is a controller-managed Helm 2 install. The controller is enabled and installCRDs is enabled. -- This is a CRD-only install. Neither the controller nor Kong are enabled (the "not or") and installCRDs is enabled. -*/}} -{{- if (or (and .Values.ingressController.enabled .Values.ingressController.installCRDs) (and (not (or .Values.deployment.kong.enabled .Values.ingressController.enabled )) .Values.ingressController.installCRDs)) -}} +{{- $installCRDs := false -}} +{{- if .Values.ingressController.installCRDs -}} + {{- if .Values.ingressController.enabled -}} + {{/* Managed CRD installation is enabled, and the controller is enabled. + */}} + {{- $installCRDs = true -}} + {{- else if (not .Values.deployment.kong.enabled) -}} + {{/* Managed CRD installation is enabled, and neither the controller nor Kong or enabled. + This is a CRD-only release. + */}} + {{- $installCRDs = true -}} + {{- end -}} +{{- else -}} + {{/* Legacy default handling. CRD installation is _not_ enabled, but CRDs are already present + and are managed by this release. This release previously relied on the <2.0 default + .Values.ingressController.installCRDs=true. The default change would delete CRDs on upgrade, + which would cascade delete all associated CRs. This unexpected loss of configuration is bad, + so this clause pretends the default didn't change if you have an existing release that relied + on it + */}} + {{- $kongPluginCRD := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "kongplugins.configuration.konghq.com") -}} + {{- if $kongPluginCRD -}} + {{- if (hasKey $kongPluginCRD.metadata "annotations") -}} + {{- if (eq .Release.Name (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-name")) -}} + {{- $installCRDs = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- if $installCRDs -}} {{- range $path, $bytes := .Files.Glob "crds/*.yaml" }} {{ $.Files.Get $path }} --- diff --git a/charts/kong/templates/deployment.yaml b/charts/kong/templates/deployment.yaml index d64c192ed..be2825930 100644 --- a/charts/kong/templates/deployment.yaml +++ b/charts/kong/templates/deployment.yaml @@ -28,9 +28,6 @@ spec: template: metadata: annotations: - {{- if .Values.ingressController.admissionWebhook.enabled }} - checksum/admission-webhook.yaml: {{ include (print $.Template.BasePath "/admission-webhook.yaml") . | sha256sum }} - {{- end }} {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }} {{- if .Values.dblessConfig.config }} checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }} @@ -80,15 +77,6 @@ spec: lifecycle: {{- toYaml .Values.lifecycle | nindent 10 }} ports: - {{/* TODO: remove legacy admin port template */}} - {{- if (and .Values.admin.containerPort .Values.admin.enabled) }} - - name: admin - containerPort: {{ .Values.admin.containerPort }} - {{- if .Values.admin.hostPort }} - hostPort: {{ .Values.admin.hostPort }} - {{- end}} - protocol: TCP - {{- end }} {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }} - name: admin containerPort: {{ .Values.admin.http.containerPort }} @@ -228,6 +216,10 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.topologySpreadConstraints | indent 8 }} {{- end }} securityContext: {{- include "kong.podsecuritycontext" . | nindent 8 }} diff --git a/charts/kong/templates/migrations-post-upgrade.yaml b/charts/kong/templates/migrations-post-upgrade.yaml index c3adcd771..25be0d086 100644 --- a/charts/kong/templates/migrations-post-upgrade.yaml +++ b/charts/kong/templates/migrations-post-upgrade.yaml @@ -1,5 +1,5 @@ {{- if .Values.deployment.kong.enabled }} -{{- if (and (or (.Values.runMigrations) (.Values.migrations.postUpgrade)) (not (eq .Values.env.database "off"))) }} +{{- if (and .Values.migrations.postUpgrade (not (eq .Values.env.database "off"))) }} # Why is this Job duplicated and not using only helm hooks? # See: https://github.com/helm/charts/pull/7362 apiVersion: batch/v1 diff --git a/charts/kong/templates/migrations-pre-upgrade.yaml b/charts/kong/templates/migrations-pre-upgrade.yaml index 7d7e29005..9273becdf 100644 --- a/charts/kong/templates/migrations-pre-upgrade.yaml +++ b/charts/kong/templates/migrations-pre-upgrade.yaml @@ -1,5 +1,5 @@ {{- if .Values.deployment.kong.enabled }} -{{- if (and (or (.Values.runMigrations) (.Values.migrations.preUpgrade)) (not (eq .Values.env.database "off"))) }} +{{- if (and .Values.migrations.preUpgrade (not (eq .Values.env.database "off"))) }} # Why is this Job duplicated and not using only helm hooks? # See: https://github.com/helm/charts/pull/7362 apiVersion: batch/v1 diff --git a/charts/kong/templates/migrations.yaml b/charts/kong/templates/migrations.yaml index 6edd1622c..093fadea1 100644 --- a/charts/kong/templates/migrations.yaml +++ b/charts/kong/templates/migrations.yaml @@ -9,8 +9,6 @@ {{- $runInit := true -}} {{- if (hasKey .Values.migrations "init") -}} {{- $runInit = .Values.migrations.init -}} -{{- else if (hasKey .Values "runMigrations") -}} - {{- $runInit = .Values.runMigrations -}} {{- end -}} {{- if (and ($runInit) (not (eq .Values.env.database "off"))) }} diff --git a/charts/kong/templates/service-kong-admin.yaml b/charts/kong/templates/service-kong-admin.yaml index 854e245e7..c3f292528 100644 --- a/charts/kong/templates/service-kong-admin.yaml +++ b/charts/kong/templates/service-kong-admin.yaml @@ -1,83 +1,3 @@ -{{- if .Values.admin.containerPort -}} {{/* TODO: remove legacy admin handling */}} -{{- if .Values.deployment.kong.enabled }} -{{- if .Values.admin.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kong.fullname" . }}-admin - namespace: {{ template "kong.namespace" . }} - {{- if .Values.admin.annotations }} - annotations: - {{- range $key, $value := .Values.admin.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - {{- include "kong.metaLabels" . | nindent 4 }} -spec: - type: {{ .Values.admin.type }} - {{- if eq .Values.admin.type "LoadBalancer" }} - {{- if .Values.admin.loadBalancerIP }} - loadBalancerIP: {{ .Values.admin.loadBalancerIP }} - {{- end }} - {{- if .Values.admin.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.admin.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} - {{- end }} - {{- end }} - ports: - - name: kong-admin - port: {{ .Values.admin.servicePort }} - targetPort: {{ .Values.admin.containerPort }} - {{- if (and (eq .Values.admin.type "NodePort") (not (empty .Values.admin.nodePort))) }} - nodePort: {{ .Values.admin.nodePort }} - {{- end }} - protocol: TCP - selector: - {{- include "kong.selectorLabels" . | nindent 4 }} -{{- end -}} -{{- end }} ---- -{{ if .Values.admin.ingress.enabled -}} -{{- $serviceName := include "kong.fullname" . -}} -{{- $servicePort := .Values.admin.servicePort -}} -{{- $path := .Values.admin.ingress.path -}} -{{- $tls := .Values.admin.ingress.tls -}} -{{- $hostname := .Values.admin.ingress.hostname -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ template "kong.fullname" . }}-admin - namespace: {{ template "kong.namespace" . }} - labels: - {{- include "kong.metaLabels" . | nindent 4 }} - {{- if .Values.admin.ingress.annotations }} - annotations: - {{- range $key, $value := .Values.admin.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} -spec: - rules: - - host: {{ $hostname }} - http: - paths: - - path: {{ $path }} - backend: - serviceName: {{ $serviceName }}-admin - servicePort: {{ $servicePort }} - {{- if $tls }} - tls: - - hosts: - - {{ $hostname }} - secretName: {{ $tls }} - {{- end -}} -{{- end -}} - -{{- else -}} {{/* Modern admin handler */}} - {{- if .Values.deployment.kong.enabled }} {{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}} {{- $serviceConfig := dict -}} @@ -94,4 +14,3 @@ spec: {{- end -}} {{- end -}} {{- end -}} -{{- end -}} diff --git a/charts/kong/templates/service-kong-proxy.yaml b/charts/kong/templates/service-kong-proxy.yaml index 688e138df..58a255ea2 100644 --- a/charts/kong/templates/service-kong-proxy.yaml +++ b/charts/kong/templates/service-kong-proxy.yaml @@ -10,41 +10,7 @@ {{- include "kong.service" $serviceConfig }} {{ if .Values.proxy.ingress.enabled }} --- -{{ if (not (hasKey .Values.proxy.ingress "hosts")) -}} {{ include "kong.ingress" $serviceConfig }} -{{ else -}} {{/* TODO remove legacy proxy ingress handling */}} -{{- $serviceName := include "kong.fullname" . -}} -{{- $servicePort := include "kong.ingress.servicePort" .Values.proxy -}} -{{- $path := .Values.proxy.ingress.path -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ template "kong.fullname" . }}-proxy - namespace: {{ template "kong.namespace" . }} - labels: - {{- include "kong.metaLabels" . | nindent 4 }} - {{- if .Values.proxy.ingress.annotations }} - annotations: - {{- range $key, $value := .Values.proxy.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} -spec: - rules: - {{- range $host := .Values.proxy.ingress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: {{ $path }} - backend: - serviceName: {{ $serviceName }}-proxy - servicePort: {{ $servicePort }} - {{- end -}} - {{- if .Values.proxy.ingress.tls }} - tls: -{{ toYaml .Values.proxy.ingress.tls | indent 2 }} - {{- end -}} -{{- end -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index c4e7f2eb9..3ff74ddd5 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml @@ -358,8 +358,6 @@ ingressController: # The annotations for service account annotations: {} - installCRDs: true - # general properties livenessProbe: httpGet: @@ -483,7 +481,7 @@ lifecycle: # Note kong quit has a default timeout of 10 seconds command: ["/bin/sh", "-c", "/bin/sleep 15 && kong quit"] -# terminationGracePeriodSeconds is closely related to the lifecycle preStop hook +# Sets the termination grace period for pods spawned by the Kubernetes Deployment. # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution terminationGracePeriodSeconds: 30 @@ -491,6 +489,10 @@ terminationGracePeriodSeconds: 30 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # affinity: {} +# Topology spread constraints for pod assignment (requires Kubernetes >= 1.19) +# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +# topologySpreadConstraints: [] + # Tolerations for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: [] @@ -591,8 +593,9 @@ enterprise: enabled: false # Kong Enterprise license secret name # This secret must contain a single 'license' key, containing your base64-encoded license data - # The license secret is required for all Kong Enterprise deployments - license_secret: kong-enterprise-license + # The license secret is required to unlock all Enterprise features. If you omit it, + # Kong will run in free mode, with some Enterprise features disabled. + # license_secret: kong-enterprise-license vitals: enabled: true portal: diff --git a/ct-main.yaml b/ct-main.yaml deleted file mode 100644 index 96c4b069e..000000000 --- a/ct-main.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# See https://github.com/helm/chart-testing#configuration -remote: origin -chart-dirs: - - charts -chart-repos: - - bitnami=https://charts.bitnami.com/bitnami -helm-extra-args: --timeout 200s -check-version-increment: true diff --git a/ct.yaml b/ct.yaml deleted file mode 100644 index ccead6d06..000000000 --- a/ct.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# See https://github.com/helm/chart-testing#configuration -remote: origin -chart-dirs: - - charts -chart-repos: - - bitnami=https://charts.bitnami.com/bitnami -helm-extra-args: --timeout 200s -check-version-increment: false