diff --git a/charts/gateway-helm/templates/certgen-rbac.yaml b/charts/gateway-helm/templates/certgen-rbac.yaml
index ff805dad3db7..81bf1a820b8c 100644
--- a/charts/gateway-helm/templates/certgen-rbac.yaml
+++ b/charts/gateway-helm/templates/certgen-rbac.yaml
@@ -5,8 +5,14 @@ metadata:
 namespace: '{{ .Release.Namespace }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
+ {{- if .Values.certgen.rbac.labels }}
+ {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+ {{- end }}
 annotations:
 "helm.sh/hook": pre-install
+ {{- if .Values.certgen.rbac.annotations }}
+ {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+ {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -15,8 +21,14 @@ metadata:
 namespace: '{{ .Release.Namespace }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
+ {{- if .Values.certgen.rbac.labels }}
+ {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+ {{- end }}
 annotations:
 "helm.sh/hook": pre-install
+ {{- if .Values.certgen.rbac.annotations }}
+ {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+ {{- end }}
 rules:
 - apiGroups:
 - ""
@@ -34,8 +46,14 @@ metadata:
 namespace: '{{ .Release.Namespace }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
+ {{- if .Values.certgen.rbac.labels }}
+ {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+ {{- end }}
 annotations:
 "helm.sh/hook": pre-install
+ {{- if .Values.certgen.rbac.annotations }}
+ {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml
index c1e9b16fd6d7..4d49597fec0b 100644
--- a/charts/gateway-helm/templates/certgen.yaml
+++ b/charts/gateway-helm/templates/certgen.yaml
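Review bot: The same six-line labels/annotations fragment is pasted into all three objects in this file, and the annotations half again in certgen.yaml; a named template in `_helpers.tpl`, included as `{{- include "eg.certgen.metadata" . | nindent 4 }}`, would keep the copies from drifting. Nothing tells the user that a `certgen.rbac.annotations` entry keyed `helm.sh/hook` does not override the hook: it renders a second `helm.sh/hook` key under the same `annotations:` map, which the YAML parser will either reject or resolve arbitrarily depending on version, so the hook behaviour of these RBAC objects is effectively not configurable through this value and the values file should say so. The `-}}` on the annotations `toYaml` line versus `}}` on the labels line makes no difference to the output here because the following `{{- end }}` trims anyway, but one form is easier to reason about.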
@@ -7,6 +7,9 @@ metadata: {{- include "eg.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-install + {{- if .Values.certgen.job.annotations }} + {{- toYaml .Values.certgen.job.annotations | nindent 4 -}} + {{- end }} spec: backoffLimit: 1 completions: 1 @@ -37,4 +40,6 @@ spec: runAsNonRoot: true runAsUser: 65534 serviceAccountName: {{ include "eg.fullname" . }}-certgen - ttlSecondsAfterFinished: 0 + {{- if not ( kindIs "invalid" .Values.certgen.job.ttlSecondsAfterFinished) }} + ttlSecondsAfterFinished: {{ .Values.certgen.job.ttlSecondsAfterFinished }} + {{- end }} diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 5dc0e579af0f..d4836f96c795 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -55,3 +55,11 @@ envoyGatewayMetricsService: createNamespace: false kubernetesClusterDomain: cluster.local + +certgen: + job: + annotations: {} + ttlSecondsAfterFinished: 0 + rbac: + annotations: {} + labels: {} diff --git a/internal/envoygateway/scheme.go b/internal/envoygateway/scheme.go index b50af115570b..911ae7083513 100644 --- a/internal/envoygateway/scheme.go +++ b/internal/envoygateway/scheme.go @@ -10,6 +10,7 @@ import ( clientgoscheme "k8s.io/client-go/kubernetes/scheme" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" mcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -37,6 +38,9 @@ func init() { if err := gwapiv1.AddToScheme(scheme); err != nil { panic(err) } + if err := gwapiv1b1.AddToScheme(scheme); err != nil { + panic(err) + } if err := gwapiv1a2.AddToScheme(scheme); err != nil { panic(err) } diff --git a/internal/gatewayapi/resource.go b/internal/gatewayapi/resource.go index cf9810b2d703..6379590686d2 100644 --- a/internal/gatewayapi/resource.go +++ b/internal/gatewayapi/resource.go 
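Review bot: The `kindIs "invalid"` guard in the second hunk makes `certgen.job.ttlSecondsAfterFinished: null` a meaningful setting, since the field is then omitted and the completed certgen Job and its pod stay in the namespace (Helm does not manage hook resources after they run, and no `helm.sh/hook-delete-policy` is set), but neither values.tmpl.yaml nor api.md in this commit describes that. Suggest a comment above the default in values.tmpl.yaml: `# 0 deletes the certgen Job as soon as it finishes; set to null to keep the Job and its pod logs.` The Job receives `annotations` but, unlike the RBAC objects in certgen-rbac.yaml, no `labels` value; if that asymmetry is intended, one sentence in the description would save the next contributor from "fixing" it.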
@@ -11,6 +11,7 @@ import (
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 mcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
 
 egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
@@ -33,7 +34,7 @@ type Resources struct {
 TLSRoutes []*gwapiv1a2.TLSRoute `json:"tlsRoutes,omitempty" yaml:"tlsRoutes,omitempty"`
 TCPRoutes []*gwapiv1a2.TCPRoute `json:"tcpRoutes,omitempty" yaml:"tcpRoutes,omitempty"`
 UDPRoutes []*gwapiv1a2.UDPRoute `json:"udpRoutes,omitempty" yaml:"udpRoutes,omitempty"`
- ReferenceGrants []*gwapiv1a2.ReferenceGrant `json:"referenceGrants,omitempty" yaml:"referenceGrants,omitempty"`
+ ReferenceGrants []*gwapiv1b1.ReferenceGrant `json:"referenceGrants,omitempty" yaml:"referenceGrants,omitempty"`
 Namespaces []*v1.Namespace `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 Services []*v1.Service `json:"services,omitempty" yaml:"services,omitempty"`
 ServiceImports []*mcsapi.ServiceImport `json:"serviceImports,omitempty" yaml:"serviceImports,omitempty"`
@@ -56,7 +57,7 @@ func NewResources() *Resources {
 Services: []*v1.Service{},
 EndpointSlices: []*discoveryv1.EndpointSlice{},
 Secrets: []*v1.Secret{},
- ReferenceGrants: []*gwapiv1a2.ReferenceGrant{},
+ ReferenceGrants: []*gwapiv1b1.ReferenceGrant{},
 Namespaces: []*v1.Namespace{},
 RateLimitFilters: []*egv1a1.RateLimitFilter{},
 AuthenticationFilters: []*egv1a1.AuthenticationFilter{},
diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go
index 3449873cee23..ed30fb531423 100644
--- a/internal/gatewayapi/translator_test.go
+++ b/internal/gatewayapi/translator_test.go
@@ -25,7 +25,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/intstr"
- "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ "sigs.k8s.io/gateway-api/apis/v1beta1"
 "sigs.k8s.io/yaml"
 
 egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
@@ -537,7 +537,7 @@ func TestIsValidCrossNamespaceRef(t *testing.T) {
 name string
 from crossNamespaceFrom
 to crossNamespaceTo
- referenceGrant *v1alpha2.ReferenceGrant
+ referenceGrant *v1beta1.ReferenceGrant
 want bool
 }
 
@@ -559,20 +559,20 @@ func TestIsValidCrossNamespaceRef(t *testing.T) {
 namespace: "default",
 name: "tls-secret-1",
 },
- referenceGrant: &v1alpha2.ReferenceGrant{
+ referenceGrant: &v1beta1.ReferenceGrant{
 ObjectMeta: metav1.ObjectMeta{
 Name: "referencegrant-1",
 Namespace: "default",
 },
- Spec: v1alpha2.ReferenceGrantSpec{
- From: []v1alpha2.ReferenceGrantFrom{
+ Spec: v1beta1.ReferenceGrantSpec{
+ From: []v1beta1.ReferenceGrantFrom{
 {
 Group: "gateway.networking.k8s.io",
 Kind: "Gateway",
 Namespace: "envoy-gateway-system",
 },
 },
- To: []v1alpha2.ReferenceGrantTo{
+ To: []v1beta1.ReferenceGrantTo{
 {
 Group: "",
 Kind: "Secret",
@@ -642,7 +642,7 @@ func TestIsValidCrossNamespaceRef(t *testing.T) {
 for _, tc := range testcases {
 tc := tc
 t.Run(tc.name, func(t *testing.T) {
- var referenceGrants []*v1alpha2.ReferenceGrant
+ var referenceGrants []*v1beta1.ReferenceGrant
 if tc.referenceGrant != nil {
 referenceGrants = append(referenceGrants, tc.referenceGrant)
 }
diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go
index d835dea1518c..a6d18487e765 100644
--- a/internal/gatewayapi/validate.go
+++ b/internal/gatewayapi/validate.go
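Review bot: The test file imports the package under its bare name `v1beta1` while every non-test file touched by this commit (resource.go, validate.go, controller.go) aliases it `gwapiv1b1`, and a bare `v1beta1` is easy to confuse with the other API groups imported alongside it. Suggest `gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"` in the import hunk and `referenceGrant *gwapiv1b1.ReferenceGrant` (likewise for the `Spec`, `From`, `To` and `var referenceGrants` lines) in the later hunks of this file. TestIsValidCrossNamespaceRef starts and ends outside the hunks shown.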
@@ -16,6 +16,7 @@ import (
 "k8s.io/apimachinery/pkg/util/validation"
 gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
 
 func (t *Translator) validateBackendRef(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext,
@@ -629,7 +630,7 @@ func (t *Translator) validateConflictedLayer4Listeners(gateways []*GatewayContex
 }
 }
 
-func (t *Translator) validateCrossNamespaceRef(from crossNamespaceFrom, to crossNamespaceTo, referenceGrants []*gwapiv1a2.ReferenceGrant) bool {
+func (t *Translator) validateCrossNamespaceRef(from crossNamespaceFrom, to crossNamespaceTo, referenceGrants []*gwapiv1b1.ReferenceGrant) bool {
 for _, referenceGrant := range referenceGrants {
 // The ReferenceGrant must be defined in the namespace of
 // the "to" (the referent).
diff --git a/internal/gatewayapi/zz_generated.deepcopy.go b/internal/gatewayapi/zz_generated.deepcopy.go
index b69bd8fdffb6..5fa57b086567 100644
--- a/internal/gatewayapi/zz_generated.deepcopy.go
+++ b/internal/gatewayapi/zz_generated.deepcopy.go
@@ -16,6 +16,7 @@ import (
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "sigs.k8s.io/gateway-api/apis/v1"
 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ "sigs.k8s.io/gateway-api/apis/v1beta1"
 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
 )
 
@@ -95,11 +96,11 @@ func (in *Resources) DeepCopyInto(out *Resources) {
 }
 if in.ReferenceGrants != nil {
 in, out := &in.ReferenceGrants, &out.ReferenceGrants
- *out = make([]*v1alpha2.ReferenceGrant, len(*in))
+ *out = make([]*v1beta1.ReferenceGrant, len(*in))
 for i := range *in {
 if (*in)[i] != nil {
 in, out := &(*in)[i], &(*out)[i]
- *out = new(v1alpha2.ReferenceGrant)
+ *out = new(v1beta1.ReferenceGrant)
 (*in).DeepCopyInto(*out)
 }
 }
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index 27f7dd35b5d9..4517f1e7522b 100644
--- a/internal/provider/kubernetes/controller.go
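Review bot: `validateCrossNamespaceRef` in the second validate.go hunk still has no doc comment, and as the one gate that decides whether a cross-namespace Secret or backend reference is honoured its contract deserves to be stated at the signature rather than only in the loop body. Suggest `// validateCrossNamespaceRef reports whether one of referenceGrants, living in the namespace of to, permits from to reference to.` and, if the loop falls through to `return false`, adding `// No matching grant: cross-namespace references fail closed.` on that line. The function body continues outside the hunk, so the fail-closed return is inferred from the visible comment rather than seen; confirm before adopting the second sentence.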
+++ b/internal/provider/kubernetes/controller.go
@@ -27,6 +27,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/source"
 gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 mcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
 
 egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
@@ -133,7 +134,7 @@ type resourceMappings struct {
 // Map for storing backendRefs' NamespaceNames referred by various Route objects.
 allAssociatedBackendRefs map[gwapiv1.BackendObjectReference]struct{}
 // Map for storing referenceGrant NamespaceNames for BackendRefs, SecretRefs.
- allAssociatedRefGrants map[types.NamespacedName]*gwapiv1a2.ReferenceGrant
+ allAssociatedRefGrants map[types.NamespacedName]*gwapiv1b1.ReferenceGrant
 // authenFilters is a map of AuthenticationFilters, where the key is the
 // namespaced name of the AuthenticationFilter.
 authenFilters map[types.NamespacedName]*egv1a1.AuthenticationFilter
@@ -150,7 +151,7 @@ func newResourceMapping() *resourceMappings {
 return &resourceMappings{
 allAssociatedNamespaces: map[string]struct{}{},
 allAssociatedBackendRefs: map[gwapiv1.BackendObjectReference]struct{}{},
- allAssociatedRefGrants: map[types.NamespacedName]*gwapiv1a2.ReferenceGrant{},
+ allAssociatedRefGrants: map[types.NamespacedName]*gwapiv1b1.ReferenceGrant{},
 authenFilters: map[types.NamespacedName]*egv1a1.AuthenticationFilter{},
 rateLimitFilters: map[types.NamespacedName]*egv1a1.RateLimitFilter{},
 extensionRefFilters: map[types.NamespacedName]unstructured.Unstructured{},
@@ -445,8 +446,8 @@ func (r *gatewayAPIReconciler) statusUpdateForGateway(ctx context.Context, gtw * }) } -func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to ObjectKindNamespacedName) (*gwapiv1a2.ReferenceGrant, error) { - refGrantList := new(gwapiv1a2.ReferenceGrantList) +func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to ObjectKindNamespacedName) (*gwapiv1b1.ReferenceGrant, error) { + refGrantList := new(gwapiv1b1.ReferenceGrantList) opts := &client.ListOptions{FieldSelector: fields.OneTermEqualSelector(targetRefGrantRouteIndex, to.kind)} if err := r.client.List(ctx, refGrantList, opts); err != nil { return nil, fmt.Errorf("failed to list ReferenceGrants: %v", err) @@ -454,7 +455,7 @@ func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to refGrants := refGrantList.Items if len(r.namespaceLabels) != 0 { - var rgs []gwapiv1a2.ReferenceGrant + var rgs []gwapiv1b1.ReferenceGrant for _, refGrant := range refGrants { ns := refGrant.GetNamespace() ok, err := r.checkObjectNamespaceLabels(ns) @@ -607,8 +608,8 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, acceptedGC * } func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error { - if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.ReferenceGrant{}, targetRefGrantRouteIndex, func(rawObj client.Object) []string { - refGrant := rawObj.(*gwapiv1a2.ReferenceGrant) + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, func(rawObj client.Object) []string { + refGrant := rawObj.(*gwapiv1b1.ReferenceGrant) var referredServices []string for _, target := range refGrant.Spec.To { referredServices = append(referredServices, string(target.Kind)) 
@@ -1478,7 +1479,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M rgPredicates = append(rgPredicates, predicate.NewPredicateFuncs(r.hasMatchingNamespaceLabels)) } if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.ReferenceGrant{}), + source.Kind(mgr.GetCache(), &gwapiv1b1.ReferenceGrant{}), handler.EnqueueRequestsFromMapFunc(r.enqueueClass), rgPredicates..., ); err != nil { diff --git a/internal/xds/translator/cors.go b/internal/xds/translator/cors.go index d8eedd779f89..b95070b9be26 100644 --- a/internal/xds/translator/cors.go +++ b/internal/xds/translator/cors.go @@ -26,7 +26,7 @@ const ( ) // patchHCMWithCorsFilter builds and appends the Cors Filter to the HTTP -// Connection Manager if applicable, and it does not already exist. +// Connection Manager if applicable. func patchHCMWithCorsFilter(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error { if mgr == nil { return errors.New("hcm is nil") @@ -43,7 +43,9 @@ func patchHCMWithCorsFilter(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTT // Return early if filter already exists. for _, httpFilter := range mgr.HttpFilters { if httpFilter.Name == corsFilter { - return nil + // This should not happen since this is the only place where the cors + // filter is added in a listener. + return fmt.Errorf("cors filter already exists in hcm: %+v", mgr) } } @@ -106,6 +108,8 @@ func patchRouteWithCorsConfig(route *routev3.Route, irRoute *ir.HTTPRoute) error filterCfg := route.GetTypedPerFilterConfig() if _, ok := filterCfg[corsFilter]; ok { + // This should not happen since this is the only place where the cors + // filter is added in a route. return fmt.Errorf("route already contains cors config: %+v", route) } diff --git a/site/content/en/latest/install/api.md b/site/content/en/latest/install/api.md index 857a00817351..d1a2b6601893 100644 --- a/site/content/en/latest/install/api.md +++ b/site/content/en/latest/install/api.md 
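Review bot: Watching `gwapiv1b1.ReferenceGrant` in this hunk (and the matching `IndexField` and `List` calls in the earlier controller.go hunks) requires the installed Gateway API CRD to serve `v1beta1` for ReferenceGrant; on a cluster whose CRDs only serve `v1alpha2`, the informer cannot sync and the controller will not come up. Failing to start is the right outcome for the resource that authorises cross-namespace Secret and backend references, but the new minimum CRD version should be stated in the commit message and release notes so operators do not read the startup failure as a regression. `watchResources` starts and ends outside the hunk, so I cannot see whether the watch error is surfaced with the object kind; if it is not, wrapping it as `fmt.Errorf("watching ReferenceGrant: %w", err)` would make the CRD mismatch obvious.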
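Review bot: The new error in `patchHCMWithCorsFilter` formats the whole `HttpConnectionManager` with `%+v`, so a single invariant violation writes the complete listener configuration, every filter's settings included, into the error and whatever logs it; naming the object is enough to locate it. Suggest `return fmt.Errorf("cors filter already exists in hcm %q", mgr.GetStatPrefix())`, and the pre-existing route error in the third hunk has the same shape and could become `return fmt.Errorf("route %q already contains cors config", route.GetName())`. The doc comment now ends at "if applicable." while the function also returns an error when the filter is already present; `// Connection Manager if applicable; it returns an error if the filter is already present.` would match the new behaviour. Both functions continue outside their hunks.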
@@ -24,6 +24,10 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| +| certgen.job.annotations | object | `{}` | | +| certgen.job.ttlSecondsAfterFinished | int | `0` | | +| certgen.rbac.annotations | object | `{}` | | +| certgen.rbac.labels | object | `{}` | | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | diff --git a/site/content/en/latest/user/rate-limit.md b/site/content/en/latest/user/rate-limit.md index a2781fe0a906..cee28080b9c7 100644 --- a/site/content/en/latest/user/rate-limit.md +++ b/site/content/en/latest/user/rate-limit.md @@ -734,11 +734,17 @@ for i in {1..4}; do grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOS ``` ```console -Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo": +{ + "text": "pong" +} -Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo": +{ + "text": "pong" +} -Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo": +{ + "text": "pong" +} Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo": diff --git a/site/content/en/latest/user/secure-gateways.md b/site/content/en/latest/user/secure-gateways.md index 25f6808292f7..c2b91f0b9376 100644 --- a/site/content/en/latest/user/secure-gateways.md +++ b/site/content/en/latest/user/secure-gateways.md @@ -173,7 +173,7 @@ namespace to reference Secrets in the "envoy-gateway-system" namespace: ```console $ cat <
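Review bot: The four new `certgen.*` rows leave the Description column empty, so the table says neither which objects the annotations and labels are applied to nor what `ttlSecondsAfterFinished` controls. Suggest filling them in, for example `| certgen.job.ttlSecondsAfterFinished | int | `0` | Seconds to keep the finished certgen Job before it is deleted; set to null to keep it indefinitely. |` and "Extra annotations/labels added to the certgen ServiceAccount, Role and RoleBinding" for the two `certgen.rbac.*` rows. If api.md is generated from the values file, the text belongs in comments on the corresponding keys in values.tmpl.yaml instead.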