From 1577b29365ec41ca0a1ddea724598d792e189c02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Thu, 12 Dec 2024 15:59:25 +0100 Subject: [PATCH] fix(ingress): add missing BackendTLSPolicy and ConfigMap RBAC policy rules (#1193) --- charts/ingress/CHANGELOG.md | 8 + charts/ingress/Chart.lock | 8 +- charts/ingress/Chart.yaml | 6 +- .../gateway-discovery-values.snap | 48 +- .../ci/__snapshots__/kic-3.4-values.snap | 1210 +++++++++++++++++ .../ingress/ci/gateway-discovery-values.yaml | 4 + charts/ingress/ci/kic-3.4-values.yaml | 24 + 7 files changed, 1277 insertions(+), 31 deletions(-) create mode 100644 charts/ingress/ci/__snapshots__/kic-3.4-values.snap create mode 100644 charts/ingress/ci/kic-3.4-values.yaml diff --git a/charts/ingress/CHANGELOG.md b/charts/ingress/CHANGELOG.md index daeaf5850..2d0a98b5f 100644 --- a/charts/ingress/CHANGELOG.md +++ b/charts/ingress/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## 0.15.2 + +### Fixes + +- Bumped dependencies on `kong/kong` chart to `==2.44.1`. Review the [kong chart + changelog](https://github.com/Kong/charts/blob/main/charts/kong/CHANGELOG.md#2441) + for details. + ## 0.15.1 ### Improvements diff --git a/charts/ingress/Chart.lock b/charts/ingress/Chart.lock index c9beaa4de..ab63852b3 100644 --- a/charts/ingress/Chart.lock +++ b/charts/ingress/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: kong repository: https://charts.konghq.com - version: 2.44.0 + version: 2.44.1 - name: kong repository: https://charts.konghq.com - version: 2.44.0 -digest: sha256:58a4e8a71ce164f70ccf271bafa1c755c50d268d4b23ae349d6ec05bc7347001 -generated: "2024-12-03T15:12:43.905029+01:00" + version: 2.44.1 +digest: sha256:81f18087a88702437a09db4562d12c2912a030cf6037243118dce13853d26880 +generated: "2024-12-12T15:30:27.400011+01:00" diff --git a/charts/ingress/Chart.yaml b/charts/ingress/Chart.yaml index 83d852e10..ec5f62bdb 100644 --- a/charts/ingress/Chart.yaml +++ b/charts/ingress/Chart.yaml 
@@ -8,16 +8,16 @@ maintainers: name: ingress sources: - https://github.com/Kong/charts/tree/main/charts/ingress -version: 0.15.1 +version: 0.15.2 appVersion: "3.7" dependencies: - name: kong - version: "=2.44.0" + version: "=2.44.1" repository: https://charts.konghq.com alias: controller condition: controller.enabled - name: kong - version: "=2.44.0" + version: "=2.44.1" repository: https://charts.konghq.com alias: gateway condition: gateway.enabled diff --git a/charts/ingress/ci/__snapshots__/gateway-discovery-values.snap b/charts/ingress/ci/__snapshots__/gateway-discovery-values.snap index d8fc3ba7a..12e95fa73 100644 --- a/charts/ingress/ci/__snapshots__/gateway-discovery-values.snap +++ b/charts/ingress/ci/__snapshots__/gateway-discovery-values.snap @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller namespace: default --- @@ -18,7 +18,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: gateway app.kubernetes.io/version: "3.7" - helm.sh/chart: gateway-2.44.0 + helm.sh/chart: gateway-2.44.1 name: chartsnap-gateway namespace: default --- @@ -33,7 +33,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -49,7 +49,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller-validation-webhook-keypair namespace: default type: kubernetes.io/tls 
@@ -65,7 +65,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller-admin-api-keypair namespace: default type: kubernetes.io/tls @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller-admin-api-ca-keypair namespace: default type: kubernetes.io/tls @@ -94,7 +94,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller rules: - apiGroups: @@ -390,7 +390,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -409,7 +409,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller namespace: default rules: @@ -473,7 +473,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller namespace: default roleRef: @@ -493,7 +493,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller-validation-webhook namespace: default spec: 
@@ -508,7 +508,7 @@ spec: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 --- apiVersion: v1 kind: Service @@ -518,7 +518,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller-metrics namespace: default spec: @@ -537,7 +537,7 @@ spec: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 --- apiVersion: v1 kind: Service @@ -547,7 +547,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: gateway app.kubernetes.io/version: "3.7" - helm.sh/chart: gateway-2.44.0 + helm.sh/chart: gateway-2.44.1 name: chartsnap-gateway-admin namespace: default spec: @@ -571,7 +571,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: gateway app.kubernetes.io/version: "3.7" - helm.sh/chart: gateway-2.44.0 + helm.sh/chart: gateway-2.44.1 name: chartsnap-gateway-manager namespace: default spec: @@ -599,7 +599,7 @@ metadata: app.kubernetes.io/name: gateway app.kubernetes.io/version: "3.7" enable-metrics: "true" - helm.sh/chart: gateway-2.44.0 + helm.sh/chart: gateway-2.44.1 name: chartsnap-gateway-proxy namespace: default spec: @@ -627,7 +627,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller namespace: default spec: @@ -653,7 +653,7 @@ spec: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 version: "3.7" spec: automountServiceAccountToken: false 
@@ -717,8 +717,8 @@ spec: path: /readyz port: 10254 scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 + initialDelaySeconds: 1 + periodSeconds: 1 successThreshold: 1 timeoutSeconds: 5 resources: {} @@ -785,7 +785,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: gateway app.kubernetes.io/version: "3.7" - helm.sh/chart: gateway-2.44.0 + helm.sh/chart: gateway-2.44.1 name: chartsnap-gateway namespace: default spec: @@ -809,7 +809,7 @@ spec: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: gateway app.kubernetes.io/version: "3.7" - helm.sh/chart: gateway-2.44.0 + helm.sh/chart: gateway-2.44.1 version: "3.7" spec: automountServiceAccountToken: false @@ -1037,7 +1037,7 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: controller app.kubernetes.io/version: "3.7" - helm.sh/chart: controller-2.44.0 + helm.sh/chart: controller-2.44.1 name: chartsnap-controller-validations namespace: default webhooks: diff --git a/charts/ingress/ci/__snapshots__/kic-3.4-values.snap b/charts/ingress/ci/__snapshots__/kic-3.4-values.snap new file mode 100644 index 000000000..ca3c5bcff --- /dev/null +++ b/charts/ingress/ci/__snapshots__/kic-3.4-values.snap 
@@ -0,0 +1,1210 @@ +# chartsnap: snapshot_version=v3 +--- +# Source: ingress/charts/controller/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: chartsnap-controller + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +--- +# Source: ingress/charts/gateway/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: chartsnap-gateway + namespace: default + labels: + app.kubernetes.io/name: gateway + helm.sh/chart: gateway-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +--- +# Source: ingress/charts/controller/templates/admission-webhook.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-controller-validation-webhook-ca-keypair + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: ingress/charts/controller/templates/admission-webhook.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-controller-validation-webhook-keypair + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: ingress/charts/controller/templates/service-kong-admin.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-controller-admin-api-keypair + namespace: default + labels: + app.kubernetes.io/name: controller + 
helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: ingress/charts/controller/templates/service-kong-admin.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-controller-admin-api-ca-keypair + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: ingress/charts/controller/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" + name: chartsnap-controller +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies/status + verbs: + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups 
+ verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: 
+ - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +# Source: ingress/charts/controller/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: chartsnap-controller + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-controller +subjects: +- kind: ServiceAccount + name: chartsnap-controller + namespace: default +--- +# Source: ingress/charts/controller/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 
+kind: Role +metadata: + name: chartsnap-controller + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. + - "kong-ingress-controller-leader-kong-kong" + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +# Begin KIC 2.x leader permissions +- apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - services + verbs: + - get +--- +# Source: ingress/charts/controller/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: chartsnap-controller + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-controller +subjects: +- kind: ServiceAccount + name: chartsnap-controller + namespace: default +--- +# Source: ingress/charts/controller/templates/admission-webhook.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-controller-validation-webhook + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + 
app.kubernetes.io/version: "3.7" +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" + app.kubernetes.io/component: app +--- +# Source: ingress/charts/controller/templates/controller-service-metrics.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-controller-metrics + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +spec: + ports: + - name: cmetrics + port: 10255 + protocol: TCP + targetPort: cmetrics + - name: status + port: 10254 + protocol: TCP + targetPort: cstatus + selector: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" + app.kubernetes.io/component: app +--- +# Source: ingress/charts/gateway/templates/service-kong-admin.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-gateway-admin + namespace: default + labels: + app.kubernetes.io/name: gateway + helm.sh/chart: gateway-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +spec: + type: ClusterIP + ports: + - name: kong-admin-tls + port: 8444 + targetPort: 8444 + protocol: TCP + clusterIP: None + selector: + app.kubernetes.io/name: gateway + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: ingress/charts/gateway/templates/service-kong-manager.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-gateway-manager + namespace: default + labels: + app.kubernetes.io/name: gateway + helm.sh/chart: gateway-2.44.1 + 
app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +spec: + type: NodePort + ports: + - name: kong-manager + port: 8002 + targetPort: 8002 + protocol: TCP + - name: kong-manager-tls + port: 8445 + targetPort: 8445 + protocol: TCP + selector: + app.kubernetes.io/name: gateway + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: ingress/charts/gateway/templates/service-kong-proxy.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-gateway-proxy + namespace: default + labels: + app.kubernetes.io/name: gateway + helm.sh/chart: gateway-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" + enable-metrics: "true" +spec: + type: LoadBalancer + ports: + - name: kong-proxy + port: 80 + targetPort: 8000 + protocol: TCP + - name: kong-proxy-tls + port: 443 + targetPort: 8443 + protocol: TCP + selector: + app.kubernetes.io/name: gateway + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: ingress/charts/controller/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-controller + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" + app.kubernetes.io/component: app +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-controller-token + kuma.io/gateway: "enabled" + traffic.kuma.io/exclude-outbound-ports: "8444" + traffic.sidecar.istio.io/excludeOutboundPorts: "8444" + traffic.sidecar.istio.io/includeInboundPorts: "" + labels: + 
app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" + app.kubernetes.io/component: app + app: chartsnap-controller + version: "3.7" + spec: + serviceAccountName: chartsnap-controller + automountServiceAccountToken: false + containers: + - name: ingress-controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + args: + ports: + - name: webhook + containerPort: 8080 + protocol: TCP + - name: cmetrics + containerPort: 10255 + protocol: TCP + - name: cstatus + containerPort: 10254 + protocol: TCP + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: "0.0.0.0:8080" + - name: CONTROLLER_ANONYMOUS_REPORTS + value: "false" + - name: CONTROLLER_ELECTION_ID + value: "kong-ingress-controller-leader-kong" + - name: CONTROLLER_INGRESS_CLASS + value: "kong" + - name: CONTROLLER_KONG_ADMIN_SVC + value: "default/chartsnap-gateway-admin" + - name: CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE + value: "/etc/secrets/admin-api-cert/tls.crt" + - name: CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE + value: "/etc/secrets/admin-api-cert/tls.key" + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: "true" + - name: CONTROLLER_PUBLISH_SERVICE + value: "default/chartsnap-gateway-proxy" + image: kong/nightly-ingress-controller:2024-12-12 + imagePullPolicy: IfNotPresent + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 
10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + volumeMounts: + - name: webhook-cert + mountPath: /admission-webhook + readOnly: true + - name: chartsnap-controller-token + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + - name: admin-api-cert + mountPath: /etc/secrets/admin-api-cert + readOnly: true + securityContext: {} + terminationGracePeriodSeconds: 30 + volumes: + - name: chartsnap-controller-prefix-dir + emptyDir: + sizeLimit: 256Mi + - name: chartsnap-controller-tmp + emptyDir: + sizeLimit: 1Gi + - name: chartsnap-controller-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-controller-validation-webhook-keypair + - name: admin-api-cert + secret: + secretName: chartsnap-controller-admin-api-keypair +--- +# Source: ingress/charts/gateway/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-gateway + namespace: default + labels: + app.kubernetes.io/name: gateway + helm.sh/chart: gateway-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" + app.kubernetes.io/component: app +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: gateway + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-gateway-token + kuma.io/gateway: "enabled" + traffic.sidecar.istio.io/includeInboundPorts: "" + labels: + app.kubernetes.io/name: gateway + helm.sh/chart: gateway-2.44.1 + app.kubernetes.io/instance: "chartsnap" + 
app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" + app.kubernetes.io/component: app + app: chartsnap-gateway + version: "3.7" + spec: + serviceAccountName: chartsnap-gateway + automountServiceAccountToken: false + initContainers: + - name: clear-stale-pid + image: kong:3.7 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + resources: {} + command: + - "rm" + - "-vrf" + - "$KONG_PREFIX/pids" + env: + - name: KONG_ADMIN_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_GUI_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_LISTEN + value: "0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl" + - name: KONG_ANONYMOUS_REPORTS + value: "off" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;/opt/?/init.lua;;" + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PORTAL_API_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PORT_MAPS + value: "80:8000, 443:8443" + - name: KONG_PREFIX + value: "/kong_prefix/" + - name: KONG_PROXY_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PROXY_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PROXY_LISTEN + value: "0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl" + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: "/dev/stdout basic" + - name: KONG_PROXY_STREAM_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ROLE + value: "traditional" + - name: KONG_ROUTER_FLAVOR + value: "traditional" + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: "/dev/stderr" + - name: KONG_STATUS_LISTEN + value: "0.0.0.0:8100, [::]:8100" + - 
name: KONG_STREAM_LISTEN + value: "off" + volumeMounts: + - name: chartsnap-gateway-prefix-dir + mountPath: /kong_prefix/ + - name: chartsnap-gateway-tmp + mountPath: /tmp + containers: + - name: "proxy" + image: kong:3.7 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + env: + - name: KONG_ADMIN_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_GUI_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_LISTEN + value: "0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl" + - name: KONG_ANONYMOUS_REPORTS + value: "off" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;/opt/?/init.lua;;" + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PORTAL_API_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PORT_MAPS + value: "80:8000, 443:8443" + - name: KONG_PREFIX + value: "/kong_prefix/" + - name: KONG_PROXY_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PROXY_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PROXY_LISTEN + value: "0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl" + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: "/dev/stdout basic" + - name: KONG_PROXY_STREAM_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ROLE + value: "traditional" + - name: KONG_ROUTER_FLAVOR + value: "traditional" + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: "/dev/stderr" + - name: KONG_STATUS_LISTEN + value: "0.0.0.0:8100, [::]:8100" + - name: KONG_STREAM_LISTEN + value: "off" + - name: KONG_NGINX_DAEMON + value: "off" + lifecycle: + preStop: + exec: + command: + - kong + - quit + 
- --wait=15 + ports: + - name: admin-tls + containerPort: 8444 + protocol: TCP + - name: proxy + containerPort: 8000 + protocol: TCP + - name: proxy-tls + containerPort: 8443 + protocol: TCP + - name: status + containerPort: 8100 + protocol: TCP + volumeMounts: + - name: chartsnap-gateway-prefix-dir + mountPath: /kong_prefix/ + - name: chartsnap-gateway-tmp + mountPath: /tmp + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: {} + terminationGracePeriodSeconds: 30 + volumes: + - name: chartsnap-gateway-prefix-dir + emptyDir: + sizeLimit: 256Mi + - name: chartsnap-gateway-tmp + emptyDir: + sizeLimit: 1Gi + - name: chartsnap-gateway-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +--- +# Source: ingress/charts/controller/templates/admission-webhook.yaml +kind: ValidatingWebhookConfiguration +apiVersion: admissionregistration.k8s.io/v1 +metadata: + name: chartsnap-controller-validations + namespace: default + labels: + app.kubernetes.io/name: controller + helm.sh/chart: controller-2.44.1 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.7" +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-controller-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: 
secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: "konghq.com/credential" + operator: "Exists" + - key: "konghq.com/credential" + operator: "NotIn" + values: + - "konnect" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-controller-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + - key: "konghq.com/credential" + operator: "NotIn" + values: + - "konnect" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- name: validations.kong.konghq.com + matchPolicy: Equivalent + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1"] + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - '' + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - 'v1alpha2' + - 'v1beta1' + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-controller-validation-webhook + namespace: default 
diff --git a/charts/ingress/ci/gateway-discovery-values.yaml b/charts/ingress/ci/gateway-discovery-values.yaml index cbd0d1489..8f19b14f1 100644 --- a/charts/ingress/ci/gateway-discovery-values.yaml +++ b/charts/ingress/ci/gateway-discovery-values.yaml @@ -1,8 +1,12 @@ controller: ingressController: + readinessProbe: + initialDelaySeconds: 1 + periodSeconds: 1 env: anonymous_reports: "false" enabled: true + image: repository: kong/kubernetes-ingress-controller diff --git a/charts/ingress/ci/kic-3.4-values.yaml b/charts/ingress/ci/kic-3.4-values.yaml new file mode 100644 index 000000000..6d98807e9 --- /dev/null +++ b/charts/ingress/ci/kic-3.4-values.yaml @@ -0,0 +1,24 @@ +controller: + ingressController: + readinessProbe: + initialDelaySeconds: 1 + periodSeconds: 1 + env: + anonymous_reports: "false" + enabled: true + + image: + repository: kong/nightly-ingress-controller + tag: "2024-12-12" + effectiveSemver: "3.4" + + gatewayDiscovery: + enabled: true + adminApi: + tls: + client: + enabled: true + +gateway: + env: + anonymous_reports: "off"
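Review bot: The added `readinessProbe` override (`initialDelaySeconds: 1`, `periodSeconds: 1`) in `ci/gateway-discovery-values.yaml` has no comment explaining why a CI values file probes every second, and it is unrelated to the RBAC fix named in the commit title. The regenerated snapshot keeps `timeoutSeconds: 5`, so the probe timeout is now longer than its period. If the intent is only to make the controller report ready sooner in CI, say so above the key, e.g. `# CI only: probe every second instead of the default 5s delay / 10s period so the test run is not held up by readiness timing`. The same stanza is repeated in `ci/kic-3.4-values.yaml`, so the comment applies there as well.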
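Review bot: In `ci/kic-3.4-values.yaml` the controller image is `kong/nightly-ingress-controller` with the date tag `2024-12-12`, which is not pinned by digest, and the generated snapshot renders it with `imagePullPolicy: IfNotPresent`. If these values are also used for an install test, the image that runs can drift from the one the snapshot was taken against whenever the tag is re-pushed. Nothing in the file says why a nightly is paired with `effectiveSemver: "3.4"`; presumably that value makes the chart render the new `backendtlspolicies` rules and the cluster-wide `configmaps` get/list/watch rule, which should be confirmed and stated. I would add above `image:` a comment such as `# nightly build stands in for KIC 3.4; effectiveSemver selects the 3.4 RBAC rules - switch to the release tag (or a digest) once it exists`. The snapshot for this case also shows `CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY` set to `"true"` next to `adminApi.tls.client.enabled: true`, so it covers client certificates but not verification of the admin API server certificate.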