Merge pull request #396 from Kong/next

[kong] release 2.2.0

.github/workflows/main.yaml

@@ -40,7 +40,7 @@ jobs:
         run: ct lint $COMMON_CT_ARGS
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.0.0
+        uses: helm/kind-action@v1.2.0
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)

.github/workflows/non-main.yaml

@@ -44,7 +44,7 @@ jobs:
         run: ct lint $COMMON_CT_ARGS --check-version-increment=false
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.0.0
+        uses: helm/kind-action@v1.2.0
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)

charts/kong/CHANGELOG.md

@@ -1,5 +1,52 @@
 # Changelog
 
+## 2.2.0
+
+### Breaking changes
+
+* Removed default `maxUnavailable` setting for pod disruption budget
+  configuration. This is necessary to allow usage of the `minUnavailable`
+  setting, but means that there is no longer any default availability
+  constraint. If you set `podDisruptionBudget.enabled=true` in your values and
+  did not previously set any `podDisruptionBudget.maxUnavailable` value, you
+  must add `podDisruptionBudget.maxUnavailable="50%"` to your values.
+
+### Improvements
+
+* Added host alias injection to override DNS and/or add DNS entries not
+  available from the DNS resolver.
+  ([#366](https://github.com/Kong/charts/pull/366))
+* Added support for custom labels.
+  ([#370](https://github.com/Kong/charts/pull/370))
+* Only add paths to Ingresses if configured, for OpenShift 4.x compatibility.
+  ([#375](https://github.com/Kong/charts/pull/375))
+* Kong containers no longer the image ENTRYPOINT. This allows the stock image
+  bootstrap scripts to run normally.
+  ([#377](https://github.com/Kong/charts/pull/377))
+* Added security context settings for containers.
+  ([#387](https://github.com/Kong/charts/pull/387))
+* Bumped Kong and controller image defaults to the latest versions.
+  ([#378](https://github.com/Kong/charts/pull/378))
+* Added support for user-provided admission webhook certificates.
+  ([#385](https://github.com/Kong/charts/pull/385))
+* Disable service account tokens when it is unnecessary.
+  ([#389](https://github.com/Kong/charts/pull/389))
+
+### Fixed
+
+* Admission webhook port is now listed under the controller container, where
+  the admission webhook runs.
+  ([#384](https://github.com/Kong/charts/pull/384))
+
+### Documentation
+
+* Removed a duplicate key from example values.
+  ([#360](https://github.com/Kong/charts/pull/360))
+* Clarified Enterprise free mode usage.
+  ([#362](https://github.com/Kong/charts/pull/362))
+* Expand EKS Service annotation examples for proxy.
+  ([#376](https://github.com/Kong/charts/pull/375))
+
 ## 2.1.0
 
 ### Improvements

charts/kong/Chart.yaml

@@ -10,5 +10,5 @@ maintainers:
   email: [email protected]
 name: kong
 sources:
-version: 2.1.0
+version: 2.2.0
 appVersion: "2.4"

charts/kong/README.md

@@ -44,6 +44,7 @@ $ helm install kong/kong --generate-name
   - [Ingress Controller Parameters](#ingress-controller-parameters)
   - [General Parameters](#general-parameters)
   - [The `env` section](#the-env-section)
+  - [The `extraLabels` section](#the-extralabels-section)
 - [Kong Enterprise Parameters](#kong-enterprise-parameters)
   - [Prerequisites](#prerequisites-1)
     - [Kong Enterprise License](#kong-enterprise-license)
@@ -100,7 +101,7 @@ installing the chart:
 
 - Set `enterprise.enabled` to `true` in `values.yaml` file.
 - Update values.yaml to use a Kong Enterprise image.
-- Satisfy the two  prerequsisites below for
+- Satisfy the two prerequisites below for
   [Enterprise License](#kong-enterprise-license) and
   [Enterprise Docker Registry](#kong-enterprise-docker-registry-access).
 - (Optional) [set a `password` environment variable](#rbac) to create the
@@ -434,6 +435,11 @@ event you need to recover from unintended CRD deletion.
 
 The chart able to deploy initcontainers along with Kong. This can be very useful when require to setup additional custom initialization. The `deployment.initcontainers` field in values.yaml takes an array of objects that get appended as-is to the existing `spec.template.initContainers` array in the kong deployment resource. 
 
+### HostAliases
+
+The chart able to inject host aliases into containers. This can be very useful when require to resolve additional domain name which can't
+be looked-up directly from dns server. The `deployment.hostAliases` field in values.yaml takes an array of objects that set to `spec.template.hostAliases` field in the kong deployment resource.
+
 ### Sidecar Containers
 
 The chart can deploy additional containers along with the Kong and Ingress
@@ -499,6 +505,7 @@ individual services: see values.yaml for their individual default values.
 
 `SVC` below can be substituted with each of:
 * `proxy`
+* `udpProxy`
 * `admin`
 * `manager`
 * `portal`
@@ -519,6 +526,10 @@ authentication, which cannot pass through an ingress proxy). `clustertelemetry`
 is similar, and used when Vitals is enabled on Kong Enterprise control plane
 nodes.
 
+`udpProxy` is used for UDP stream listens (Kubernetes does not yet support
+mixed TCP/UDP LoadBalancer Services). It _does not_ support the `http`, `tls`,
+or `ingress` sections, as it is used only for stream listens.
+
 | Parameter                          | Description                                                                           | Default             |
 | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
 | SVC.enabled                        | Create Service resource for SVC (admin, proxy, manager, etc.)                         |                     |
@@ -552,10 +563,11 @@ nodes.
 #### Stream listens
 
 The proxy configuration additionally supports creating stream listens. These
-are configured using an array of objects under `proxy.stream`:
+are configured using an array of objects under `proxy.stream` and `udpProxy.stream`:
 
 | Parameter                          | Description                                                                           | Default             |
 | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
+| protocol                           | The listen protocol, either "TCP" or "UDP"                                            |                     |
 | containerPort                      | Container port to use for a stream listen                                             |                     |
 | servicePort                        | Service port to use for a stream listen                                               |                     |
 | nodePort                           | Node port to use for a stream listen                                                  |                     |
@@ -584,6 +596,9 @@ section of `values.yaml` file:
 | admissionWebhook.enabled           | Whether to enable the validating admission webhook                                    | false                                                                        |
 | admissionWebhook.failurePolicy     | How unrecognized errors from the admission endpoint are handled (Ignore or Fail)      | Fail                                                                         |
 | admissionWebhook.port              | The port the ingress controller will listen on for admission webhooks                 | 8080                                                                         |
+| admissionWebhook.certificate.provided   | Whether to generate the admission webhook certificate if not provided            | false                                                                        |
+| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate                      |                                                                            |
+| admissionWebhook.certificate.caBundle   | PEM encoded CA bundle which will be used to validate the provided webhook certificate |                                                                            |
 
 For a complete list of all configuration values you can set in the
 `env` section, please read the Kong Ingress Controller's
@@ -625,6 +640,7 @@ For a complete list of all configuration values you can set in the
 | priorityClassName                  | Set pod scheduling priority class for Kong pods                                       | `""`                |
 | secretVolumes                      | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]`                |
 | securityContext                    | Set the securityContext for Kong Pods                                                 | `{}`                |
+| containerSecurityContext           | Set the securityContext for Containers                                                | `{}`                |
 | serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | `false`             |
 | serviceMonitor.interval            | Scraping interval                                                                     | `30s`               |
 | serviceMonitor.namespace           | Where to create ServiceMonitor                                                        |                     |
@@ -655,14 +671,25 @@ kong:
          secretKeyRef:
             key: kong
             name: postgres
-  nginx_worker_processes: "2"
+     nginx_worker_processes: "2"
 ```
 
 For complete list of Kong configurations please check the
 [Kong configuration docs](https://docs.konghq.com/latest/configuration).
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
 
+#### The `extraLabels` section
+
+The `extraLabels` section can be used to configure some extra labels that will be added to each Kubernetes object generated.
+
+For example, you can add the `acme.com/some-key: some-value` label to each Kubernetes object by putting the following in your Helm values:
+
+```yaml
+extraLabels:
+  acme.com/some-key: some-value
+```
+
 ## Kong Enterprise Parameters
 
 ### Overview
@@ -673,7 +700,7 @@ you need to do the following:
 
 - Set `enterprise.enabled` to `true` in `values.yaml` file.
 - Update values.yaml to use a Kong Enterprise image.
-- Satisfy the two prerequsisites below for Enterprise License and
+- Satisfy the two prerequisites below for Enterprise License and
   Enterprise Docker Registry.
 - (Optional) [set a `password` environment variable](#rbac) to create the
   initial super-admin. Though not required, this is recommended for users that
@@ -693,7 +720,7 @@ configuration can be placed under the `.env` key.
 
 Kong Enterprise 2.3+ can run with or without a license. If you wish to run 2.3+
 without a license, you can skip this step and leave `enterprise.license_secret`
-unset. Earlier versions require a license.
+unset. In this case only a limited subset of features will be available. Earlier versions require a license.
 
 If you have paid for a license, but you do not have a copy of yours, please
 contact Kong Support. Once you have it, you will need to store it in a Secret:
@@ -791,7 +818,7 @@ as it contains an HMAC key.
 Kong Manager's session configuration must be configured via values.yaml,
 whereas this is optional for the Developer Portal on versions 0.36+. Providing
 Portal session configuration in values.yaml provides the default session
-configuration, which can be overriden on a per-workspace basis.
+configuration, which can be overridden on a per-workspace basis.
 
 ```
 $ cat admin_gui_session_conf

charts/kong/UPGRADE.md

@@ -17,6 +17,7 @@ upgrading from a previous version.
 ## Table of contents
 
 - [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions)
+- [2.2.0](#220)
 - [2.1.0](#210)
 - [2.0.0](#200)
 - [1.14.0](#1140)
@@ -58,6 +59,19 @@ text ending with `field is immutable`. This is typically due to a bug with the
 If you encounter this error, deleting any existing `init-migrations` jobs will
 clear it.
 
+## 2.2.0
+
+### Changes to pod disruption budget defaults
+
+Prior to 2.2.0, the default values.yaml included
+`podDisruptionBudget.maxUnavailable: 50%`. This prevented setting
+`podDisruptionBudget.minUnavailable` at all. To allow use of
+`podDisruptionBudget.minUnavailable`, we have removed the
+`podDisruptionBudget.maxUnavailable` default. If you previously relied on this
+default (you set `podDisruptionBudget.enabled: true` but did not set
+`podDisruptionBudget.maxUnavailable`), you now must explicitly set
+`podDisruptionBudget.maxUnavailable: 50%` in your values.yaml.
+
 ## 2.1.0
 
 ### Migration off Bintray

charts/kong/ci/custom-labels.yaml

@@ -0,0 +1,6 @@
+
+# install chart with some extra labels
+
+extraLabels:
+  acme.com/some-key: some-value
+

charts/kong/ci/single-image-default.yaml

@@ -12,5 +12,5 @@ ingressController:
   env:
     anonymous_reports: "false"
   image:
-    unifiedRepoTag: kong/kubernetes-ingress-controller:1.2.0
+    unifiedRepoTag: kong/kubernetes-ingress-controller:1.3.1
   installCRDs: false

charts/kong/example-values/full-k4k8s-with-kong-enterprise.yaml

@@ -12,7 +12,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "2.3.3.2-alpine"
+  tag: "2.4.1.1-alpine"
 
 env:
   prefix: /kong_prefix/
@@ -160,8 +160,6 @@ portalapi:
   annotations:
     konghq.com/protocol: "https"
 
-  http:
-
   http:
     enabled: true
     servicePort: 8004

charts/kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml

@@ -9,7 +9,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "2.3.3.2-alpine"
+  tag: "2.4.1.1-alpine"
 
 admin:
   enabled: true

charts/kong/example-values/minimal-kong-enterprise-dbless.yaml

@@ -4,7 +4,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "2.3.3.2-alpine"
+  tag: "2.4.1.1-alpine"
 
 enterprise:
   enabled: true