Jwt policy compat (#266)

alibaba · Apr 3, 2023 · 5f32e15 · 5f32e15
1 parent 7fd3f43
commit 5f32e15
Show file tree

Hide file tree

Showing 10 changed files with 31 additions and 22 deletions.
diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -193,7 +193,7 @@ kube-load-image: $(tools/kind) ## Install the EG image to a kind cluster using t
 run-ingress-e2e-test:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
 	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
-	kubectl wait --timeout=5m -n higress-system deployment/higress-controller --for=condition=Available
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
-	kubectl wait --timeout=5m -n higress-system deployment/higress-gateway --for=condition=Available
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
 	go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v0.7.0
+v0.7.1
diff --git a/helm/core/Chart.yaml b/helm/core/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.7.0
+appVersion: 0.7.1
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 keywords:
@@ -9,4 +9,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 0.7.0
+version: 0.7.1
diff --git a/helm/core/templates/_helpers.tpl b/helm/core/templates/_helpers.tpl
@@ -86,4 +86,12 @@ higress: {{ include "controller.name" . }}
 {{- else }}
 {{- .Values.controller.serviceAccount.name | default "default" }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+{{- define "controller.jwtPolicy" -}}
+{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion }}
+{{- .Values.global.jwtPolicy | default "third-party-jwt" }}
+{{- else }}
+{{- print "first-party-jwt" }}
+{{- end }}
+{{- end }}
diff --git a/helm/core/templates/configmap.yaml b/helm/core/templates/configmap.yaml
@@ -4,6 +4,7 @@
     trustDomain: "cluster.local"
     accessLogEncoding: TEXT
     accessLogFile: "/dev/stdout"
+    ingressControllerMode: "OFF"
     accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
 
     '

diff --git a/helm/core/templates/controller-deployment.yaml b/helm/core/templates/controller-deployment.yaml
@@ -80,7 +80,7 @@ spec:
           - name: REVISION
             value: "{{ .Values.revision | default `default` }}"
           - name: JWT_POLICY
-            value: {{ .Values.global.jwtPolicy }}
+            value: {{ include "controller.jwtPolicy" . }}
           - name: PILOT_CERT_PROVIDER
             value: "istiod"
           - name: POD_NAME
@@ -147,7 +147,7 @@ spec:
           volumeMounts:
           - name: config
             mountPath: /etc/istio/config
-          {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+          {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
             readOnly: true
@@ -241,14 +241,15 @@ spec:
       - emptyDir:
           medium: Memory
         name: local-certs
-      {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+      {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
       - name: istio-token
         projected:
           sources:
             - serviceAccountToken:
                 audience: {{ .Values.global.sds.token.aud }}
                 expirationSeconds: 43200
                 path: istio-token
+      {{- end }}
       # Optional: user-generated root
       - name: cacerts
         secret:
@@ -264,4 +265,3 @@ spec:
           name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- end }}
       {{- end }}
-      {{- end }}
diff --git a/helm/core/templates/deployment.yaml b/helm/core/templates/deployment.yaml
@@ -129,7 +129,7 @@ spec:
           - name: ENABLE_INGRESS_GATEWAY_SDS
             value: "false"
           - name: JWT_POLICY
-            value: {{ .Values.global.jwtPolicy }}
+            value: {{ include "controller.jwtPolicy" . }}
           - name: ISTIO_META_HTTP10
             value: "1"
           - name: ISTIO_META_CLUSTER_ID
@@ -177,7 +177,7 @@ spec:
             {{- toYaml .Values.gateway.resources | nindent 12 }}
           {{- end }}
           volumeMounts:
-          {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+          {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
             readOnly: true
@@ -213,7 +213,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-      {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+      {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
       - name: istio-token
         projected:
           sources:

diff --git a/helm/core/values.yaml b/helm/core/values.yaml
@@ -455,7 +455,7 @@ controller:
   name: "higress-controller"
   replicas: 1
   image: higress
-  tag: "0.7.0"
+  tag: "0.7.1"
   env: {}
 
   labels: {}

diff --git a/helm/higress/Chart.lock b/helm/higress/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
   repository: file://../core
-  version: 0.7.0
+  version: 0.7.1
 - name: higress-console
   repository: https://higress.io/helm-charts/
-  version: 0.1.0
-digest: sha256:3fd6cfb0fd10178927569d57e0cbff5250870dd677cbf30995c49ced83e38f7c
-generated: "2023-03-15T15:09:02.878072+08:00"
+  version: 0.1.1
+digest: sha256:051fbd7b2916d1d0c26839d0e27653f6e42d20e9294bd9eed9628f24c5a7b228
+generated: "2023-04-03T13:42:23.705379+08:00"
diff --git a/helm/higress/Chart.yaml b/helm/higress/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.7.0
+appVersion: 0.7.1
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 keywords:
@@ -11,9 +11,9 @@ sources:
 dependencies:
 - name: higress-core
   repository: "file://../core"
-  version: 0.7.0
+  version: 0.7.1
 - name: higress-console
   repository: "https://higress.io/helm-charts/"
-  version: 0.1.0
+  version: 0.1.1
 type: application
-version: 0.7.0
+version: 0.7.1