[1.17] Fully default gwparams (#9677)

* commentary in deployer * cleanup deployer_test * cleanup inner-GG values.yaml * move proxy container secCtx to default GwP * move envoy container resources to GwP * commentary on internal chart values * remove readiness port value * cleanup and todos for values * remove serviceAccount config * helm tests * oops test focus * remove autoscaling from public facing GwParams * fix broken ggv2 template * kube e2e test * maybe don't commit a panic * more cleanup inner-GG values.yaml * test container sec ctx because pod sec ctx is never set * try deploying the right stuff this time * add changelog * add changelog * commentary * reserve autoscaling field in GwParams, other cleanup * reorder proto * fix nullable defaults in 43-gwp * codegen * rename some stuff * maybe actually run the test * fix the stupid name --------- Co-authored-by: Lawrence Gadban <[email protected]> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
kgateway-dev · Jun 24, 2024 · 9a8e3aa · 9a8e3aa
1 parent 05b7c71
commit 9a8e3aa
Show file tree

Hide file tree

Showing 29 changed files with 611 additions and 394 deletions.
diff --git a/.github/workflows/pr-kubernetes-tests.yaml b/.github/workflows/pr-kubernetes-tests.yaml
@@ -59,7 +59,7 @@ jobs:
         # May 14th: ~ minutes execution time (see load_balancing_tests.md)
         - cluster-name: 'cluster-two'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestK8sGateway$$/^Deployer$$|^TestK8sGateway$$/^RouteOptions$$|^TestK8sGateway$$/^VirtualHostOptions$$|^TestK8sGateway$$/^Upstreams$$|^TestK8sGateway$$/^HeadlessSvc$$|^TestK8sGateway$$/^PortRouting$$'
+          go-test-run-regex: '^TestK8sGateway$$/^Deployer$$|^TestK8sGateway$$/^RouteOptions$$|^TestK8sGateway$$/^VirtualHostOptions$$|^TestK8sGateway$$/^Upstreams$$|^TestK8sGateway$$/^HeadlessSvc$$|^TestK8sGateway$$/^PortRouting$$|^TestK8sGatewayMinimalDefaultGatewayParameters$$'
 
         # May 14th: ~ minutes execution time (see load_balancing_tests.md)
         - cluster-name: 'cluster-three'
@@ -112,4 +112,4 @@ jobs:
         cluster-name: ${{ matrix.test.cluster-name }}
         test-args: ${{ matrix.test.go-test-args }}
         run-regex: ${{ matrix.test.go-test-run-regex }}
-        istio-version: ${{ steps.dotenv.outputs.istio_version }}
+        istio-version: ${{ steps.dotenv.outputs.istio_version }}
diff --git a/changelog/v1.17.0-rc7/fully-default-gwparams.yaml b/changelog/v1.17.0-rc7/fully-default-gwparams.yaml
@@ -0,0 +1,7 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/solo-projects/issues/6381
+    resolvesIssue: false
+    description: >-
+      Move remaining non-user-facing default values for dynamically provisioned gateway proxies from internal helm chart
+      to main Gloo Gateway helm chart. This allows features like Security Context to be configured/disabled.
diff --git a/docs/content/reference/values.txt b/docs/content/reference/values.txt
@@ -11,8 +11,31 @@
 |kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
 |kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345....  Only consumed if fips=true|
 |kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
-|kubeGateway.gatewayParameters.glooGateway.proxyDeployment.replicas|int32|1|number of instances to deploy.|
-|kubeGateway.gatewayParameters.glooGateway.service.type|string|LoadBalancer|K8s service type|
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.capabilities.add[]|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.capabilities.drop[]|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.privileged|bool|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.user|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.role|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.type|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.level|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.gmsaCredentialSpecName|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.gmsaCredentialSpec|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.runAsUserName|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.hostProcess|bool|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsUser|int64|10101||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsGroup|int64|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsNonRoot|bool|true||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.readOnlyRootFilesystem|bool|true||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.allowPrivilegeEscalation|bool|false||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.procMount|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seccompProfile.type|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seccompProfile.localhostProfile|string|||
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.limits.memory|string||amount of memory|
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.limits.cpu|string||amount of CPUs|
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.requests.memory|string||amount of memory|
+|kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.requests.cpu|string||amount of CPUs|
+|kubeGateway.gatewayParameters.glooGateway.proxyDeployment.replicas|int32|1|number of instances to deploy. If set to null, a default of 1 will be imposed.|
+|kubeGateway.gatewayParameters.glooGateway.service.type|string|LoadBalancer|K8s service type. If set to null, a default of LoadBalancer will be imposed.|
 |kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.tag|string|<release_version, ex: 1.2.3>|The image tag for the container.|
 |kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.repository|string|sds|The image repository (name) for the container.|
 |kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|

diff --git a/install/helm/gloo/crds/gateway.gloo.solo.io_crds.yaml b/install/helm/gloo/crds/gateway.gloo.solo.io_crds.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    crd.solo.io/specHash: e074048f8ccd27da
+    crd.solo.io/specHash: c30098945b4c73d8
   labels:
     app: gloo-gateway
     app.kubernetes.io/name: gloo-gateway
@@ -57,32 +57,6 @@ spec:
             properties:
               kube:
                 properties:
-                  autoscaling:
-                    properties:
-                      horizontalPodAutoscaler:
-                        properties:
-                          maxReplicas:
-                            maximum: 4294967295
-                            minimum: 0
-                            nullable: true
-                            type: integer
-                          minReplicas:
-                            maximum: 4294967295
-                            minimum: 0
-                            nullable: true
-                            type: integer
-                          targetCpuUtilizationPercentage:
-                            maximum: 4294967295
-                            minimum: 0
-                            nullable: true
-                            type: integer
-                          targetMemoryUtilizationPercentage:
-                            maximum: 4294967295
-                            minimum: 0
-                            nullable: true
-                            type: integer
-                        type: object
-                    type: object
                   deployment:
                     properties:
                       replicas:

diff --git a/install/helm/gloo/generate/values.go b/install/helm/gloo/generate/values.go
@@ -331,11 +331,11 @@ type Istio struct {
 }
 
 type ProvisionedDeployment struct {
-	Replicas *int32 `json:"replicas,omitempty" desc:"number of instances to deploy."`
+	Replicas *int32 `json:"replicas,omitempty" desc:"number of instances to deploy. If set to null, a default of 1 will be imposed."`
 }
 
 type ProvisionedService struct {
-	Type *string `json:"type,omitempty" desc:"K8s service type"`
+	Type *string `json:"type,omitempty" desc:"K8s service type. If set to null, a default of LoadBalancer will be imposed."`
 }
 
 type SecurityOpts struct {
@@ -351,6 +351,15 @@ type SecurityContext struct {
 	*SecurityOpts
 }
 
+// GatewayParamsSecurityContext is a passthrough struct that provides the corev1.SecurityContext without
+// exposing the SecurityOpts/MergePolicy. MergePolicy is irrelevant to the GatewayParameters case because
+// there is already a default and merge behavior defined. The "default" GatewayParameters are expected to
+// be the base config, which is where a default policy can defined; each gwapi.Gateway can have specific
+// GatewayParameters which can then override/merge into the default policy
+type GatewayParamsSecurityContext struct {
+	*corev1.SecurityContext
+}
+
 type GlooDeployment struct {
 	XdsPort               *int                `json:"xdsPort,omitempty" desc:"port where gloo serves xDS API to Envoy."`
 	RestXdsPort           *uint32             `json:"restXdsPort,omitempty" desc:"port where gloo serves REST xDS API to Envoy."`
@@ -786,7 +795,9 @@ type Mtls struct {
 }
 
 type EnvoyContainer struct {
-	Image *Image `json:"image,omitempty"`
+	Image           *Image                        `json:"image,omitempty"`
+	SecurityContext *GatewayParamsSecurityContext `json:"securityContext,omitempty" desc:"securityContext for envoy proxy container."`
+	Resources       *ResourceRequirements         `json:"resources,omitempty" desc:"Resource requirements for envoy proxy container."`
 }
 
 type SdsContainer struct {

diff --git a/install/helm/gloo/templates/43-gatewayparameters.yaml b/install/helm/gloo/templates/43-gatewayparameters.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.kubeGateway.enabled -}}
+{{- $global := .Values.global -}}
 kind: GatewayParameters
 apiVersion: gateway.gloo.solo.io/v1alpha1
 metadata:
@@ -8,19 +9,47 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   kube:
-{{- if .Values.kubeGateway.gatewayParameters }}
-{{- if .Values.kubeGateway.gatewayParameters.glooGateway }}
-{{- $gg := .Values.kubeGateway.gatewayParameters.glooGateway -}}
-{{- $global := .Values.global }}
+{{- $gg := dict -}}
+{{- if .Values.kubeGateway.gatewayParameters -}}
+{{- if .Values.kubeGateway.gatewayParameters.glooGateway -}}
+{{- $gg = .Values.kubeGateway.gatewayParameters.glooGateway -}}
+{{- end }}{{/* if .Values.kubeGateway.gatewayParameters.glooGateway */}}
+{{- end }}{{/* if .Values.kubeGateway.gatewayParameters */}}
+{{- $replicas := 1 -}}
+{{- if $gg.proxyDeployment -}}
+{{- if $gg.proxyDeployment.replicas -}}
+{{- $replicas = $gg.proxyDeployment.replicas -}}
+{{- end -}}{{/* if $gg.proxyDeployment.replicas */}}
+{{- end }}{{/* if $gg.proxyDeployment */}}
     deployment:
-      replicas: {{ $gg.proxyDeployment.replicas }}
-{{- if $gg.service }}
-    service:
-      type: {{ $gg.service.type }}
+      replicas: {{ $replicas }}
+{{- $serviceType := "LoadBalancer" -}}
+{{- if $gg.service -}}
+{{- if $gg.service.type -}}
+{{- $serviceType = $gg.service.type -}}
+{{- end -}}{{/* if $gg.service.type */}}
 {{- end }}{{/* if $gg.service */}}
+    service:
+      type: {{ $serviceType }}
     envoyContainer:
       image:
-        {{- merge $gg.envoyContainer.image $global.image | include "gloo-gateway.gatewayParametersImage" | nindent 8 }}
+        {{- $envoyImage := dict -}}
+        {{- if $gg.envoyContainer -}}
+        {{- if $gg.envoyContainer.image -}}
+        {{- $envoyImage = $gg.envoyContainer.image -}}
+        {{- end -}}{{/* if $gg.envoyContainer.image */}}
+        {{- end }}{{/* if $gg.envoyContainer */}}
+        {{- merge $envoyImage $global.image | include "gloo-gateway.gatewayParametersImage" | nindent 8 }}
+{{- if $gg.envoyContainer -}}
+{{- if $gg.envoyContainer.securityContext }}
+      securityContext:
+        {{- toYaml $gg.envoyContainer.securityContext | nindent 8 }}
+{{- end }}{{/* if $gg.envoyContainer.securityContext */}}
+{{- if $gg.envoyContainer.resources }}
+      resources:
+        {{- toYaml $gg.envoyContainer.resources | nindent 8 }}
+{{- end }}{{/* if $gg.envoyContainer.resources */}}
+{{- end }}{{/* if $gg.envoyContainer */}}
     podTemplate:
       extraLabels:
         {{- include "gloo-gateway.constLabels" . | nindent 8 }}
@@ -61,6 +90,4 @@ spec:
         istioMetaClusterId: {{ $gg.istio.istioProxyContainer.istioMetaClusterId }}
 {{- end }}{{/* if and $gg.istio.istioProxyContainer (not $gg.istio.customSidecars) */}}
 {{- end }}{{/* if $gg.sdsContainer */}}
-{{- end }}{{/* if .Values.kubeGateway.gatewayParameters.glooGateway */}}
-{{- end }}{{/* if .Values.kubeGateway.gatewayParameters */}}
-{{- end }}{{/* if .Values.kubeGateway.enabled */}}
+{{- end }}{{/* if .Values.kubeGateway.enabled */}}
diff --git a/install/helm/gloo/values-template.yaml b/install/helm/gloo/values-template.yaml
@@ -12,8 +12,22 @@ kubeGateway:
       envoyContainer:
         image:
           repository: gloo-envoy-wrapper
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10101
+          capabilities:
+            drop:
+              - ALL
+            add:
+              - NET_BIND_SERVICE
+      # If proxyDeployment or proxyDeployment.replicas are null, a default of 1 will be 
+      # imposed by the template.
       proxyDeployment:
         replicas: 1
+      # If service or service.type are null, a default of LoadBalancer will be 
+      # imposed by the template.
       service:
         type: LoadBalancer
       sdsContainer: