From a17ce01ad2909a1890e8dd5c2e774de2c2174b27 Mon Sep 17 00:00:00 2001 
From: Lawrence Gadban Date: Wed, 22 Jan 2025 21:31:49 -0600 Subject: [PATCH 1/9] breakout kgw from gloo deps --- .github/workflows/pr-unit-tests.yaml | 4 +- .goreleaser.yaml | 4 +- Makefile | 185 ++-------- ci/kind/setup-kind.sh | 2 +- .../gloo/templates/1-gloo-deployment.yaml | 10 - .../gloo/templates/43-gatewayparameters.yaml | 12 +- .../helm/gloo/templates/44-gatewayclass.yaml | 2 - install/helm/gloo/templates/44-rbac.yaml | 2 - install/helm/gloo/values-template.yaml | 2 + pkg/schemes/scheme.go | 16 +- pkg/utils/envoyutils/admincli/client.go | 8 +- pkg/utils/envoyutils/bootstrap/bootstrap.go | 2 +- .../envoyutils/bootstrap/bootstrap_test.go | 161 ++++----- pkg/utils/namespaces/namespaces.go | 52 --- pkg/utils/regexutils/regex.go | 81 ++--- pkg/utils/regexutils/regex_test.go | 54 ++- projects/gateway2/admin/resources.go | 28 +- projects/gateway2/cmd/Dockerfile | 23 ++ projects/gateway2/cmd/Dockerfile.distroless | 19 + projects/gateway2/cmd/main.go | 20 ++ projects/gateway2/deployer/deployer_test.go | 335 +++++++++++++++++- .../directresponse/direct_response_plugin.go | 2 +- .../extensions2/plugins/istio/plugin.go | 18 +- .../listenerpolicy/listener_policy_plugin.go | 2 +- .../routepolicy/route_policy_plugin.go | 2 +- .../extensions2/plugins/upstream/aws.go | 19 +- .../extensions2/plugins/upstream/plugin.go | 4 +- .../extensions2/pluginutils/pluginutils.go | 57 +++ projects/gateway2/filters/filters.go | 88 +++++ projects/gateway2/install.sh | 6 +- projects/gateway2/ir/gw2.go | 2 +- projects/gateway2/ir/iface.go | 2 +- projects/gateway2/krtcollections/builtin.go | 2 +- projects/gateway2/krtcollections/endpoints.go | 8 +- .../gateway2/krtcollections/uniqueclients.go | 2 +- .../krtcollections/uniqueclients_test.go | 10 +- projects/gateway2/plugins/stages.go | 238 +++++++++++++ .../gateway2/proxy_syncer/proxy_syncer.go | 11 +- projects/gateway2/setup/controlplane.go | 2 +- projects/gateway2/setup/ggv2setup.go | 50 ++- projects/gateway2/setup/ggv2setup_test.go | 5 +- 
.../translator/gateway/gateway_translator.go | 4 +- .../gateway2/translator/irtranslator/fc.go | 6 +- .../gateway2/translator/irtranslator/route.go | 2 +- .../translator/irtranslator/upstream.go | 8 +- .../listener/gateway_listener_translator.go | 2 +- projects/gateway2/translator/translator.go | 4 +- projects/gateway2/utils/any.go | 70 ++++ projects/gateway2/utils/ip.go | 40 +++ projects/gateway2/utils/sanitize.go | 24 ++ projects/gateway2/utils/stopwatch.go | 71 ++++ projects/gateway2/wellknown/constants.go | 28 ++ projects/gateway2/wellknown/kube.go | 15 + projects/gateway2/wellknown/translator.go | 7 + projects/gateway2/xds/utils.go | 58 +++ 55 files changed, 1401 insertions(+), 490 deletions(-) create mode 100644 projects/gateway2/cmd/Dockerfile create mode 100644 projects/gateway2/cmd/Dockerfile.distroless create mode 100644 projects/gateway2/cmd/main.go create mode 100644 projects/gateway2/extensions2/pluginutils/pluginutils.go create mode 100644 projects/gateway2/filters/filters.go create mode 100644 projects/gateway2/plugins/stages.go create mode 100644 projects/gateway2/utils/any.go create mode 100644 projects/gateway2/utils/ip.go create mode 100644 projects/gateway2/utils/sanitize.go create mode 100644 projects/gateway2/utils/stopwatch.go create mode 100644 projects/gateway2/wellknown/constants.go create mode 100644 projects/gateway2/wellknown/kube.go create mode 100644 projects/gateway2/wellknown/translator.go create mode 100644 projects/gateway2/xds/utils.go diff --git a/.github/workflows/pr-unit-tests.yaml b/.github/workflows/pr-unit-tests.yaml index 4b306ae2fb8..af436d12b1a 100644 --- a/.github/workflows/pr-unit-tests.yaml +++ b/.github/workflows/pr-unit-tests.yaml 
@@ -23,14 +23,14 @@ jobs: with: go-version-file: go.mod - name: Build - run: go build -v ./projects/gateway2/... ./projects/gloo/cli/cmd + run: go build -v ./projects/gateway2/... - name: Install Test Utils shell: bash run: make -C ./projects/gateway2/ install-go-tools - name: Run Tests shell: bash env: - TEST_PKG: "./projects/gateway2/... ./test/kubernetes/testutils/helper" + TEST_PKG: "./projects/gateway2/..." run: make go-test-with-coverage - name: Validate Test Coverage shell: bash diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 7d579f290f4..82ab34602d3 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -5,7 +5,7 @@ before: - go mod download builds: - id: controller - main: ./projects/gloo/cmd/ + main: ./projects/gateway2/cmd/ binary: gloo-linux-{{ .Arch }} gcflags: "{{ .Env.GCFLAGS }}" ldflags: "{{ .Env.LDFLAGS }}" @@ -24,7 +24,7 @@ dockers: - image_templates: - &arm_image "{{ .Env.IMAGE_REGISTRY }}/{{ .Env.GLOO_IMAGE_REPO }}:{{ .Env.VERSION }}-arm64" use: buildx - dockerfile: &dockerfile projects/gloo/cmd/Dockerfile + dockerfile: &dockerfile projects/gateway2/cmd/Dockerfile goos: linux goarch: arm64 build_flag_templates: diff --git a/Makefile b/Makefile index 97df5b68105..3c31b2f6ce5 100644 --- a/Makefile +++ b/Makefile @@ -327,9 +327,9 @@ generate-all-debug: generate-all # Generates all required code, cleaning and formatting as well; this target is executed in CI .PHONY: generated-code generated-code: check-go-version -generated-code: go-generate-all generate-cli-docs getter-check mod-tidy +generated-code: go-generate-all getter-check mod-tidy generated-code: update-licenses -generated-code: generate-crd-reference-docs +# generated-code: generate-crd-reference-docs generated-code: fmt .PHONY: go-generate-all 
@@ -414,62 +414,26 @@ distroless-with-utils-docker: distroless-docker $(DISTROLESS_OUTPUT_DIR)/Dockerf --build-arg BASE_IMAGE=$(GLOO_DISTROLESS_BASE_IMAGE) \ -t $(GLOO_DISTROLESS_BASE_WITH_UTILS_IMAGE) $(QUAY_EXPIRATION_LABEL) -#---------------------------------------------------------------------------------- -# Discovery -#---------------------------------------------------------------------------------- - -DISCOVERY_DIR=projects/discovery -DISCOVERY_SOURCES=$(call get_sources,$(DISCOVERY_DIR)) -DISCOVERY_OUTPUT_DIR=$(OUTPUT_DIR)/$(DISCOVERY_DIR) - -$(DISCOVERY_OUTPUT_DIR)/discovery-linux-$(GOARCH): $(DISCOVERY_SOURCES) - $(GO_BUILD_FLAGS) GOOS=linux go build -ldflags='$(LDFLAGS)' -gcflags='$(GCFLAGS)' -o $@ $(DISCOVERY_DIR)/cmd/main.go - -.PHONY: discovery -discovery: $(DISCOVERY_OUTPUT_DIR)/discovery-linux-$(GOARCH) - -$(DISCOVERY_OUTPUT_DIR)/Dockerfile.discovery: $(DISCOVERY_DIR)/cmd/Dockerfile - cp $< $@ - -.PHONY: discovery-docker -discovery-docker: $(DISCOVERY_OUTPUT_DIR)/discovery-linux-$(GOARCH) $(DISCOVERY_OUTPUT_DIR)/Dockerfile.discovery - docker buildx build --load $(PLATFORM) $(DISCOVERY_OUTPUT_DIR) -f $(DISCOVERY_OUTPUT_DIR)/Dockerfile.discovery \ - --build-arg GOARCH=$(GOARCH) \ - --build-arg BASE_IMAGE=$(ALPINE_BASE_IMAGE) \ - -t $(IMAGE_REGISTRY)/discovery:$(VERSION) $(QUAY_EXPIRATION_LABEL) - -$(DISCOVERY_OUTPUT_DIR)/Dockerfile.discovery.distroless: $(DISCOVERY_DIR)/cmd/Dockerfile.distroless - cp $< $@ - -.PHONY: discovery-distroless-docker -discovery-distroless-docker: $(DISCOVERY_OUTPUT_DIR)/discovery-linux-$(GOARCH) $(DISCOVERY_OUTPUT_DIR)/Dockerfile.discovery.distroless distroless-docker - docker buildx build --load $(PLATFORM) $(DISCOVERY_OUTPUT_DIR) -f $(DISCOVERY_OUTPUT_DIR)/Dockerfile.discovery.distroless \ - --build-arg GOARCH=$(GOARCH) \ - --build-arg BASE_IMAGE=$(GLOO_DISTROLESS_BASE_IMAGE) \ - -t $(IMAGE_REGISTRY)/discovery:$(VERSION)-distroless $(QUAY_EXPIRATION_LABEL) - 
#---------------------------------------------------------------------------------- # Gloo #---------------------------------------------------------------------------------- -GLOO_DIR=projects/gloo -EDGE_GATEWAY_DIR=projects/gateway K8S_GATEWAY_DIR=projects/gateway2 -GLOO_SOURCES=$(call get_sources,$(GLOO_DIR)) +# GLOO_SOURCES=$(call get_sources,$(GLOO_DIR)) EDGE_GATEWAY_SOURCES=$(call get_sources,$(EDGE_GATEWAY_DIR)) K8S_GATEWAY_SOURCES=$(call get_sources,$(K8S_GATEWAY_DIR)) -GLOO_OUTPUT_DIR=$(OUTPUT_DIR)/$(GLOO_DIR) +GLOO_OUTPUT_DIR=$(OUTPUT_DIR)/$(K8S_GATEWAY_DIR) export GLOO_IMAGE_REPO ?= gloo # We include the files in EDGE_GATEWAY_DIR and K8S_GATEWAY_DIR as dependencies to the gloo build # so changes in those directories cause the make target to rebuild -$(GLOO_OUTPUT_DIR)/gloo-linux-$(GOARCH): $(GLOO_SOURCES) $(EDGE_GATEWAY_SOURCES) $(K8S_GATEWAY_SOURCES) - $(GO_BUILD_FLAGS) GOOS=linux go build -ldflags='$(LDFLAGS)' -gcflags='$(GCFLAGS)' -o $@ $(GLOO_DIR)/cmd/main.go +$(GLOO_OUTPUT_DIR)/gloo-linux-$(GOARCH): $(K8S_GATEWAY_SOURCES) + $(GO_BUILD_FLAGS) GOOS=linux go build -ldflags='$(LDFLAGS)' -gcflags='$(GCFLAGS)' -o $@ $(K8S_GATEWAY_DIR)/cmd/main.go .PHONY: gloo gloo: $(GLOO_OUTPUT_DIR)/gloo-linux-$(GOARCH) -$(GLOO_OUTPUT_DIR)/Dockerfile.gloo: $(GLOO_DIR)/cmd/Dockerfile +$(GLOO_OUTPUT_DIR)/Dockerfile.gloo: $(K8S_GATEWAY_DIR)/cmd/Dockerfile cp $< $@ .PHONY: gloo-docker 
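Review bot: `EDGE_GATEWAY_SOURCES=$(call get_sources,$(EDGE_GATEWAY_DIR))` is kept in the Gloo section although this hunk deletes the `EDGE_GATEWAY_DIR=projects/gateway` definition, so the call now expands with an empty directory argument. What `get_sources` does with an empty argument is not visible in this patch, so this may be harmless or may scan far more of the tree than intended. The variable is also no longer a prerequisite of the `gloo-linux-$(GOARCH)` rule. I would delete that line together with the commented-out `# GLOO_SOURCES=...` line, and reword the comment above the rule to `# We include the files in K8S_GATEWAY_DIR as dependencies to the gloo build`.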
@@ -578,99 +542,40 @@ sds-distroless-docker: $(SDS_OUTPUT_DIR)/sds-linux-$(GOARCH) $(SDS_OUTPUT_DIR)/D # Envoy init (BASE/SIDECAR) #---------------------------------------------------------------------------------- -ENVOYINIT_DIR=projects/envoyinit/cmd -ENVOYINIT_SOURCES=$(call get_sources,$(ENVOYINIT_DIR)) -ENVOYINIT_OUTPUT_DIR=$(OUTPUT_DIR)/$(ENVOYINIT_DIR) +# ENVOYINIT_DIR=projects/envoyinit/cmd +# ENVOYINIT_SOURCES=$(call get_sources,$(ENVOYINIT_DIR)) +# ENVOYINIT_OUTPUT_DIR=$(OUTPUT_DIR)/$(ENVOYINIT_DIR) -$(ENVOYINIT_OUTPUT_DIR)/envoyinit-linux-$(GOARCH): $(ENVOYINIT_SOURCES) - $(GO_BUILD_FLAGS) GOOS=linux go build -ldflags='$(LDFLAGS)' -gcflags='$(GCFLAGS)' -o $@ $(ENVOYINIT_DIR)/main.go +# $(ENVOYINIT_OUTPUT_DIR)/envoyinit-linux-$(GOARCH): $(ENVOYINIT_SOURCES) +# $(GO_BUILD_FLAGS) GOOS=linux go build -ldflags='$(LDFLAGS)' -gcflags='$(GCFLAGS)' -o $@ $(ENVOYINIT_DIR)/main.go -.PHONY: envoyinit -envoyinit: $(ENVOYINIT_OUTPUT_DIR)/envoyinit-linux-$(GOARCH) +# .PHONY: envoyinit +# envoyinit: $(ENVOYINIT_OUTPUT_DIR)/envoyinit-linux-$(GOARCH) -$(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit: $(ENVOYINIT_DIR)/Dockerfile.envoyinit - cp $< $@ +# $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit: $(ENVOYINIT_DIR)/Dockerfile.envoyinit +# cp $< $@ -$(ENVOYINIT_OUTPUT_DIR)/docker-entrypoint.sh: $(ENVOYINIT_DIR)/docker-entrypoint.sh - cp $< $@ +# $(ENVOYINIT_OUTPUT_DIR)/docker-entrypoint.sh: $(ENVOYINIT_DIR)/docker-entrypoint.sh +# cp $< $@ -.PHONY: gloo-envoy-wrapper-docker -gloo-envoy-wrapper-docker: $(ENVOYINIT_OUTPUT_DIR)/envoyinit-linux-$(GOARCH) $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit $(ENVOYINIT_OUTPUT_DIR)/docker-entrypoint.sh - docker buildx build --load $(PLATFORM) $(ENVOYINIT_OUTPUT_DIR) -f $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit \ - --build-arg GOARCH=$(GOARCH) \ - --build-arg ENVOY_IMAGE=$(ENVOY_GLOO_IMAGE) \ - -t $(IMAGE_REGISTRY)/gloo-envoy-wrapper:$(VERSION) $(QUAY_EXPIRATION_LABEL) +# .PHONY: gloo-envoy-wrapper-docker +# gloo-envoy-wrapper-docker: 
$(ENVOYINIT_OUTPUT_DIR)/envoyinit-linux-$(GOARCH) $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit $(ENVOYINIT_OUTPUT_DIR)/docker-entrypoint.sh +# docker buildx build --load $(PLATFORM) $(ENVOYINIT_OUTPUT_DIR) -f $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit \ +# --build-arg GOARCH=$(GOARCH) \ +# --build-arg ENVOY_IMAGE=$(ENVOY_GLOO_IMAGE) \ +# -t $(IMAGE_REGISTRY)/gloo-envoy-wrapper:$(VERSION) $(QUAY_EXPIRATION_LABEL) -$(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit.distroless: $(ENVOYINIT_DIR)/Dockerfile.envoyinit.distroless - cp $< $@ - -# Explicitly specify the base image is amd64 as we only build the amd64 flavour of gloo envoy -.PHONY: gloo-envoy-wrapper-distroless-docker -gloo-envoy-wrapper-distroless-docker: $(ENVOYINIT_OUTPUT_DIR)/envoyinit-linux-$(GOARCH) $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit.distroless $(ENVOYINIT_OUTPUT_DIR)/docker-entrypoint.sh distroless-with-utils-docker - docker buildx build --load $(PLATFORM) $(ENVOYINIT_OUTPUT_DIR) -f $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit.distroless \ - --build-arg GOARCH=$(GOARCH) \ - --build-arg ENVOY_IMAGE=$(ENVOY_GLOO_IMAGE) \ - --build-arg BASE_IMAGE=$(GLOO_DISTROLESS_BASE_WITH_UTILS_IMAGE) \ - -t $(IMAGE_REGISTRY)/gloo-envoy-wrapper:$(VERSION)-distroless $(QUAY_EXPIRATION_LABEL) +# $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit.distroless: $(ENVOYINIT_DIR)/Dockerfile.envoyinit.distroless +# cp $< $@ -#---------------------------------------------------------------------------------- -# Certgen - Job for creating TLS Secrets in Kubernetes -#---------------------------------------------------------------------------------- - -CERTGEN_DIR=jobs/certgen/cmd -CERTGEN_SOURCES=$(call get_sources,$(CERTGEN_DIR)) -CERTGEN_OUTPUT_DIR=$(OUTPUT_DIR)/$(CERTGEN_DIR) - -$(CERTGEN_OUTPUT_DIR)/certgen-linux-$(GOARCH): $(CERTGEN_SOURCES) - $(GO_BUILD_FLAGS) GOOS=linux go build -ldflags='$(LDFLAGS)' -gcflags='$(GCFLAGS)' -o $@ $(CERTGEN_DIR)/main.go - -.PHONY: certgen -certgen: $(CERTGEN_OUTPUT_DIR)/certgen-linux-$(GOARCH) 
- -$(CERTGEN_OUTPUT_DIR)/Dockerfile.certgen: $(CERTGEN_DIR)/Dockerfile - cp $< $@ - -.PHONY: certgen-docker -certgen-docker: $(CERTGEN_OUTPUT_DIR)/certgen-linux-$(GOARCH) $(CERTGEN_OUTPUT_DIR)/Dockerfile.certgen - docker buildx build $(LOAD_OR_PUSH) $(PLATFORM_MULTIARCH) $(CERTGEN_OUTPUT_DIR) -f $(CERTGEN_OUTPUT_DIR)/Dockerfile.certgen \ - --build-arg BASE_IMAGE=$(ALPINE_BASE_IMAGE) \ - -t $(IMAGE_REGISTRY)/certgen:$(VERSION) $(QUAY_EXPIRATION_LABEL) - -$(CERTGEN_OUTPUT_DIR)/Dockerfile.certgen.distroless: $(CERTGEN_DIR)/Dockerfile.distroless - cp $< $@ - -.PHONY: certgen-distroless-docker -certgen-distroless-docker: $(CERTGEN_OUTPUT_DIR)/certgen-linux-$(GOARCH) $(CERTGEN_OUTPUT_DIR)/Dockerfile.certgen.distroless distroless-docker - docker buildx build $(LOAD_OR_PUSH) $(PLATFORM_MULTIARCH) $(CERTGEN_OUTPUT_DIR) -f $(CERTGEN_OUTPUT_DIR)/Dockerfile.certgen.distroless \ - --build-arg BASE_IMAGE=$(GLOO_DISTROLESS_BASE_IMAGE) \ - -t $(IMAGE_REGISTRY)/certgen:$(VERSION)-distroless $(QUAY_EXPIRATION_LABEL) - -#---------------------------------------------------------------------------------- -# Kubectl - Used in jobs during helm install/upgrade/uninstall -#---------------------------------------------------------------------------------- - -KUBECTL_DIR=jobs/kubectl -KUBECTL_OUTPUT_DIR=$(OUTPUT_DIR)/$(KUBECTL_DIR) - -$(KUBECTL_OUTPUT_DIR)/Dockerfile.kubectl: $(KUBECTL_DIR)/Dockerfile - mkdir -p $(KUBECTL_OUTPUT_DIR) - cp $< $@ - -.PHONY: kubectl-docker -kubectl-docker: $(KUBECTL_OUTPUT_DIR)/Dockerfile.kubectl - docker buildx build $(LOAD_OR_PUSH) $(PLATFORM_MULTIARCH) $(KUBECTL_OUTPUT_DIR) -f $(KUBECTL_OUTPUT_DIR)/Dockerfile.kubectl \ - --build-arg BASE_IMAGE=$(ALPINE_BASE_IMAGE) \ - -t $(IMAGE_REGISTRY)/kubectl:$(VERSION) $(QUAY_EXPIRATION_LABEL) - -$(KUBECTL_OUTPUT_DIR)/Dockerfile.kubectl.distroless: $(KUBECTL_DIR)/Dockerfile.distroless - mkdir -p $(KUBECTL_OUTPUT_DIR) - cp $< $@ - -.PHONY: kubectl-distroless-docker -kubectl-distroless-docker: 
$(KUBECTL_OUTPUT_DIR)/Dockerfile.kubectl.distroless distroless-with-utils-docker - docker buildx build $(LOAD_OR_PUSH) $(PLATFORM_MULTIARCH) $(KUBECTL_OUTPUT_DIR) -f $(KUBECTL_OUTPUT_DIR)/Dockerfile.kubectl.distroless \ - --build-arg BASE_IMAGE=$(GLOO_DISTROLESS_BASE_WITH_UTILS_IMAGE) \ - -t $(IMAGE_REGISTRY)/kubectl:$(VERSION)-distroless $(QUAY_EXPIRATION_LABEL) +# # Explicitly specify the base image is amd64 as we only build the amd64 flavour of gloo envoy +# .PHONY: gloo-envoy-wrapper-distroless-docker +# gloo-envoy-wrapper-distroless-docker: $(ENVOYINIT_OUTPUT_DIR)/envoyinit-linux-$(GOARCH) $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit.distroless $(ENVOYINIT_OUTPUT_DIR)/docker-entrypoint.sh distroless-with-utils-docker +# docker buildx build --load $(PLATFORM) $(ENVOYINIT_OUTPUT_DIR) -f $(ENVOYINIT_OUTPUT_DIR)/Dockerfile.envoyinit.distroless \ +# --build-arg GOARCH=$(GOARCH) \ +# --build-arg ENVOY_IMAGE=$(ENVOY_GLOO_IMAGE) \ +# --build-arg BASE_IMAGE=$(GLOO_DISTROLESS_BASE_WITH_UTILS_IMAGE) \ +# -t $(IMAGE_REGISTRY)/gloo-envoy-wrapper:$(VERSION)-distroless $(QUAY_EXPIRATION_LABEL) #---------------------------------------------------------------------------------- # Deployment Manifests / Helm 
@@ -812,20 +717,14 @@ docker-push-%: .PHONY: docker-standard docker-standard: check-go-version ## Build docker images (standard only) docker-standard: gloo-docker -docker-standard: discovery-docker -docker-standard: gloo-envoy-wrapper-docker +# docker-standard: gloo-envoy-wrapper-docker docker-standard: sds-docker -docker-standard: certgen-docker -docker-standard: kubectl-docker .PHONY: docker-distroless docker-distroless: check-go-version ## Build docker images (distroless only) docker-distroless: gloo-distroless-docker -docker-distroless: discovery-distroless-docker docker-distroless: gloo-envoy-wrapper-distroless-docker docker-distroless: sds-distroless-docker -docker-distroless: certgen-distroless-docker -docker-distroless: kubectl-distroless-docker IMAGE_VARIANT ?= all # Build docker images using the defined IMAGE_REGISTRY, VERSION 
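Review bot: `docker-distroless: gloo-envoy-wrapper-distroless-docker` is left as a prerequisite in this hunk, but the rule for `gloo-envoy-wrapper-distroless-docker` is commented out in the `@@ -578,99 +542,40 @@` hunk, so `make docker-distroless` would stop on a missing target unless it is defined somewhere outside this patch. The standard variant was handled with `# docker-standard: gloo-envoy-wrapper-docker`; the distroless line needs the same treatment or removal. The `@@ -960,19 +859,15 @@` and `@@ -989,19 +884,15 @@` hunks show the same mismatch: `kind-build-and-load-distroless`, `kind-load-standard` and `kind-load-distroless` still reference the `gloo-envoy-wrapper` and `certgen` variants whose build rules this commit removes or comments out. The `@@ -960` hunk also comments out `kind-build-and-load-standard: kind-build-and-load-sds` while `docker-standard: sds-docker` stays, which looks unintended.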
@@ -960,19 +859,15 @@ kind-reload-gloo-envoy-wrapper: .PHONY: kind-build-and-load-standard kind-build-and-load-standard: kind-build-and-load-gloo -kind-build-and-load-standard: kind-build-and-load-discovery -kind-build-and-load-standard: kind-build-and-load-gloo-envoy-wrapper -kind-build-and-load-standard: kind-build-and-load-sds -kind-build-and-load-standard: kind-build-and-load-certgen -kind-build-and-load-standard: kind-build-and-load-kubectl +# kind-build-and-load-standard: kind-build-and-load-gloo-envoy-wrapper +# kind-build-and-load-standard: kind-build-and-load-sds +# kind-build-and-load-standard: kind-build-and-load-certgen .PHONY: kind-build-and-load-distroless kind-build-and-load-distroless: kind-build-and-load-gloo-distroless -kind-build-and-load-distroless: kind-build-and-load-discovery-distroless kind-build-and-load-distroless: kind-build-and-load-gloo-envoy-wrapper-distroless kind-build-and-load-distroless: kind-build-and-load-sds-distroless kind-build-and-load-distroless: kind-build-and-load-certgen-distroless -kind-build-and-load-distroless: kind-build-and-load-kubectl-distroless .PHONY: kind-build-and-load ## Use to build all images and load them into kind kind-build-and-load: # Standard images 
@@ -989,19 +884,15 @@ kind-build-and-load: kind-build-and-load-sds # Load existing images. This can speed up development if the images have already been built / are unchanged .PHONY: kind-load-standard kind-load-standard: kind-load-gloo -kind-load-standard: kind-load-discovery kind-load-standard: kind-load-gloo-envoy-wrapper kind-load-standard: kind-load-sds kind-load-standard: kind-load-certgen -kind-load-standard: kind-load-kubectl .PHONY: kind-build-and-load-distroless kind-load-distroless: kind-load-gloo-distroless -kind-load-distroless: kind-load-discovery-distroless kind-load-distroless: kind-load-gloo-envoy-wrapper-distroless kind-load-distroless: kind-load-sds-distroless kind-load-distroless: kind-load-certgen-distroless -kind-load-distroless: kind-load-kubectl-distroless .PHONY: kind-load ## Use to build all images and load them into kind kind-load: # Standard images diff --git a/ci/kind/setup-kind.sh b/ci/kind/setup-kind.sh index 3a7ad9beb00..77a9e54cb0f 100755 --- a/ci/kind/setup-kind.sh +++ b/ci/kind/setup-kind.sh @@ -77,7 +77,7 @@ else fi # 4. Build the gloo command line tool, ensuring we have one in the `_output` folder -make -s build-cli-local +# make -s build-cli-local # 5. Apply the Kubernetes Gateway API CRDs # Note, we're using kustomize to apply the CRDs from the k8s gateway api repo as diff --git a/install/helm/gloo/templates/1-gloo-deployment.yaml b/install/helm/gloo/templates/1-gloo-deployment.yaml index 5acbc0653ea..0a9f666e6ac 100644 --- a/install/helm/gloo/templates/1-gloo-deployment.yaml +++ b/install/helm/gloo/templates/1-gloo-deployment.yaml 
@@ -68,12 +68,6 @@ spec: - path: "labels" fieldRef: fieldPath: metadata.labels - {{- if and .Values.gateway.enabled .Values.gateway.validation.enabled }} - - name: validation-certs - secret: - defaultMode: 420 - secretName: {{ .Values.gateway.validation.secretName }} - {{- end }} containers: {{- if .Values.global.glooMtls.enabled }} {{- $sdsImage := merge .Values.global.glooMtls.sds.image .Values.global.image }} @@ -201,10 +195,6 @@ spec: protocol: TCP {{- end }} volumeMounts: - {{- if and .Values.gateway.validation.enabled .Values.gateway.enabled }} - - mountPath: /etc/gateway/validation-certs - name: validation-certs - {{- end }} - name: labels-volume mountPath: /etc/gloo readOnly: true diff --git a/install/helm/gloo/templates/43-gatewayparameters.yaml b/install/helm/gloo/templates/43-gatewayparameters.yaml index b7cb803fa48..57e9608eb27 100644 --- a/install/helm/gloo/templates/43-gatewayparameters.yaml +++ b/install/helm/gloo/templates/43-gatewayparameters.yaml @@ -1,4 +1,3 @@ -{{- if .Values.kubeGateway.enabled -}} {{- $global := .Values.global -}} kind: GatewayParameters apiVersion: gateway.gloo.solo.io/v1alpha1 @@ -53,13 +52,9 @@ spec: floatingUserId: {{ hasKey $global.securitySettings "floatingUserId" | ternary $global.securitySettings.floatingUserId (or $gg.floatingUserId false) }} envoyContainer: image: - {{- $envoyImage := dict -}} - {{- if $gg.envoyContainer -}} - {{- if $gg.envoyContainer.image -}} - {{- $envoyImage = $gg.envoyContainer.image -}} - {{- end -}}{{/* if $gg.envoyContainer.image */}} - {{- end }}{{/* if $gg.envoyContainer */}} - {{- merge $envoyImage $global.image | include "gloo-gateway.gatewayParametersImage" | nindent 8 }} + registry: quay.io/solo-io + repository: gloo-envoy-wrapper + tag: 1.18.5 {{- if $gg.envoyContainer -}} {{- if $gg.envoyContainer.securityContext }} securityContext: 
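Review bot: The `envoyContainer.image` block in the `@@ -53,13 +52,9 @@` hunk of `43-gatewayparameters.yaml` is now the literal `registry: quay.io/solo-io`, `repository: gloo-envoy-wrapper`, `tag: 1.18.5`, so `$gg.envoyContainer.image` and `$global.image` no longer influence which proxy image is deployed. Clusters that pull from a mirrored or private registry, or that restrict image sources by policy, lose their only override point, and the chart silently ignores whatever a user sets under those keys. The same three values are added to `values-template.yaml` in this commit, so the template can keep reading them: keep the removed `$envoyImage` lookup and the `include "gloo-gateway.gatewayParametersImage"` call, and let the values file carry the defaults. The enclosing `spec` continues outside the hunk.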
@@ -163,4 +158,3 @@ spec: {{ toYaml $gg.aiExtension.ports | indent 6 }} {{- end }} {{/* if $gg.aiExtension.ports */}} {{- end }}{{/* if $gg.aiExtension */}} -{{- end }}{{/* if .Values.kubeGateway.enabled */}} \ No newline at end of file diff --git a/install/helm/gloo/templates/44-gatewayclass.yaml b/install/helm/gloo/templates/44-gatewayclass.yaml index 98a518fd47f..e9193995164 100644 --- a/install/helm/gloo/templates/44-gatewayclass.yaml +++ b/install/helm/gloo/templates/44-gatewayclass.yaml @@ -1,4 +1,3 @@ -{{- if .Values.kubeGateway.enabled -}} kind: GatewayClass apiVersion: gateway.networking.k8s.io/v1 metadata: @@ -12,4 +11,3 @@ spec: kind: GatewayParameters name: gloo-gateway namespace: {{ .Release.Namespace }} -{{- end }}{{/* if .Values.kubeGateway.enabled */}} diff --git a/install/helm/gloo/templates/44-rbac.yaml b/install/helm/gloo/templates/44-rbac.yaml index a1e4e766be3..1afd0121d31 100644 --- a/install/helm/gloo/templates/44-rbac.yaml +++ b/install/helm/gloo/templates/44-rbac.yaml @@ -1,4 +1,3 @@ -{{- if .Values.kubeGateway.enabled -}} {{- $labels := include "gloo-gateway.constLabels" . | fromYaml }} {{- $labels = merge $labels (include "gloo-gateway.labels" . | fromYaml) }} {{- $data := fromYaml (.Files.Get "files/rbac/role.yaml") -}} @@ -139,4 +138,3 @@ roleRef: kind: ClusterRole name: k8sgw-controller.{{.Release.Namespace}} apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/install/helm/gloo/values-template.yaml b/install/helm/gloo/values-template.yaml index 541e79eba54..bbeec2f83aa 100644 --- a/install/helm/gloo/values-template.yaml +++ b/install/helm/gloo/values-template.yaml @@ -11,7 +11,9 @@ kubeGateway: glooGateway: envoyContainer: image: + registry: quay.io/solo-io repository: gloo-envoy-wrapper + tag: 1.18.5 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/pkg/schemes/scheme.go b/pkg/schemes/scheme.go index 9bc80124608..8c1e5f3fee0 100644 --- a/pkg/schemes/scheme.go 
+++ b/pkg/schemes/scheme.go @@ -12,12 +12,7 @@ import ( gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" - sologatewayv1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1/kube/apis/gateway.solo.io/v1" sologatewayv1alpha1 "github.com/solo-io/gloo/projects/gateway2/api/v1alpha1" - extauthkubev1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/kube/apis/enterprise.gloo.solo.io/v1" - graphqlv1beta1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/enterprise/options/graphql/v1beta1/kube/apis/graphql.gloo.solo.io/v1beta1" - gloov1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/kube/apis/gloo.solo.io/v1" - ratelimitv1alpha1 "github.com/solo-io/solo-apis/pkg/api/ratelimit.solo.io/v1alpha1" ) // SchemeBuilder contains all the Schemes for registering the CRDs with which Gloo Gateway interacts. @@ -38,17 +33,14 @@ var SchemeBuilder = runtime.SchemeBuilder{ // Solo Kubernetes Gateway API resources sologatewayv1alpha1.AddToScheme, - // Solo Edge Gateway API resources - sologatewayv1.AddToScheme, - // Solo Edge Gloo API resources - gloov1.AddToScheme, + // gloov1.AddToScheme, // Enterprise Extensions // These are packed in the OSS Helm Chart, and therefore we register the schemes here as well - graphqlv1beta1.AddToScheme, - extauthkubev1.AddToScheme, - ratelimitv1alpha1.AddToScheme, + // graphqlv1beta1.AddToScheme, + // extauthkubev1.AddToScheme, + // ratelimitv1alpha1.AddToScheme, } func AddToScheme(s *runtime.Scheme) error { diff --git a/pkg/utils/envoyutils/admincli/client.go b/pkg/utils/envoyutils/admincli/client.go index cd37affcc44..c34a9cc2c61 100644 --- a/pkg/utils/envoyutils/admincli/client.go +++ b/pkg/utils/envoyutils/admincli/client.go @@ -17,7 +17,6 @@ import ( "github.com/solo-io/gloo/pkg/utils/kubeutils/kubectl" "github.com/solo-io/gloo/pkg/utils/kubeutils/portforward" - "github.com/solo-io/gloo/projects/gloo/pkg/defaults" ) const ( 
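Review bot: The `@@ -38,17 +33,14 @@` hunk in `pkg/schemes/scheme.go` turns four `AddToScheme` entries into commented-out code while their imports are deleted, which leaves the section comments `// Solo Edge Gloo API resources` and `// Enterprise Extensions` describing registrations that no longer happen. The lines cannot be re-enabled without restoring the imports, so I would delete them and the two section comments rather than keep them commented. If they are meant to come back, one line such as `// TODO: Edge and enterprise schemes were dropped with the gloo dependency; re-register here if needed` records that. Callers that build a client from this scheme and still expect those kinds would presumably fail to decode them, which is worth checking outside this patch. The `SchemeBuilder` literal starts outside the hunk.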
@@ -30,6 +29,9 @@ const ( HealthCheckPath = "healthcheck" LoggingPath = "logging" ServerInfoPath = "server_info" + + // TODO: directly copied from previous constants file, this should probably actually be defined in envoy-gloo? + EnvoyAdminPort uint32 = 19000 ) // DumpOptions should have flags for any kind of underlying optional @@ -56,7 +58,7 @@ func NewClient() *Client { curlOptions: []curl.Option{ curl.WithScheme("http"), curl.WithHost("127.0.0.1"), - curl.WithPort(int(defaults.EnvoyAdminPort)), + curl.WithPort(int(EnvoyAdminPort)), // 3 retries, exponential back-off, 10 second max curl.WithRetries(3, 0, 10), }, @@ -75,7 +77,7 @@ func NewPortForwardedClient(ctx context.Context, proxySelector, namespace string // 1. Open a port-forward to the Kubernetes Deployment, so that we can query the Envoy Admin API directly portForwarder, err := kubectl.NewCli().StartPortForward(ctx, selector, - portforward.WithRemotePort(int(defaults.EnvoyAdminPort))) + portforward.WithRemotePort(int(EnvoyAdminPort))) if err != nil { return nil, nil, err } diff --git a/pkg/utils/envoyutils/bootstrap/bootstrap.go b/pkg/utils/envoyutils/bootstrap/bootstrap.go index 02d6454ee1d..6d22d3f519b 100644 --- a/pkg/utils/envoyutils/bootstrap/bootstrap.go +++ b/pkg/utils/envoyutils/bootstrap/bootstrap.go @@ -17,7 +17,7 @@ import ( "github.com/golang/protobuf/proto" anypb "github.com/golang/protobuf/ptypes/any" "github.com/rotisserie/eris" - "github.com/solo-io/gloo/projects/gloo/pkg/utils" + "github.com/solo-io/gloo/projects/gateway2/utils" envoycache "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/cache" ) diff --git a/pkg/utils/envoyutils/bootstrap/bootstrap_test.go b/pkg/utils/envoyutils/bootstrap/bootstrap_test.go index bb2791b58fc..42082867f98 100644 --- a/pkg/utils/envoyutils/bootstrap/bootstrap_test.go +++ b/pkg/utils/envoyutils/bootstrap/bootstrap_test.go 
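Review bot: `EnvoyAdminPort uint32 = 19000` in the `@@ -30,6 +29,9 @@` hunk is exported but carries only a TODO, and it is a second copy of a value that previously came from `defaults.EnvoyAdminPort`. Both `NewClient` and `NewPortForwardedClient` depend on it matching the admin listener the proxy is actually started with, so the constant should say so, for example `// EnvoyAdminPort is the port of the Envoy admin interface this client connects to; it must match the admin address in the proxy bootstrap.` The client reaches the admin interface over plain `http` on `127.0.0.1` or through a port-forward, which holds up only while that listener is not exposed on other addresses; that assumption is worth recording next to the constant as well. Declaring it untyped would also remove the `int(EnvoyAdminPort)` conversions at both call sites, if no other caller needs `uint32`.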
@@ -3,9 +3,7 @@ package bootstrap import ( "context" - envoytransformation "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/extensions/transformation" - "github.com/solo-io/gloo/projects/gloo/pkg/utils" - + "github.com/solo-io/gloo/projects/gateway2/utils" envoycache "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/cache" "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/resource" "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/types" 
@@ -217,88 +215,91 @@ var _ = Describe("Static bootstrap generation", func() { }) }) }) - Context("From Filter", func() { - It("produces correct bootstrap", func() { - inTransformation := &envoytransformation.RouteTransformations{ - ClearRouteCache: true, - Transformations: []*envoytransformation.RouteTransformations_RouteTransformation{ - { - Match: &envoytransformation.RouteTransformations_RouteTransformation_RequestMatch_{ - RequestMatch: &envoytransformation.RouteTransformations_RouteTransformation_RequestMatch{ClearRouteCache: true}, - }, - }, - }, - } - filterName := "transformation" - actual, err := FromFilter(filterName, inTransformation) - Expect(err).NotTo(HaveOccurred()) + // TODO: reimplement with transformation + // Context("From Filter", func() { + // It("produces correct bootstrap", func() { + // inTransformation := &envoytransformation.RouteTransformations{ + // ClearRouteCache: true, + // Transformations: []*envoytransformation.RouteTransformations_RouteTransformation{ + // { + // Match: &envoytransformation.RouteTransformations_RouteTransformation_RequestMatch_{ + // RequestMatch: &envoytransformation.RouteTransformations_RouteTransformation_RequestMatch{ClearRouteCache: true}, + // }, + // }, + // }, + // } - expectedBootstrap := &envoy_config_bootstrap_v3.Bootstrap{ - Node: &envoy_config_core_v3.Node{ - Id: "validation-node-id", - Cluster: "validation-cluster", - }, - StaticResources: &envoy_config_bootstrap_v3.Bootstrap_StaticResources{ - Listeners: []*envoy_config_listener_v3.Listener{{ - Name: "placeholder_listener", - Address: &envoy_config_core_v3.Address{ - Address: &envoy_config_core_v3.Address_SocketAddress{SocketAddress: &envoy_config_core_v3.SocketAddress{ - Address: "0.0.0.0", - PortSpecifier: &envoy_config_core_v3.SocketAddress_PortValue{PortValue: 8081}, - }}, - }, - FilterChains: []*envoy_config_listener_v3.FilterChain{ - { - Name: "placeholder_filter_chain", - Filters: []*envoy_config_listener_v3.Filter{ - { - Name: 
wellknown.HTTPConnectionManager, - ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{ - TypedConfig: func() *anypb.Any { - hcmAny, err := utils.MessageToAny(&envoy_extensions_filters_network_http_connection_manager_v3.HttpConnectionManager{ - StatPrefix: "placeholder", - RouteSpecifier: &envoy_extensions_filters_network_http_connection_manager_v3.HttpConnectionManager_RouteConfig{ - RouteConfig: &envoy_config_route_v3.RouteConfiguration{ - VirtualHosts: []*envoy_config_route_v3.VirtualHost{ - { - Name: "placeholder_host", - Domains: []string{"*"}, - TypedPerFilterConfig: map[string]*anypb.Any{ - filterName: { - TypeUrl: "type.googleapis.com/envoy.api.v2.filter.http.RouteTransformations", - Value: func() []byte { - tformany, err := utils.MessageToAny(inTransformation) - Expect(err).NotTo(HaveOccurred()) - return tformany.GetValue() - }(), - }, - }, - }, - }, - }, - }, - }) - Expect(err).NotTo(HaveOccurred()) - return hcmAny - }(), - }, - }, - }, - }, - }, - }}, - }, - } + // filterName := "transformation" + // actual, err := FromFilter(filterName, inTransformation) + // Expect(err).NotTo(HaveOccurred()) - actualBootstrap := &envoy_config_bootstrap_v3.Bootstrap{} + // expectedBootstrap := &envoy_config_bootstrap_v3.Bootstrap{ + // Node: &envoy_config_core_v3.Node{ + // Id: "validation-node-id", + // Cluster: "validation-cluster", + // }, + // StaticResources: &envoy_config_bootstrap_v3.Bootstrap_StaticResources{ + // Listeners: []*envoy_config_listener_v3.Listener{{ + // Name: "placeholder_listener", + // Address: &envoy_config_core_v3.Address{ + // Address: &envoy_config_core_v3.Address_SocketAddress{SocketAddress: &envoy_config_core_v3.SocketAddress{ + // Address: "0.0.0.0", + // PortSpecifier: &envoy_config_core_v3.SocketAddress_PortValue{PortValue: 8081}, + // }}, + // }, + // FilterChains: []*envoy_config_listener_v3.FilterChain{ + // { + // Name: "placeholder_filter_chain", + // Filters: []*envoy_config_listener_v3.Filter{ + // { + // Name: 
wellknown.HTTPConnectionManager, + // ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{ + // TypedConfig: func() *anypb.Any { + // hcmAny, err := utils.MessageToAny(&envoy_extensions_filters_network_http_connection_manager_v3.HttpConnectionManager{ + // StatPrefix: "placeholder", + // RouteSpecifier: &envoy_extensions_filters_network_http_connection_manager_v3.HttpConnectionManager_RouteConfig{ + // RouteConfig: &envoy_config_route_v3.RouteConfiguration{ + // VirtualHosts: []*envoy_config_route_v3.VirtualHost{ + // { + // Name: "placeholder_host", + // Domains: []string{"*"}, + // TypedPerFilterConfig: map[string]*anypb.Any{ + // filterName: { + // TypeUrl: "type.googleapis.com/envoy.api.v2.filter.http.RouteTransformations", + // Value: func() []byte { + // tformany, err := utils.MessageToAny(inTransformation) + // Expect(err).NotTo(HaveOccurred()) + // return tformany.GetValue() + // }(), + // }, + // }, + // }, + // }, + // }, + // }, + // }) + // Expect(err).NotTo(HaveOccurred()) + // return hcmAny + // }(), + // }, + // }, + // }, + // }, + // }, + // }}, + // }, + // } - err = protojson.Unmarshal([]byte(actual), actualBootstrap) - Expect(err).NotTo(HaveOccurred()) + // actualBootstrap := &envoy_config_bootstrap_v3.Bootstrap{} + + // err = protojson.Unmarshal([]byte(actual), actualBootstrap) + // Expect(err).NotTo(HaveOccurred()) + + // Expect(proto.Equal(expectedBootstrap, actualBootstrap)).To(BeTrue()) + // }) + // }) - Expect(proto.Equal(expectedBootstrap, actualBootstrap)).To(BeTrue()) - }) - }) Context("From Snapshot", func() { var ( snap *fakeSnapshot diff --git a/pkg/utils/namespaces/namespaces.go b/pkg/utils/namespaces/namespaces.go index 073b9ffdf76..ac5e3a0c07c 100644 --- a/pkg/utils/namespaces/namespaces.go +++ b/pkg/utils/namespaces/namespaces.go 
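Review bot: Commenting out the whole `Context("From Filter", ...)` block removes the only test of `FromFilter` visible in this file and leaves no trace of the gap in the test report. Ginkgo can mark it pending instead: `PContext("From Filter", func() {` with the body reduced to `PIt("produces correct bootstrap", func() {})`, which keeps the missing coverage listed on every run. If `FromFilter` is still present in `bootstrap.go` (not shown in this hunk), the code that builds the `validation-node-id` bootstrap is unexercised until the TODO is resolved. The surrounding `Describe` starts outside the hunk.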
@@ -1,18 +1,7 @@ package namespaces import ( - "context" - "errors" "os" - - "github.com/solo-io/gloo/projects/gloo/cli/pkg/helpers" - "github.com/solo-io/solo-kit/pkg/api/external/kubernetes/namespace" - "github.com/solo-io/solo-kit/pkg/api/v1/clients/kube/cache" - "github.com/solo-io/solo-kit/pkg/api/v1/resources/common/kubernetes" - - authv1 "k8s.io/api/authorization/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - k8s_kubernetes "k8s.io/client-go/kubernetes" ) // AllNamespaces returns true if the list of namespaces watched is empty or contains only a blank string @@ -54,44 +43,3 @@ func GetPodNamespace() string { } return "gloo-system" } - -// NewKubeNamespaceClient creates and returns the `namespace.NewNamespaceClient` if it has permissions to list namespaces -// This entails creating a kubeclient, kubecorecache and calling a SelfSubjectAccessReview to verify if it has the appropriate RBAC -func NewKubeNamespaceClient(ctx context.Context) (kubernetes.KubeNamespaceClient, error) { - kubeClient, err := helpers.KubeClientWithKubecontext("") - if err != nil { - return nil, err - } - - clientset, ok := kubeClient.(*k8s_kubernetes.Clientset) - if !ok { - return nil, errors.New("unable to create kube client to list namespaces") - } - - action := authv1.ResourceAttributes{ - Namespace: "", - Verb: "list", - Resource: "namespaces", - } - - selfCheck := authv1.SelfSubjectAccessReview{ - Spec: authv1.SelfSubjectAccessReviewSpec{ - ResourceAttributes: &action, - }, - } - - resp, err := clientset.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, &selfCheck, metav1.CreateOptions{}) - if err != nil { - return nil, err - } - - if resp.Status.Allowed { - kubeCache, err := cache.NewKubeCoreCache(ctx, kubeClient) - if err != nil { - return nil, err - } - - return namespace.NewNamespaceClient(kubeClient, kubeCache), nil - } - return nil, errors.New("the caller does not have permissions to list namespaces") -} 
diff --git a/pkg/utils/regexutils/regex.go b/pkg/utils/regexutils/regex.go index 139bf503aaa..989e0e97154 100644 --- a/pkg/utils/regexutils/regex.go +++ b/pkg/utils/regexutils/regex.go @@ -6,10 +6,6 @@ import ( envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" wrappers "github.com/golang/protobuf/ptypes/wrappers" - "github.com/solo-io/gloo/pkg/utils/settingsutil" - v32 "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/type/matcher/v3" - v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" - "github.com/solo-io/solo-kit/pkg/errors" ) // NewCheckedRegex creates a new regex matcher with the given regex. 
@@ -35,21 +31,24 @@ func CheckRegexString(candidateRegex string) error { // Wraps NewRegexFromSettings which wraps NewRegexWithProgramSize which leads to the tight coupling. // NOTE: Call this after having checked regex with CheckRegexString. func NewRegex(ctx context.Context, candidateRegex string) *envoy_type_matcher_v3.RegexMatcher { - settings := settingsutil.MaybeFromContext(ctx) - return NewRegexFromSettings(settings, candidateRegex) + // TODO: we need to figure out if the programsize as a global setting is still relevant + // settings := settingsutil.MaybeFromContext(ctx) + // return NewRegexFromSettings(settings, candidateRegex) + return NewRegexWithProgramSize(candidateRegex, nil) + } // NewRegexFromSettings wraps NewRegexWithProgramSize with the program size from the settings. // NOTE: Call this after having checked regex with CheckRegexString. -func NewRegexFromSettings(settings *v1.Settings, candidateRegex string) *envoy_type_matcher_v3.RegexMatcher { - var programsize *uint32 - if settings != nil { - if max_size := settings.GetGloo().GetRegexMaxProgramSize(); max_size != nil { - programsize = &max_size.Value - } - } - return NewRegexWithProgramSize(candidateRegex, programsize) -} +// func NewRegexFromSettings(settings *v1.Settings, candidateRegex string) *envoy_type_matcher_v3.RegexMatcher { +// var programsize *uint32 +// if settings != nil { +// if max_size := settings.GetGloo().GetRegexMaxProgramSize(); max_size != nil { +// programsize = &max_size.Value +// } +// } +// return NewRegexWithProgramSize(candidateRegex, programsize) +// } // NewRegexWithProgramSize creates a new regex matcher with the given program size. // This means its tightly coupled to envoy's implementation of regex. 
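Review bot: `NewRegex` now always calls `NewRegexWithProgramSize(candidateRegex, nil)`, so a `RegexMaxProgramSize` configured in settings is no longer applied and `ctx` is unused. What a nil size does inside `NewRegexWithProgramSize` is not visible in this hunk, but if the limit was the operator's bound on regex compile cost, it now silently falls back to whatever Envoy defaults to. The retained doc comment still says "Wraps NewRegexFromSettings", which no longer exists as live code. I would replace it with `// NewRegex builds a matcher with no explicit max program size; ctx is currently unused (see TODO).` and delete the commented-out `NewRegexFromSettings` rather than keep it. The same applies to the commented-out `ConvertRegexMatchAndSubstitute` in the following hunk (`@@ -71,34 +70,36 @@`).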
@@ -71,34 +70,36 @@ func NewRegexWithProgramSize(candidateRegex string, programsize *uint32) *envoy_ } } +// TODO: audit this stuff, is it even still needed?? + // ConvertRegexMatchAndSubstitute into safe variant consumable by envoy. // By default we use the RegexMatcher_GoogleRe2 matcher which as of // envoy 1.21 is the only engine supported. -func ConvertRegexMatchAndSubstitute(ctx context.Context, in *v32.RegexMatchAndSubstitute) (*envoy_type_matcher_v3.RegexMatchAndSubstitute, error) { - if in == nil { - return nil, nil - } +// func ConvertRegexMatchAndSubstitute(ctx context.Context, in *v32.RegexMatchAndSubstitute) (*envoy_type_matcher_v3.RegexMatchAndSubstitute, error) { +// if in == nil { +// return nil, nil +// } - out := &envoy_type_matcher_v3.RegexMatchAndSubstitute{ - Pattern: NewRegex(ctx, in.GetPattern().GetRegex()), - Substitution: in.GetSubstitution(), - } - switch inET := in.GetPattern().GetEngineType().(type) { - case nil: - // we do nothing here as it defaults to googleRe2 but we dont have any of the extra settings on it. - case *v32.RegexMatcher_GoogleRe2: - // note that this is likely to be deprecated soon anyways... So if engines no longer matter we may eventually - // be able to remove most of this. - outET := out.GetPattern().GetEngineType().(*envoy_type_matcher_v3.RegexMatcher_GoogleRe2) - if inET.GoogleRe2.GetMaxProgramSize() != nil && (outET.GoogleRe2.GetMaxProgramSize() == nil || inET.GoogleRe2.GetMaxProgramSize().GetValue() < outET.GoogleRe2.GetMaxProgramSize().GetValue()) { - out.Pattern = NewRegexWithProgramSize(in.GetPattern().GetRegex(), &inET.GoogleRe2.GetMaxProgramSize().Value) - } +// out := &envoy_type_matcher_v3.RegexMatchAndSubstitute{ +// Pattern: NewRegex(ctx, in.GetPattern().GetRegex()), +// Substitution: in.GetSubstitution(), +// } +// switch inET := in.GetPattern().GetEngineType().(type) { +// case nil: +// // we do nothing here as it defaults to googleRe2 but we dont have any of the extra settings on it. 
+// case *v32.RegexMatcher_GoogleRe2: +// // note that this is likely to be deprecated soon anyways... So if engines no longer matter we may eventually +// // be able to remove most of this. +// outET := out.GetPattern().GetEngineType().(*envoy_type_matcher_v3.RegexMatcher_GoogleRe2) +// if inET.GoogleRe2.GetMaxProgramSize() != nil && (outET.GoogleRe2.GetMaxProgramSize() == nil || inET.GoogleRe2.GetMaxProgramSize().GetValue() < outET.GoogleRe2.GetMaxProgramSize().GetValue()) { +// out.Pattern = NewRegexWithProgramSize(in.GetPattern().GetRegex(), &inET.GoogleRe2.GetMaxProgramSize().Value) +// } - default: - // this will only happen if there is a new type of engine that our current envoy implementation does not know how to handle. - // This should be thrown as we are unsure that we are passing the right info to envoy which could cause crashes. - return nil, errors.Errorf("Invalid regex EngineType: %v", in.GetPattern().GetEngineType()) - } +// default: +// // this will only happen if there is a new type of engine that our current envoy implementation does not know how to handle. +// // This should be thrown as we are unsure that we are passing the right info to envoy which could cause crashes. +// return nil, errors.Errorf("Invalid regex EngineType: %v", in.GetPattern().GetEngineType()) +// } - return out, nil -} +// return out, nil +// } diff --git a/pkg/utils/regexutils/regex_test.go b/pkg/utils/regexutils/regex_test.go index b9f2e9be301..609d6ba29a4 100644 --- a/pkg/utils/regexutils/regex_test.go +++ b/pkg/utils/regexutils/regex_test.go 
@@ -1,15 +1,9 @@ package regexutils_test import ( - "context" - - "github.com/golang/protobuf/ptypes/wrappers" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" . "github.com/solo-io/gloo/pkg/utils/regexutils" - "github.com/solo-io/gloo/pkg/utils/settingsutil" - v32 "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/type/matcher/v3" - v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" ) var _ = Describe("Regex", func() { 
@@ -30,28 +24,28 @@ var _ = Describe("Regex", func() { Expect(regex.GetGoogleRe2().GetMaxProgramSize().GetValue()).To(Equal(number)) }) - It("should create regex from settings in context", func() { - ctx := settingsutil.WithSettings(context.Background(), &v1.Settings{ - Gloo: &v1.GlooOptions{RegexMaxProgramSize: &wrappers.UInt32Value{Value: 123}}, - }) - regex := NewRegex(ctx, "foo") - Expect(regex.GetRegex()).To(Equal("foo")) - Expect(regex.GetGoogleRe2().GetMaxProgramSize().GetValue()).To(BeEquivalentTo(123)) - }) - It("should create regex even without engine", func() { - ctx := settingsutil.WithSettings(context.Background(), &v1.Settings{ - Gloo: &v1.GlooOptions{RegexMaxProgramSize: &wrappers.UInt32Value{Value: 123}}, - }) - subPattern := v32.RegexMatcher{ - Regex: "(.*)", - } - in := v32.RegexMatchAndSubstitute{ - Substitution: "123", - Pattern: &subPattern, - } - out, err := ConvertRegexMatchAndSubstitute(ctx, &in) - Expect(err).NotTo(HaveOccurred()) - Expect(out.Pattern.Regex).To(Equal(in.Pattern.Regex)) - Expect(out.Substitution).To(Equal(in.Substitution)) - }) + // It("should create regex from settings in context", func() { + // ctx := settingsutil.WithSettings(context.Background(), &v1.Settings{ + // Gloo: &v1.GlooOptions{RegexMaxProgramSize: &wrappers.UInt32Value{Value: 123}}, + // }) + // regex := NewRegex(ctx, "foo") + // Expect(regex.GetRegex()).To(Equal("foo")) + // Expect(regex.GetGoogleRe2().GetMaxProgramSize().GetValue()).To(BeEquivalentTo(123)) + // }) + // It("should create regex even without engine", func() { + // ctx := settingsutil.WithSettings(context.Background(), &v1.Settings{ + // Gloo: &v1.GlooOptions{RegexMaxProgramSize: &wrappers.UInt32Value{Value: 123}}, + // }) + // subPattern := v32.RegexMatcher{ + // Regex: "(.*)", + // } + // in := v32.RegexMatchAndSubstitute{ + // Substitution: "123", + // Pattern: &subPattern, + // } + // out, err := ConvertRegexMatchAndSubstitute(ctx, &in) + // Expect(err).NotTo(HaveOccurred()) + // 
Expect(out.Pattern.Regex).To(Equal(in.Pattern.Regex)) + // Expect(out.Substitution).To(Equal(in.Substitution)) + // }) }) diff --git a/projects/gateway2/admin/resources.go b/projects/gateway2/admin/resources.go index 0fd62fd4f97..7ffe0a69288 100644 --- a/projects/gateway2/admin/resources.go +++ b/projects/gateway2/admin/resources.go @@ -3,36 +3,26 @@ package admin import ( "slices" - gatewayv1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" "github.com/solo-io/gloo/projects/gateway2/api/v1alpha1" "github.com/solo-io/gloo/projects/gateway2/wellknown" - gloov1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" - wellknownkube "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/kube/wellknown" "k8s.io/apimachinery/pkg/runtime/schema" ) // TODO: these need to be updated var ( KubernetesCoreGVKs = []schema.GroupVersionKind{ - wellknownkube.SecretGVK, - wellknownkube.ConfigMapGVK, - } - - GlooGVKs = []schema.GroupVersionKind{ - gloov1.SettingsGVK, - gloov1.UpstreamGVK, - gloov1.UpstreamGroupGVK, - gloov1.ProxyGVK, + wellknown.SecretGVK, + wellknown.ConfigMapGVK, } // PolicyGVKs is the set of GVKs that are used by a classic Gloo Gateway installation. // This is the common set of GVKs that are available when Edge Gateway APIs are being // used. See KubernetesGatewayIntegrationPolicyGVKs for the set of GVKs that are added // when the Kubernetes Gateway API is enabled - PolicyGVKs = []schema.GroupVersionKind{ - gatewayv1.VirtualHostOptionGVK, - gatewayv1.RouteOptionGVK, - } + // PolicyGVKs = []schema.GroupVersionKind{ + // gatewayv1.VirtualHostOptionGVK, + // gatewayv1.RouteOptionGVK, + // } KubernetesGatewayGVKs = []schema.GroupVersionKind{ wellknown.GatewayClassGVK, 
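Review bot: The "should create regex from settings in context" case is commented out instead of being rewritten, so the changed `NewRegex` path in regex.go has no test at all. `NewRegex` is still exported and still takes a `ctx`, so a replacement case should pin its new contract. For example `regex := NewRegex(context.Background(), "foo")` followed by `Expect(regex.GetRegex()).To(Equal("foo"))`, plus an assertion on `GetMaxProgramSize()` once the intended nil behaviour is decided. The commented-out `ConvertRegexMatchAndSubstitute` case is better deleted, since version control already keeps it. The enclosing `Describe` block starts outside this hunk.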
@@ -45,15 +35,13 @@ var ( v1alpha1.GatewayParametersGVK, // While these are in fact Policy APIs, they are only enabled if the Kubernetes Gateway Integration is turned on - gatewayv1.ListenerOptionGVK, - gatewayv1.HttpListenerOptionGVK, + // gatewayv1.ListenerOptionGVK, + // gatewayv1.HttpListenerOptionGVK, } // CompleteInputSnapshotGVKs is the list of GVKs that will be returned by the InputSnapshot API CompleteInputSnapshotGVKs = slices.Concat( KubernetesCoreGVKs, - GlooGVKs, - PolicyGVKs, KubernetesGatewayGVKs, KubernetesGatewayIntegrationPolicyGVKs, ) diff --git a/projects/gateway2/cmd/Dockerfile b/projects/gateway2/cmd/Dockerfile new file mode 100644 index 00000000000..a06affe8bdf --- /dev/null +++ b/projects/gateway2/cmd/Dockerfile @@ -0,0 +1,23 @@ +ARG ENVOY_IMAGE + +FROM $ENVOY_IMAGE + +ARG GOARCH=amd64 +# eventually may matter for now https://unix.stackexchange.com/a/701288 +# means its not too useful +ENV DEBIAN_FRONTEND=noninteractive + +# Update our deps to make cve toil lower +#install wget for our default probes +RUN apt-get update \ + && apt-get upgrade -y \ + && apt-get install --no-install-recommends -y ca-certificates \ + && apt-get install wget -y \ + && rm -rf /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old + + +COPY gloo-linux-$GOARCH /usr/local/bin/gloo + +USER 10101 + +ENTRYPOINT ["/usr/local/bin/gloo"] \ No newline at end of file diff --git a/projects/gateway2/cmd/Dockerfile.distroless b/projects/gateway2/cmd/Dockerfile.distroless new file mode 100644 index 00000000000..0f920b3c684 --- /dev/null +++ b/projects/gateway2/cmd/Dockerfile.distroless 
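Review bot: In the new Dockerfile's `RUN` step, `apt-get install wget -y` omits the `--no-install-recommends` flag that the `ca-certificates` install just above it uses, so recommended packages are pulled into the runtime image. Folding both into one call keeps the image smaller and the package set predictable: `&& apt-get install --no-install-recommends -y ca-certificates wget \`. The comment says `wget` exists only for the default probes, while Dockerfile.distroless ships without it. It is worth stating in that comment which probe relies on it, so it can be dropped once the probe no longer needs it.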
@@ -0,0 +1,19 @@ +ARG ENVOY_IMAGE +ARG BASE_IMAGE + +FROM $ENVOY_IMAGE as envoy + +FROM $BASE_IMAGE +ARG GOARCH=amd64 + +COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy + +# Copy over the required libraries +# lib64z1 - Required by libsaxon for xslt transformations +COPY --from=envoy /usr/lib/x86_64-linux-gnu/libz.so* /usr/lib/x86_64-linux-gnu/ + +COPY gloo-linux-$GOARCH /usr/local/bin/gloo + +USER 10101 + +ENTRYPOINT ["/usr/local/bin/gloo"] \ No newline at end of file diff --git a/projects/gateway2/cmd/main.go b/projects/gateway2/cmd/main.go new file mode 100644 index 00000000000..44ec14320be --- /dev/null +++ b/projects/gateway2/cmd/main.go @@ -0,0 +1,20 @@ +package main + +import ( + "context" + + "github.com/solo-io/gloo/pkg/utils/probes" + "github.com/solo-io/gloo/projects/gateway2/setup" + "github.com/solo-io/go-utils/log" +) + +func main() { + ctx := context.Background() + + // Start a server which is responsible for responding to liveness probes + probes.StartLivenessProbeServer(ctx) + + if err := setup.Main(ctx); err != nil { + log.Fatalf("err in main: %v", err.Error()) + } +} diff --git a/projects/gateway2/deployer/deployer_test.go b/projects/gateway2/deployer/deployer_test.go index 2417a5a62ab..061519883d1 100644 --- a/projects/gateway2/deployer/deployer_test.go +++ b/projects/gateway2/deployer/deployer_test.go @@ -16,9 +16,7 @@ import ( gw2_v1alpha1 "github.com/solo-io/gloo/projects/gateway2/api/v1alpha1" "github.com/solo-io/gloo/projects/gateway2/deployer" "github.com/solo-io/gloo/projects/gateway2/wellknown" - wellknownkube "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/kube/wellknown" - glooutils "github.com/solo-io/gloo/projects/gloo/pkg/utils" - "github.com/solo-io/gloo/projects/gloo/pkg/xds" + "github.com/solo-io/gloo/projects/gateway2/xds" jsonpb "google.golang.org/protobuf/encoding/protojson" "google.golang.org/protobuf/proto" appsv1 "k8s.io/api/apps/v1" 
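Review bot: In Dockerfile.distroless, the `COPY --from=envoy /usr/lib/x86_64-linux-gnu/libz.so* /usr/lib/x86_64-linux-gnu/` line hard-codes the amd64 library directory, while `GOARCH` is a build argument used to select `gloo-linux-$GOARCH`. If this image is ever built with `GOARCH=arm64`, the binary and the copied library path will not match. At minimum add a comment above the COPY such as `# amd64-only path; other GOARCH values need the matching multiarch lib directory`, or derive the directory from a build argument.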
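Review bot: In the new `main`, `ctx := context.Background()` is never cancelled, so unless `setup.Main` installs its own signal handling (not visible here), neither the liveness probe server nor the setup loop observes SIGTERM through this context at pod shutdown. Consider `ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)` with `defer stop()`. Separately, `log.Fatalf("err in main: %v", err.Error())` can pass `err` directly, since `%v` already formats it.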
@@ -38,7 +36,324 @@ import ( // // There is some import within this package that this suite relies on. Chasing that down is // *hard* tho due to the import tree, and best done in a followup. - _ "github.com/solo-io/gloo/projects/gloo/pkg/translator" + // _ "github.com/solo-io/gloo/projects/gloo/pkg/translator" + // + // TODO: these imports are effectively copied over from envoyinit/filter_types.gen.go + // they are needed to register the proto types, in this case used in unmarshaling + // once envoyinit is readded, this should be a simple import elsewhere. + // Per note above, it sounds like we were getting this for free via the translator import as well + + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/compression/qatzip/compressor/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/config/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/checksum/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/dynamo/v3" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/golang/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/language/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/squash/v3" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/sxg/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/client_ssl_auth/v3" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/golang/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/kafka_broker/v3" + _ 
"github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/mysql_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/rocketmq_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/sip_proxy/tra/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/sip_proxy/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/network/connection_balance/dlb/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/private_key_providers/qat/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/regex_engines/hyperscan/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/vcl/v3alpha" + _ "github.com/envoyproxy/go-control-plane/envoy/admin/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/common/key_value/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/common/matcher/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/common/mutation_rules/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/grpc_credential/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/overload/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/tap/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/config/upstream/local_address_selector/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/data/cluster/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/data/core/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/data/dns/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/data/tap/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/file/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/filters/cel/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/fluentd/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/grpc/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/open_telemetry/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stream/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/wasm/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/internal_listener/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/aggregate/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/dynamic_forward_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/redis/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/common/async_files/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/common/aws/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/common/dynamic_forward_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/common/matching/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/common/ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/common/tap/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/compression/brotli/compressor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/compression/brotli/decompressor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/compression/gzip/compressor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/compression/gzip/decompressor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/compression/zstd/compressor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/compression/zstd/decompressor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/config/validators/minimum_clusters/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/early_data/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/dependency/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/fault/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/matcher/action/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/set_filter_state/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/adaptive_concurrency/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/admission_control/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/alternate_protocols_cache/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/aws_lambda/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/aws_request_signing/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/bandwidth_limit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/basic_auth/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/buffer/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cache/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cdn_loop/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/composite/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/compressor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/connect_grpc_bridge/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cors/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/credential_injector/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/csrf/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/custom_response/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/decompressor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/dynamic_forward_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/file_system_buffer/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/gcp_authn/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/geoip/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_field_extraction/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_http1_bridge/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_json_transcoder/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/gzip/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/header_mutation/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/header_to_metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/health_check/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ip_tagging/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/json_to_metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/kill_request/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/local_ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/oauth2/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/on_demand/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/original_src/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/proto_message_extraction/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rate_limit_quota/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/set_filter_state/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/set_metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/stateful_session/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/tap/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/thrift_to_metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/upstream_codec/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/local_ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_dst/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_src/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/connection_limit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/direct_response/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/dubbo_proxy/router/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/dubbo_proxy/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/echo/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/ext_authz/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/action/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/matcher/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/router/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/local_ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/mongo_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/redis_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/set_filter_state/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/sni_cluster/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/tcp_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/thrift_proxy/router/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/thrift_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/wasm/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/zookeeper_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/dns_filter/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/session/dynamic_forward_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/cel/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/req_without_query/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/common/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/maxmind/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/health_check/event_sinks/file/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/health_checkers/redis/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/health_checkers/thrift/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/cache/file_system_http_cache/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/cache/simple_http_cache/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/custom_response/local_response_policy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/custom_response/redirect_policy/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/http/early_header_mutation/header_mutation/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/header_formatters/preserve_case/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/header_validators/envoy_default/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/generic/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/oauth2/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/original_ip_detection/custom_header/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/original_ip_detection/xff/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/stateful_session/cookie/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/http/stateful_session/header/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/internal_redirect/allow_listed_routes/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/internal_redirect/previous_routes/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/internal_redirect/safe_cross_scheme/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/key_value/file_based/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/cluster_provided/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/common/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/least_request/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/maglev/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/pick_first/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/random/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/ring_hash/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/round_robin/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/subset/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/wrr_locality/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/environment_variable/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/ssl/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/consistent_hashing/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/ip/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/runtime_fraction/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/apple/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/cares/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/getaddrinfo/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/socket_interface/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/outlier_detection_monitors/common/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/outlier_detection_monitors/consecutive_errors/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/path/match/uri_template/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/path/rewrite/uri_template/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/quic/connection_debug_visitor/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/connection_id_generator/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/crypto_stream/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/proof_source/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/server_preferred_address/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/rate_limit_descriptors/expr/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/audit_loggers/stream/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/matchers/upstream_ip_port/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/regex_engines/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/request_id/uuid/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/cpu_utilization/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/downstream_connections/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/fixed_heap/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/injected_resource/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/retry/host/omit_canary_hosts/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/retry/host/omit_host_metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/retry/host/previous_hosts/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/retry/priority/previous_priorities/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/router/cluster_specifiers/lua/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/graphite_statsd/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/open_telemetry/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/wasm/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/string_matcher/lua/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/opentelemetry/resource_detectors/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/opentelemetry/samplers/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/alts/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/http_11_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/internal_upstream/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/proxy_protocol/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/quic/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/raw_buffer/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/s2a/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/starttls/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tap/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tcp_stats/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/udp_packet_writer/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/generic/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/http/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/tcp/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/udp/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/tcp/generic/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/tcp/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/wasm/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/watchdog/profile_action/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/cluster/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/endpoint/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/event_reporting/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/extension/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/health/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/listener/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/load_stats/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/metrics/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/rate_limit_quota/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/redis_auth/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/route/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/runtime/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/secret/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/status/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/tap/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/trace/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/type/http/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/type/metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/type/tracing/v3" + _ 
"github.com/envoyproxy/go-control-plane/envoy/type/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/watchdog/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/cache/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/client/sotw/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/resource/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/server/delta/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/server/rest/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/server/sotw/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/server/stream/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/server/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/test/resource/v3" + _ "github.com/envoyproxy/go-control-plane/pkg/test/v3" + _ "github.com/envoyproxy/go-control-plane/ratelimit/config/ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/ratelimit/service/ratelimit/v3" ) // testBootstrap implements resources.Resource in order to use protoutils.UnmarshalYAML @@ -443,10 +758,10 @@ var _ = Describe("Deployer", func() { Expect(err).NotTo(HaveOccurred()) Expect(gvks).To(HaveLen(4)) Expect(gvks).To(ConsistOf( - wellknownkube.DeploymentGVK, - wellknownkube.ServiceGVK, - wellknownkube.ServiceAccountGVK, - wellknownkube.ConfigMapGVK, + wellknown.DeploymentGVK, + wellknown.ServiceGVK, + wellknown.ServiceAccountGVK, + wellknown.ConfigMapGVK, )) }) @@ -1339,7 +1654,7 @@ var _ = Describe("Deployer", func() { // make sure the envoy node metadata looks right node := envoyConfig["node"].(map[string]any) Expect(node).To(HaveKeyWithValue("metadata", map[string]any{ - xds.RoleKey: fmt.Sprintf("%s~%s~%s", glooutils.GatewayApiProxyValue, gw.Namespace, gw.Name), + xds.RoleKey: fmt.Sprintf("%s~%s~%s", wellknown.GatewayApiProxyValue, gw.Namespace, gw.Name), })) // make sure the stats listener is enabled 
@@ -1384,7 +1699,7 @@ var _ = Describe("Deployer", func() { // make sure the envoy node metadata looks right node := envoyConfig["node"].(map[string]any) Expect(node).To(HaveKeyWithValue("metadata", map[string]any{ - xds.RoleKey: fmt.Sprintf("%s~%s~%s", glooutils.GatewayApiProxyValue, gw.Namespace, gw.Name), + xds.RoleKey: fmt.Sprintf("%s~%s~%s", wellknown.GatewayApiProxyValue, gw.Namespace, gw.Name), })) // make sure the stats listener is enabled diff --git a/projects/gateway2/extensions2/plugins/directresponse/direct_response_plugin.go b/projects/gateway2/extensions2/plugins/directresponse/direct_response_plugin.go index 668f42ab6c4..af8f0afaade 100644 --- a/projects/gateway2/extensions2/plugins/directresponse/direct_response_plugin.go +++ b/projects/gateway2/extensions2/plugins/directresponse/direct_response_plugin.go @@ -16,7 +16,7 @@ import ( extensionplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" "github.com/solo-io/gloo/projects/gateway2/ir" "github.com/solo-io/gloo/projects/gateway2/pkg/client/clientset/versioned" - "github.com/solo-io/gloo/projects/gloo/pkg/plugins" + "github.com/solo-io/gloo/projects/gateway2/plugins" skubeclient "istio.io/istio/pkg/config/schema/kubeclient" "istio.io/istio/pkg/kube/kclient" "istio.io/istio/pkg/kube/krt" diff --git a/projects/gateway2/extensions2/plugins/istio/plugin.go b/projects/gateway2/extensions2/plugins/istio/plugin.go index f51e3e24c70..836fb3b963e 100644 --- a/projects/gateway2/extensions2/plugins/istio/plugin.go +++ b/projects/gateway2/extensions2/plugins/istio/plugin.go @@ -20,7 +20,7 @@ import ( "github.com/solo-io/gloo/projects/gateway2/extensions2/common" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" "github.com/solo-io/gloo/projects/gateway2/ir" - "github.com/solo-io/gloo/projects/gloo/constants" + ourwellknown "github.com/solo-io/gloo/projects/gateway2/wellknown" "github.com/solo-io/go-utils/contextutils" corev1 "k8s.io/api/core/v1" ) 
@@ -64,7 +64,7 @@ func NewPlugin(ctx context.Context, commoncol *common.CommonCollections) extensi // TODO: if plumb settings from gw class; then they should be in the new translation pass // the problem is that they get applied to an upstream, and currently we don't have access to the gateway // when translating upstreams. if we want we can add the gateway to the context of PerClientProcessUpstream - sidecarEnabled := envutils.IsEnvTruthy(constants.IstioInjectionEnabled) + sidecarEnabled := envutils.IsEnvTruthy(ourwellknown.IstioInjectionEnabled) istioSettings := IstioSettings{ EnableAutoMTLS: commoncol.Settings.EnableAutoMTLS, EnableIstioIntegration: commoncol.Settings.EnableIstioIntegration, @@ -142,7 +142,7 @@ func (p plugin) processUpstream(ctx context.Context, ir ir.PolicyIR, in ir.Upstr func createIstioMatch(sni string) *envoy_config_cluster_v3.Cluster_TransportSocketMatch { istioMtlsTransportSocketMatch := &structpb.Struct{ Fields: map[string]*structpb.Value{ - constants.TLSModeLabelShortname: {Kind: &structpb.Value_StringValue{StringValue: constants.IstioMutualTLSModeLabel}}, + ourwellknown.TLSModeLabelShortname: {Kind: &structpb.Value_StringValue{StringValue: ourwellknown.IstioMutualTLSModeLabel}}, }, } @@ -153,7 +153,7 @@ func createIstioMatch(sni string) *envoy_config_cluster_v3.Cluster_TransportSock TlsParams: &tlsv3.TlsParameters{}, ValidationContextType: &tlsv3.CommonTlsContext_ValidationContextSdsSecretConfig{ ValidationContextSdsSecretConfig: &tlsv3.SdsSecretConfig{ - Name: constants.IstioValidationContext, + Name: ourwellknown.IstioValidationContext, SdsConfig: &envoy_config_core_v3.ConfigSource{ ResourceApiVersion: envoy_config_core_v3.ApiVersion_V3, ConfigSourceSpecifier: &envoy_config_core_v3.ConfigSource_ApiConfigSource{ 
@@ -165,7 +165,7 @@ func createIstioMatch(sni string) *envoy_config_cluster_v3.Cluster_TransportSock GrpcServices: []*envoy_config_core_v3.GrpcService{ { TargetSpecifier: &envoy_config_core_v3.GrpcService_EnvoyGrpc_{ - EnvoyGrpc: &envoy_config_core_v3.GrpcService_EnvoyGrpc{ClusterName: constants.SdsClusterName}, + EnvoyGrpc: &envoy_config_core_v3.GrpcService_EnvoyGrpc{ClusterName: ourwellknown.SdsClusterName}, }, }, }, @@ -176,7 +176,7 @@ func createIstioMatch(sni string) *envoy_config_cluster_v3.Cluster_TransportSock }, TlsCertificateSdsSecretConfigs: []*tlsv3.SdsSecretConfig{ { - Name: constants.IstioCertSecret, + Name: ourwellknown.IstioCertSecret, SdsConfig: &envoy_config_core_v3.ConfigSource{ ResourceApiVersion: envoy_config_core_v3.ApiVersion_V3, ConfigSourceSpecifier: &envoy_config_core_v3.ConfigSource_ApiConfigSource{ @@ -189,7 +189,7 @@ func createIstioMatch(sni string) *envoy_config_cluster_v3.Cluster_TransportSock { TargetSpecifier: &envoy_config_core_v3.GrpcService_EnvoyGrpc_{ EnvoyGrpc: &envoy_config_core_v3.GrpcService_EnvoyGrpc{ - ClusterName: constants.SdsClusterName, + ClusterName: ourwellknown.SdsClusterName, }, }, }, @@ -209,7 +209,7 @@ func createIstioMatch(sni string) *envoy_config_cluster_v3.Cluster_TransportSock } return &envoy_config_cluster_v3.Cluster_TransportSocketMatch{ - Name: fmt.Sprintf("%s-%s", constants.TLSModeLabelShortname, constants.IstioMutualTLSModeLabel), + Name: fmt.Sprintf("%s-%s", ourwellknown.TLSModeLabelShortname, ourwellknown.IstioMutualTLSModeLabel), Match: istioMtlsTransportSocketMatch, TransportSocket: transportSocket, } @@ -224,7 +224,7 @@ func createDefaultIstioMatch() *envoy_config_cluster_v3.Cluster_TransportSocketM } return &envoy_config_cluster_v3.Cluster_TransportSocketMatch{ - Name: fmt.Sprintf("%s-disabled", constants.TLSModeLabelShortname), + Name: fmt.Sprintf("%s-disabled", ourwellknown.TLSModeLabelShortname), Match: &structpb.Struct{}, TransportSocket: rawBufferTransportSocket, } 
diff --git a/projects/gateway2/extensions2/plugins/listenerpolicy/listener_policy_plugin.go b/projects/gateway2/extensions2/plugins/listenerpolicy/listener_policy_plugin.go index c5e614d3527..df9e849a5ae 100644 --- a/projects/gateway2/extensions2/plugins/listenerpolicy/listener_policy_plugin.go +++ b/projects/gateway2/extensions2/plugins/listenerpolicy/listener_policy_plugin.go @@ -13,8 +13,8 @@ import ( extensionplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" "github.com/solo-io/gloo/projects/gateway2/ir" + "github.com/solo-io/gloo/projects/gateway2/plugins" "github.com/solo-io/gloo/projects/gateway2/utils/krtutil" - "github.com/solo-io/gloo/projects/gloo/pkg/plugins" wrapperspb "google.golang.org/protobuf/types/known/wrapperspb" "istio.io/istio/pkg/kube/krt" ) diff --git a/projects/gateway2/extensions2/plugins/routepolicy/route_policy_plugin.go b/projects/gateway2/extensions2/plugins/routepolicy/route_policy_plugin.go index 043dea274a6..1a139575346 100644 --- a/projects/gateway2/extensions2/plugins/routepolicy/route_policy_plugin.go +++ b/projects/gateway2/extensions2/plugins/routepolicy/route_policy_plugin.go @@ -14,8 +14,8 @@ import ( extensionplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" "github.com/solo-io/gloo/projects/gateway2/ir" + "github.com/solo-io/gloo/projects/gateway2/plugins" "github.com/solo-io/gloo/projects/gateway2/utils/krtutil" - "github.com/solo-io/gloo/projects/gloo/pkg/plugins" "istio.io/istio/pkg/kube/krt" ) diff --git a/projects/gateway2/extensions2/plugins/upstream/aws.go b/projects/gateway2/extensions2/plugins/upstream/aws.go index 8d694738624..f9a162c359b 100644 --- a/projects/gateway2/extensions2/plugins/upstream/aws.go +++ b/projects/gateway2/extensions2/plugins/upstream/aws.go 
@@ -11,11 +11,10 @@ import ( envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoyauth "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" + awspb "github.com/solo-io/envoy-gloo/go/config/filter/http/aws_lambda/v2" "github.com/solo-io/gloo/projects/gateway2/api/v1alpha1" + "github.com/solo-io/gloo/projects/gateway2/extensions2/pluginutils" "github.com/solo-io/gloo/projects/gateway2/ir" - awspb "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/extensions/aws" - "github.com/solo-io/gloo/projects/gloo/pkg/plugins/pluginutils" - "github.com/solo-io/gloo/projects/gloo/pkg/utils" "google.golang.org/protobuf/types/known/anypb" ) @@ -38,13 +37,15 @@ func processAws(ctx context.Context, in *v1alpha1.AwsUpstream, ir *UpstreamIr, o out.DnsLookupFamily = envoy_config_cluster_v3.Cluster_V4_ONLY pluginutils.EnvoySingleEndpointLoadAssignment(out, lambdaHostname, 443) - commonTlsContext, err := utils.GetCommonTlsContextFromUpstreamOptions(nil) - if err != nil { - // return err - return - } + // TODO: this returns nil anyway, so don't worry about temporarily migrating legacy util function + // that still relied on gloo v1 types + // commonTlsContext, err := utils.GetCommonTlsContextFromUpstreamOptions(nil) + // if err != nil { + // // return err + // return + // } tlsContext := &envoyauth.UpstreamTlsContext{ - CommonTlsContext: commonTlsContext, + CommonTlsContext: nil, // TODO(yuval-k): Add verification context Sni: lambdaHostname, } diff --git a/projects/gateway2/extensions2/plugins/upstream/plugin.go b/projects/gateway2/extensions2/plugins/upstream/plugin.go index b3b1044aad1..61f76eb3439 100644 --- a/projects/gateway2/extensions2/plugins/upstream/plugin.go +++ b/projects/gateway2/extensions2/plugins/upstream/plugin.go 
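Review bot: In aws.go, `processAws` now builds the `UpstreamTlsContext` with `CommonTlsContext: nil`, so the Lambda cluster carries an SNI but no validation context, and Envoy does not verify the upstream certificate when none is configured. The existing TODO acknowledges this, but the seven commented-out lines around `utils.GetCommonTlsContextFromUpstreamOptions` add dead code on top of it. I would delete the commented block and either populate a validation context (trusted CA plus a SAN match on `lambdaHostname`) or make the gap explicit with a comment such as `// SECURITY: upstream certificate is not verified until a validation context is set (tracking: <ISSUE-ID placeholder>)`. The body of `processAws` starts and ends outside this hunk, so any later assignment to the TLS context is not visible here.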
@@ -6,7 +6,6 @@ import ( "maps" "time" - awspb "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/extensions/aws" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/watch" @@ -14,13 +13,14 @@ import ( envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" + awspb "github.com/solo-io/envoy-gloo/go/config/filter/http/aws_lambda/v2" "github.com/solo-io/gloo/projects/gateway2/api/v1alpha1" "github.com/solo-io/gloo/projects/gateway2/extensions2/common" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" "github.com/solo-io/gloo/projects/gateway2/ir" "github.com/solo-io/gloo/projects/gateway2/krtcollections" "github.com/solo-io/gloo/projects/gateway2/pkg/client/clientset/versioned" - "github.com/solo-io/gloo/projects/gloo/pkg/plugins" + "github.com/solo-io/gloo/projects/gateway2/plugins" skubeclient "istio.io/istio/pkg/config/schema/kubeclient" "istio.io/istio/pkg/kube/kclient" "istio.io/istio/pkg/kube/krt" diff --git a/projects/gateway2/extensions2/pluginutils/pluginutils.go b/projects/gateway2/extensions2/pluginutils/pluginutils.go new file mode 100644 index 00000000000..2e95ca2db6a --- /dev/null +++ b/projects/gateway2/extensions2/pluginutils/pluginutils.go 
@@ -0,0 +1,57 @@
+package pluginutils
+
+import (
+ envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
+ envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
+ "github.com/golang/protobuf/proto"
+ anypb "github.com/golang/protobuf/ptypes/any"
+ "github.com/pkg/errors"
+ "github.com/solo-io/gloo/projects/gateway2/utils"
+)
+
+func EnvoySingleEndpointLoadAssignment(out *envoy_config_cluster_v3.Cluster, address string, port uint32) {
+ out.LoadAssignment = &envoy_config_endpoint_v3.ClusterLoadAssignment{
+ ClusterName: out.GetName(),
+ Endpoints: []*envoy_config_endpoint_v3.LocalityLbEndpoints{
+ {
+ LbEndpoints: []*envoy_config_endpoint_v3.LbEndpoint{
+ {
+ HostIdentifier: &envoy_config_endpoint_v3.LbEndpoint_Endpoint{
+ Endpoint: EnvoyEndpoint(address, port),
+ },
+ },
+ },
+ },
+ },
+ }
+}
+
+func EnvoyEndpoint(address string, port uint32) *envoy_config_endpoint_v3.Endpoint {
+ return &envoy_config_endpoint_v3.Endpoint{
+ Address: &envoy_config_core_v3.Address{
+ Address: &envoy_config_core_v3.Address_SocketAddress{
+ SocketAddress: &envoy_config_core_v3.SocketAddress{
+ Address: address,
+ PortSpecifier: &envoy_config_core_v3.SocketAddress_PortValue{
+ PortValue: port,
+ },
+ },
+ },
+ },
+ }
+}
+
+func SetExtensionProtocolOptions(out *envoy_config_cluster_v3.Cluster, filterName string, protoext proto.Message) error {
+ protoextAny, err := utils.MessageToAny(protoext)
+ if err != nil {
+ return errors.Wrapf(err, "converting extension "+filterName+" protocol options to struct")
+ }
+ if out.GetTypedExtensionProtocolOptions() == nil {
+ out.TypedExtensionProtocolOptions = make(map[string]*anypb.Any)
+ }
+
+ out.GetTypedExtensionProtocolOptions()[filterName] = protoextAny
+ return nil
+
+}
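Review bot: In `SetExtensionProtocolOptions`, the `errors.Wrapf` call builds its format string by concatenating `filterName`, so a `%` in the filter name would be parsed as a verb and garble the error text; `go vet` also flags non-constant format strings. Pass the name as an argument instead: `return errors.Wrapf(err, "converting extension %s protocol options to struct", filterName)`. The three exported helpers in this new file also have no doc comments; each should get one that starts with its name, e.g. `// EnvoySingleEndpointLoadAssignment sets out.LoadAssignment to a single endpoint at address:port.` The file imports `github.com/golang/protobuf/proto` and `ptypes/any`, while other files touched by this commit import `google.golang.org/protobuf/types/known/anypb`, so the new package could use that module as well.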
diff --git a/projects/gateway2/filters/filters.go b/projects/gateway2/filters/filters.go new file mode 100644 index 00000000000..3f2db8023ad --- /dev/null +++ b/projects/gateway2/filters/filters.go 
@@ -0,0 +1,88 @@
+package filters
+
+// List of filter stages which can be selected for a HTTP filter.
+type FilterStage_Stage int32
+
+const (
+ FilterStage_FaultStage FilterStage_Stage = 0
+ FilterStage_CorsStage FilterStage_Stage = 1
+ FilterStage_WafStage FilterStage_Stage = 2
+ FilterStage_AuthNStage FilterStage_Stage = 3
+ FilterStage_AuthZStage FilterStage_Stage = 4
+ FilterStage_RateLimitStage FilterStage_Stage = 5
+ FilterStage_AcceptedStage FilterStage_Stage = 6
+ FilterStage_OutAuthStage FilterStage_Stage = 7
+ FilterStage_RouteStage FilterStage_Stage = 8
+)
+
+// Enum value maps for FilterStage_Stage.
+var (
+ FilterStage_Stage_name = map[int32]string{
+ 0: "FaultStage",
+ 1: "CorsStage",
+ 2: "WafStage",
+ 3: "AuthNStage",
+ 4: "AuthZStage",
+ 5: "RateLimitStage",
+ 6: "AcceptedStage",
+ 7: "OutAuthStage",
+ 8: "RouteStage",
+ }
+ FilterStage_Stage_value = map[string]int32{
+ "FaultStage": 0,
+ "CorsStage": 1,
+ "WafStage": 2,
+ "AuthNStage": 3,
+ "AuthZStage": 4,
+ "RateLimitStage": 5,
+ "AcceptedStage": 6,
+ "OutAuthStage": 7,
+ "RouteStage": 8,
+ }
+)
+
+// Desired placement of the HTTP filter relative to the stage. The default is `During`.
+type FilterStage_Predicate int32
+
+const (
+ FilterStage_During FilterStage_Predicate = 0
+ FilterStage_Before FilterStage_Predicate = 1
+ FilterStage_After FilterStage_Predicate = 2
+)
+
+// Enum value maps for FilterStage_Predicate.
+var (
+ FilterStage_Predicate_name = map[int32]string{
+ 0: "During",
+ 1: "Before",
+ 2: "After",
+ }
+ FilterStage_Predicate_value = map[string]int32{
+ "During": 0,
+ "Before": 1,
+ "After": 2,
+ }
+)
+
+// FilterStage allows configuration of where in a filter chain a given HTTP filter is inserted,
+// relative to one of the pre-defined stages.
+type FilterStage struct {
+ // Stage of the filter chain in which the selected filter should be added.
+ Stage FilterStage_Stage `protobuf:"varint,1,opt,name=stage,proto3,enum=filters.gloo.solo.io.FilterStage_Stage" json:"stage,omitempty"` + // How this filter should be placed relative to the stage. + Predicate FilterStage_Predicate `protobuf:"varint,2,opt,name=predicate,proto3,enum=filters.gloo.solo.io.FilterStage_Predicate" json:"predicate,omitempty"` +} + +func (x *FilterStage) GetStage() FilterStage_Stage { + if x != nil { + return x.Stage + } + return FilterStage_FaultStage +} + +func (x *FilterStage) GetPredicate() FilterStage_Predicate { + if x != nil { + return x.Predicate + } + return FilterStage_During +} diff --git a/projects/gateway2/install.sh b/projects/gateway2/install.sh index eb648ccbed5..33f5e0fed2c 100755 --- a/projects/gateway2/install.sh +++ b/projects/gateway2/install.sh @@ -5,6 +5,6 @@ set -eux helm upgrade --install --create-namespace \ --namespace gloo-system gloo \ - ./_test/gloo-1.0.0-ci1.tgz \ - -f ./test/kubernetes/e2e/tests/manifests/common-recommendations.yaml \ - -f ./test/kubernetes/e2e/tests/manifests/profiles/kubernetes-gateway.yaml + ./_test/gloo-1.0.0-ci1.tgz + # -f ./test/kubernetes/e2e/tests/manifests/common-recommendations.yaml \ + # -f ./test/kubernetes/e2e/tests/manifests/profiles/kubernetes-gateway.yaml diff --git a/projects/gateway2/ir/gw2.go b/projects/gateway2/ir/gw2.go index a0022080342..6450232c148 100644 --- a/projects/gateway2/ir/gw2.go +++ b/projects/gateway2/ir/gw2.go @@ -1,7 +1,7 @@ package ir import ( - "github.com/solo-io/gloo/projects/gloo/pkg/plugins" + "github.com/solo-io/gloo/projects/gateway2/plugins" "google.golang.org/protobuf/types/known/anypb" gwv1 "sigs.k8s.io/gateway-api/apis/v1" ) diff --git a/projects/gateway2/ir/iface.go b/projects/gateway2/ir/iface.go index dc0bc96e981..dc3dc00987e 100644 --- a/projects/gateway2/ir/iface.go +++ b/projects/gateway2/ir/iface.go 
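Review bot: In the new filters.go, the `FilterStage_Stage` constants repeat by hand the same nine stages, in the same order, that `WellKnownFilterStage` declares with `iota` in plugins/stages.go (added in this same commit), and nothing in the hunk ties the two lists together. That order decides whether WAF, AuthN, AuthZ and rate limiting come before `RouteStage`, so if the two lists ever drift apart a filter could be placed at a different point in the chain than configured; the code that maps one to the other is not visible here. I would add a comment above the const block such as `// Values mirror the filters.gloo.solo.io.FilterStage proto enum; keep in sync with plugins.WellKnownFilterStage.` and a small test asserting that the name maps and both constant lists agree. The struct also keeps `protobuf:` field tags although no proto.Message methods are declared in this file, so either note that the tags are retained for wire and JSON naming only or drop them.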
@@ -8,7 +8,7 @@ import ( envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" - "github.com/solo-io/gloo/projects/gloo/pkg/plugins" + "github.com/solo-io/gloo/projects/gateway2/plugins" anypb "google.golang.org/protobuf/types/known/anypb" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) diff --git a/projects/gateway2/krtcollections/builtin.go b/projects/gateway2/krtcollections/builtin.go index 5df4033c232..23b4b70f8b2 100644 --- a/projects/gateway2/krtcollections/builtin.go +++ b/projects/gateway2/krtcollections/builtin.go @@ -18,7 +18,7 @@ import ( extensionplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" "github.com/solo-io/gloo/projects/gateway2/ir" - "github.com/solo-io/gloo/projects/gloo/pkg/plugins" + "github.com/solo-io/gloo/projects/gateway2/plugins" gwv1 "sigs.k8s.io/gateway-api/apis/v1" ) diff --git a/projects/gateway2/krtcollections/endpoints.go b/projects/gateway2/krtcollections/endpoints.go index bdb0752bbad..da3572aca12 100644 --- a/projects/gateway2/krtcollections/endpoints.go +++ b/projects/gateway2/krtcollections/endpoints.go @@ -12,7 +12,7 @@ import ( "github.com/solo-io/gloo/projects/gateway2/extensions2/settings" "github.com/solo-io/gloo/projects/gateway2/ir" "github.com/solo-io/gloo/projects/gateway2/utils/krtutil" - "github.com/solo-io/gloo/projects/gloo/constants" + "github.com/solo-io/gloo/projects/gateway2/wellknown" "github.com/solo-io/go-utils/contextutils" "istio.io/istio/pkg/kube/krt" corev1 "k8s.io/api/core/v1" 
@@ -248,12 +248,12 @@ func CreateLBEndpoint(address string, port uint32, podLabels map[string]string, func addIstioAutomtlsMetadata(metadata *envoy_config_core_v3.Metadata, labels map[string]string, enableAutoMtls bool) *envoy_config_core_v3.Metadata { const EnvoyTransportSocketMatch = "envoy.transport_socket_match" if enableAutoMtls { - if _, ok := labels[constants.IstioTlsModeLabel]; ok { + if _, ok := labels[wellknown.IstioTlsModeLabel]; ok { metadata.GetFilterMetadata()[EnvoyTransportSocketMatch] = &structpb.Struct{ Fields: map[string]*structpb.Value{ - constants.TLSModeLabelShortname: { + wellknown.TLSModeLabelShortname: { Kind: &structpb.Value_StringValue{ - StringValue: constants.IstioMutualTLSModeLabel, + StringValue: wellknown.IstioMutualTLSModeLabel, }, }, }, diff --git a/projects/gateway2/krtcollections/uniqueclients.go b/projects/gateway2/krtcollections/uniqueclients.go index 70e59b8e5e8..a5329b892cb 100644 --- a/projects/gateway2/krtcollections/uniqueclients.go +++ b/projects/gateway2/krtcollections/uniqueclients.go @@ -13,7 +13,7 @@ import ( xdsserver "github.com/envoyproxy/go-control-plane/pkg/server/v3" "github.com/solo-io/gloo/projects/gateway2/ir" "github.com/solo-io/gloo/projects/gateway2/utils/krtutil" - "github.com/solo-io/gloo/projects/gloo/pkg/xds" + "github.com/solo-io/gloo/projects/gateway2/xds" "github.com/solo-io/go-utils/contextutils" "go.uber.org/zap" "google.golang.org/protobuf/types/known/structpb" diff --git a/projects/gateway2/krtcollections/uniqueclients_test.go b/projects/gateway2/krtcollections/uniqueclients_test.go index d8988c59799..d87083734eb 100644 --- a/projects/gateway2/krtcollections/uniqueclients_test.go +++ b/projects/gateway2/krtcollections/uniqueclients_test.go 
@@ -11,8 +11,8 @@ import ( . "github.com/solo-io/gloo/projects/gateway2/krtcollections" "github.com/solo-io/gloo/projects/gateway2/utils" "github.com/solo-io/gloo/projects/gateway2/utils/krtutil" - glooutils "github.com/solo-io/gloo/projects/gloo/pkg/utils" - "github.com/solo-io/gloo/projects/gloo/pkg/xds" + "github.com/solo-io/gloo/projects/gateway2/wellknown" + "github.com/solo-io/gloo/projects/gateway2/xds" "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/structpb" "istio.io/istio/pkg/kube/krt" @@ -59,7 +59,7 @@ func TestUniqueClients(t *testing.T) { Id: "podname.ns", Metadata: &structpb.Struct{ Fields: map[string]*structpb.Value{ - xds.RoleKey: structpb.NewStringValue(glooutils.GatewayApiProxyValue + "~best-proxy-role"), + xds.RoleKey: structpb.NewStringValue(wellknown.GatewayApiProxyValue + "~best-proxy-role"), }, }, }, @@ -76,13 +76,13 @@ func TestUniqueClients(t *testing.T) { Id: "podname.ns", Metadata: &structpb.Struct{ Fields: map[string]*structpb.Value{ - xds.RoleKey: structpb.NewStringValue(glooutils.GatewayApiProxyValue + "~best-proxy-role"), + xds.RoleKey: structpb.NewStringValue(wellknown.GatewayApiProxyValue + "~best-proxy-role"), }, }, }, }, }, - result: sets.New(fmt.Sprintf(glooutils.GatewayApiProxyValue + "~best-proxy-role")), + result: sets.New(fmt.Sprintf(wellknown.GatewayApiProxyValue + "~best-proxy-role")), }, } diff --git a/projects/gateway2/plugins/stages.go b/projects/gateway2/plugins/stages.go new file mode 100644 index 00000000000..dad73362d54 --- /dev/null +++ b/projects/gateway2/plugins/stages.go 
@@ -0,0 +1,238 @@ +package plugins + +import ( + "bytes" + "fmt" + "sort" + "strings" + + envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" + envoyhttp "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" + "github.com/golang/protobuf/proto" + "github.com/solo-io/gloo/projects/gateway2/filters" + "github.com/solo-io/gloo/projects/gateway2/utils" + "google.golang.org/protobuf/types/known/anypb" +) + +var ( + _ sort.Interface = new(StagedHttpFilterList) + _ sort.Interface = new(StagedNetworkFilterList) +) + +// WellKnownFilterStages are represented by an integer that reflects their relative ordering +type WellKnownFilterStage int + +// The set of WellKnownFilterStages, whose order corresponds to the order used to sort filters +// If new well known filter stages are added, they should be inserted in a position corresponding to their order +const ( + FaultStage WellKnownFilterStage = iota // Fault injection // First Filter Stage + CorsStage // Cors stage + WafStage // Web application firewall stage + AuthNStage // Authentication stage + AuthZStage // Authorization stage + RateLimitStage // Rate limiting stage + AcceptedStage // Request passed all the checks and will be forwarded upstream + OutAuthStage // Add auth for the upstream (i.e. 
aws λ) + RouteStage // Request is going to upstream // Last Filter Stage +) + +type WellKnownUpstreamHTTPFilterStage int + +// The set of WellKnownUpstreamHTTPFilterStages, whose order corresponds to the order used to sort filters +// If new well known filter stages are added, they should be inserted in a position corresponding to their order +const ( + TransformationStage WellKnownUpstreamHTTPFilterStage = iota // Transformation stage +) + +// FilterStageComparison helps implement the sort.Interface Less function for use in other implementations of sort.Interface +// returns -1 if less than, 0 if equal, 1 if greater than +// It is not sufficient to return a Less bool because calling functions need to know if equal or greater when Less is false +func FilterStageComparison[WellKnown ~int](a, b FilterStage[WellKnown]) int { + if a.RelativeTo < b.RelativeTo { + return -1 + } else if a.RelativeTo > b.RelativeTo { + return 1 + } + if a.Weight < b.Weight { + return -1 + } else if a.Weight > b.Weight { + return 1 + } + return 0 +} + +func BeforeStage[WellKnown ~int](wellKnown WellKnown) FilterStage[WellKnown] { + return RelativeToStage(wellKnown, -1) +} +func DuringStage[WellKnown ~int](wellKnown WellKnown) FilterStage[WellKnown] { + return RelativeToStage(wellKnown, 0) +} +func AfterStage[WellKnown ~int](wellKnown WellKnown) FilterStage[WellKnown] { + return RelativeToStage(wellKnown, 1) +} +func RelativeToStage[WellKnown ~int](wellKnown WellKnown, weight int) FilterStage[WellKnown] { + return FilterStage[WellKnown]{ + RelativeTo: wellKnown, + Weight: weight, + } +} + +type FilterStage[WellKnown ~int] struct { + RelativeTo WellKnown + Weight int +} + +type HTTPFilterStage = FilterStage[WellKnownFilterStage] +type NetworkFilterStage = FilterStage[WellKnownFilterStage] +type UpstreamHTTPFilterStage = FilterStage[WellKnownUpstreamHTTPFilterStage] + +type Filter interface { + proto.Message + GetName() string + GetTypedConfig() *anypb.Any +} + +type StagedFilter[WellKnown 
~int, FilterType Filter] struct { + Filter FilterType + Stage FilterStage[WellKnown] +} + +type StagedFilterList[WellKnown ~int, FilterType Filter] []StagedFilter[WellKnown, FilterType] + +func (s StagedFilterList[WellKnown, FilterType]) Len() int { + return len(s) +} + +// filters by Relative Stage, Weighting, Name, Config Type-Url, Config Value, and (to ensure stability) index. +// The assumption is that if two filters are in the same stage, their order doesn't matter, and we +// just need to make sure it is stable. +func (s StagedFilterList[WellKnown, FilterType]) Less(i, j int) bool { + if compare := FilterStageComparison(s[i].Stage, s[j].Stage); compare != 0 { + return compare < 0 + } + + if compare := strings.Compare(s[i].Filter.GetName(), s[j].Filter.GetName()); compare != 0 { + return compare < 0 + } + + if compare := strings.Compare(s[i].Filter.GetTypedConfig().GetTypeUrl(), s[j].Filter.GetTypedConfig().GetTypeUrl()); compare != 0 { + return compare < 0 + } + + if compare := bytes.Compare(s[i].Filter.GetTypedConfig().GetValue(), s[j].Filter.GetTypedConfig().GetValue()); compare != 0 { + return compare < 0 + } + + // ensure stability + return i < j +} + +func (s StagedFilterList[WellKnown, FilterType]) Swap(i, j int) { + s[i], s[j] = s[j], s[i] +} + +type StagedHttpFilter = StagedFilter[WellKnownFilterStage, *envoyhttp.HttpFilter] +type StagedNetworkFilter = StagedFilter[WellKnownFilterStage, *envoy_config_listener_v3.Filter] +type StagedUpstreamHttpFilter = StagedFilter[WellKnownUpstreamHTTPFilterStage, *envoyhttp.HttpFilter] + +type StagedHttpFilterList = StagedFilterList[WellKnownFilterStage, *envoyhttp.HttpFilter] +type StagedNetworkFilterList = StagedFilterList[WellKnownFilterStage, *envoy_config_listener_v3.Filter] +type StagedUpstreamHttpFilterList = StagedFilterList[WellKnownUpstreamHTTPFilterStage, *envoyhttp.HttpFilter] + +// MustNewStagedFilter creates an instance of the named filter with the desired stage. 
+// Returns a filter even if an error occurred. +// Should rarely be used as disregarding an error is bad practice but does make +// appending easier. +// If not directly appending consider using NewStagedFilter instead of this function. +func MustNewStagedFilter(name string, config proto.Message, stage FilterStage[WellKnownFilterStage]) StagedHttpFilter { + s, _ := NewStagedFilter(name, config, stage) + return s +} + +// NewStagedFilter creates an instance of the named filter with the desired stage. +// Errors if the config is nil or we cannot determine the type of the config. +// Config type determination may fail if the config is both unknown and has no fields. +func NewStagedFilter(name string, config proto.Message, stage FilterStage[WellKnownFilterStage]) (StagedHttpFilter, error) { + + s := StagedHttpFilter{ + Filter: &envoyhttp.HttpFilter{ + Name: name, + }, + Stage: stage, + } + + if config == nil { + return s, fmt.Errorf("filters must have a config specified to derive its type filtername:%s", name) + } + + marshalledConf, err := utils.MessageToAny(config) + if err != nil { + // all config types should already be known + // therefore this should never happen + return StagedHttpFilter{}, err + } + + s.Filter.ConfigType = &envoyhttp.HttpFilter_TypedConfig{ + TypedConfig: marshalledConf, + } + + return s, nil +} + +// StagedFilterListContainsName checks for a given named filter. +// This is not a check of the type url but rather the now mostly unused name +func StagedFilterListContainsName(filters StagedHttpFilterList, filterName string) bool { + for _, filter := range filters { + if filter.Filter.GetName() == filterName { + return true + } + } + + return false +} + +// ConvertFilterStage converts user-specified FilterStage options to the FilterStage representation used for translation. 
+func ConvertFilterStage(in *filters.FilterStage) *FilterStage[WellKnownFilterStage] { + if in == nil { + return nil + } + + var outStage WellKnownFilterStage + switch in.GetStage() { + case filters.FilterStage_CorsStage: + outStage = CorsStage + case filters.FilterStage_WafStage: + outStage = WafStage + case filters.FilterStage_AuthNStage: + outStage = AuthNStage + case filters.FilterStage_AuthZStage: + outStage = AuthZStage + case filters.FilterStage_RateLimitStage: + outStage = RateLimitStage + case filters.FilterStage_AcceptedStage: + outStage = AcceptedStage + case filters.FilterStage_OutAuthStage: + outStage = OutAuthStage + case filters.FilterStage_RouteStage: + outStage = RouteStage + case filters.FilterStage_FaultStage: + fallthrough + default: + // default to Fault stage + outStage = FaultStage + } + + var out FilterStage[WellKnownFilterStage] + switch in.GetPredicate() { + case filters.FilterStage_Before: + out = BeforeStage(outStage) + case filters.FilterStage_After: + out = AfterStage(outStage) + case filters.FilterStage_During: + fallthrough + default: + // default to During + out = DuringStage(outStage) + } + return &out +} diff --git a/projects/gateway2/proxy_syncer/proxy_syncer.go b/projects/gateway2/proxy_syncer/proxy_syncer.go index 961d79e00ed..89885ca0be0 100644 --- a/projects/gateway2/proxy_syncer/proxy_syncer.go +++ b/projects/gateway2/proxy_syncer/proxy_syncer.go @@ -19,7 +19,6 @@ import ( envoycache "github.com/envoyproxy/go-control-plane/pkg/cache/v3" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" - "github.com/solo-io/gloo/pkg/utils/statsutils" extensions "github.com/solo-io/gloo/projects/gateway2/extensions2" "github.com/solo-io/gloo/projects/gateway2/extensions2/common" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" 
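Review bot: `MustNewStagedFilter` in stages.go discards the error from `NewStagedFilter`, so a nil config yields a filter with a name but no typed config, and a marshalling failure yields a zero-value `StagedHttpFilter`; either can be appended to the filter list unnoticed. For filters staged at `WafStage`, `AuthNStage` or `AuthZStage` that presumably means the protection is missing or rejected later, with no error at the call site. The `Must` prefix conventionally means panic on failure: either do that (`s, err := NewStagedFilter(name, config, stage)` followed by `if err != nil { panic(err) }`) or drop the helper and let callers handle the error. `NewStagedFilter` should also return `StagedHttpFilter{}` on the nil-config path, as it already does on the marshal-error path.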
@@ -28,11 +27,11 @@ import ( "github.com/solo-io/gloo/projects/gateway2/reports" "github.com/solo-io/gloo/projects/gateway2/translator" "github.com/solo-io/gloo/projects/gateway2/translator/irtranslator" + "github.com/solo-io/gloo/projects/gateway2/utils" ggv2utils "github.com/solo-io/gloo/projects/gateway2/utils" "github.com/solo-io/gloo/projects/gateway2/utils/krtutil" "github.com/solo-io/gloo/projects/gateway2/wellknown" - glooutils "github.com/solo-io/gloo/projects/gloo/pkg/utils" - "github.com/solo-io/gloo/projects/gloo/pkg/xds" + "github.com/solo-io/gloo/projects/gateway2/xds" "github.com/solo-io/go-utils/contextutils" "google.golang.org/protobuf/proto" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -82,7 +81,7 @@ type GatewayXdsResources struct { } func (r GatewayXdsResources) ResourceName() string { - return xds.OwnerNamespaceNameID(glooutils.GatewayApiProxyValue, r.Namespace, r.Name) + return xds.OwnerNamespaceNameID(wellknown.GatewayApiProxyValue, r.Namespace, r.Name) } func (r GatewayXdsResources) Equals(in GatewayXdsResources) bool { return r.NamespacedName == in.NamespacedName && report{r.reports}.Equals(report{in.reports}) && r.ClustersHash == in.ClustersHash && @@ -384,7 +383,7 @@ func (s *ProxySyncer) Start(ctx context.Context) error { func (s *ProxySyncer) syncRouteStatus(ctx context.Context, rm reports.ReportMap) { ctx = contextutils.WithLogger(ctx, "routeStatusSyncer") logger := contextutils.LoggerFrom(ctx) - stopwatch := statsutils.NewTranslatorStopWatch("RouteStatusSyncer") + stopwatch := utils.NewTranslatorStopWatch("RouteStatusSyncer") stopwatch.Start() defer stopwatch.Stop(ctx) 
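Review bot: The import block in the first hunk now imports `github.com/solo-io/gloo/projects/gateway2/utils` twice, once unaliased (added) and once under the existing `ggv2utils` alias. Drop the added line and call `ggv2utils.NewTranslatorStopWatch("RouteStatusSyncer")` in `syncRouteStatus`, and likewise in `syncGatewayStatus` in the following hunk, so the file refers to the package by one name.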
@@ -461,7 +460,7 @@ func (s *ProxySyncer) syncRouteStatus(ctx context.Context, rm reports.ReportMap) func (s *ProxySyncer) syncGatewayStatus(ctx context.Context, rm reports.ReportMap) { ctx = contextutils.WithLogger(ctx, "statusSyncer") logger := contextutils.LoggerFrom(ctx) - stopwatch := statsutils.NewTranslatorStopWatch("GatewayStatusSyncer") + stopwatch := utils.NewTranslatorStopWatch("GatewayStatusSyncer") stopwatch.Start() // TODO: retry within loop per GW rathen that as a full block diff --git a/projects/gateway2/setup/controlplane.go b/projects/gateway2/setup/controlplane.go index 3d4b957f7ad..c88e4a5a402 100644 --- a/projects/gateway2/setup/controlplane.go +++ b/projects/gateway2/setup/controlplane.go @@ -13,7 +13,7 @@ import ( xdsserver "github.com/envoyproxy/go-control-plane/pkg/server/v3" grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware" grpc_zap "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap" - "github.com/solo-io/gloo/projects/gloo/pkg/xds" + "github.com/solo-io/gloo/projects/gateway2/xds" "github.com/solo-io/go-utils/contextutils" "go.uber.org/zap" "google.golang.org/grpc" diff --git a/projects/gateway2/setup/ggv2setup.go b/projects/gateway2/setup/ggv2setup.go index 8f917a0809c..e30b5365097 100644 --- a/projects/gateway2/setup/ggv2setup.go +++ b/projects/gateway2/setup/ggv2setup.go 
@@ -7,26 +7,40 @@ import ( envoycache "github.com/envoyproxy/go-control-plane/pkg/cache/v3" xdsserver "github.com/envoyproxy/go-control-plane/pkg/server/v3" + "github.com/go-logr/zapr" "github.com/solo-io/gloo/pkg/utils/envutils" "github.com/solo-io/gloo/pkg/utils/kubeutils" "github.com/solo-io/gloo/pkg/utils/namespaces" - "github.com/solo-io/gloo/pkg/utils/setuputils" + "github.com/solo-io/gloo/pkg/version" "github.com/solo-io/gloo/projects/gateway2/admin" "github.com/solo-io/gloo/projects/gateway2/controller" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" "github.com/solo-io/gloo/projects/gateway2/krtcollections" "github.com/solo-io/gloo/projects/gateway2/utils/krtutil" - glookubev1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/kube/apis/gloo.solo.io/v1" "github.com/solo-io/go-utils/contextutils" + "go.uber.org/zap" + "go.uber.org/zap/zapcore" istiokube "istio.io/istio/pkg/kube" "istio.io/istio/pkg/kube/krt" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/rest" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/log" + zaputil "sigs.k8s.io/controller-runtime/pkg/log/zap" ) -var settingsGVR = glookubev1.SchemeGroupVersion.WithResource("settings") +const ( + glooComponentName = "gloo" +) + +func Main(customCtx context.Context) error { + SetupLogging(customCtx, glooComponentName) + return startSetupLoop(customCtx) +} + +func startSetupLoop(ctx context.Context) error { + return StartGGv2(ctx, nil, nil) +} func createKubeClient(restConfig *rest.Config) (istiokube.Client, error) { restCfg := istiokube.NewClientConfigForRestConfig(restConfig) 
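Review bot: The new exported `Main` has no doc comment, and `startSetupLoop` is a one-line wrapper around `StartGGv2(ctx, nil, nil)` whose name suggests a loop that is not there. Add something like `// Main sets up controller-runtime logging and then starts the gateway controller via StartGGv2.` and call `StartGGv2` directly from `Main`. `createKubeClient` at the end of the hunk continues outside it.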
@@ -59,7 +73,7 @@ func StartGGv2(ctx context.Context, XdsPort: 9977, } - return StartGGv2WithConfig(ctx, setupOpts, restConfig, uccBuilder, extraPlugins, nil, setuputils.SetupNamespaceName()) + return StartGGv2WithConfig(ctx, setupOpts, restConfig, uccBuilder, extraPlugins, nil) } // GetControlPlaneXdsHost gets the xDS address from the gloo Service. @@ -81,7 +95,6 @@ func StartGGv2WithConfig(ctx context.Context, setupOpts *controller.SetupOpts, uccBuilder krtcollections.UniquelyConnectedClientsBulider, extraPlugins []extensionsplug.Plugin, extraGwClasses []string, // TODO: we can remove this and replace with something that watches all GW classes with our controller name - settingsNns types.NamespacedName, ) error { ctx = contextutils.WithLogger(ctx, "k8s") @@ -132,3 +145,28 @@ func StartGGv2WithConfig(ctx context.Context, setupOpts *controller.SetupOpts, logger.Info("starting controller") return c.Start(ctx) } + +// SetupLogging sets up controller-runtime logging +func SetupLogging(ctx context.Context, loggerName string) { + level := zapcore.InfoLevel + // if log level is set in env, use that + if envLogLevel := os.Getenv(contextutils.LogLevelEnvName); envLogLevel != "" { + if err := (&level).Set(envLogLevel); err != nil { + contextutils.LoggerFrom(ctx).Infof("Could not set log level from env %s=%s, available levels "+ + "can be found here: https://pkg.go.dev/go.uber.org/zap/zapcore?tab=doc#Level", + contextutils.LogLevelEnvName, + envLogLevel, + zap.Error(err), + ) + } + } + atomicLevel := zap.NewAtomicLevelAt(level) + + baseLogger := zaputil.NewRaw( + zaputil.Level(&atomicLevel), + zaputil.RawZapOpts(zap.Fields(zap.String("version", version.Version))), + ).Named(loggerName) + + // controller-runtime + log.SetLogger(zapr.NewLogger(baseLogger)) +} diff --git a/projects/gateway2/setup/ggv2setup_test.go b/projects/gateway2/setup/ggv2setup_test.go index 3648f4a89b3..ee58933999d 100644 --- a/projects/gateway2/setup/ggv2setup_test.go 
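Review bot: In `SetupLogging`, the `Infof` call has two `%s` verbs but three arguments; `zap.Error(err)` is a structured field, so the printf-style logger will render it as an `%!(EXTRA …)` suffix instead of attaching the error. Use the key/value form at warning level, e.g. `contextutils.LoggerFrom(ctx).Warnw("could not set log level from env", "env", contextutils.LogLevelEnvName, "value", envLogLevel, zap.Error(err))`. The function also calls `os.Getenv`, and the import hunk for this file does not add `os`, so confirm it is already imported outside the visible lines.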
+++ b/projects/gateway2/setup/ggv2setup_test.go @@ -45,7 +45,6 @@ import ( istiokube "istio.io/istio/pkg/kube" "istio.io/istio/pkg/kube/krt" "istio.io/istio/pkg/slices" - "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/envtest" "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/yaml" @@ -189,9 +188,7 @@ func TestScenarios(t *testing.T) { wg.Add(1) go func() { defer wg.Done() - ggv2setup.StartGGv2WithConfig(ctx, setupOpts, cfg, builder, nil, nil, - types.NamespacedName{Name: "default", Namespace: "default"}, - ) + ggv2setup.StartGGv2WithConfig(ctx, setupOpts, cfg, builder, nil, nil) }() // give ggv2 time to initialize so we don't get // "ggv2 not initialized" error diff --git a/projects/gateway2/translator/gateway/gateway_translator.go b/projects/gateway2/translator/gateway/gateway_translator.go index 8303524eed2..a26172a3124 100644 --- a/projects/gateway2/translator/gateway/gateway_translator.go +++ b/projects/gateway2/translator/gateway/gateway_translator.go @@ -3,9 +3,9 @@ package gateway import ( "context" - "github.com/solo-io/gloo/pkg/utils/statsutils" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" "github.com/solo-io/gloo/projects/gateway2/ir" + "github.com/solo-io/gloo/projects/gateway2/utils" "github.com/solo-io/go-utils/contextutils" "istio.io/istio/pkg/kube/krt" @@ -32,7 +32,7 @@ func (t *translator) Translate( gateway *ir.Gateway, reporter reports.Reporter, ) *ir.GatewayIR { - stopwatch := statsutils.NewTranslatorStopWatch("TranslateProxy") + stopwatch := utils.NewTranslatorStopWatch("TranslateProxy") stopwatch.Start() defer stopwatch.Stop(ctx) diff --git a/projects/gateway2/translator/irtranslator/fc.go b/projects/gateway2/translator/irtranslator/fc.go index 2ae92932444..6afee7b1271 100644 --- a/projects/gateway2/translator/irtranslator/fc.go +++ b/projects/gateway2/translator/irtranslator/fc.go 
@@ -18,9 +18,9 @@ import ( envoy_tls_inspector "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3" "github.com/solo-io/gloo/projects/gateway2/ir" + "github.com/solo-io/gloo/projects/gateway2/plugins" "github.com/solo-io/gloo/projects/gateway2/reports" - "github.com/solo-io/gloo/projects/gloo/pkg/plugins" - "github.com/solo-io/gloo/projects/gloo/pkg/translator" + "github.com/solo-io/gloo/projects/gateway2/utils" "github.com/solo-io/go-utils/contextutils" "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/anypb" @@ -41,7 +41,7 @@ type filterChainTranslator struct { } func computeListenerAddress(bindAddress string, port uint32, reporter reports.GatewayReporter) *envoy_config_core_v3.Address { - _, isIpv4Address, err := translator.IsIpv4Address(bindAddress) + _, isIpv4Address, err := utils.IsIpv4Address(bindAddress) if err != nil { // TODO: return error ???? reporter.SetCondition(reports.GatewayCondition{ diff --git a/projects/gateway2/translator/irtranslator/route.go b/projects/gateway2/translator/irtranslator/route.go index 2eb4e1fa47a..0850559556b 100644 --- a/projects/gateway2/translator/irtranslator/route.go +++ b/projects/gateway2/translator/irtranslator/route.go @@ -13,7 +13,7 @@ import ( "github.com/solo-io/gloo/projects/gateway2/ir" "github.com/solo-io/gloo/projects/gateway2/reports" "github.com/solo-io/gloo/projects/gateway2/translator/routeutils" - "github.com/solo-io/gloo/projects/gloo/pkg/utils" + "github.com/solo-io/gloo/projects/gateway2/utils" "github.com/solo-io/go-utils/contextutils" "go.uber.org/zap" wrapperspb "google.golang.org/protobuf/types/known/wrapperspb" diff --git a/projects/gateway2/translator/irtranslator/upstream.go b/projects/gateway2/translator/irtranslator/upstream.go index d4a7648ce32..8a590535bfe 100644 --- a/projects/gateway2/translator/irtranslator/upstream.go +++ b/projects/gateway2/translator/irtranslator/upstream.go 
@@ -3,10 +3,10 @@ package irtranslator import ( "context" "errors" + "time" envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - "github.com/solo-io/gloo/projects/gloo/pkg/translator" "google.golang.org/protobuf/types/known/durationpb" "istio.io/istio/pkg/kube/krt" @@ -15,6 +15,10 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" ) +var ( + ClusterConnectionTimeout = time.Second * 5 +) + type UpstreamTranslator struct { ContributedUpstreams map[schema.GroupKind]ir.UpstreamInit ContributedPolicies map[schema.GroupKind]extensionsplug.PolicyPlugin @@ -80,7 +84,7 @@ func initializeCluster(u ir.Upstream) *envoy_config_cluster_v3.Cluster { // defaults to Cluster_USE_CONFIGURED_PROTOCOL // ProtocolSelection: envoy_config_cluster_v3.Cluster_ClusterProtocolSelection(upstream.GetProtocolSelection()), // this field can be overridden by plugins - ConnectTimeout: durationpb.New(translator.ClusterConnectionTimeout), + ConnectTimeout: durationpb.New(ClusterConnectionTimeout), // Http2ProtocolOptions: getHttp2options(upstream), // IgnoreHealthOnHostRemoval: upstream.GetIgnoreHealthOnHostRemoval().GetValue(), // RespectDnsTtl: upstream.GetRespectDnsTtl().GetValue(), diff --git a/projects/gateway2/translator/listener/gateway_listener_translator.go b/projects/gateway2/translator/listener/gateway_listener_translator.go index 9c650f96421..ac59c09a08d 100644 --- a/projects/gateway2/translator/listener/gateway_listener_translator.go +++ b/projects/gateway2/translator/listener/gateway_listener_translator.go @@ -24,7 +24,7 @@ import ( route "github.com/solo-io/gloo/projects/gateway2/translator/httproute" "github.com/solo-io/gloo/projects/gateway2/translator/routeutils" "github.com/solo-io/gloo/projects/gateway2/translator/sslutils" - "github.com/solo-io/gloo/projects/gloo/pkg/utils" + "github.com/solo-io/gloo/projects/gateway2/utils" corev1 "k8s.io/api/core/v1" ) 
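Review bot: `ClusterConnectionTimeout` in the second hunk is an exported, mutable package variable, so any importer can change the connect timeout of every cluster built by `initializeCluster`. Nothing visible reassigns it; if it is not meant to be overridden globally, declare it as `const ClusterConnectionTimeout = 5 * time.Second`. A doc comment such as `// ClusterConnectionTimeout is the default Envoy cluster connect timeout; plugins may override ConnectTimeout per cluster.` would record the intent stated in the existing inline comment.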
diff --git a/projects/gateway2/translator/translator.go b/projects/gateway2/translator/translator.go index 5ac8d706dfa..8933b1ddced 100644 --- a/projects/gateway2/translator/translator.go +++ b/projects/gateway2/translator/translator.go @@ -10,7 +10,6 @@ import ( "istio.io/istio/pkg/kube/krt" envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3" - "github.com/solo-io/gloo/pkg/utils/statsutils" "github.com/solo-io/gloo/projects/gateway2/endpoints" "github.com/solo-io/gloo/projects/gateway2/extensions2/common" extensionsplug "github.com/solo-io/gloo/projects/gateway2/extensions2/plugin" @@ -20,6 +19,7 @@ import ( "github.com/solo-io/gloo/projects/gateway2/reports" gwtranslator "github.com/solo-io/gloo/projects/gateway2/translator/gateway" "github.com/solo-io/gloo/projects/gateway2/translator/irtranslator" + "github.com/solo-io/gloo/projects/gateway2/utils" "github.com/solo-io/go-utils/contextutils" "sigs.k8s.io/controller-runtime/pkg/client" gwv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -106,7 +106,7 @@ func (s *CombinedTranslator) HasSynced() bool { // buildProxy performs translation of a kube Gateway -> gloov1.Proxy (really a wrapper type) func (s *CombinedTranslator) buildProxy(kctx krt.HandlerContext, ctx context.Context, gw ir.Gateway, r reports.Reporter) *ir.GatewayIR { - stopwatch := statsutils.NewTranslatorStopWatch("CombinedTranslator") + stopwatch := utils.NewTranslatorStopWatch("CombinedTranslator") stopwatch.Start() var gatewayTranslator extensionsplug.K8sGwTranslator = s.gwtranslator if s.extensions.ContributesGwTranslator != nil { diff --git a/projects/gateway2/utils/any.go b/projects/gateway2/utils/any.go new file mode 100644 index 00000000000..f1ed1b89785 --- /dev/null +++ b/projects/gateway2/utils/any.go 
@@ -0,0 +1,70 @@
+package utils
+
+import (
+ "errors"
+ "fmt"
+
+ "github.com/golang/protobuf/proto"
+ gogoproto "github.com/golang/protobuf/proto"
+ "github.com/golang/protobuf/ptypes"
+ pany "github.com/golang/protobuf/ptypes/any"
+)
+
+// MessageToAny takes any given proto message msg and returns the marshalled bytes of the proto, and a url to the type
+// definition for the proto in the form of a *pany.Any, errors if nil or if the proto type doesnt exist or if there is
+// a marshalling error
+func MessageToAny(msg proto.Message) (*pany.Any, error) {
+ if msg == nil {
+ return nil, errors.New("MessageToAny: message cannot be nil")
+ }
+ name, err := protoToMessageName(msg)
+ if err != nil {
+ return nil, err
+ }
+ // Marshalls the message into bytes using the proto library, or gogoproto if proto errors
+ buf, err := protoToMessageBytes(msg)
+ if err != nil {
+ return nil, err
+ }
+ return &pany.Any{
+ TypeUrl: name,
+ Value: buf,
+ }, nil
+}
+
+func AnyToMessage(a *pany.Any) (proto.Message, error) {
+ var x ptypes.DynamicAny
+ err := ptypes.UnmarshalAny(a, &x)
+ return x.Message, err
+}
+
+func protoToMessageName(msg proto.Message) (string, error) {
+ typeUrlPrefix := "type.googleapis.com/"
+
+ potentialName := gogoproto.MessageName(msg)
+ if potentialName != "" {
+ return typeUrlPrefix + potentialName, nil
+ }
+ return "", fmt.Errorf("can't determine message name")
+}
+
+func protoToMessageBytes(msg proto.Message) ([]byte, error) {
+ if b, err := protoToMessageBytesGolang(msg); err == nil {
+ return b, nil
+ }
+ return protoToMessageBytesGogo(msg)
+}
+
+func protoToMessageBytesGogo(msg proto.Message) ([]byte, error) {
+ b := gogoproto.NewBuffer(nil)
+ b.SetDeterministic(true)
+ err := b.Marshal(msg)
+ return b.Bytes(), err
+}
+
+func protoToMessageBytesGolang(msg proto.Message) ([]byte, error) {
+ b := proto.NewBuffer(nil)
+ b.SetDeterministic(true)
+ err := b.Marshal(msg)
+ return b.Bytes(), err
+}
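Review bot: `proto` and `gogoproto` in any.go are two aliases for the same package, `github.com/golang/protobuf/proto`, so the fallback in `protoToMessageBytes` retries the identical marshal and the first error is dropped. Remove the alias and the duplicate helper, e.g. `func protoToMessageBytes(msg proto.Message) ([]byte, error) { return protoToMessageBytesGolang(msg) }`, and correct the comment in `MessageToAny` that mentions gogoproto. `AnyToMessage` is exported without a doc comment and returns `x.Message` alongside a possibly non-nil error; returning `nil, err` on failure is safer for callers.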
diff --git a/projects/gateway2/utils/ip.go b/projects/gateway2/utils/ip.go
new file mode 100644
index 00000000000..aa152bf66bb
--- /dev/null
+++ b/projects/gateway2/utils/ip.go
@@ -0,0 +1,40 @@
+package utils
+
+import (
+ "net"
+
+ "github.com/pkg/errors"
+)
+
+// IsIpv4Address returns whether
+// the provided address is valid IPv4, is pure(unmapped) IPv4, and if there was an error in the bindaddr
+// This is used to distinguish between IPv4 and IPv6 addresses
+func IsIpv4Address(bindAddress string) (validIpv4, strictIPv4 bool, err error) {
+ bindIP := net.ParseIP(bindAddress)
+ if bindIP == nil {
+ // If bindAddress is not a valid textual representation of an IP address
+ return false, false, errors.Errorf("bindAddress %s is not a valid IP address", bindAddress)
+
+ } else if bindIP.To4() == nil {
+ // If bindIP is not an IPv4 address, To4 returns nil.
+ // so this is not an acceptable ipv4
+ return false, false, nil
+ }
+ return true, isPureIPv4Address(bindAddress), nil
+}
+
+// isPureIPv4Address checks the string to see if it is
+// ipv4 and not ipv4 mapped into ipv6 space and not ipv6.
+// Used as the standard net.Parse smashes everything to ipv6.
+// Basically false if ::ffff:0.0.0.0 and true if 0.0.0.0
+func isPureIPv4Address(ipString string) bool {
+ for i := range len(ipString) {
+ switch ipString[i] {
+ case '.':
+ return true
+ case ':':
+ return false
+ }
+ }
+ return false
+}
diff --git a/projects/gateway2/utils/sanitize.go b/projects/gateway2/utils/sanitize.go
new file mode 100644
index 00000000000..b0cf2131dda
--- /dev/null
+++ b/projects/gateway2/utils/sanitize.go
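Review bot: The doc comment on `IsIpv4Address` in ip.go does not say what each of the three results means, and the error path formats the rejected input with `%s`. Reword it along the lines of `// IsIpv4Address reports whether bindAddress parses as IPv4 (validIpv4) and is written in dotted form rather than as IPv4-mapped IPv6 (strictIPv4); err is non-nil only when bindAddress is not an IP address at all.` Use `%q` in the `Errorf` call so that empty or unusual input stays visible if the message ends up in logs or a status condition.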
@@ -0,0 +1,24 @@
+package utils
+
+import (
+ "context"
+ "strings"
+
+ "github.com/solo-io/go-utils/contextutils"
+)
+
+// Virtual host and virtual cluster names cannot contain dots, otherwise Envoy might incorrectly compute
+// its statistics tree. Any occurrences will be replaced with underscores.
+const (
+ illegalChar = "."
+ replacementChar = "_"
+)
+
+func SanitizeForEnvoy(ctx context.Context, resourceName, resourceTypeName string) string {
+ if strings.Contains(resourceName, illegalChar) {
+ contextutils.LoggerFrom(ctx).Debugf("illegal character(s) '%s' in %s name [%s] will be replaced by '%s'",
+ illegalChar, resourceTypeName, resourceName, replacementChar)
+ resourceName = strings.ReplaceAll(resourceName, illegalChar, replacementChar)
+ }
+ return resourceName
+}
diff --git a/projects/gateway2/utils/stopwatch.go b/projects/gateway2/utils/stopwatch.go
new file mode 100644
index 00000000000..39e647c6772
--- /dev/null
+++ b/projects/gateway2/utils/stopwatch.go
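Review bot: `SanitizeForEnvoy` maps `.` to `_` without guarding against collisions, so two distinct names such as `a.b` and `a_b` sanitize to the same string. If callers rely on the result being a unique virtual host or cluster name, which is not visible from this hunk, that could merge statistics or produce duplicate-name configuration; either document that uniqueness is the caller's responsibility or make the mapping collision-free. The exported function also has no doc comment of its own: `// SanitizeForEnvoy returns resourceName with every "." replaced by "_", logging at debug level when a replacement is made.`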
@@ -0,0 +1,71 @@
+package utils
+
+import (
+ "context"
+ "log"
+ "time"
+
+ "go.opencensus.io/stats"
+ "go.opencensus.io/stats/view"
+ "go.opencensus.io/tag"
+)
+
+var (
+ translationTime = stats.Float64("gloo_edge/translation_time_sec", "how long the translator takes in seconds", "s")
+ translatorNameKey, _ = tag.NewKey("translator_name")
+)
+
+func init() {
+ // Register views with OpenCensus
+ if err := view.Register(
+ &view.View{
+ Name: "gloo_edge/translation_time_sec",
+ Measure: translationTime,
+ Description: "how long the translator takes in seconds",
+ Aggregation: view.Distribution(0.01, 0.05, 0.1, 0.25, 0.5, 1, 5, 10, 60),
+ TagKeys: []tag.Key{translatorNameKey},
+ },
+ ); err != nil {
+ log.Fatalf("Failed to register views: %v", err)
+ }
+}
+
+func NewTranslatorStopWatch(translatorName string) StopWatch {
+ return NewStopWatch(translationTime, tag.Upsert(translatorNameKey, translatorName))
+}
+
+// StopWatch is a stopwatch that records the duration of an operation and records an opencensus metric for the time between Start and Stop
+type StopWatch interface {
+ Start()
+ Stop(ctx context.Context) time.Duration
+}
+
+type stopwatch struct {
+ startTime time.Time
+ measure *stats.Float64Measure
+ labels []tag.Mutator
+}
+
+// NewStopWatch creates a new StopWatch that records the duration of an operation and records an opencensus metric for the time between Start and Stop
+// The metric is recorded with the provided measurement and labels as a tag
+func NewStopWatch(measure *stats.Float64Measure, labels ...tag.Mutator) StopWatch {
+ return &stopwatch{
+ measure: measure,
+ labels: labels,
+ }
+}
+
+// Start starts the stopwatch
+func (s *stopwatch) Start() {
+ s.startTime = time.Now()
+}
+
+// Stop stops the stopwatch and records the duration of the operation
+// Note: Stop() should be called only once per Start() call, otherwise this could lead to double-counting in any
+// metrics that rely on this stopwatch and redundant logging.
+func (s *stopwatch) Stop(ctx context.Context) time.Duration {
+ duration := time.Since(s.startTime)
+ tagCtx, _ := tag.New(ctx, s.labels...)
+ stats.Record(tagCtx, s.measure.M(duration.Seconds()))
+ return duration
+}
diff --git a/projects/gateway2/wellknown/constants.go b/projects/gateway2/wellknown/constants.go
new file mode 100644
index 00000000000..79480cdae9c
--- /dev/null
+++ b/projects/gateway2/wellknown/constants.go
@@ -0,0 +1,28 @@
+package wellknown
+
+const (
+ // Env variable that indicates the Istio sidecar injection is enabled via istioIntegration.enableIstioSidecarOnGateway
+ // on the helm chart. If enabled, the gateway proxy is assumed to have an istio sidecar injected.
+ IstioInjectionEnabled = "ENABLE_ISTIO_SIDECAR_ON_GATEWAY"
+
+ // Note: These are coming from istio: https://github.com/istio/istio/blob/fa321ebd2a1186325788b0f461aa9f36a1a8d90e/pilot/pkg/model/service.go#L206
+ // IstioCertSecret is the secret that holds the server cert and key for Istio mTLS
+ IstioCertSecret = "istio_server_cert"
+
+ // IstioValidationContext is the secret that holds the root cert for Istio mTLS
+ IstioValidationContext = "istio_validation_context"
+
+ // IstioTlsModeLabel is the Istio injection label added to workloads in mesh
+ IstioTlsModeLabel = "security.istio.io/tlsMode"
+
+ // IstioMutualTLSModeLabel implies that the endpoint is ready to receive Istio mTLS connections.
+ IstioMutualTLSModeLabel = "istio"
+
+ // TLSModeLabelShortname name used for determining endpoint level tls transport socket configuration
+ TLSModeLabelShortname = "tlsMode"
+)
+
+const (
+ SdsClusterName = "gateway_proxy_sds"
+ SdsTargetURI = "127.0.0.1:8234"
+)
diff --git a/projects/gateway2/wellknown/kube.go b/projects/gateway2/wellknown/kube.go
new file mode 100644
index 00000000000..34ba6fde3f9
--- /dev/null
+++ b/projects/gateway2/wellknown/kube.go
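Review bot: The `init` function in stopwatch.go registers an OpenCensus view and calls `log.Fatalf` on failure, so every binary or test that imports this general-purpose `utils` package inherits that side effect and can exit at import time. The errors from `tag.NewKey` in the `var` block and from `tag.New` in `Stop` are also discarded with `_` and no explanation. Consider registering the view from an explicit function that setup code calls and that returns the error. Either handle the two discarded errors or justify them in place, e.g. `// tag.NewKey only fails for an invalid key name; "translator_name" is a valid constant`.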
@@ -0,0 +1,15 @@
+package wellknown
+
+import (
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+)
+
+var (
+ SecretGVK = corev1.SchemeGroupVersion.WithKind("Secret")
+ ConfigMapGVK = corev1.SchemeGroupVersion.WithKind("ConfigMap")
+ ServiceGVK = corev1.SchemeGroupVersion.WithKind("Service")
+ ServiceAccountGVK = corev1.SchemeGroupVersion.WithKind("ServiceAccount")
+
+ DeploymentGVK = appsv1.SchemeGroupVersion.WithKind("Deployment")
+)
diff --git a/projects/gateway2/wellknown/translator.go b/projects/gateway2/wellknown/translator.go
new file mode 100644
index 00000000000..5e4b7e48f55
--- /dev/null
+++ b/projects/gateway2/wellknown/translator.go
@@ -0,0 +1,7 @@
+package wellknown
+
+const (
+ // GatewayApiProxyValue is the label value for ProxyTypeKey applied to Proxy CRs
+ // that have been generated from Kubernetes Gateway API resources
+ GatewayApiProxyValue = "gloo-kube-gateway-api"
+)
diff --git a/projects/gateway2/xds/utils.go b/projects/gateway2/xds/utils.go
new file mode 100644
index 00000000000..7f39311c11a
--- /dev/null
+++ b/projects/gateway2/xds/utils.go
@@ -0,0 +1,58 @@
+package xds
+
+import (
+ "strings"
+
+ envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ "github.com/solo-io/gloo/projects/gateway2/wellknown"
+ "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/cache"
+)
+
+var _ cache.NodeHash = new(nodeRoleHasher)
+
+const (
+ // KeyDelimiter is the character used to join segments of a cache key
+ KeyDelimiter = "~"
+
+ // RoleKey is the name of the ket in the node.metadata used to store the role
+ RoleKey = "role"
+
+ // FallbackNodeCacheKey is used to let nodes know they have a bad config
+ // we assign a "fix me" snapshot for bad nodes
+ FallbackNodeCacheKey = "misconfigured-node"
+)
+
+func IsKubeGatewayCacheKey(key string) bool {
+ return strings.HasPrefix(key, wellknown.GatewayApiProxyValue)
+}
+
+// OwnerNamespaceNameID returns the string identifier for an Envoy node in a provided namespace.
+// Envoy proxies are assigned their configuration by Gloo based on their Node ID.
+// Therefore, proxies must identify themselves using the same naming
+// convention that we use to persist the Proxy resource in the snapshot cache.
+// The naming convention that we follow is "OWNER~NAMESPACE~NAME"
+func OwnerNamespaceNameID(owner, namespace, name string) string {
+ return strings.Join([]string{owner, namespace, name}, KeyDelimiter)
+}
+
+func NewNodeRoleHasher() *nodeRoleHasher {
+ return &nodeRoleHasher{}
+}
+
+// nodeRoleHasher identifies a node based on the values provided in the `node.metadata.role`
+type nodeRoleHasher struct{}
+
+// ID returns the string value of the xDS cache key
+// This value must match role metadata format: ~~
+// which is equal to role defined on proxy-deployment ConfigMap:
+// gloo-kube-gateway-api~{{ $gateway.gatewayNamespace }}-{{ $gateway.gatewayName | default (include "gloo-gateway.gateway.fullname" .) 
}} +func (h *nodeRoleHasher) ID(node *envoy_config_core_v3.Node) string { + if node.GetMetadata() != nil { + roleValue := node.GetMetadata().GetFields()[RoleKey] + if roleValue != nil { + return roleValue.GetStringValue() + } + } + + return FallbackNodeCacheKey +} From 017d98c1419db2ed5cb6975480f383ac8302db94 Mon Sep 17 00:00:00 2001 From: Lawrence Gadban Date: Wed, 22 Jan 2025 21:47:40 -0600 Subject: [PATCH 2/9] fixup codegen --- Makefile | 3 ++- docs/content/static/content/osa_provided.md | 4 ++-- go.mod | 5 +++-- go.sum | 10 ++++++---- 4 files changed, 13 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 3c31b2f6ce5..3a9c669fca1 100644 --- a/Makefile +++ b/Makefile @@ -345,9 +345,10 @@ generate-cli-docs: clean-cli-docs ## Removes existing CLI docs and re-generates GO111MODULE=on go run projects/gloo/cli/cmd/docs/main.go # Ensures that accesses for fields which have "getter" functions are exclusively done via said "getter" functions +# TODO: do we still want this? .PHONY: getter-check getter-check: - go run github.com/saiskee/gettercheck -ignoretests -ignoregenerated -write ./... + go run github.com/saiskee/gettercheck -ignoretests -ignoregenerated -write ./projects/gateway2/... .PHONY: mod-tidy mod-tidy: diff --git a/docs/content/static/content/osa_provided.md b/docs/content/static/content/osa_provided.md index a3161fb1ed1..51afd51629e 100644 --- a/docs/content/static/content/osa_provided.md +++ b/docs/content/static/content/osa_provided.md 
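Review bot: In `nodeRoleHasher.ID` (xds/utils.go), a node whose `role` metadata entry is present but empty, or is not a string value, gets the cache key `""` instead of `FallbackNodeCacheKey`, because `GetStringValue()` returns the empty string in both cases. Guarding the return with `if role := roleValue.GetStringValue(); role != "" { return role }` sends those nodes to the "fix me" snapshot as the comment on `FallbackNodeCacheKey` intends. The key is also taken verbatim from metadata the connecting node supplies about itself, so it identifies a proxy but does not authenticate it. Whatever limits which clients may request a given proxy's snapshot is not visible in this hunk, and the doc comment should say that `ID` is not that check. In the same comment the format placeholder has degraded to `~~` and no longer says what the segments are, and the `RoleKey` comment has a typo ("ket" for "key").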
@@ -8,7 +8,7 @@ Name|Version|License [retry-go/v4](https://github.com/avast/retry-go)|v4.3.3|MIT License [aws/aws-sdk-go](https://github.com/aws/aws-sdk-go)|v1.34.9|Apache License 2.0 [census-instrumentation/opencensus-proto](https://github.com/census-instrumentation/opencensus-proto)|v0.2.0|Apache License 2.0 -[xds/go](https://github.com/cncf/xds)|v0.0.0-20240905190251-b4127c9b8d78|Apache License 2.0 +[xds/go](https://github.com/cncf/xds)|v0.0.0-20241223141626-cff3c89139a3|Apache License 2.0 [envoyproxy/go-control-plane](https://github.com/envoyproxy/go-control-plane)|v0.13.2-0.20241022220226-23b7e55d7f65|Apache License 2.0 [envoyproxy/protoc-gen-validate](https://github.com/envoyproxy/protoc-gen-validate)|v1.1.0|Apache License 2.0 [fgrosse/zaptest](https://github.com/fgrosse/zaptest)|v1.1.0|MIT License @@ -63,7 +63,7 @@ Name|Version|License [googleapis/api](https://google.golang.org/genproto/googleapis/api)|v0.0.0-20241021214115-324edc3d5d38|Apache License 2.0 [googleapis/rpc](https://google.golang.org/genproto/googleapis/rpc)|v0.0.0-20241021214115-324edc3d5d38|Apache License 2.0 [google.golang.org/grpc](https://google.golang.org/grpc)|v1.67.1|Apache License 2.0 -[google.golang.org/protobuf](https://google.golang.org/protobuf)|v1.35.1|BSD 3-clause "New" or "Revised" License +[google.golang.org/protobuf](https://google.golang.org/protobuf)|v1.36.1|BSD 3-clause "New" or "Revised" License [AlecAivazis/survey.v1](https://gopkg.in/AlecAivazis/survey.v1)|v1.8.7|MIT License [helm/v3](https://helm.sh/helm/v3)|v3.16.2|Apache License 2.0 [istio.io/api](https://istio.io/api)|v1.24.0-alpha.0.0.20241106042855-9e26cdd3450a|Apache License 2.0 diff --git a/go.mod b/go.mod index f13114443f3..28ecca67050 100644 --- a/go.mod +++ b/go.mod 
@@ -8,7 +8,7 @@ require ( github.com/avast/retry-go v2.4.3+incompatible github.com/aws/aws-sdk-go v1.34.9 github.com/census-instrumentation/opencensus-proto v0.4.1 - github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 + github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 github.com/envoyproxy/go-control-plane v0.13.2-0.20241022220226-23b7e55d7f65 github.com/envoyproxy/protoc-gen-validate v1.1.0 github.com/form3tech-oss/jwt-go v3.2.5+incompatible @@ -66,7 +66,7 @@ require ( golang.org/x/sync v0.8.0 golang.org/x/tools v0.26.0 google.golang.org/grpc v1.67.1 - google.golang.org/protobuf v1.35.1 + google.golang.org/protobuf v1.36.1 gopkg.in/AlecAivazis/survey.v1 v1.8.7 helm.sh/helm/v3 v3.16.2 k8s.io/api v0.31.2 @@ -96,6 +96,7 @@ require ( github.com/google/uuid v1.6.0 github.com/mccutchen/go-httpbin/v2 v2.15.0 github.com/quasilyte/go-ruleguard/dsl v0.3.22 + github.com/solo-io/envoy-gloo/go v0.0.0-20250102165327-33a74fcf9966 github.com/stoewer/go-strcase v1.3.0 github.com/stretchr/testify v1.9.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 diff --git a/go.sum b/go.sum index 992c8110192..f4a2b503d8b 100644 --- a/go.sum +++ b/go.sum 
@@ -1531,8 +1531,8 @@ github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50/go.mod h1:5e1+Vvlzido69INQaVO6d87Qn543Xr6nooe9Kz7oBFM= github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= -github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= -github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 h1:boJj011Hh+874zpIySeApCX4GeOjPl9qhRF3QuIZq+Q= +github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/cockroachdb/datadriven v1.0.2/go.mod h1:a9RdTaap04u637JoCzcUoIcDmvwSUtcUFtT/C3kJlTU= 
@@ -2688,6 +2688,8 @@ github.com/solo-io/anyvendor v0.1.0 h1:pzqilD2dxOJnosCe01gl7bU91EHrYjBnfB6W3lQmF github.com/solo-io/anyvendor v0.1.0/go.mod h1:pm4oeT20nrF6moqurCc7U4fEC1oi1RzkqoD/Lp/z/4Y= github.com/solo-io/cue v0.4.7 h1:X65mDmyBrS3ODvDvAgzIt9aTxbwBtdt+ayg4w9XKoaA= github.com/solo-io/cue v0.4.7/go.mod h1:P1tN9y6nBPAMoEK5aJxI8kn0VUcjVcRc+8esieRzQ7M= +github.com/solo-io/envoy-gloo/go v0.0.0-20250102165327-33a74fcf9966 h1:MavIqMAvo9dxhcuN0/m7Ok830e7htfhR+JWRDqs3qj4= +github.com/solo-io/envoy-gloo/go v0.0.0-20250102165327-33a74fcf9966/go.mod h1:27GcajR+wxZ34COPvLp1+4hxGN66/GSx7SSjVn8LySY= github.com/solo-io/go-list-licenses v0.1.4 h1:u4xh1OUORT4iSWuAp3Q4NsfHcDaeUV8QRDH8ACQqbxw= github.com/solo-io/go-list-licenses v0.1.4/go.mod h1:x6LSp/NrYgVXwNum7ZOiaAYTpg6B3F6TrWYfcdHVroA= github.com/solo-io/go-utils v0.20.2/go.mod h1:6e8K1spnMWwlnJRSNp/J84GEyJbrcK4Gm7i+ehzCi8c= @@ -3971,8 +3973,8 @@ google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHh google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= -google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= -google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= +google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/AlecAivazis/survey.v1 v1.8.2/go.mod h1:iBNOmqKz/NUbZx3bA+4hAGLRC7fSK7tgtVDT4tB22XA= gopkg.in/AlecAivazis/survey.v1 v1.8.7 h1:oBJqtgsyBLg9K5FK9twNUbcPnbCPoh+R9a+7nag3qJM= gopkg.in/AlecAivazis/survey.v1 v1.8.7/go.mod h1:iBNOmqKz/NUbZx3bA+4hAGLRC7fSK7tgtVDT4tB22XA= From 486189f1a9eb6b6df012045bfacc56da80cba27a Mon Sep 17 00:00:00 2001 
From: Lawrence Gadban Date: Wed, 22 Jan 2025 22:24:59 -0600 Subject: [PATCH 3/9] only lint gateway2 dir for now --- .github/workflows/static-analysis.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml index 6f01c777f41..b53e7c68234 100644 --- a/.github/workflows/static-analysis.yaml +++ b/.github/workflows/static-analysis.yaml @@ -40,7 +40,8 @@ jobs: # If this action fails, try running `make analyze` locally. with: version: v1.57.2 - args: --verbose --modules-download-mode=readonly --allow-parallel-runners + # TODO: remove specific dir once we remove old code and deflate structure + args: --verbose --modules-download-mode=readonly --allow-parallel-runners ./projects/gateway2 skip-cache: true skip-save-cache: true only-new-issues: false From c949958b66ed2215ab458c0092cf818a5a74314d Mon Sep 17 00:00:00 2001 
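Review bot: The new `args` line in static-analysis.yaml passes `./projects/gateway2` without a trailing `/...`, and golangci-lint does not recurse into a directory given as a plain path, so only the package at that directory itself would be analysed and its subpackages (plugins, xds, wellknown and the rest) would be skipped. Using `./projects/gateway2/...` matches the getter-check target changed in the Makefile in the previous patch of this series: `args: --verbose --modules-download-mode=readonly --allow-parallel-runners ./projects/gateway2/...`. Until the TODO is resolved, the code outside this directory is no longer linted in CI at all, which is worth stating in the TODO so the narrowing is not mistaken for full coverage.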
From: Lawrence Gadban Date: Wed, 22 Jan 2025 22:27:20 -0600 Subject: [PATCH 4/9] remove redundant helm templates --- .../templates/3-discovery-deployment.yaml | 133 ----------------- .../3-discovery-service-account.yaml | 28 ---- .../gloo/templates/3-discovery-service.yaml | 18 --- ...eway-validation-webhook-configuration.yaml | 120 ---------------- .../5-resource-cleanup-job-clusterrole.yaml | 23 --- ...source-cleanup-job-clusterrolebinding.yaml | 24 ---- .../5-resource-cleanup-job-role.yaml | 21 --- .../5-resource-cleanup-job-rolebinding.yaml | 25 ---- ...-resource-cleanup-job-service-account.yaml | 17 --- .../templates/5-resource-cleanup-job.yaml | 72 ---------- .../gloo/templates/5-resource-configmap.yaml | 24 ---- .../5-resource-migration-job-clusterrole.yaml | 23 --- ...urce-migration-job-clusterrolebinding.yaml | 24 ---- .../5-resource-migration-job-role.yaml | 21 --- .../5-resource-migration-job-rolebinding.yaml | 25 ---- ...esource-migration-job-service-account.yaml | 17 --- .../templates/5-resource-migration-job.yaml | 75 ---------- .../5-resource-rollout-check-job.yaml | 135 ------------------ .../5-resource-rollout-cleanup-job.yaml | 117 --------------- .../5-resource-rollout-job-clusterrole.yaml | 16 --- ...source-rollout-job-clusterrolebinding.yaml | 20 --- .../5-resource-rollout-job-role.yaml | 24 ---- .../5-resource-rollout-job-rolebinding.yaml | 21 --- ...-resource-rollout-job-service-account.yaml | 13 -- .../templates/5-resource-rollout-job.yaml | 115 --------------- .../6.5-gateway-certgen-cronjob.yaml | 76 ---------- ...ateway-certgen-job-secret-create-role.yaml | 22 --- ...certgen-job-secret-create-rolebinding.yaml | 25 ---- ...5-gateway-certgen-job-service-account.yaml | 17 --- ...ay-certgen-job-vwc-update-clusterrole.yaml | 20 --- ...gen-job-vwc-update-clusterrolebinding.yaml | 24 ---- .../templates/6.5-gateway-certgen-job.yaml | 78 ---------- 32 files changed, 1413 deletions(-) delete mode 100644 
install/helm/gloo/templates/3-discovery-deployment.yaml delete mode 100644 install/helm/gloo/templates/3-discovery-service-account.yaml delete mode 100644 install/helm/gloo/templates/3-discovery-service.yaml delete mode 100644 install/helm/gloo/templates/5-gateway-validation-webhook-configuration.yaml delete mode 100644 install/helm/gloo/templates/5-resource-cleanup-job-clusterrole.yaml delete mode 100644 install/helm/gloo/templates/5-resource-cleanup-job-clusterrolebinding.yaml delete mode 100644 install/helm/gloo/templates/5-resource-cleanup-job-role.yaml delete mode 100644 install/helm/gloo/templates/5-resource-cleanup-job-rolebinding.yaml delete mode 100644 install/helm/gloo/templates/5-resource-cleanup-job-service-account.yaml delete mode 100644 install/helm/gloo/templates/5-resource-cleanup-job.yaml delete mode 100644 install/helm/gloo/templates/5-resource-configmap.yaml delete mode 100644 install/helm/gloo/templates/5-resource-migration-job-clusterrole.yaml delete mode 100644 install/helm/gloo/templates/5-resource-migration-job-clusterrolebinding.yaml delete mode 100644 install/helm/gloo/templates/5-resource-migration-job-role.yaml delete mode 100644 install/helm/gloo/templates/5-resource-migration-job-rolebinding.yaml delete mode 100644 install/helm/gloo/templates/5-resource-migration-job-service-account.yaml delete mode 100644 install/helm/gloo/templates/5-resource-migration-job.yaml delete mode 100644 install/helm/gloo/templates/5-resource-rollout-check-job.yaml delete mode 100644 install/helm/gloo/templates/5-resource-rollout-cleanup-job.yaml delete mode 100644 install/helm/gloo/templates/5-resource-rollout-job-clusterrole.yaml delete mode 100644 install/helm/gloo/templates/5-resource-rollout-job-clusterrolebinding.yaml delete mode 100644 install/helm/gloo/templates/5-resource-rollout-job-role.yaml delete mode 100644 install/helm/gloo/templates/5-resource-rollout-job-rolebinding.yaml delete mode 100644 
install/helm/gloo/templates/5-resource-rollout-job-service-account.yaml delete mode 100644 install/helm/gloo/templates/5-resource-rollout-job.yaml delete mode 100644 install/helm/gloo/templates/6.5-gateway-certgen-cronjob.yaml delete mode 100644 install/helm/gloo/templates/6.5-gateway-certgen-job-secret-create-role.yaml delete mode 100644 install/helm/gloo/templates/6.5-gateway-certgen-job-secret-create-rolebinding.yaml delete mode 100644 install/helm/gloo/templates/6.5-gateway-certgen-job-service-account.yaml delete mode 100644 install/helm/gloo/templates/6.5-gateway-certgen-job-vwc-update-clusterrole.yaml delete mode 100644 install/helm/gloo/templates/6.5-gateway-certgen-job-vwc-update-clusterrolebinding.yaml delete mode 100644 install/helm/gloo/templates/6.5-gateway-certgen-job.yaml diff --git a/install/helm/gloo/templates/3-discovery-deployment.yaml b/install/helm/gloo/templates/3-discovery-deployment.yaml deleted file mode 100644 index d163ee4b0ca..00000000000 --- a/install/helm/gloo/templates/3-discovery-deployment.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -{{- define "discovery.deploymentSpec"}} -{{- if .Values.discovery.enabled }} -{{- $statsConfig := coalesce .Values.discovery.deployment.stats .Values.global.glooStats -}} -{{- $image := .Values.discovery.deployment.image }} -{{- if .Values.global }} -{{- $image = merge .Values.discovery.deployment.image .Values.global.image }} -{{- end }} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: discovery - name: discovery - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.discovery.deployment.replicas }} - selector: - matchLabels: - gloo: discovery - template: - metadata: - labels: - gloo: discovery - {{- if .Values.discovery.deployment.extraDiscoveryLabels }} - {{- range $key, $value := .Values.discovery.deployment.extraDiscoveryLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if and .Values.global.istioIntegration.whitelistDiscovery .Values.global.istioIntegration.istioSidecarRevTag }} - istio.io/rev: {{ .Values.global.istioIntegration.istioSidecarRevTag }} - {{- else if .Values.global.istioIntegration.whitelistDiscovery }} - sidecar.istio.io/inject: "true" - {{- else if .Values.global.istioIntegration.disableAutoinjection }} - sidecar.istio.io/inject: "false" - {{- end }} - annotations: - {{- if $statsConfig.enabled }} - prometheus.io/path: /metrics - prometheus.io/port: "9091" - prometheus.io/scrape: "true" - {{- end}} - {{- if .Values.discovery.deployment.extraDiscoveryAnnotations }} - {{- range $key, $value := .Values.discovery.deployment.extraDiscoveryAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: - {{- include "gloo.pullSecret" $image | nindent 6 -}} - serviceAccountName: discovery - {{- include "gloo.podSpecStandardFields" .Values.discovery.deployment | nindent 6 -}} - containers: - - image: {{template "gloo.image" $image}} - imagePullPolicy: {{ $image.pullPolicy }} - name: discovery -{{- if 
.Values.discovery.deployment.resources }} - resources: -{{ toYaml .Values.discovery.deployment.resources | indent 10}} -{{- end}} - # container security context - {{- $capabilities := dict "drop" (list "ALL") -}} - {{- $securityDefaults := dict - "readOnlyRootFilesystem" true - "allowPrivilegeEscalation" false - "runAsNonRoot" true - "capabilities" $capabilities -}} - {{- if not .Values.discovery.deployment.floatingUserId -}} - {{- $_ := set $securityDefaults "runAsUser" .Values.discovery.deployment.runAsUser }} - {{- end -}} - {{- include "gloo.containerSecurityContext" (dict "values" .Values.discovery.deployment.discoveryContainerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8 "globalSec" .Values.global.securitySettings) }} - env: -{{- if .Values.license_secret_name }} - - name: GLOO_LICENSE_KEY - valueFrom: - secretKeyRef: - name: {{ .Values.license_secret_name }} - key: license-key -{{- end }} -{{- if (((.Values.discovery.deployment.resources).limits).memory) }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - divisor: "1" - resource: limits.memory -{{- end -}} -{{- if (((.Values.discovery.deployment.resources).limits).cpu) }} - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - divisor: "1" - resource: limits.cpu -{{- end -}} -{{- if .Values.discovery.deployment.customEnv }} -{{ toYaml .Values.discovery.deployment.customEnv | indent 10 }} -{{- end }} - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if $statsConfig.enabled }} - - name: START_STATS_SERVER - value: "true" - {{- end}} - {{- if .Values.discovery.logLevel }} - - name: LOG_LEVEL - value: {{ .Values.discovery.logLevel }} - {{- end}} - {{- if and $statsConfig.enabled $statsConfig.podMonitorEnabled }} - ports: - - name: http-monitoring - containerPort: 9091 - {{- end }} - {{- /* Pod Security Context */ -}} - {{- if and .Values.discovery.deployment.enablePodSecurityContext (not 
.Values.global.securitySettings.floatingUserId) }} - {{- $securityDefaults := dict -}} - {{- if .Values.discovery.deployment.fsGroup }} - {{- $_ := set $securityDefaults "fsGroup" (int64 (printf "%.0f" (float64 .Values.discovery.deployment.fsGroup))) -}} - {{- end -}} - {{- if .Values.discovery.deployment.runAsUser }} - {{- $_ := set $securityDefaults "runAsUser" (int64 (printf "%.0f" (float64 .Values.discovery.deployment.runAsUser))) -}} - {{- end }} - {{- include "gloo.securityContext" (dict "defaults" $securityDefaults "indent" 6 "globalSec" .Values.global.securitySettings) -}} - {{- end}} -{{- end }} -{{- end }} {{/* define "discovery.deploymentSpec"*/}} - -{{/* Render template with yaml overrides */}} -{{- $kubeResourceOverride := dict -}} -{{- if .Values.discovery.deployment -}} -{{- $kubeResourceOverride = .Values.discovery.deployment.kubeResourceOverride -}} -{{- end -}} -{{- include "gloo.util.merge" (list . $kubeResourceOverride "discovery.deploymentSpec") -}} - diff --git a/install/helm/gloo/templates/3-discovery-service-account.yaml b/install/helm/gloo/templates/3-discovery-service-account.yaml deleted file mode 100644 index 344330521fb..00000000000 --- a/install/helm/gloo/templates/3-discovery-service-account.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- define "discovery.serviceAccountSpec"}} -{{- if .Values.discovery.enabled }} -apiVersion: v1 -kind: ServiceAccount -metadata: -{{- if .Values.discovery.serviceAccount.extraAnnotations }} - annotations: - {{- range $key, $value := .Values.discovery.serviceAccount.extraAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: discovery - name: discovery - namespace: {{ $.Release.Namespace }} -{{- if .Values.discovery.serviceAccount.disableAutomount }} -automountServiceAccountToken: false -{{ end }} -{{- end }} -{{- end }} - -{{/* Render template with yaml overrides */}} -{{- $kubeResourceOverride := dict -}} -{{- if .Values.discovery.serviceAccount -}} -{{- $kubeResourceOverride = .Values.discovery.serviceAccount.kubeResourceOverride -}} -{{- end -}} -{{- include "gloo.util.merge" (list . $kubeResourceOverride "discovery.serviceAccountSpec") -}} \ No newline at end of file diff --git a/install/helm/gloo/templates/3-discovery-service.yaml b/install/helm/gloo/templates/3-discovery-service.yaml deleted file mode 100644 index 739cb43aed6..00000000000 --- a/install/helm/gloo/templates/3-discovery-service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $statsConfig := coalesce .Values.discovery.deployment.stats .Values.global.glooStats -}} -{{- if and $statsConfig.enabled $statsConfig.serviceMonitorEnabled }} -apiVersion: v1 -kind: Service -metadata: - labels: - discovery.solo.io/function_discovery: disabled -{{ include "gloo.labels" . | indent 4}} - gloo: discovery - name: discovery - namespace: {{ .Release.Namespace }} -spec: - ports: - - name: http-monitoring - port: 9091 - selector: - gloo: discovery -{{- end -}} \ No newline at end of file diff --git a/install/helm/gloo/templates/5-gateway-validation-webhook-configuration.yaml b/install/helm/gloo/templates/5-gateway-validation-webhook-configuration.yaml deleted file mode 100644 index 669fc02774d..00000000000 
--- a/install/helm/gloo/templates/5-gateway-validation-webhook-configuration.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -{{- define "gateway.validationWebhookSpec" }} -{{- if and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.validation.webhook.enabled }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: gloo-gateway-validation-webhook-{{ .Release.Namespace }} - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: gateway - annotations: - {{- if not .Values.gateway.validation.webhook.disableHelmHook }} - "helm.sh/hook": pre-install, pre-upgrade - "helm.sh/hook-weight": "5" # must be executed before cert-gen job - {{- end }} - {{- range $key, $value := .Values.gateway.validation.webhook.extraAnnotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} -webhooks: -- name: gloo.{{ .Release.Namespace }}.svc # must be a domain with at least three segments separated by dots - clientConfig: - service: - name: gloo - namespace: {{ .Release.Namespace }} - path: "/validation" - caBundle: "" # update manually or use certgen job or cert-manager's ca-injector - rules: -{{- if and .Values.kubeGateway.enabled .Values.gateway.validation.webhook.enablePolicyApi }} - - operations: [ "CREATE", "UPDATE" ] - # RouteOption and VirtualHostOption DELETEs are not supported. - # Their validation is currently limited to usage as Kube Gateway API Policies - # and are hermetically validated for semantic correctness only. 
This means there - # is no validation needed for DELETEs, as a DELETE will never result be semantically invalid - apiGroups: ["gateway.solo.io"] - apiVersions: ["v1"] - resources: ["routeoptions", "virtualhostoptions"] -{{- end }}{{/* if and .Values.kubeGateway.enabled .Values.gateway.validation.webhook.enablePolicyApi */}} - - operations: {{ include "gloo.webhookvalidation.operationsForResource" (list "virtualservices" .Values.gateway.validation.webhook.skipDeleteValidationResources) }} - apiGroups: ["gateway.solo.io"] - apiVersions: ["v1"] - resources: ["virtualservices"] - - operations: {{ include "gloo.webhookvalidation.operationsForResource" (list "routetables" .Values.gateway.validation.webhook.skipDeleteValidationResources) }} - apiGroups: ["gateway.solo.io"] - apiVersions: ["v1"] - resources: ["routetables"] - - operations: [ "CREATE", "UPDATE" ] -{{/* gateway deletions are not supported at the moment. Since we have no longer use resource flags to support -specific resources, we will manage the resources that the webhook receives via the helm configurations*/}} - apiGroups: ["gateway.solo.io"] - apiVersions: ["v1"] - resources: ["gateways"] - - operations: {{ include "gloo.webhookvalidation.operationsForResource" (list "upstreams" .Values.gateway.validation.webhook.skipDeleteValidationResources) }} - apiGroups: ["gloo.solo.io"] - apiVersions: ["v1"] - resources: ["upstreams"]{{/* TODO(https://github.com/solo-io/gloo/issues/2797): Extend to all gloo resources */}} - - operations: {{ include "gloo.webhookvalidation.operationsForResource" (list "ratelimitconfigs" .Values.gateway.validation.webhook.skipDeleteValidationResources) }} - apiGroups: ["ratelimit.solo.io"] - apiVersions: ["v1alpha1"] - resources: ["ratelimitconfigs"] - sideEffects: None - matchPolicy: Exact -{{- if .Values.gateway.validation.webhook.timeoutSeconds }} - timeoutSeconds: {{ .Values.gateway.validation.webhook.timeoutSeconds }} -{{- end }} - admissionReviewVersions: - - v1beta1 # v1beta1 
still live in 1.22 https://github.com/kubernetes/api/blob/release-1.22/admission/v1beta1/types.go#L33 -{{- if .Values.gateway.validation.failurePolicy }} - failurePolicy: {{ .Values.gateway.validation.failurePolicy }} -{{- end }} {{- /* if .Values.gateway.validation.failurePolicy */}} - -{{/* Webhook for core resources - only render if we need to */}} -{{- if and - (not (has "*" .Values.gateway.validation.webhook.skipDeleteValidationResources)) - (or (not (has "secrets" .Values.gateway.validation.webhook.skipDeleteValidationResources)) - (not (has "namespaces" .Values.gateway.validation.webhook.skipDeleteValidationResources))) -}} -- name: kube.{{ .Release.Namespace }}.svc # must be a domain with at least three segments separated by dots - clientConfig: - service: - name: gloo - namespace: {{ .Release.Namespace }} - path: "/validation" - caBundle: "" # update manually or use certgen job or cert-manager's ca-injector - rules: -{{- /* Can't use the include for this one because if the operations are empty, we need to drop the whole list element */}} -{{- if and (not (has "*" .Values.gateway.validation.webhook.skipDeleteValidationResources)) (not (has "secrets" .Values.gateway.validation.webhook.skipDeleteValidationResources)) }} - - operations: [ "DELETE" ] - apiGroups: [""]{{/* We do not have internal secret CRDs. We want to validate the deletion of secrets such as TLS, so we add "" which refers to Kubernetes' core APIs. */}} - apiVersions: ["v1"] - resources: ["secrets"] -{{- end }} -{{- if and (not (has "*" .Values.gateway.validation.webhook.skipDeleteValidationResources)) (not (has "namespaces" .Values.gateway.validation.webhook.skipDeleteValidationResources)) }} -{{- /* A namespace with an updated to a label can cause it to no longer be watched, equivalent to deleting it from the controller's perspective */}} - - operations: [ "UPDATE", "DELETE"] - apiGroups: [""]{{/* We do not have internal namespace CRDs. 
We want to validate the updation and deletion of namespaces that are watched. */}} - apiVersions: ["v1"] - resources: ["namespaces"] -{{- end }} - sideEffects: None - matchPolicy: Exact -{{- if .Values.gateway.validation.webhook.timeoutSeconds }} - timeoutSeconds: {{ .Values.gateway.validation.webhook.timeoutSeconds }} -{{- end }} - admissionReviewVersions: - - v1beta1 # v1beta1 still live in 1.22 https://github.com/kubernetes/api/blob/release-1.22/admission/v1beta1/types.go#L33 -{{- if .Values.gateway.validation.kubeCoreFailurePolicy }} - failurePolicy: {{ .Values.gateway.validation.kubeCoreFailurePolicy -}} -{{- end }} {{/* if .Values.gateway.validation.kubeCoreFailurePolicy */}} -{{- end }} {{/* render webhook if */}} - -{{- end }} {{/* if and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.validation.webhook.enabled */}} -{{- end }} {{/* define "gateway.validationWebhookSpec" */}} - -{{/* Render template with yaml overrides */}} -{{- $kubeResourceOverride := dict -}} -{{- if .Values.gateway.validation -}} -{{- if .Values.gateway.validation.webhook -}} -{{- $kubeResourceOverride = .Values.gateway.validation.webhook.kubeResourceOverride -}} -{{- end -}} {{/* if .Values.gateway.validation.webhook */ -}} -{{- end -}} {{/* if .Values.gateway.validation */ -}} -{{- include "gloo.util.merge" (list . $kubeResourceOverride "gateway.validationWebhookSpec") -}} \ No newline at end of file diff --git a/install/helm/gloo/templates/5-resource-cleanup-job-clusterrole.yaml b/install/helm/gloo/templates/5-resource-cleanup-job-clusterrole.yaml deleted file mode 100644 index 59c7888c60d..00000000000 --- a/install/helm/gloo/templates/5-resource-cleanup-job-clusterrole.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- if .Values.gateway.cleanupJob.enabled }} -{{- if .Values.global.glooRbac.create }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-resource-cleanup{{ include "gloo.rbacNameSuffix" . }} - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: rbac - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "0" # must be created before cleanup job - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation -rules: -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["delete"] -- apiGroups: ["gateway.solo.io"] - resources: ["*"] - verbs: ["list", "delete"] -{{- end }}{{/* if .Values.global.glooRbac.create */}} -{{- end }}{{/* if .Values.gateway.cleanupJob.enabled */}} diff --git a/install/helm/gloo/templates/5-resource-cleanup-job-clusterrolebinding.yaml b/install/helm/gloo/templates/5-resource-cleanup-job-clusterrolebinding.yaml deleted file mode 100644 index 5e818825b94..00000000000 --- a/install/helm/gloo/templates/5-resource-cleanup-job-clusterrolebinding.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.gateway.cleanupJob.enabled }} -{{- if .Values.global.glooRbac.create }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-resource-cleanup{{ include "gloo.rbacNameSuffix" . }} - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: rbac - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "0" # must be created before cleanup job - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation -roleRef: - kind: ClusterRole - name: gloo-resource-cleanup{{ include "gloo.rbacNameSuffix" . }} - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: gloo-resource-cleanup - namespace: {{ .Release.Namespace }} -{{- end }}{{/* if .Values.global.glooRbac.create */}} -{{- end }}{{/* if .Values.gateway.cleanupJob.enabled */}} 
diff --git a/install/helm/gloo/templates/5-resource-cleanup-job-role.yaml b/install/helm/gloo/templates/5-resource-cleanup-job-role.yaml deleted file mode 100644 index bf952d5df66..00000000000 --- a/install/helm/gloo/templates/5-resource-cleanup-job-role.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.gateway.cleanupJob.enabled }} -{{- if .Values.global.glooRbac.create }} ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-resource-cleanup - namespace: {{ .Release.Namespace }} - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: rbac - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "0" # must be created before cleanup job - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation -rules: -- apiGroups: ["gloo.solo.io"] - resources: ["*"] - verbs: ["list", "delete"] -{{- end }}{{/* if .Values.global.glooRbac.create */}} -{{- end }}{{/* if .Values.gateway.cleanupJob.enabled */}} diff --git a/install/helm/gloo/templates/5-resource-cleanup-job-rolebinding.yaml b/install/helm/gloo/templates/5-resource-cleanup-job-rolebinding.yaml deleted file mode 100644 index 6952e73061d..00000000000 --- a/install/helm/gloo/templates/5-resource-cleanup-job-rolebinding.yaml +++ /dev/null 
@@ -1,25 +0,0 @@
-{{- if .Values.gateway.cleanupJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-cleanup
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- annotations:
- "helm.sh/hook": pre-delete
- "helm.sh/hook-weight": "0" # must be created before cleanup job
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-roleRef:
- kind: Role
- name: gloo-resource-cleanup
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: gloo-resource-cleanup
- namespace: {{ .Release.Namespace }}
-{{- end }}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.cleanupJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-cleanup-job-service-account.yaml b/install/helm/gloo/templates/5-resource-cleanup-job-service-account.yaml
deleted file mode 100644
index 5131f7598f0..00000000000
--- a/install/helm/gloo/templates/5-resource-cleanup-job-service-account.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.gateway.cleanupJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- annotations:
- "helm.sh/hook": pre-delete
- "helm.sh/hook-weight": "0" # must be created before cleanup job
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
- name: gloo-resource-cleanup
- namespace: {{ .Release.Namespace }}
-{{- end }}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.cleanupJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-cleanup-job.yaml b/install/helm/gloo/templates/5-resource-cleanup-job.yaml
deleted file mode 100644
index 78760b8eef3..00000000000
--- a/install/helm/gloo/templates/5-resource-cleanup-job.yaml
+++ /dev/null
@@ -1,72 +0,0 @@ -{{- if .Values.gateway.cleanupJob.enabled }} -{{- $image := .Values.gateway.cleanupJob.image }} -{{- if .Values.global }} -{{- $image = merge .Values.gateway.cleanupJob.image .Values.global.image }} -{{- end }} -apiVersion: batch/v1 -kind: Job -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: resource-cleanup - name: gloo-resource-cleanup - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "5" # run this job after the role/rolebinding is created - {{- include "gloo.jobHelmDeletePolicySucceededAndBeforeCreation" .Values.gateway.cleanupJob | nindent 4 }} -spec: - {{- include "gloo.jobSpecStandardFields" .Values.gateway.cleanupJob | nindent 2 -}} - template: - metadata: - labels: - gloo: resource-cleanup - sidecar.istio.io/inject: "false" - {{- if .Values.gateway.cleanupJob.extraPodLabels }} - {{- range $key, $value := .Values.gateway.cleanupJob.extraPodLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if or .Values.settings.linkerd .Values.gateway.cleanupJob.extraPodAnnotations }} - annotations: - {{- if .Values.settings.linkerd }} - "linkerd.io/inject": disabled - {{- end }} - {{- range $key, $value := .Values.gateway.cleanupJob.extraPodAnnotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: - {{- include "gloo.pullSecret" $image | nindent 6 -}} - serviceAccountName: gloo-resource-cleanup - {{- include "gloo.podSpecStandardFields" .Values.gateway.cleanupJob | nindent 6 -}} - containers: - - name: kubectl - image: {{template "gloo.image" $image}} - imagePullPolicy: {{ $image.pullPolicy }} - {{- $securityDefaults := dict "runAsNonRoot" true }} - {{- if not .Values.gateway.rolloutJob.floatingUserId -}} - {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }} - {{- end -}} - {{- include "gloo.containerSecurityContext" (dict "values" 
.Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10 "globalSec" .Values.global.securitySettings) }} - {{- with .Values.gateway.cleanupJob.resources }} - resources: {{ toYaml . | nindent 12}} - {{- end }} - command: - - /bin/sh - - -c - - | - kubectl delete --ignore-not-found validatingwebhookconfigurations.admissionregistration.k8s.io gloo-gateway-validation-webhook-{{ .Release.Namespace }} || exit $? - - if ! kubectl get crd upstreams.gloo.solo.io; then - echo "Could not find Upstream CRD. Gloo Edge CRDs may have already been deleted. Skipping cleanup of Gloo Edge resources." - exit 0 - fi - - kubectl delete --ignore-not-found upstreams.gloo.solo.io -n {{ .Release.Namespace }} -l app=gloo || exit $? - - # gateways can be in multiple namespaces - {{- range include "gloo.gatewayNamespaces" . | fromJsonArray }} - kubectl delete --ignore-not-found gateways.gateway.solo.io -n {{ . }} -l app=gloo || exit $? - {{- end }} -{{- end }}{{/* if .Values.gateway.cleanupJob.enabled */}} diff --git a/install/helm/gloo/templates/5-resource-configmap.yaml b/install/helm/gloo/templates/5-resource-configmap.yaml deleted file mode 100644 index b6d0fd6b390..00000000000 --- a/install/helm/gloo/templates/5-resource-configmap.yaml +++ /dev/null 
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: gloo-custom-resource-config
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: custom-resources
-data:
- {{- $cr := include "gloo.customResources" . | indent 4 -}}
- {{- $hasCr := contains "kind:" $cr -}}{{/* whether there are any custom resources */}}
- custom-resources: |
-{{ $cr }}
- has-custom-resources: "{{- $hasCr -}}"
-{{- if .Values.global.extraCustomResources }}
- {{- /* Since the OSS values context is passed to enterprise, we ensure that enterprise can refer to (i) gloo values as .Values.gloo (ii) global values as .Values.global (iii) release values as .Release. That way any changes in enterprise are minimized */}}
- {{- $values := dict "global" .Values.global "gloo" .Values }}
- {{- $data := dict "Values" $values "Release" .Release }}
- {{- $extraCr := include "gloo.extraCustomResources" $data | indent 4 -}}
- {{- $hasExtraCr := contains "kind:" $extraCr -}}{{/* whether there are any custom resources in enterprise */}}
- extra-custom-resources: |
-{{ $extraCr }}
- has-extra-custom-resources: "{{- $hasExtraCr -}}"
-{{- end -}}
diff --git a/install/helm/gloo/templates/5-resource-migration-job-clusterrole.yaml b/install/helm/gloo/templates/5-resource-migration-job-clusterrole.yaml
deleted file mode 100644
index 4a62215b532..00000000000
--- a/install/helm/gloo/templates/5-resource-migration-job-clusterrole.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-migration{{ include "gloo.rbacNameSuffix" . }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- annotations:
- "helm.sh/hook": pre-upgrade
- "helm.sh/hook-weight": "0" # must be created before job
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-rules:
-- apiGroups: ["gateway.solo.io"]
- resources: ["*"]
- verbs: ["get", "list", "update", "patch"]
-- apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list"]
-{{- end }}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-migration-job-clusterrolebinding.yaml b/install/helm/gloo/templates/5-resource-migration-job-clusterrolebinding.yaml
deleted file mode 100644
index 9cc04d5546d..00000000000
--- a/install/helm/gloo/templates/5-resource-migration-job-clusterrolebinding.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-migration{{ include "gloo.rbacNameSuffix" . }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- annotations:
- "helm.sh/hook": pre-upgrade
- "helm.sh/hook-weight": "0" # must be created before job
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-roleRef:
- kind: ClusterRole
- name: gloo-resource-migration{{ include "gloo.rbacNameSuffix" . }}
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: gloo-resource-migration
- namespace: {{ .Release.Namespace }}
-{{- end }}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-migration-job-role.yaml b/install/helm/gloo/templates/5-resource-migration-job-role.yaml
deleted file mode 100644
index 26a66d3c4c1..00000000000
--- a/install/helm/gloo/templates/5-resource-migration-job-role.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-migration
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- annotations:
- "helm.sh/hook": pre-upgrade
- "helm.sh/hook-weight": "0" # must be created before job
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-rules:
-- apiGroups: ["gloo.solo.io"]
- resources: ["*"]
- verbs: ["get", "list", "update", "patch"]
-{{- end }}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-migration-job-rolebinding.yaml b/install/helm/gloo/templates/5-resource-migration-job-rolebinding.yaml
deleted file mode 100644
index 304b252a814..00000000000
--- a/install/helm/gloo/templates/5-resource-migration-job-rolebinding.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-migration
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- annotations:
- "helm.sh/hook": pre-upgrade
- "helm.sh/hook-weight": "0" # must be created before job
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-roleRef:
- kind: Role
- name: gloo-resource-migration
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: gloo-resource-migration
- namespace: {{ .Release.Namespace }}
-{{- end }}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-migration-job-service-account.yaml b/install/helm/gloo/templates/5-resource-migration-job-service-account.yaml
deleted file mode 100644
index 40d16033cca..00000000000
--- a/install/helm/gloo/templates/5-resource-migration-job-service-account.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- annotations:
- "helm.sh/hook": pre-upgrade
- "helm.sh/hook-weight": "0" # must be created before job
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
- name: gloo-resource-migration
- namespace: {{ .Release.Namespace }}
-{{- end }}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-migration-job.yaml b/install/helm/gloo/templates/5-resource-migration-job.yaml
deleted file mode 100644
index a2040ae6cbf..00000000000
--- a/install/helm/gloo/templates/5-resource-migration-job.yaml
+++ /dev/null
@@ -1,75 +0,0 @@ -{{- if .Values.gateway.rolloutJob.enabled }} -{{- $image := .Values.gateway.rolloutJob.image }} -{{- if .Values.global }} -{{- $image = merge .Values.gateway.rolloutJob.image .Values.global.image }} -{{- end }} -apiVersion: batch/v1 -kind: Job -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: resource-migration - name: gloo-resource-migration - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "3" # run this job after the role/rolebinding is created, and before the validation webhook is upgraded - {{- include "gloo.jobHelmDeletePolicySucceededAndBeforeCreation" .Values.gateway.rolloutJob | nindent 4 }} -spec: - {{- include "gloo.jobSpecStandardFields" .Values.gateway.rolloutJob | nindent 2 -}} - template: - metadata: - labels: - gloo: resource-migration - sidecar.istio.io/inject: "false" - {{- if .Values.gateway.rolloutJob.extraPodLabels }} - {{- range $key, $value := .Values.gateway.rolloutJob.extraPodLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if or .Values.settings.linkerd .Values.gateway.rolloutJob.extraPodAnnotations }} - annotations: - {{- if .Values.settings.linkerd }} - "linkerd.io/inject": disabled - {{- end }} - {{- range $key, $value := .Values.gateway.rolloutJob.extraPodAnnotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: - {{- include "gloo.pullSecret" $image | nindent 6 -}} - serviceAccountName: gloo-resource-migration - {{- include "gloo.podSpecStandardFields" .Values.gateway.rolloutJob | nindent 6 -}} - containers: - - name: kubectl - image: {{template "gloo.image" $image}} - imagePullPolicy: {{ $image.pullPolicy }} - {{- $securityDefaults := dict "runAsNonRoot" true }} - {{- if not .Values.gateway.rolloutJob.floatingUserId -}} - {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }} - {{- end -}} - {{- include "gloo.containerSecurityContext" (dict 
"values" .Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10 "globalSec" .Values.global.securitySettings) }} - {{- with .Values.gateway.rolloutJob.resources }} - resources: {{ toYaml . | nindent 12}} - {{- end }} - command: - - /bin/sh - - -c - - | - if ! kubectl get crd upstreams.gloo.solo.io; then - echo "Could not find Upstream CRD. Gloo Edge may not be installed yet. Skipping migration job." - exit 0 - fi - - # remove existing helm labels/annotations since the custom resources are no longer managed by helm. - # also add resource-policy to tell helm not to delete the resource during upgrade. - # select by label app=gloo, which is on all CRs from the gloo helm chart. - kubectl annotate --overwrite upstreams.gloo.solo.io -n {{ $.Release.Namespace }} -l app=gloo helm.sh/hook- helm.sh/hook-weight- meta.helm.sh/release-name- meta.helm.sh/release-namespace- helm.sh/resource-policy=keep || exit $? - kubectl label upstreams.gloo.solo.io -n {{ $.Release.Namespace }} -l app=gloo,app.kubernetes.io/managed-by=Helm app.kubernetes.io/managed-by- || exit $? - - # gateways can be in multiple namespaces - {{- range include "gloo.gatewayNamespaces" $ | fromJsonArray }} - kubectl annotate --overwrite gateways.gateway.solo.io -n {{ . }} -l app=gloo helm.sh/hook- helm.sh/hook-weight- meta.helm.sh/release-name- meta.helm.sh/release-namespace- helm.sh/resource-policy=keep || exit $? - kubectl label gateways.gateway.solo.io -n {{ . }} -l app=gloo,app.kubernetes.io/managed-by=Helm app.kubernetes.io/managed-by- || exit $? - {{- end }} -{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}} diff --git a/install/helm/gloo/templates/5-resource-rollout-check-job.yaml b/install/helm/gloo/templates/5-resource-rollout-check-job.yaml deleted file mode 100644 index 8c3798461dd..00000000000 --- a/install/helm/gloo/templates/5-resource-rollout-check-job.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -{{- if .Values.gateway.rolloutJob.enabled }} -{{- $image := .Values.gateway.rolloutJob.image }} -{{- if .Values.global }} -{{- $image = merge .Values.gateway.rolloutJob.image .Values.global.image }} -{{- end }} -apiVersion: batch/v1 -kind: Job -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: resource-rollout - name: gloo-resource-rollout-check - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "5" - {{- include "gloo.jobHelmDeletePolicySucceededAndBeforeCreation" .Values.gateway.rolloutJob | nindent 4 }} -spec: - {{- include "gloo.jobSpecStandardFields" .Values.gateway.rolloutJob | nindent 2 -}} - template: - metadata: - labels: - gloo: resource-rollout - sidecar.istio.io/inject: "false" - {{- if .Values.gateway.rolloutJob.extraPodLabels }} - {{- range $key, $value := .Values.gateway.rolloutJob.extraPodLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if or .Values.settings.linkerd .Values.gateway.rolloutJob.extraPodAnnotations }} - annotations: - {{- if .Values.settings.linkerd }} - "linkerd.io/inject": disabled - {{- end }} - {{- range $key, $value := .Values.gateway.rolloutJob.extraPodAnnotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: - {{- include "gloo.pullSecret" $image | nindent 6 -}} - serviceAccountName: gloo-resource-rollout - {{- include "gloo.podSpecStandardFields" .Values.gateway.rolloutJob | nindent 6 -}} - volumes: - - name: custom-resource-config-volume - configMap: - name: gloo-custom-resource-config - items: - - key: custom-resources - path: custom-resources - {{- if .Values.global.extraCustomResources }} - - key: extra-custom-resources - path: extra-custom-resources - {{- end }} - containers: - - name: kubectl - image: {{template "gloo.image" $image}} - imagePullPolicy: {{ $image.pullPolicy }} - env: - - name: HAS_CUSTOM_RESOURCES - valueFrom: - configMapKeyRef: 
- name: gloo-custom-resource-config - key: has-custom-resources - {{- if .Values.global.extraCustomResources }} - - name: HAS_EXTRA_CUSTOM_RESOURCES - valueFrom: - configMapKeyRef: - name: gloo-custom-resource-config - key: has-extra-custom-resources - {{- end }} - volumeMounts: - - name: custom-resource-config-volume - mountPath: /etc/gloo-custom-resources - {{- $securityDefaults := dict "runAsNonRoot" true }} - {{- if not .Values.gateway.rolloutJob.floatingUserId -}} - {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }} - {{- end -}} - {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10 "globalSec" .Values.global.securitySettings) }} - {{- with .Values.gateway.rolloutJob.resources }} - resources: {{ toYaml . | nindent 12}} - {{- end }} - command: - - /bin/sh - - -c - - | - # Check if Gloo Edge applied custom resources - if [ "$HAS_CUSTOM_RESOURCES" == "true" ] - then - # Wait for the resource rollout job to complete - kubectl -n {{ .Release.Namespace }} get job gloo-resource-rollout &> /dev/null - if [ $? -eq 0 ] - then - # Exit immediately if the rollout job failed - kubectl -n {{ .Release.Namespace }} get job gloo-resource-rollout -o jsonpath='{.status.conditions[?(@.type=="Failed")].status}' | grep -i "True" &> /dev/null - if [ $? -eq 0 ] - then - echo "Rollout job failed. Not all resources were successfully created." 
- exit 1 - fi - echo "Waiting for the resource rollout job to complete" - kubectl -n {{ .Release.Namespace }} wait --for=condition=complete job gloo-resource-rollout --timeout={{ .Values.gateway.rolloutJob.timeout }}s || exit 1 - - fi - - # If the resource has been applied, re-applying it should output something like this - # gateway.gateway.solo.io/default unchanged - # If not it will output - # gateway.gateway.solo.io/default configured - # gateway.gateway.solo.io/default created - # This indicates that the resource was not applied in the resource rollout job - if [ "$HAS_EXTRA_CUSTOM_RESOURCES" == "true" ] - then - FAILED_RESOURCES=$(kubectl apply -f /etc/gloo-custom-resources/extra-custom-resources | grep -iv ' unchanged') - if [ ! -z "$FAILED_RESOURCES" ] - then - echo "The following extra resources failed to be applied by the resource rollout job $FAILED_RESOURCES. As a consequence, other custom resources (eg. Gateways) were not applied." - exit 1 - else - echo "The resource rollout job successfully applied all the extra resources" - fi - fi - - FAILED_RESOURCES=$(kubectl apply -f /etc/gloo-custom-resources/custom-resources | grep -iv ' unchanged') - if [ ! -z "$FAILED_RESOURCES" ] - then - echo "The following resources failed to be applied by the resource rollout job $FAILED_RESOURCES" - exit 1 - else - echo "The resource rollout job successfully applied all the resources" - fi - else - echo "no custom resources to check" - fi -{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}} - diff --git a/install/helm/gloo/templates/5-resource-rollout-cleanup-job.yaml b/install/helm/gloo/templates/5-resource-rollout-cleanup-job.yaml deleted file mode 100644 index f5b172539c7..00000000000 --- a/install/helm/gloo/templates/5-resource-rollout-cleanup-job.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -{{- if .Values.gateway.rolloutJob.enabled }} -{{- $image := .Values.gateway.rolloutJob.image }} -{{- if .Values.global }} -{{- $image = merge .Values.gateway.rolloutJob.image .Values.global.image }} -{{- end }} -apiVersion: batch/v1 -kind: Job -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: resource-rollout - name: gloo-resource-rollout-cleanup - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "5" # run this job after the role/rolebinding is created - {{- include "gloo.jobHelmDeletePolicySucceededAndBeforeCreation" .Values.gateway.rolloutJob | nindent 4 }} -spec: - {{- include "gloo.jobSpecStandardFields" .Values.gateway.rolloutJob | nindent 2 -}} - template: - metadata: - labels: - gloo: resource-rollout - sidecar.istio.io/inject: "false" - {{- if .Values.gateway.rolloutJob.extraPodLabels }} - {{- range $key, $value := .Values.gateway.rolloutJob.extraPodLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if or .Values.settings.linkerd .Values.gateway.rolloutJob.extraPodAnnotations }} - annotations: - {{- if .Values.settings.linkerd }} - "linkerd.io/inject": disabled - {{- end }} - {{- range $key, $value := .Values.gateway.rolloutJob.extraPodAnnotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: - {{- include "gloo.pullSecret" $image | nindent 6 -}} - serviceAccountName: gloo-resource-rollout-cleanup - {{- include "gloo.podSpecStandardFields" .Values.gateway.rolloutJob | nindent 6 -}} - containers: - - name: kubectl - image: {{template "gloo.image" $image}} - imagePullPolicy: {{ $image.pullPolicy }} - {{- $securityDefaults := dict "runAsNonRoot" true }} - {{- if not .Values.gateway.rolloutJob.floatingUserId -}} - {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }} - {{- end -}} - {{- include "gloo.containerSecurityContext" (dict "values" 
.Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10 "globalSec" .Values.global.securitySettings) }} - {{- with .Values.gateway.rolloutJob.resources }} - resources: {{ toYaml . | nindent 12}} - {{- end }} - command: - - /bin/sh - - -c - - | - # Check if the resource rollout job exists - kubectl -n {{ .Release.Namespace }} get job gloo-resource-rollout &> /dev/null - if [ $? -eq 0 ] - then - echo "Cleaning up resource-rollout-job" - # Clean it up so it doesn't cause issues with upgrades - kubectl -n {{ .Release.Namespace }} delete job gloo-resource-rollout || exit $? - fi -{{- if .Values.global.glooRbac.create }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: rbac - name: gloo-resource-rollout-cleanup - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "0" ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-resource-rollout-cleanup - namespace: {{ .Release.Namespace }} - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: rbac - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "0" -rules: -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["get", "list", "delete"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-resource-rollout-cleanup - namespace: {{ .Release.Namespace }} - labels: -{{ include "gloo.labels" . 
| indent 4}}
- gloo: rbac
- annotations:
- "helm.sh/hook": pre-upgrade
- "helm.sh/hook-weight": "0"
-roleRef:
- kind: Role
- name: gloo-resource-rollout-cleanup
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: gloo-resource-rollout-cleanup
- namespace: {{ .Release.Namespace }}
-{{- end }}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
\ No newline at end of file
diff --git a/install/helm/gloo/templates/5-resource-rollout-job-clusterrole.yaml b/install/helm/gloo/templates/5-resource-rollout-job-clusterrole.yaml
deleted file mode 100644
index 835312647ea..00000000000
--- a/install/helm/gloo/templates/5-resource-rollout-job-clusterrole.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-rollout{{ include "gloo.rbacNameSuffix" . }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
-rules:
-- apiGroups: ["gateway.solo.io"]
- resources: ["*"]
- verbs: ["get", "list", "create", "update", "patch"]
-{{- end -}}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-rollout-job-clusterrolebinding.yaml b/install/helm/gloo/templates/5-resource-rollout-job-clusterrolebinding.yaml
deleted file mode 100644
index d3f34233918..00000000000
--- a/install/helm/gloo/templates/5-resource-rollout-job-clusterrolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-rollout{{ include "gloo.rbacNameSuffix" . }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
-roleRef:
- kind: ClusterRole
- name: gloo-resource-rollout{{ include "gloo.rbacNameSuffix" . }}
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: gloo-resource-rollout
- namespace: {{ .Release.Namespace }}
-{{- end -}}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-rollout-job-role.yaml b/install/helm/gloo/templates/5-resource-rollout-job-role.yaml
deleted file mode 100644
index 192ec07b840..00000000000
--- a/install/helm/gloo/templates/5-resource-rollout-job-role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-rollout
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
-rules:
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["gloo.solo.io"]
- resources: ["*"]
- verbs: ["get", "list", "create", "update", "patch"]
-# This permission is required by the oss rollout job in order to wait for the enterprise rollout job to finish first
-- apiGroups: ["batch"]
- resources: ["jobs"]
- verbs: ["get", "list", "watch", "delete"]
-{{- end -}}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-rollout-job-rolebinding.yaml b/install/helm/gloo/templates/5-resource-rollout-job-rolebinding.yaml
deleted file mode 100644
index ef7790bdb7b..00000000000
--- a/install/helm/gloo/templates/5-resource-rollout-job-rolebinding.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-resource-rollout
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
-roleRef:
- kind: Role
- name: gloo-resource-rollout
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: gloo-resource-rollout
- namespace: {{ .Release.Namespace }}
-{{- end -}}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-rollout-job-service-account.yaml b/install/helm/gloo/templates/5-resource-rollout-job-service-account.yaml
deleted file mode 100644
index ec6515f0e1b..00000000000
--- a/install/helm/gloo/templates/5-resource-rollout-job-service-account.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.gateway.rolloutJob.enabled }}
-{{- if .Values.global.glooRbac.create }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- name: gloo-resource-rollout
- namespace: {{ .Release.Namespace }}
-{{- end -}}{{/* if .Values.global.glooRbac.create */}}
-{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}}
diff --git a/install/helm/gloo/templates/5-resource-rollout-job.yaml b/install/helm/gloo/templates/5-resource-rollout-job.yaml
deleted file mode 100644
index affd62889f9..00000000000
--- a/install/helm/gloo/templates/5-resource-rollout-job.yaml
+++ /dev/null
@@ -1,115 +0,0 @@ -{{- if .Values.gateway.rolloutJob.enabled }} -{{- $image := .Values.gateway.rolloutJob.image }} -{{- if .Values.global }} -{{- $image = merge .Values.gateway.rolloutJob.image .Values.global.image }} -{{- end }} -apiVersion: batch/v1 -kind: Job -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: resource-rollout - name: gloo-resource-rollout - namespace: {{ .Release.Namespace }} - annotations: - # Argo checks the status of resources in an app to determine its state. Since a job is cleaned up (deleted) after ttlSecondsAfterFinished, - # the missing job causes the argo app to go out of sync. - # Annotating this job as a Sync hook along with an argo-specific hook deletion policy ensures that even when the job is cleaned up, - # it does not alter the state of the argo app and that it is still in sync. - argocd.argoproj.io/hook: Sync - argocd.argoproj.io/hook-delete-policy: BeforeHookCreation -spec: - {{- include "gloo.jobSpecStandardFields" .Values.gateway.rolloutJob | nindent 2 -}} - template: - metadata: - labels: - gloo: resource-rollout - sidecar.istio.io/inject: "false" - {{- if .Values.gateway.rolloutJob.extraPodLabels }} - {{- range $key, $value := .Values.gateway.rolloutJob.extraPodLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if or .Values.settings.linkerd .Values.gateway.rolloutJob.extraPodAnnotations }} - annotations: - {{- if .Values.settings.linkerd }} - "linkerd.io/inject": disabled - {{- end }} - {{- range $key, $value := .Values.gateway.rolloutJob.extraPodAnnotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: - {{- include "gloo.pullSecret" $image | nindent 6 -}} - serviceAccountName: gloo-resource-rollout - {{- include "gloo.podSpecStandardFields" .Values.gateway.rolloutJob | nindent 6 -}} - volumes: - - name: custom-resource-config-volume - configMap: - name: gloo-custom-resource-config - items: - - key: custom-resources - path: 
custom-resources - {{- if .Values.global.extraCustomResources }} - - key: extra-custom-resources - path: extra-custom-resources - {{- end }} - containers: - - name: kubectl - image: {{template "gloo.image" $image}} - imagePullPolicy: {{ $image.pullPolicy }} - env: - - name: HAS_CUSTOM_RESOURCES - valueFrom: - configMapKeyRef: - name: gloo-custom-resource-config - key: has-custom-resources - {{- if .Values.global.extraCustomResources }} - - name: HAS_EXTRA_CUSTOM_RESOURCES - valueFrom: - configMapKeyRef: - name: gloo-custom-resource-config - key: has-extra-custom-resources - {{- end }} - volumeMounts: - - name: custom-resource-config-volume - mountPath: /etc/gloo-custom-resources - {{- $securityDefaults := dict "runAsNonRoot" true }} - {{- if not .Values.gateway.rolloutJob.floatingUserId -}} - {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }} - {{- end -}} - {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10 "globalSec" .Values.global.securitySettings) }} - {{- with .Values.gateway.rolloutJob.resources }} - resources: {{ toYaml . | nindent 12}} - {{- end }} - command: - - /bin/sh - - -c - - | - {{ if and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.validation.webhook.enabled -}} - # if validation webhook is enabled, wait for deployment rollout so validation service will be available - kubectl rollout status deployment -n {{ .Release.Namespace }} gloo - {{- end }} - - # apply extra Gloo Edge custom resources - these are created in enterprise - if [ "$HAS_EXTRA_CUSTOM_RESOURCES" == "true" ] - then - kubectl apply -f /etc/gloo-custom-resources/extra-custom-resources || exit $? 
- else - echo "no extra custom resources to apply" - fi - - # apply Gloo Edge custom resources - if [ "$HAS_CUSTOM_RESOURCES" == "true" ] - then - kubectl apply -f /etc/gloo-custom-resources/custom-resources || exit $? - else - echo "no custom resources to apply" - fi - - # remove the resource-policy annotations that were added temporarily by the gloo-resource-migration job during upgrade - kubectl annotate upstreams.gloo.solo.io -n {{ $.Release.Namespace }} -l app=gloo helm.sh/resource-policy- || exit $? - {{- range include "gloo.gatewayNamespaces" $ | fromJsonArray }} - kubectl annotate gateways.gateway.solo.io -n {{ . }} -l app=gloo helm.sh/resource-policy- || exit $? - {{- end }} -{{- end }}{{/* if .Values.gateway.rolloutJob.enabled */}} diff --git a/install/helm/gloo/templates/6.5-gateway-certgen-cronjob.yaml b/install/helm/gloo/templates/6.5-gateway-certgen-cronjob.yaml deleted file mode 100644 index 15833be795c..00000000000 --- a/install/helm/gloo/templates/6.5-gateway-certgen-cronjob.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{ define "gateway.certGenCronJobSpec" }} -{{- $image := .Values.gateway.certGenJob.image }} -{{- if .Values.global }} -{{- $image = merge .Values.gateway.certGenJob.image .Values.global.image }} -{{- end }} -{{- if and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.validation.webhook.enabled .Values.gateway.certGenJob.cron.enabled }} -apiVersion: batch/v1 -kind: CronJob -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: gateway-certgen-cronjob - gloo.solo.io/component: certgen - name: gateway-certgen-cronjob - namespace: {{ .Release.Namespace }} -spec: - schedule: {{ .Values.gateway.certGenJob.cron.schedule | quote }} - jobTemplate: - spec: - {{- include "gloo.jobSpecStandardFields" .Values.gateway.certGenJob | nindent 6 -}} - template: - metadata: - labels: - gloo: gloo-gateway-certs - sidecar.istio.io/inject: "false" - {{- if .Values.gateway.certGenJob.extraPodLabels }} - {{- range $key, $value := .Values.gateway.certGenJob.extraPodLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if or .Values.settings.linkerd .Values.gateway.certGenJob.extraPodAnnotations }} - annotations: - {{- if .Values.settings.linkerd }} - "linkerd.io/inject": disabled - {{- end }} - {{- range $key, $value := .Values.gateway.certGenJob.extraPodAnnotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: - {{- include "gloo.pullSecret" $image | nindent 10 -}} - serviceAccountName: certgen - {{- include "gloo.podSpecStandardFields" .Values.gateway.certGenJob | nindent 10 -}} - containers: - - image: {{template "gloo.image" $image}} - imagePullPolicy: {{ $image.pullPolicy }} - name: certgen - {{- $securityDefaults := dict "runAsNonRoot" true }} - {{- if not .Values.gateway.certGenJob.floatingUserId }} - {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.certGenJob.runAsUser }} - {{- end }} - {{- include "gloo.containerSecurityContext" (dict "values" 
.Values.gateway.certGenJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 14 "globalSec" .Values.global.securitySettings) }} - {{- with .Values.gateway.certGenJob.resources }} - resources: {{ toYaml . | nindent 16 }} - {{- end }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - args: - - "--secret-name={{ .Values.gateway.validation.secretName }}" - - "--svc-name=gloo" - - "--validating-webhook-configuration-name=gloo-gateway-validation-webhook-{{ .Release.Namespace }}" - {{- if .Values.gateway.certGenJob.forceRotation }} - - "--force-rotation=true" - {{- end }} {{/* if .Values.gateway.certGenJob.forceRotation */}} -{{- end }} {{/* if and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.validation.webhook.enabled .Values.gateway.certGenJob.cron.enabled */}} -{{- end }} {{/* define gateway.certGenJob.JobSpec*/}} - -{{/* Render template with yaml overrides */}} -{{- $kubeResourceOverride := dict -}} -{{- if .Values.gateway.certGenJob -}} -{{- $kubeResourceOverride = .Values.gateway.certGenJob.cron.validationWebhookKubeResourceOverride -}} -{{- end -}} -{{- include "gloo.util.merge" (list . $kubeResourceOverride "gateway.certGenCronJobSpec") -}} diff --git a/install/helm/gloo/templates/6.5-gateway-certgen-job-secret-create-role.yaml b/install/helm/gloo/templates/6.5-gateway-certgen-job-secret-create-role.yaml deleted file mode 100644 index 76d00a48617..00000000000 --- a/install/helm/gloo/templates/6.5-gateway-certgen-job-secret-create-role.yaml +++ /dev/null 
@@ -1,22 +0,0 @@
-{{- if or (and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.certGenJob.enabled) (.Values.global.glooMtls.enabled) }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-gateway-secret-create{{ include "gloo.rbacNameSuffix" . }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- gloo.solo.io/component: certgen
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "5" # must be executed before cert-gen job
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["create", "get", "update"]
----
-{{- end }} {{/* .Values.global.glooRbac.create */}}
-{{- end }} {{/* {{- if or (and gateway.enabled validation.enabled certGenJob.enabled glooMtls.enabled */}}
diff --git a/install/helm/gloo/templates/6.5-gateway-certgen-job-secret-create-rolebinding.yaml b/install/helm/gloo/templates/6.5-gateway-certgen-job-secret-create-rolebinding.yaml
deleted file mode 100644
index 24c627f0625..00000000000
--- a/install/helm/gloo/templates/6.5-gateway-certgen-job-secret-create-rolebinding.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{- if or (and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.certGenJob.enabled) (.Values.global.glooMtls.enabled) }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-gateway-secret-create{{ include "gloo.rbacNameSuffix" . }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- gloo.solo.io/component: certgen
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "5" # must be executed before cert-gen job
-subjects:
- - kind: ServiceAccount
- name: certgen
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: Role
- name: gloo-gateway-secret-create{{ include "gloo.rbacNameSuffix" . }}
- apiGroup: rbac.authorization.k8s.io
-{{- end }} {{/* .Values.global.glooRbac.create */}}
-{{- end }} {{/* {{- if or (and gateway.enabled validation.enabled certGenJob.enabled glooMtls.enabled */}}
diff --git a/install/helm/gloo/templates/6.5-gateway-certgen-job-service-account.yaml b/install/helm/gloo/templates/6.5-gateway-certgen-job-service-account.yaml
deleted file mode 100644
index 7d0e1a01d80..00000000000
--- a/install/helm/gloo/templates/6.5-gateway-certgen-job-service-account.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if or (and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.certGenJob.enabled) (.Values.global.glooMtls.enabled) }}
-{{- if .Values.global.glooRbac.create }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- gloo.solo.io/component: certgen
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "5" # must be executed before cert-gen job
- name: certgen
- namespace: {{ $.Release.Namespace }}
-{{- end }} {{/* .Values.global.glooRbac.create */}}
-{{- end }} {{/* {{- if or (and gateway.enabled validation.enabled certGenJob.enabled glooMtls.enabled */}}
diff --git a/install/helm/gloo/templates/6.5-gateway-certgen-job-vwc-update-clusterrole.yaml b/install/helm/gloo/templates/6.5-gateway-certgen-job-vwc-update-clusterrole.yaml
deleted file mode 100644
index 8ecca9418eb..00000000000
--- a/install/helm/gloo/templates/6.5-gateway-certgen-job-vwc-update-clusterrole.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if or (and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.certGenJob.enabled) (.Values.global.glooMtls.enabled) }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-gateway-vwc-update{{ include "gloo.rbacNameSuffix" . }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- gloo.solo.io/component: certgen
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "5" # must be executed before cert-gen job
-rules:
-- apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "update"]
-{{- end }} {{/* .Values.global.glooRbac.create */}}
-{{- end }} {{/* {{- if or (and gateway.enabled validation.enabled certGenJob.enabled glooMtls.enabled */}}
diff --git a/install/helm/gloo/templates/6.5-gateway-certgen-job-vwc-update-clusterrolebinding.yaml b/install/helm/gloo/templates/6.5-gateway-certgen-job-vwc-update-clusterrolebinding.yaml
deleted file mode 100644
index eebb49a8e6b..00000000000
--- a/install/helm/gloo/templates/6.5-gateway-certgen-job-vwc-update-clusterrolebinding.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if or (and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.certGenJob.enabled) (.Values.global.glooMtls.enabled) }}
-{{- if .Values.global.glooRbac.create }}
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: gloo-gateway-vwc-update{{ include "gloo.rbacNameSuffix" . }}
- labels:
-{{ include "gloo.labels" . | indent 4}}
- gloo: rbac
- gloo.solo.io/component: certgen
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "5" # must be executed before cert-gen job
-subjects:
-- kind: ServiceAccount
- name: certgen
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: gloo-gateway-vwc-update{{ include "gloo.rbacNameSuffix" . }}
- apiGroup: rbac.authorization.k8s.io
-{{- end }} {{/* .Values.global.glooRbac.create */}}
-{{- end }} {{/* {{- if or (and gateway.enabled validation.enabled certGenJob.enabled glooMtls.enabled */}}
diff --git a/install/helm/gloo/templates/6.5-gateway-certgen-job.yaml b/install/helm/gloo/templates/6.5-gateway-certgen-job.yaml
deleted file mode 100644
index d1b795f1752..00000000000
--- a/install/helm/gloo/templates/6.5-gateway-certgen-job.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -{{- define "gloo.gatewayCertGenJobSpec" -}} -{{- if and .Values.gateway.enabled .Values.gateway.validation.enabled .Values.gateway.certGenJob.enabled }} - -{{- $image := .Values.gateway.certGenJob.image }} -{{- if .Values.global }} -{{- $image = merge .Values.gateway.certGenJob.image .Values.global.image }} -{{- end }} -apiVersion: batch/v1 -kind: Job -metadata: - labels: -{{ include "gloo.labels" . | indent 4}} - gloo: gateway-certgen - gloo.solo.io/component: certgen - name: gateway-certgen - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-weight": "10" - {{- include "gloo.jobHelmDeletePolicySucceededAndBeforeCreation" .Values.gateway.certGenJob | nindent 4 }} -spec: - {{- include "gloo.jobSpecStandardFields" .Values.gateway.certGenJob | nindent 2 -}} - template: - metadata: - labels: - gloo: gateway-certgen - sidecar.istio.io/inject: "false" - {{- if .Values.gateway.certGenJob.extraPodLabels }} - {{- range $key, $value := .Values.gateway.certGenJob.extraPodLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if or .Values.settings.linkerd .Values.gateway.certGenJob.extraPodAnnotations }} - annotations: - {{- if .Values.settings.linkerd }} - "linkerd.io/inject": disabled - {{- end }} - {{- range $key, $value := .Values.gateway.certGenJob.extraPodAnnotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: - {{- include "gloo.pullSecret" $image | nindent 6 -}} - serviceAccountName: certgen - {{- include "gloo.podSpecStandardFields" .Values.gateway.certGenJob | nindent 6 -}} - containers: - - image: {{template "gloo.image" $image}} - imagePullPolicy: {{ $image.pullPolicy }} - name: certgen - {{- $securityDefaults := dict "runAsNonRoot" true }} - {{- if not .Values.gateway.certGenJob.floatingUserId }} - {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.certGenJob.runAsUser }} - {{- end }} - {{- include 
"gloo.containerSecurityContext" (dict "values" .Values.gateway.certGenJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10 "globalSec" .Values.global.securitySettings) }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - args: - - "--secret-name={{ .Values.gateway.validation.secretName }}" - - "--svc-name=gloo" - - "--validating-webhook-configuration-name=gloo-gateway-validation-webhook-{{ .Release.Namespace }}" - {{- if .Values.gateway.certGenJob.forceRotation }} - - "--force-rotation=true" - {{- end }} {{/* if .Values.gateway.certGenJob.forceRotation */}} - {{- with .Values.gateway.certGenJob.resources }} - resources: {{ toYaml . | nindent 12}} - {{- end }} -{{- end }} {{/* if and gateway.enabled gateway.validation.enabled gateway.certGenJob.enabled */}} -{{- end }} {{/* define "gloo.gatewayCertGenJobSpec" */}} - -{{/* Render template with yaml overrides */}} -{{- $kubeResourceOverride := dict -}} -{{- if .Values.gateway.certGenJob -}} -{{- $kubeResourceOverride = .Values.gateway.certGenJob.kubeResourceOverride -}} -{{- end -}} -{{- include "gloo.util.merge" (list . $kubeResourceOverride "gloo.gatewayCertGenJobSpec") -}} From 3b4a093ae2b81f3c36d47c4461cdef5cc15afc92 Mon Sep 17 00:00:00 2001 From: Lawrence Gadban Date: Wed, 22 Jan 2025 22:42:54 -0600 Subject: [PATCH 5/9] undo --- .github/workflows/static-analysis.yaml | 3 +- pkg/utils/envoyutils/admincli/client.go | 8 +- pkg/utils/envoyutils/bootstrap/bootstrap.go | 2 +- .../envoyutils/bootstrap/bootstrap_test.go | 161 +++++++++--------- pkg/utils/namespaces/namespaces.go | 52 ++++++ pkg/utils/regexutils/regex.go | 81 +++++---- pkg/utils/regexutils/regex_test.go | 54 +++--- 7 files changed, 207 insertions(+), 154 deletions(-) diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml index b53e7c68234..6f01c777f41 100644 --- a/.github/workflows/static-analysis.yaml 
+++ b/.github/workflows/static-analysis.yaml @@ -40,8 +40,7 @@ jobs: # If this action fails, try running `make analyze` locally. with: version: v1.57.2 - # TODO: remove specific dir once we remove old code and deflate structure - args: --verbose --modules-download-mode=readonly --allow-parallel-runners ./projects/gateway2 + args: --verbose --modules-download-mode=readonly --allow-parallel-runners skip-cache: true skip-save-cache: true only-new-issues: false diff --git a/pkg/utils/envoyutils/admincli/client.go b/pkg/utils/envoyutils/admincli/client.go index c34a9cc2c61..cd37affcc44 100644 --- a/pkg/utils/envoyutils/admincli/client.go +++ b/pkg/utils/envoyutils/admincli/client.go @@ -17,6 +17,7 @@ import ( "github.com/solo-io/gloo/pkg/utils/kubeutils/kubectl" "github.com/solo-io/gloo/pkg/utils/kubeutils/portforward" + "github.com/solo-io/gloo/projects/gloo/pkg/defaults" ) const ( @@ -29,9 +30,6 @@ const ( HealthCheckPath = "healthcheck" LoggingPath = "logging" ServerInfoPath = "server_info" - - // TODO: directly copied from previous constants file, this should probably actually be defined in envoy-gloo? - EnvoyAdminPort uint32 = 19000 ) // DumpOptions should have flags for any kind of underlying optional @@ -58,7 +56,7 @@ func NewClient() *Client { curlOptions: []curl.Option{ curl.WithScheme("http"), curl.WithHost("127.0.0.1"), - curl.WithPort(int(EnvoyAdminPort)), + curl.WithPort(int(defaults.EnvoyAdminPort)), // 3 retries, exponential back-off, 10 second max curl.WithRetries(3, 0, 10), }, @@ -77,7 +75,7 @@ func NewPortForwardedClient(ctx context.Context, proxySelector, namespace string // 1. Open a port-forward to the Kubernetes Deployment, so that we can query the Envoy Admin API directly portForwarder, err := kubectl.NewCli().StartPortForward(ctx, selector, - portforward.WithRemotePort(int(EnvoyAdminPort))) + portforward.WithRemotePort(int(defaults.EnvoyAdminPort))) if err != nil { return nil, nil, err } 
diff --git a/pkg/utils/envoyutils/bootstrap/bootstrap.go b/pkg/utils/envoyutils/bootstrap/bootstrap.go index 6d22d3f519b..02d6454ee1d 100644 --- a/pkg/utils/envoyutils/bootstrap/bootstrap.go +++ b/pkg/utils/envoyutils/bootstrap/bootstrap.go @@ -17,7 +17,7 @@ import ( "github.com/golang/protobuf/proto" anypb "github.com/golang/protobuf/ptypes/any" "github.com/rotisserie/eris" - "github.com/solo-io/gloo/projects/gateway2/utils" + "github.com/solo-io/gloo/projects/gloo/pkg/utils" envoycache "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/cache" ) diff --git a/pkg/utils/envoyutils/bootstrap/bootstrap_test.go b/pkg/utils/envoyutils/bootstrap/bootstrap_test.go index 42082867f98..bb2791b58fc 100644 --- a/pkg/utils/envoyutils/bootstrap/bootstrap_test.go +++ b/pkg/utils/envoyutils/bootstrap/bootstrap_test.go @@ -3,7 +3,9 @@ package bootstrap import ( "context" - "github.com/solo-io/gloo/projects/gateway2/utils" + envoytransformation "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/extensions/transformation" + "github.com/solo-io/gloo/projects/gloo/pkg/utils" + envoycache "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/cache" "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/resource" "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/types" 
@@ -215,91 +217,88 @@ var _ = Describe("Static bootstrap generation", func() { }) }) }) + Context("From Filter", func() { + It("produces correct bootstrap", func() { + inTransformation := &envoytransformation.RouteTransformations{ + ClearRouteCache: true, + Transformations: []*envoytransformation.RouteTransformations_RouteTransformation{ + { + Match: &envoytransformation.RouteTransformations_RouteTransformation_RequestMatch_{ + RequestMatch: &envoytransformation.RouteTransformations_RouteTransformation_RequestMatch{ClearRouteCache: true}, + }, + }, + }, + } - // TODO: reimplement with transformation - // Context("From Filter", func() { - // It("produces correct bootstrap", func() { - // inTransformation := &envoytransformation.RouteTransformations{ - // ClearRouteCache: true, - // Transformations: []*envoytransformation.RouteTransformations_RouteTransformation{ - // { - // Match: &envoytransformation.RouteTransformations_RouteTransformation_RequestMatch_{ - // RequestMatch: &envoytransformation.RouteTransformations_RouteTransformation_RequestMatch{ClearRouteCache: true}, - // }, - // }, - // }, - // } - - // filterName := "transformation" - // actual, err := FromFilter(filterName, inTransformation) - // Expect(err).NotTo(HaveOccurred()) - - // expectedBootstrap := &envoy_config_bootstrap_v3.Bootstrap{ - // Node: &envoy_config_core_v3.Node{ - // Id: "validation-node-id", - // Cluster: "validation-cluster", - // }, - // StaticResources: &envoy_config_bootstrap_v3.Bootstrap_StaticResources{ - // Listeners: []*envoy_config_listener_v3.Listener{{ - // Name: "placeholder_listener", - // Address: &envoy_config_core_v3.Address{ - // Address: &envoy_config_core_v3.Address_SocketAddress{SocketAddress: &envoy_config_core_v3.SocketAddress{ - // Address: "0.0.0.0", - // PortSpecifier: &envoy_config_core_v3.SocketAddress_PortValue{PortValue: 8081}, - // }}, - // }, - // FilterChains: []*envoy_config_listener_v3.FilterChain{ - // { - // Name: "placeholder_filter_chain", - // 
Filters: []*envoy_config_listener_v3.Filter{ - // { - // Name: wellknown.HTTPConnectionManager, - // ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{ - // TypedConfig: func() *anypb.Any { - // hcmAny, err := utils.MessageToAny(&envoy_extensions_filters_network_http_connection_manager_v3.HttpConnectionManager{ - // StatPrefix: "placeholder", - // RouteSpecifier: &envoy_extensions_filters_network_http_connection_manager_v3.HttpConnectionManager_RouteConfig{ - // RouteConfig: &envoy_config_route_v3.RouteConfiguration{ - // VirtualHosts: []*envoy_config_route_v3.VirtualHost{ - // { - // Name: "placeholder_host", - // Domains: []string{"*"}, - // TypedPerFilterConfig: map[string]*anypb.Any{ - // filterName: { - // TypeUrl: "type.googleapis.com/envoy.api.v2.filter.http.RouteTransformations", - // Value: func() []byte { - // tformany, err := utils.MessageToAny(inTransformation) - // Expect(err).NotTo(HaveOccurred()) - // return tformany.GetValue() - // }(), - // }, - // }, - // }, - // }, - // }, - // }, - // }) - // Expect(err).NotTo(HaveOccurred()) - // return hcmAny - // }(), - // }, - // }, - // }, - // }, - // }, - // }}, - // }, - // } + filterName := "transformation" + actual, err := FromFilter(filterName, inTransformation) + Expect(err).NotTo(HaveOccurred()) - // actualBootstrap := &envoy_config_bootstrap_v3.Bootstrap{} + expectedBootstrap := &envoy_config_bootstrap_v3.Bootstrap{ + Node: &envoy_config_core_v3.Node{ + Id: "validation-node-id", + Cluster: "validation-cluster", + }, + StaticResources: &envoy_config_bootstrap_v3.Bootstrap_StaticResources{ + Listeners: []*envoy_config_listener_v3.Listener{{ + Name: "placeholder_listener", + Address: &envoy_config_core_v3.Address{ + Address: &envoy_config_core_v3.Address_SocketAddress{SocketAddress: &envoy_config_core_v3.SocketAddress{ + Address: "0.0.0.0", + PortSpecifier: &envoy_config_core_v3.SocketAddress_PortValue{PortValue: 8081}, + }}, + }, + FilterChains: []*envoy_config_listener_v3.FilterChain{ + { + 
Name: "placeholder_filter_chain", + Filters: []*envoy_config_listener_v3.Filter{ + { + Name: wellknown.HTTPConnectionManager, + ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{ + TypedConfig: func() *anypb.Any { + hcmAny, err := utils.MessageToAny(&envoy_extensions_filters_network_http_connection_manager_v3.HttpConnectionManager{ + StatPrefix: "placeholder", + RouteSpecifier: &envoy_extensions_filters_network_http_connection_manager_v3.HttpConnectionManager_RouteConfig{ + RouteConfig: &envoy_config_route_v3.RouteConfiguration{ + VirtualHosts: []*envoy_config_route_v3.VirtualHost{ + { + Name: "placeholder_host", + Domains: []string{"*"}, + TypedPerFilterConfig: map[string]*anypb.Any{ + filterName: { + TypeUrl: "type.googleapis.com/envoy.api.v2.filter.http.RouteTransformations", + Value: func() []byte { + tformany, err := utils.MessageToAny(inTransformation) + Expect(err).NotTo(HaveOccurred()) + return tformany.GetValue() + }(), + }, + }, + }, + }, + }, + }, + }) + Expect(err).NotTo(HaveOccurred()) + return hcmAny + }(), + }, + }, + }, + }, + }, + }}, + }, + } - // err = protojson.Unmarshal([]byte(actual), actualBootstrap) - // Expect(err).NotTo(HaveOccurred()) + actualBootstrap := &envoy_config_bootstrap_v3.Bootstrap{} - // Expect(proto.Equal(expectedBootstrap, actualBootstrap)).To(BeTrue()) - // }) - // }) + err = protojson.Unmarshal([]byte(actual), actualBootstrap) + Expect(err).NotTo(HaveOccurred()) + Expect(proto.Equal(expectedBootstrap, actualBootstrap)).To(BeTrue()) + }) + }) Context("From Snapshot", func() { var ( snap *fakeSnapshot diff --git a/pkg/utils/namespaces/namespaces.go b/pkg/utils/namespaces/namespaces.go index ac5e3a0c07c..073b9ffdf76 100644 --- a/pkg/utils/namespaces/namespaces.go +++ b/pkg/utils/namespaces/namespaces.go 
@@ -1,7 +1,18 @@ package namespaces import ( + "context" + "errors" "os" + + "github.com/solo-io/gloo/projects/gloo/cli/pkg/helpers" + "github.com/solo-io/solo-kit/pkg/api/external/kubernetes/namespace" + "github.com/solo-io/solo-kit/pkg/api/v1/clients/kube/cache" + "github.com/solo-io/solo-kit/pkg/api/v1/resources/common/kubernetes" + + authv1 "k8s.io/api/authorization/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + k8s_kubernetes "k8s.io/client-go/kubernetes" ) // AllNamespaces returns true if the list of namespaces watched is empty or contains only a blank string @@ -43,3 +54,44 @@ func GetPodNamespace() string { } return "gloo-system" } + +// NewKubeNamespaceClient creates and returns the `namespace.NewNamespaceClient` if it has permissions to list namespaces +// This entails creating a kubeclient, kubecorecache and calling a SelfSubjectAccessReview to verify if it has the appropriate RBAC +func NewKubeNamespaceClient(ctx context.Context) (kubernetes.KubeNamespaceClient, error) { + kubeClient, err := helpers.KubeClientWithKubecontext("") + if err != nil { + return nil, err + } + + clientset, ok := kubeClient.(*k8s_kubernetes.Clientset) + if !ok { + return nil, errors.New("unable to create kube client to list namespaces") + } + + action := authv1.ResourceAttributes{ + Namespace: "", + Verb: "list", + Resource: "namespaces", + } + + selfCheck := authv1.SelfSubjectAccessReview{ + Spec: authv1.SelfSubjectAccessReviewSpec{ + ResourceAttributes: &action, + }, + } + + resp, err := clientset.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, &selfCheck, metav1.CreateOptions{}) + if err != nil { + return nil, err + } + + if resp.Status.Allowed { + kubeCache, err := cache.NewKubeCoreCache(ctx, kubeClient) + if err != nil { + return nil, err + } + + return namespace.NewNamespaceClient(kubeClient, kubeCache), nil + } + return nil, errors.New("the caller does not have permissions to list namespaces") +} 
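Review bot: The denial path at the end of `NewKubeNamespaceClient` throws away what the API server said about the refusal: when `resp.Status.Allowed` is false it returns a fixed string and drops `resp.Status.Reason` and `resp.Status.EvaluationError`, so an operator cannot tell an RBAC denial from an authorizer that failed to evaluate. I would return `fmt.Errorf("caller is not allowed to list namespaces: reason=%q evaluationError=%q", resp.Status.Reason, resp.Status.EvaluationError)`, which needs `fmt` added in the import hunk above. The review asks only about the `list` verb; if the namespace client or the kube core cache built afterwards also watches namespaces (not visible in this hunk), a `watch` check belongs next to it. The message on the failed `*k8s_kubernetes.Clientset` assertion, "unable to create kube client to list namespaces", describes a different failure than the one that occurred and would be clearer naming the unexpected client type.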
diff --git a/pkg/utils/regexutils/regex.go b/pkg/utils/regexutils/regex.go index 989e0e97154..139bf503aaa 100644 --- a/pkg/utils/regexutils/regex.go +++ b/pkg/utils/regexutils/regex.go @@ -6,6 +6,10 @@ import ( envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" wrappers "github.com/golang/protobuf/ptypes/wrappers" + "github.com/solo-io/gloo/pkg/utils/settingsutil" + v32 "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/type/matcher/v3" + v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" + "github.com/solo-io/solo-kit/pkg/errors" ) // NewCheckedRegex creates a new regex matcher with the given regex. 
@@ -31,24 +35,21 @@ func CheckRegexString(candidateRegex string) error { // Wraps NewRegexFromSettings which wraps NewRegexWithProgramSize which leads to the tight coupling. // NOTE: Call this after having checked regex with CheckRegexString. func NewRegex(ctx context.Context, candidateRegex string) *envoy_type_matcher_v3.RegexMatcher { - // TODO: we need to figure out if the programsize as a global setting is still relevant - // settings := settingsutil.MaybeFromContext(ctx) - // return NewRegexFromSettings(settings, candidateRegex) - return NewRegexWithProgramSize(candidateRegex, nil) - + settings := settingsutil.MaybeFromContext(ctx) + return NewRegexFromSettings(settings, candidateRegex) } // NewRegexFromSettings wraps NewRegexWithProgramSize with the program size from the settings. // NOTE: Call this after having checked regex with CheckRegexString. -// func NewRegexFromSettings(settings *v1.Settings, candidateRegex string) *envoy_type_matcher_v3.RegexMatcher { -// var programsize *uint32 -// if settings != nil { -// if max_size := settings.GetGloo().GetRegexMaxProgramSize(); max_size != nil { -// programsize = &max_size.Value -// } -// } -// return NewRegexWithProgramSize(candidateRegex, programsize) -// } +func NewRegexFromSettings(settings *v1.Settings, candidateRegex string) *envoy_type_matcher_v3.RegexMatcher { + var programsize *uint32 + if settings != nil { + if max_size := settings.GetGloo().GetRegexMaxProgramSize(); max_size != nil { + programsize = &max_size.Value + } + } + return NewRegexWithProgramSize(candidateRegex, programsize) +} // NewRegexWithProgramSize creates a new regex matcher with the given program size. // This means its tightly coupled to envoy's implementation of regex. 
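Review bot: The doc comment on `NewRegexFromSettings` does not say what happens when no limit is configured: `programsize` stays nil whenever `settings` is nil or `GetRegexMaxProgramSize()` returns nil, and `NewRegex` forwards whatever `settingsutil.MaybeFromContext(ctx)` yields, so a context without settings produces a matcher with no explicit program-size bound (presumably leaving Envoy's default in force; the body of `NewRegexWithProgramSize` is outside this hunk). I would add `// A nil settings, or one without RegexMaxProgramSize, passes a nil program size to NewRegexWithProgramSize.` so callers relying on the limit as a guard against expensive patterns know it is optional. As a point of style, the local `max_size` should be `maxSize` to follow Go naming.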
@@ -70,36 +71,34 @@ func NewRegexWithProgramSize(candidateRegex string, programsize *uint32) *envoy_
 }
 }

-// TODO: audit this stuff, is it even still needed??
-
 // ConvertRegexMatchAndSubstitute into safe variant consumable by envoy.
 // By default we use the RegexMatcher_GoogleRe2 matcher which as of
 // envoy 1.21 is the only engine supported.
-// func ConvertRegexMatchAndSubstitute(ctx context.Context, in *v32.RegexMatchAndSubstitute) (*envoy_type_matcher_v3.RegexMatchAndSubstitute, error) {
-// if in == nil {
-// return nil, nil
-// }
+func ConvertRegexMatchAndSubstitute(ctx context.Context, in *v32.RegexMatchAndSubstitute) (*envoy_type_matcher_v3.RegexMatchAndSubstitute, error) {
+ if in == nil {
+ return nil, nil
+ }

-// out := &envoy_type_matcher_v3.RegexMatchAndSubstitute{
-// Pattern: NewRegex(ctx, in.GetPattern().GetRegex()),
-// Substitution: in.GetSubstitution(),
-// }
-// switch inET := in.GetPattern().GetEngineType().(type) {
-// case nil:
-// // we do nothing here as it defaults to googleRe2 but we dont have any of the extra settings on it.
-// case *v32.RegexMatcher_GoogleRe2:
-// // note that this is likely to be deprecated soon anyways... So if engines no longer matter we may eventually
-// // be able to remove most of this.
-// outET := out.GetPattern().GetEngineType().(*envoy_type_matcher_v3.RegexMatcher_GoogleRe2)
-// if inET.GoogleRe2.GetMaxProgramSize() != nil && (outET.GoogleRe2.GetMaxProgramSize() == nil || inET.GoogleRe2.GetMaxProgramSize().GetValue() < outET.GoogleRe2.GetMaxProgramSize().GetValue()) {
-// out.Pattern = NewRegexWithProgramSize(in.GetPattern().GetRegex(), &inET.GoogleRe2.GetMaxProgramSize().Value)
-// }
+ out := &envoy_type_matcher_v3.RegexMatchAndSubstitute{
+ Pattern: NewRegex(ctx, in.GetPattern().GetRegex()),
+ Substitution: in.GetSubstitution(),
+ }
+ switch inET := in.GetPattern().GetEngineType().(type) {
+ case nil:
+ // we do nothing here as it defaults to googleRe2 but we dont have any of the extra settings on it.
+ case *v32.RegexMatcher_GoogleRe2:
+ // note that this is likely to be deprecated soon anyways... So if engines no longer matter we may eventually
+ // be able to remove most of this.
+ outET := out.GetPattern().GetEngineType().(*envoy_type_matcher_v3.RegexMatcher_GoogleRe2)
+ if inET.GoogleRe2.GetMaxProgramSize() != nil && (outET.GoogleRe2.GetMaxProgramSize() == nil || inET.GoogleRe2.GetMaxProgramSize().GetValue() < outET.GoogleRe2.GetMaxProgramSize().GetValue()) {
+ out.Pattern = NewRegexWithProgramSize(in.GetPattern().GetRegex(), &inET.GoogleRe2.GetMaxProgramSize().Value)
+ }

-// default:
-// // this will only happen if there is a new type of engine that our current envoy implementation does not know how to handle.
-// // This should be thrown as we are unsure that we are passing the right info to envoy which could cause crashes.
-// return nil, errors.Errorf("Invalid regex EngineType: %v", in.GetPattern().GetEngineType())
-// }
+ default:
+ // this will only happen if there is a new type of engine that our current envoy implementation does not know how to handle.
+ // This should be thrown as we are unsure that we are passing the right info to envoy which could cause crashes.
+ return nil, errors.Errorf("Invalid regex EngineType: %v", in.GetPattern().GetEngineType())
+ }

-// return out, nil
-// }
+ return out, nil
+}
diff --git a/pkg/utils/regexutils/regex_test.go b/pkg/utils/regexutils/regex_test.go
index 609d6ba29a4..b9f2e9be301 100644
--- a/pkg/utils/regexutils/regex_test.go
+++ b/pkg/utils/regexutils/regex_test.go
@@ -1,9 +1,15 @@
 package regexutils_test

 import (
+ "context"
+
+ "github.com/golang/protobuf/ptypes/wrappers"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 . "github.com/solo-io/gloo/pkg/utils/regexutils"
+ "github.com/solo-io/gloo/pkg/utils/settingsutil"
+ v32 "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/type/matcher/v3"
+ v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
 )

 var _ = Describe("Regex", func() {
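Review bot: ConvertRegexMatchAndSubstitute in regex.go hands `in.GetPattern().GetRegex()` to NewRegex without calling CheckRegexString, although the NewRegex doc comment asks for that check first; whether every caller validates the pattern beforehand is not visible here. If they do not, a guard at the top of the function would close the gap: `if err := CheckRegexString(in.GetPattern().GetRegex()); err != nil { return nil, err }`. Separately, the single-value assertion to `*envoy_type_matcher_v3.RegexMatcher_GoogleRe2` in the GoogleRe2 case panics if NewRegex ever returns a matcher with a different engine type, so the two-value form with an error return would be safer in translation code.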
@@ -24,28 +30,28 @@ var _ = Describe("Regex", func() {
 Expect(regex.GetGoogleRe2().GetMaxProgramSize().GetValue()).To(Equal(number))
 })
- // It("should create regex from settings in context", func() {
- // ctx := settingsutil.WithSettings(context.Background(), &v1.Settings{
- // Gloo: &v1.GlooOptions{RegexMaxProgramSize: &wrappers.UInt32Value{Value: 123}},
- // })
- // regex := NewRegex(ctx, "foo")
- // Expect(regex.GetRegex()).To(Equal("foo"))
- // Expect(regex.GetGoogleRe2().GetMaxProgramSize().GetValue()).To(BeEquivalentTo(123))
- // })
- // It("should create regex even without engine", func() {
- // ctx := settingsutil.WithSettings(context.Background(), &v1.Settings{
- // Gloo: &v1.GlooOptions{RegexMaxProgramSize: &wrappers.UInt32Value{Value: 123}},
- // })
- // subPattern := v32.RegexMatcher{
- // Regex: "(.*)",
- // }
- // in := v32.RegexMatchAndSubstitute{
- // Substitution: "123",
- // Pattern: &subPattern,
- // }
- // out, err := ConvertRegexMatchAndSubstitute(ctx, &in)
- // Expect(err).NotTo(HaveOccurred())
- // Expect(out.Pattern.Regex).To(Equal(in.Pattern.Regex))
- // Expect(out.Substitution).To(Equal(in.Substitution))
- // })
+ It("should create regex from settings in context", func() {
+ ctx := settingsutil.WithSettings(context.Background(), &v1.Settings{
+ Gloo: &v1.GlooOptions{RegexMaxProgramSize: &wrappers.UInt32Value{Value: 123}},
+ })
+ regex := NewRegex(ctx, "foo")
+ Expect(regex.GetRegex()).To(Equal("foo"))
+ Expect(regex.GetGoogleRe2().GetMaxProgramSize().GetValue()).To(BeEquivalentTo(123))
+ })
+ It("should create regex even without engine", func() {
+ ctx := settingsutil.WithSettings(context.Background(), &v1.Settings{
+ Gloo: &v1.GlooOptions{RegexMaxProgramSize: &wrappers.UInt32Value{Value: 123}},
+ })
+ subPattern := v32.RegexMatcher{
+ Regex: "(.*)",
+ }
+ in := v32.RegexMatchAndSubstitute{
+ Substitution: "123",
+ Pattern: &subPattern,
+ }
+ out, err := ConvertRegexMatchAndSubstitute(ctx, &in)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(out.Pattern.Regex).To(Equal(in.Pattern.Regex))
+ Expect(out.Substitution).To(Equal(in.Substitution))
+ })
 })
From 3d828954bec700001ef1a9f414e9214ab3cbd304 Mon Sep 17 00:00:00 2001
From: Lawrence Gadban
Date: Wed, 22 Jan 2025 22:53:15 -0600
Subject: [PATCH 6/9] fix tests until deletion
---
 .github/workflows/pr-unit-tests.yaml | 2 ++
 projects/gateway2/utils/stopwatch.go | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr-unit-tests.yaml b/.github/workflows/pr-unit-tests.yaml
index af436d12b1a..e7b5935e4e8 100644
--- a/.github/workflows/pr-unit-tests.yaml
+++ b/.github/workflows/pr-unit-tests.yaml
@@ -31,6 +31,8 @@ jobs:
 shell: bash
 env:
 TEST_PKG: "./projects/gateway2/..."
+ # TODO: remove this once we delete gloo
+ GOLANG_PROTOBUF_REGISTRATION_CONFLICT: "ignore"
 run: make go-test-with-coverage
 - name: Validate Test Coverage
 shell: bash
diff --git a/projects/gateway2/utils/stopwatch.go b/projects/gateway2/utils/stopwatch.go
index 39e647c6772..f7a0901a511 100644
--- a/projects/gateway2/utils/stopwatch.go
+++ b/projects/gateway2/utils/stopwatch.go
@@ -11,7 +11,7 @@ import (
 )

 var (
- translationTime = stats.Float64("gloo_edge/translation_time_sec", "how long the translator takes in seconds", "s")
+ translationTime = stats.Float64("io.kgateway/translation_time_sec", "how long the translator takes in seconds", "s")
 translatorNameKey, _ = tag.NewKey("translator_name")
 )

@@ -19,7 +19,7 @@ func init() {
 // Register views with OpenCensus
 if err := view.Register(
 &view.View{
- Name: "gloo_edge/translation_time_sec",
+ Name: "io.kgateway/translation_time_sec",
 Measure: translationTime,
 Description: "how long the translator takes in seconds",
 Aggregation: view.Distribution(0.01, 0.05, 0.1, 0.25, 0.5, 1, 5, 10, 60),
From 7c20bbeb6ada79e9abe36e3d1ba33ad18fcab57b Mon Sep 17 00:00:00 2001
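Review bot: The re-enabled specs in regex_test.go leave the GoogleRe2 case and the `default` error case of ConvertRegexMatchAndSubstitute untested, and "should create regex even without engine" puts a RegexMaxProgramSize of 123 in the context without asserting that it reaches the output. Adding `Expect(out.GetPattern().GetGoogleRe2().GetMaxProgramSize().GetValue()).To(BeEquivalentTo(123))` to that spec would pin the settings path. A further spec with a per-pattern size below and above 123 would pin the rule that the smaller value wins. The enclosing Describe block starts outside the hunk.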
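Review bot: Setting `GOLANG_PROTOBUF_REGISTRATION_CONFLICT` to `ignore` in the pr-unit-tests.yaml hunk silences protobuf registration conflicts instead of resolving them, so a name registered twice is accepted without any signal; the later hunk in install/helm/gloo/templates/1-gloo-deployment.yaml sets the same value on the gloo pod and, unlike this one, carries no TODO. While the workaround is in place, `warn` would keep the process running and still log each conflict, e.g. `GOLANG_PROTOBUF_REGISTRATION_CONFLICT: "warn"`. In the Helm template I would also add the comment `# TODO: remove this once we delete gloo` above the new entry so the override is not forgotten in shipped deployments.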
From: Lawrence Gadban
Date: Wed, 22 Jan 2025 23:16:28 -0600
Subject: [PATCH 7/9] fix proto conflict on gloo pod until del
---
 install/helm/gloo/templates/1-gloo-deployment.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/install/helm/gloo/templates/1-gloo-deployment.yaml b/install/helm/gloo/templates/1-gloo-deployment.yaml
index 0a9f666e6ac..eea2b06de7b 100644
--- a/install/helm/gloo/templates/1-gloo-deployment.yaml
+++ b/install/helm/gloo/templates/1-gloo-deployment.yaml
@@ -259,6 +259,8 @@ spec:
 - name: HEADER_SECRET_REF_NS_MATCHES_US
 value: "true"
 {{- end}}
+ - name: GOLANG_PROTOBUF_REGISTRATION_CONFLICT
+ value: ignore
 {{- if not .Values.global.glooMtls.enabled }}
 readinessProbe:
 tcpSocket:
From a8d2c6aaec84172fdb6d62d1d1a15516430f071e Mon Sep 17 00:00:00 2001
From: Lawrence Gadban
Date: Wed, 22 Jan 2025 23:36:29 -0600
Subject: [PATCH 8/9] prepare for git mv
---
 projects/gateway2/cmd/Dockerfile | 23 ---------------------
 projects/gateway2/cmd/Dockerfile.distroless | 19 -----------------
 projects/gateway2/cmd/main.go | 20 ------------------
 3 files changed, 62 deletions(-)
 delete mode 100644 projects/gateway2/cmd/Dockerfile
 delete mode 100644 projects/gateway2/cmd/Dockerfile.distroless
 delete mode 100644 projects/gateway2/cmd/main.go
diff --git a/projects/gateway2/cmd/Dockerfile b/projects/gateway2/cmd/Dockerfile
deleted file mode 100644
index a06affe8bdf..00000000000
--- a/projects/gateway2/cmd/Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-ARG ENVOY_IMAGE
-
-FROM $ENVOY_IMAGE
-
-ARG GOARCH=amd64
-# eventually may matter for now https://unix.stackexchange.com/a/701288
-# means its not too useful
-ENV DEBIAN_FRONTEND=noninteractive
-
-# Update our deps to make cve toil lower
-#install wget for our default probes
-RUN apt-get update \
- && apt-get upgrade -y \
- && apt-get install --no-install-recommends -y ca-certificates \
- && apt-get install wget -y \
- && rm -rf /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old
-
-
-COPY gloo-linux-$GOARCH /usr/local/bin/gloo
-
-USER 10101
-
-ENTRYPOINT ["/usr/local/bin/gloo"]
\ No newline at end of file
diff --git a/projects/gateway2/cmd/Dockerfile.distroless b/projects/gateway2/cmd/Dockerfile.distroless
deleted file mode 100644
index 0f920b3c684..00000000000
--- a/projects/gateway2/cmd/Dockerfile.distroless
+++ /dev/null
@@ -1,19 +0,0 @@
-ARG ENVOY_IMAGE
-ARG BASE_IMAGE
-
-FROM $ENVOY_IMAGE as envoy
-
-FROM $BASE_IMAGE
-ARG GOARCH=amd64
-
-COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy
-
-# Copy over the required libraries
-# lib64z1 - Required by libsaxon for xslt transformations
-COPY --from=envoy /usr/lib/x86_64-linux-gnu/libz.so* /usr/lib/x86_64-linux-gnu/
-
-COPY gloo-linux-$GOARCH /usr/local/bin/gloo
-
-USER 10101
-
-ENTRYPOINT ["/usr/local/bin/gloo"]
\ No newline at end of file
diff --git a/projects/gateway2/cmd/main.go b/projects/gateway2/cmd/main.go
deleted file mode 100644
index 44ec14320be..00000000000
--- a/projects/gateway2/cmd/main.go
+++ /dev/null
@@ -1,20 +0,0 @@
-package main
-
-import (
- "context"
-
- "github.com/solo-io/gloo/pkg/utils/probes"
- "github.com/solo-io/gloo/projects/gateway2/setup"
- "github.com/solo-io/go-utils/log"
-)
-
-func main() {
- ctx := context.Background()
-
- // Start a server which is responsible for responding to liveness probes
- probes.StartLivenessProbeServer(ctx)
-
- if err := setup.Main(ctx); err != nil {
- log.Fatalf("err in main: %v", err.Error())
- }
-}
From c2cd229884e55d817923e31147c42b73cdc7327d Mon Sep 17 00:00:00 2001
From: Lawrence Gadban
Date: Wed, 22 Jan 2025 23:37:55 -0600
Subject: [PATCH 9/9] git mv projects/gloo/cmd
---
 projects/{gloo => gateway2}/cmd/Dockerfile | 0
 projects/{gloo => gateway2}/cmd/Dockerfile.distroless | 0
 projects/{gloo => gateway2}/cmd/main.go | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename projects/{gloo => gateway2}/cmd/Dockerfile (100%)
 rename projects/{gloo => gateway2}/cmd/Dockerfile.distroless (100%)
 rename projects/{gloo => gateway2}/cmd/main.go (87%)
diff --git a/projects/gloo/cmd/Dockerfile b/projects/gateway2/cmd/Dockerfile
similarity index 100%
rename from projects/gloo/cmd/Dockerfile
rename to projects/gateway2/cmd/Dockerfile
diff --git a/projects/gloo/cmd/Dockerfile.distroless b/projects/gateway2/cmd/Dockerfile.distroless
similarity index 100%
rename from projects/gloo/cmd/Dockerfile.distroless
rename to projects/gateway2/cmd/Dockerfile.distroless
diff --git a/projects/gloo/cmd/main.go b/projects/gateway2/cmd/main.go
similarity index 87%
rename from projects/gloo/cmd/main.go
rename to projects/gateway2/cmd/main.go
index 12f7645c2c7..44ec14320be 100644
--- a/projects/gloo/cmd/main.go
+++ b/projects/gateway2/cmd/main.go
@@ -4,7 +4,7 @@ import (
 "context"

 "github.com/solo-io/gloo/pkg/utils/probes"
- "github.com/solo-io/gloo/projects/gloo/pkg/setup"
+ "github.com/solo-io/gloo/projects/gateway2/setup"
 "github.com/solo-io/go-utils/log"
 )