From 39e7d2c13ff36f707ea19a40a5015eb77f3f37de Mon Sep 17 00:00:00 2001 From: Pasha Gurkov Date: Wed, 9 Apr 2025 11:42:07 +0100 Subject: [PATCH 1/6] Add global imageRegistry and imagePullSecrets overrides Add global.imageRegistry and global.imagePullSecrets to gateway-helm chart values Add override logic: globals above take precedence if defined Add new ENV vars: REPOSITORY, RATELIMIT_REPOSITORY, RATELIMIT_TAG Delete ENV vars: IMAGE_NAME, IMAGE 
Signed-off-by: Pavel Gurkov --- charts/gateway-helm/README.md | 6 +- charts/gateway-helm/templates/_helpers.tpl | 83 ++- charts/gateway-helm/templates/certgen.yaml | 2 +- .../templates/envoy-gateway-deployment.yaml | 2 +- charts/gateway-helm/values.tmpl.yaml | 15 +- release-notes/current.yaml | 3 + site/content/en/contributions/DEVELOP.md | 16 +- .../en/latest/install/gateway-helm-api.md | 6 +- test/helm/gateway-helm/certgen-args.in.yaml | 3 +- test/helm/gateway-helm/certgen-args.out.yaml | 8 +- .../certjen-custom-scheduling.in.yaml | 3 +- .../certjen-custom-scheduling.out.yaml | 8 +- .../control-plane-with-pdb.in.yaml | 1 + .../control-plane-with-pdb.out.yaml | 8 +- .../helm/gateway-helm/default-config.out.yaml | 8 +- .../deployment-custom-topology.in.yaml | 1 + .../deployment-custom-topology.out.yaml | 8 +- .../deployment-images-config.in.yaml | 3 +- .../deployment-images-config.out.yaml | 16 +- .../deployment-priorityclass.in.yaml | 1 + .../deployment-priorityclass.out.yaml | 8 +- .../deployment-repo-no-registry.in.yaml | 5 + .../deployment-repo-no-registry.out.yaml | 578 +++++++++++++++++ .../deployment-securitycontext.in.yaml | 1 + .../deployment-securitycontext.out.yaml | 8 +- .../gateway-helm/envoy-gateway-config.in.yaml | 1 + .../envoy-gateway-config.out.yaml | 8 +- .../global-images-config.out.yaml | 8 +- ...al-pullsecrets-override-deployment.in.yaml | 24 + ...l-pullsecrets-override-deployment.out.yaml | 582 ++++++++++++++++++ ...global-pullsecrets-override-global.in.yaml | 15 + ...lobal-pullsecrets-override-global.out.yaml | 582 ++++++++++++++++++ ...lobal-registry-override-deployment.in.yaml | 14 + ...obal-registry-override-deployment.out.yaml | 578 +++++++++++++++++ .../global-registry-override-global.in.yaml | 8 + .../global-registry-override-global.out.yaml | 578 +++++++++++++++++ .../horizontal-pod-autoscaler.out.yaml | 8 +- .../service-customization.in.yaml | 1 + .../service-customization.out.yaml | 8 +- tools/make/docs.mk | 7 +- tools/make/env.mk | 
31 +- tools/make/helm.mk | 50 +- tools/make/image.mk | 16 +- tools/make/kube.mk | 4 +- 44 files changed, 3208 insertions(+), 116 deletions(-) create mode 100644 test/helm/gateway-helm/deployment-repo-no-registry.in.yaml create mode 100644 test/helm/gateway-helm/deployment-repo-no-registry.out.yaml create mode 100644 test/helm/gateway-helm/global-pullsecrets-override-deployment.in.yaml create mode 100644 test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml create mode 100644 test/helm/gateway-helm/global-pullsecrets-override-global.in.yaml create mode 100644 test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml create mode 100644 test/helm/gateway-helm/global-registry-override-deployment.in.yaml create mode 100644 test/helm/gateway-helm/global-registry-override-deployment.out.yaml create mode 100644 test/helm/gateway-helm/global-registry-override-global.in.yaml create mode 100644 test/helm/gateway-helm/global-registry-override-global.out.yaml diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 64cf772ecb..6f0b604f7b 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -97,10 +97,12 @@ To uninstall the chart: | deployment.ports[3].targetPort | int | `19001` | | | deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | +| global.imagePullSecrets | list | `[]` | Global override for image pull secrets | +| global.imageRegistry | string | `""` | Global override for image registry | | global.images.envoyGateway.image | string | `nil` | | -| global.images.envoyGateway.pullPolicy | string | `nil` | | +| global.images.envoyGateway.pullPolicy | string | `"IfNotPresent"` | | | global.images.envoyGateway.pullSecrets | list | `[]` | | -| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` | | +| global.images.ratelimit.image | string | `""` | | | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | | | global.images.ratelimit.pullSecrets | list | `[]` | | | hpa.behavior | object | `{}` | | diff --git a/charts/gateway-helm/templates/_helpers.tpl b/charts/gateway-helm/templates/_helpers.tpl index d9aefc2a84..d7f69edf71 100755 --- a/charts/gateway-helm/templates/_helpers.tpl +++ b/charts/gateway-helm/templates/_helpers.tpl 
@@ -65,37 +65,85 @@ Create the name of the service account to use The name of the Envoy Gateway image. */}} {{- define "eg.image" -}} -{{- if .Values.deployment.envoyGateway.image.repository }} -{{- .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Values.global.images.envoyGateway.tag | default .Chart.AppVersion }} -{{- else if .Values.global.images.envoyGateway.image }} -{{- .Values.global.images.envoyGateway.image }} -{{- else }} +{{/* if deployment-specific repository is defined, it takes precedence */}} +{{- if .Values.deployment.envoyGateway.image.repository -}} +{{/* if global.imageRegistry is defined, it takes precedence always */}} +{{- if .Values.global.imageRegistry -}} +{{- $repositoryParts := splitn "/" 2 .Values.deployment.envoyGateway.image.repository -}} +{{- $registryName := .Values.global.imageRegistry -}} +{{- $repositoryName := $repositoryParts._1 -}} +{{- $imageTag := default .Chart.AppVersion .Values.deployment.envoyGateway.image.tag -}} +{{- printf "%s/%s:%s" $registryName $repositoryName $imageTag -}} +{{/* if global.imageRegistry is undefined, take repository as is */}} +{{- else -}} +{{- $imageTag := default .Chart.AppVersion .Values.deployment.envoyGateway.image.tag -}} +{{- printf "%s:%s" .Values.deployment.envoyGateway.image.repository $imageTag -}} +{{- end -}} +{{/* else, global image is used if defined */}} +{{- else if .Values.global.images.envoyGateway.image -}} +{{- $imageParts := splitn "/" 2 .Values.global.images.envoyGateway.image -}} +{{/* if global.imageRegistry is defined, it takes precedence always */}} +{{- $registryName := default $imageParts._0 .Values.global.imageRegistry -}} +{{- $repositoryTag := $imageParts._1 -}} +{{- $repositoryParts := splitn ":" 2 $repositoryTag -}} +{{- $repositoryName := $repositoryParts._0 -}} +{{- $imageTag := $repositoryParts._1 -}} +{{- printf "%s/%s:%s" $registryName $repositoryName $imageTag -}} +{{- else -}} 
docker.io/envoyproxy/gateway:{{ .Chart.Version }} -{{- end }} -{{- end }} +{{- end -}} +{{- end -}} {{/* Pull policy for the Envoy Gateway image. */}} {{- define "eg.image.pullPolicy" -}} -{{ .Values.deployment.envoyGateway.imagePullPolicy | default .Values.global.images.envoyGateway.pullPolicy | default "IfNotPresent" }} +{{- default .Values.deployment.envoyGateway.imagePullPolicy .Values.global.images.envoyGateway.pullPolicy -}} {{- end }} {{/* Pull secrets for the Envoy Gateway image. */}} {{- define "eg.image.pullSecrets" -}} -{{- if .Values.deployment.envoyGateway.imagePullSecrets -}} -imagePullSecrets: +{{- if .Values.global.imagePullSecrets -}} +{{ toYaml .Values.global.imagePullSecrets }} +{{- else if .Values.deployment.envoyGateway.imagePullSecrets -}} {{ toYaml .Values.deployment.envoyGateway.imagePullSecrets }} {{- else if .Values.global.images.envoyGateway.pullSecrets -}} -imagePullSecrets: {{ toYaml .Values.global.images.envoyGateway.pullSecrets }} {{- else -}} -imagePullSecrets: [] +{{ toYaml list }} {{- end }} {{- end }} +{{/* +The name of the Envoy Ratelimit image. +*/}} +{{- define "eg.ratelimit.image" -}} +{{- $imageParts := splitn "/" 2 .Values.global.images.ratelimit.image -}} +{{/* if global.imageRegistry is defined, it takes precedence always */}} +{{- $registryName := default $imageParts._0 .Values.global.imageRegistry -}} +{{- $repositoryTag := $imageParts._1 -}} +{{- $repositoryParts := splitn ":" 2 $repositoryTag -}} +{{- $repositoryName := $repositoryParts._0 -}} +{{- $imageTag := default .Chart.AppVersion $repositoryParts._1 -}} +{{- printf "%s/%s:%s" $registryName $repositoryName $imageTag -}} +{{- end -}} + +{{/* +Pull secrets for the Envoy Ratelimit image. 
+*/}} +{{- define "eg.ratelimit.image.pullSecrets" -}} +{{- if .Values.global.imagePullSecrets }} +{{ toYaml .Values.global.imagePullSecrets }} +{{- else if .Values.global.images.ratelimit.pullSecrets -}} +{{ toYaml .Values.global.images.ratelimit.pullSecrets }} +{{- else -}} +{{ toYaml list }} +{{- end }} +{{- end }} + + {{/* The default Envoy Gateway configuration. */}} @@ -105,16 +153,9 @@ provider: kubernetes: rateLimitDeployment: container: - {{- if .Values.global.images.ratelimit.image }} - image: {{ .Values.global.images.ratelimit.image }} - {{- else }} - image: "docker.io/envoyproxy/ratelimit:master" - {{- end }} - {{- with .Values.global.images.ratelimit.pullSecrets }} + image: {{ include "eg.ratelimit.image" . }} pod: - imagePullSecrets: - {{- toYaml . | nindent 10 }} - {{- end }} + imagePullSecrets: {{- include "eg.ratelimit.image.pullSecrets" . | nindent 10 }} {{- with .Values.global.images.ratelimit.pullPolicy }} patch: type: StrategicMerge diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml index 3f2a514e91..768f47b553 100644 --- a/charts/gateway-helm/templates/certgen.yaml +++ b/charts/gateway-helm/templates/certgen.yaml @@ -48,7 +48,7 @@ spec: {{- end }} securityContext: {{- toYaml .Values.certgen.job.securityContext | nindent 10 }} - {{- include "eg.image.pullSecrets" . | nindent 6 }} + imagePullSecrets: {{- include "eg.image.pullSecrets" . | nindent 8 }} {{- with .Values.certgen.job.affinity }} affinity: {{- toYaml . | nindent 8 }} diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 7746dd2e4a..82d9d790ac 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml 
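Review bot: `eg.image.pullPolicy` now inverts the precedence of the two settings. Sprig's `default` takes the fallback as its first argument, so `default .Values.deployment.envoyGateway.imagePullPolicy .Values.global.images.envoyGateway.pullPolicy` returns the global value whenever it is non-empty, whereas the removed line preferred the deployment value. The README hunk in this patch documents the global default as `"IfNotPresent"`, so a deployment-level `Always` (relevant for mutable tags such as `latest`) would apparently never take effect. The trailing `"IfNotPresent"` fallback is also gone, so with both values empty the helper renders an empty string. If the previous order is intended, keep `{{- .Values.deployment.envoyGateway.imagePullPolicy | default .Values.global.images.envoyGateway.pullPolicy | default "IfNotPresent" -}}`.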
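Review bot: The `image:` line in the rateLimitDeployment block now calls `eg.ratelimit.image` unconditionally, and that helper (defined in the previous hunk) has no guard for an empty or registry-less `global.images.ratelimit.image`; the removed `if`/`else` supplied a literal default in that case. With an empty value `splitn "/" 2` produces no `_1` part, so the `printf "%s/%s:%s"` result is a malformed reference, and with a value such as `envoyproxy/ratelimit:master` the first path segment is treated as the registry. A missing tag falls back to `.Chart.AppVersion`, which is presumably the gateway version rather than a ratelimit tag. Consider failing fast at the top of the helper, e.g. `{{- $image := required "global.images.ratelimit.image must be set" .Values.global.images.ratelimit.image -}}`, and documenting that the value must have the form `registry/repository:tag`.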
@@ -84,7 +84,7 @@ spec: - mountPath: /certs name: certs readOnly: true - {{- include "eg.image.pullSecrets" . | nindent 6 }} + imagePullSecrets: {{- include "eg.image.pullSecrets" . | nindent 8 }} {{- with .Values.deployment.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 0c166ad825..a2a7580abc 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -1,6 +1,13 @@ -# The global settings for the Envoy Gateway Helm chart. -# These values will be used if the values are not overridden in the other sections. +# Global settings global: + # If set, these take highest precedence and change both envoyGateway and ratelimit's container registry and pull secrets. + # -- Global override for image registry + imageRegistry: "" + # -- Global override for image pull secrets + imagePullSecrets: [] + + # If set, these override image-specific values: useful when installing the chart in a private registry environment. + # Override image-specific values directly if a global override is not desired. images: envoyGateway: # This is the full image name including the hub, repo, and tag. @@ -12,12 +19,13 @@ global: pullSecrets: [] ratelimit: # This is the full image name including the hub, repo, and tag. - image: "docker.io/envoyproxy/ratelimit:master" + image: "${RatelimitImage}" # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. pullPolicy: IfNotPresent # List of secrets in the same namespace of the component that can be used to pull images from private repositories. pullSecrets: [] + podDisruptionBudget: minAvailable: 0 # maxUnavailable: 1 
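Review bot: The comment on `global.imagePullSecrets` in the first values.tmpl.yaml hunk should say that the list replaces the per-component lists rather than being merged with them. `eg.image.pullSecrets` and `eg.ratelimit.image.pullSecrets` in _helpers.tpl return the global list alone whenever it is non-empty, so a component-specific secret set next to a global one is dropped and pulls that rely on it would fail. Suggested wording: `# -- Global override for image pull secrets; when non-empty it replaces (does not merge with) deployment.envoyGateway.imagePullSecrets and global.images.*.pullSecrets`. The second new comment, placed above `images:`, reads as if it still describes the global overrides and would be clearer directly under `imagePullSecrets` or reworded to describe `images`.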
@@ -25,6 +33,7 @@ podDisruptionBudget: deployment: envoyGateway: image: + # if both this and global.imageRegistry are specified, this has to include both registry and repository explicitly, eg docker.io/envoyproxy/gateway repository: "" tag: "" imagePullPolicy: "" diff --git a/release-notes/current.yaml b/release-notes/current.yaml index b996dec109..fc502cb12b 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -4,6 +4,7 @@ date: Pending breaking changes: | Use a dedicated listener port(19003) for envoy proxy readiness Uses the envoy JSON formatter for the default access log instead of text formatter. + Removed environment variables IMAGE, IMAGE_NAME used for building the image; use REGISTRY and REPOSITORY instead # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | @@ -29,6 +30,8 @@ new features: | Added support for egctl Websocket in addation to SPDY Added a configuration option in the Helm chart to set the TrafficDistribution field in the Envoy Gateway Service Added support for setting the log level to trace for the Envoy Proxy + Added support for global imageRegistry and imagePullSecrets to the Helm chart + bug fixes: | Fix traffic splitting when filters are attached to the backendRef. diff --git a/site/content/en/contributions/DEVELOP.md b/site/content/en/contributions/DEVELOP.md index 4f557fdb0a..bee7683961 100644 --- a/site/content/en/contributions/DEVELOP.md +++ b/site/content/en/contributions/DEVELOP.md 
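Review bot: The new comment on `repository` states a requirement that the template does not check. When `global.imageRegistry` is set, `eg.image` discards everything before the first `/` of `deployment.envoyGateway.image.repository`, so a value like `envoy/gateway` (the form used in deployment-repo-no-registry.in.yaml) would render as `<imageRegistry>/gateway:<tag>`. That drops the `envoy` namespace and points at a different repository; a value with no `/` leaves the repository part empty. Consider stripping the first segment only when it looks like a registry host (contains `.` or `:`, or is `localhost`) and failing the render otherwise. At minimum spell out the consequence here, e.g. `# with global.imageRegistry set, the first path segment is treated as the registry and replaced`.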
@@ -60,14 +60,14 @@ __Note:__ The `golangci-lint` configuration resides [here](https://github.com/en ### Building and Pushing the Image -* Run `IMAGE=docker.io/you/gateway-dev make image` to build the docker image. -* Run `IMAGE=docker.io/you/gateway-dev make push-multiarch` to build and push the multi-arch docker image. +* Run `REGISTRY=docker.io REPOSITORY=you/gateway-dev make image` to build the docker image. +* Run `REGISTRY=docker.io REPOSITORY=you/gateway-dev make push-multiarch` to build and push the multi-arch docker image. -__Note:__ Replace `IMAGE` with your registry's image name. +__Note:__ Replace `REPOSITORY` with your registry's image name. ### Raising a PR -* Run `make generate` and push the generated files along with your commit, if your PR contains any **API** changes (changes in `/api` folder), you've added some unit tests or you've updated the modules used in the project. +* Run `make generate` and push the generated files along with your commit, if your PR contains any **API** changes (changes in `/api` folder), you've added some unit tests or you've updated the modules used in the project. ### Deploying Envoy Gateway for Test/Dev @@ -86,7 +86,7 @@ __Note:__ Replace `IMAGE` with your registry's image name. ### Deploying Envoy Gateway in Kubernetes * Run `TAG=latest make kube-deploy` to deploy Envoy Gateway using the latest image into a Kubernetes cluster (linked to - the current kube context). Preface the command with `IMAGE` or replace `TAG` to use a different Envoy Gateway image or + the current kube context). Preface the command with `REGISTRY` and `REPOSITORY` or replace `TAG` to use a different Envoy Gateway image or tag. * Run `make kube-undeploy` to uninstall Envoy Gateway from the cluster. 
@@ -120,7 +120,7 @@ workarounds to run conformance tests: uninstall Envoy Gateway. * Install and run [Docker Mac Net Connect][mac_connect] and then run `TAG=latest make conformance`. -__Note:__ Preface commands with `IMAGE` or replace `TAG` to use a different Envoy Gateway image or tag. If `TAG` +__Note:__ Preface commands with `REGISTRY` and `REPOSITORY` or replace `TAG` to use a different Envoy Gateway image or tag. If `TAG` is unspecified, the short SHA of your current branch is used. ### Debugging the Envoy Config @@ -162,13 +162,13 @@ The performance and scalability concerns come from several aspects for control-p - The consumption of memory and CPU. - The rate of configuration changes. -The benchmark test is running on a [Kind][Kind] cluster, you can start a Kind cluster and +The benchmark test is running on a [Kind][Kind] cluster, you can start a Kind cluster and run benchmark test on it by executing `make benchmark`. The benchmark report will be included in the release artifacts, you can learn more by downloading the detailed benchmark report, namely `benchmark_report.zip`. -Here are some brief benchmark reports about Envoy Gateway: +Here are some brief benchmark reports about Envoy Gateway: - It will take up nearly 550MiB memory and 11s total CPU time for (1 GatewayClass + 1 Gateway + 500 HTTRoutes) settings diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 7e44697a62..268d43cbf1 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md 
@@ -61,10 +61,12 @@ The Helm chart for Envoy Gateway | deployment.ports[3].targetPort | int | `19001` | | | deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | +| global.imagePullSecrets | list | `[]` | Global override for image pull secrets | +| global.imageRegistry | string | `""` | Global override for image registry | | global.images.envoyGateway.image | string | `nil` | | -| global.images.envoyGateway.pullPolicy | string | `nil` | | +| global.images.envoyGateway.pullPolicy | string | `"IfNotPresent"` | | | global.images.envoyGateway.pullSecrets | list | `[]` | | -| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` | | +| global.images.ratelimit.image | string | `""` | | | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | | | global.images.ratelimit.pullSecrets | list | `[]` | | | hpa.behavior | object | `{}` | | diff --git a/test/helm/gateway-helm/certgen-args.in.yaml b/test/helm/gateway-helm/certgen-args.in.yaml index ca8864e6ac..9f027b8984 100644 --- a/test/helm/gateway-helm/certgen-args.in.yaml +++ b/test/helm/gateway-helm/certgen-args.in.yaml @@ -3,7 +3,8 @@ global: envoyGateway: image: "docker.io/envoyproxy/gateway-dev:latest" pullPolicy: Always + certgen: job: args: - - --overwrite \ No newline at end of file + - --overwrite diff --git a/test/helm/gateway-helm/certgen-args.out.yaml b/test/helm/gateway-helm/certgen-args.out.yaml index d52753db28..b74bde085a 100644 --- a/test/helm/gateway-helm/certgen-args.out.yaml +++ b/test/helm/gateway-helm/certgen-args.out.yaml @@ -47,6 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -444,7 +446,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: 
@@ -570,7 +573,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.in.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.in.yaml index c579310e0d..dec84e6889 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.in.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.in.yaml @@ -3,6 +3,7 @@ global: envoyGateway: image: "docker.io/envoyproxy/gateway-dev:latest" pullPolicy: Always + certgen: job: affinity: @@ -18,4 +19,4 @@ certgen: - effect: NoSchedule key: taint1 operator: Equal - value: tol1 \ No newline at end of file + value: tol1 diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 37d0212f71..3b0d90f244 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -47,6 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -444,7 +446,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -568,7 +571,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/test/helm/gateway-helm/control-plane-with-pdb.in.yaml b/test/helm/gateway-helm/control-plane-with-pdb.in.yaml index ef71656e57..1531b798a2 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.in.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.in.yaml 
@@ -3,6 +3,7 @@ global: envoyGateway: image: "docker.io/envoyproxy/gateway-dev:latest" pullPolicy: Always + podDisruptionBudget: minAvailable: 1 maxUnavailable: 1 diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 69f08e1dbb..a77d798143 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -62,6 +62,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -459,7 +461,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -583,7 +586,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 6e1b1846ba..1511327122 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -47,6 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -444,7 +446,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -568,7 +571,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 
diff --git a/test/helm/gateway-helm/deployment-custom-topology.in.yaml b/test/helm/gateway-helm/deployment-custom-topology.in.yaml index fe16f64d28..ba122b4a20 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.in.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.in.yaml @@ -3,6 +3,7 @@ global: envoyGateway: image: "docker.io/envoyproxy/gateway-dev:latest" pullPolicy: Always + deployment: pod: affinity: diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 0bc5809337..59d7cda01f 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -47,6 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -472,7 +474,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -596,7 +599,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-images-config.in.yaml b/test/helm/gateway-helm/deployment-images-config.in.yaml index f5f4425f74..9cd0bb61ab 100644 --- a/test/helm/gateway-helm/deployment-images-config.in.yaml +++ b/test/helm/gateway-helm/deployment-images-config.in.yaml @@ -3,7 +3,8 @@ deployment: envoyGateway: image: - repository: private-hub/envoyproxy/gateway + registry: private-hub + repository: envoyproxy/gateway tag: abcdef12 imagePullPolicy: IfNotPresent imagePullSecrets: 
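Review bot: The new `registry: private-hub` key in deployment-images-config.in.yaml is not read by any template visible in this patch; `eg.image` uses only `deployment.envoyGateway.image.repository` and `.tag`. The regenerated deployment-images-config.out.yaml hunks confirm it: the image changes from `private-hub/envoyproxy/gateway:abcdef12` to `envoyproxy/gateway:abcdef12` in the ConfigMap, the Deployment and the certgen Job. The fixture therefore asserts that a private-registry setting is silently dropped, and the workloads would resolve the image against the runtime's default registry. Either keep `repository: private-hub/envoyproxy/gateway` in the fixture, or add `image.registry` handling to `eg.image` and values.tmpl.yaml (unless a later patch in this series does so) so the golden output retains the `private-hub/` prefix.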
diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index f99a89039d..dbdbbee52d 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -47,8 +47,10 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: - image: private-hub/envoyproxy/gateway:abcdef12 + image: envoyproxy/gateway:abcdef12 type: Kubernetes --- # Source: gateway-helm/templates/envoy-gateway-rbac.yaml @@ -396,7 +398,7 @@ spec: fieldPath: metadata.namespace - name: KUBERNETES_CLUSTER_DOMAIN value: cluster.local - image: private-hub/envoyproxy/gateway:abcdef12 + image: envoyproxy/gateway:abcdef12 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -445,8 +447,8 @@ spec: name: certs readOnly: true imagePullSecrets: - - name: secret1 - - name: secret2 + - name: secret1 + - name: secret2 serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -555,7 +557,7 @@ spec: fieldPath: metadata.namespace - name: KUBERNETES_CLUSTER_DOMAIN value: cluster.local - image: private-hub/envoyproxy/gateway:abcdef12 + image: envoyproxy/gateway:abcdef12 imagePullPolicy: IfNotPresent name: envoy-gateway-certgen securityContext: @@ -571,8 +573,8 @@ spec: seccompProfile: type: RuntimeDefault imagePullSecrets: - - name: secret1 - - name: secret2 + - name: secret1 + - name: secret2 restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-priorityclass.in.yaml b/test/helm/gateway-helm/deployment-priorityclass.in.yaml index f5dbd6afc4..a3c25cbb82 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.in.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.in.yaml 
@@ -3,5 +3,6 @@ global: envoyGateway: image: "docker.io/envoyproxy/gateway-dev:latest" pullPolicy: Always + deployment: priorityClassName: system-cluster-critical diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 3757e360d9..d63df945df 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -47,6 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -444,7 +446,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] priorityClassName: "system-cluster-critical" serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 @@ -569,7 +572,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-repo-no-registry.in.yaml b/test/helm/gateway-helm/deployment-repo-no-registry.in.yaml new file mode 100644 index 0000000000..3be324a67b --- /dev/null +++ b/test/helm/gateway-helm/deployment-repo-no-registry.in.yaml @@ -0,0 +1,5 @@ +deployment: + envoyGateway: + image: + repository: "envoy/gateway" + tag: "abcdef" diff --git a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml new file mode 100644 index 0000000000..f797121e5b --- /dev/null +++ b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml 
@@ -0,0 +1,578 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + pod: + imagePullSecrets: [] + shutdownManager: + image: envoy/gateway:abcdef + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch 
+- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + 
app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: 
gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + 
prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: envoy/gateway:abcdef + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: + [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": 
pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: envoy/gateway:abcdef 
+ imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-securitycontext.in.yaml b/test/helm/gateway-helm/deployment-securitycontext.in.yaml index 47b8d1cec2..317c10ee12 100644 --- a/test/helm/gateway-helm/deployment-securitycontext.in.yaml +++ b/test/helm/gateway-helm/deployment-securitycontext.in.yaml @@ -3,6 +3,7 @@ global: envoyGateway: image: "docker.io/envoyproxy/gateway-dev:latest" pullPolicy: Always + deployment: envoyGateway: securityContext: diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml index e98bd1e973..bc1caa1c96 100644 --- a/test/helm/gateway-helm/deployment-securitycontext.out.yaml +++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml @@ -47,6 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -444,7 +446,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -568,7 +571,8 @@ spec: runAsUser: 1000 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/envoy-gateway-config.in.yaml b/test/helm/gateway-helm/envoy-gateway-config.in.yaml index 936d3ddf87..cea617ef29 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.in.yaml 
+++ b/test/helm/gateway-helm/envoy-gateway-config.in.yaml @@ -3,6 +3,7 @@ global: envoyGateway: image: "docker.io/envoyproxy/gateway-dev:latest" pullPolicy: Always + config: envoyGateway: gateway: diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index fb1e51f220..d9bcaf26b5 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -49,6 +49,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -446,7 +448,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -570,7 +573,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index ebcda594b1..031e4c6cf6 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -449,8 +449,8 @@ spec: name: certs readOnly: true imagePullSecrets: - - name: secret1 - - name: secret2 + - name: secret1 + - name: secret2 serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -575,8 +575,8 @@ spec: seccompProfile: type: RuntimeDefault imagePullSecrets: - - name: secret1 - - name: secret2 + - name: secret1 + - name: secret2 restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 
diff --git a/test/helm/gateway-helm/global-pullsecrets-override-deployment.in.yaml b/test/helm/gateway-helm/global-pullsecrets-override-deployment.in.yaml new file mode 100644 index 0000000000..c51bc53a84 --- /dev/null +++ b/test/helm/gateway-helm/global-pullsecrets-override-deployment.in.yaml @@ -0,0 +1,24 @@ +global: + imageRegistry: "private.registry" + imagePullSecrets: + - key1: "value1" + - key2: "value2" + + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always + pullSecrets: + - key5: "value5" + - key6: "value6" + ratelimit: + image: "docker.io/envoyproxy/ratelimit:master" + +deployment: + envoyGateway: + image: + repository: "docker.io/envoy/gateway" + tag: "abcdef" + imagePullSecrets: + - key3: "value3" + - key4: "value4" diff --git a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml new file mode 100644 index 0000000000..f18cf3834b --- /dev/null +++ b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml 
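Review bot: The pull-secret entries in `global-pullsecrets-override-deployment.in.yaml` use made-up keys (`- key1: "value1"`), but a pod's `imagePullSecrets` items are object references whose only field is `name`. The golden output therefore pins manifests with `- key1: value1` under `imagePullSecrets` in the Deployment and the certgen Job, which is not a shape the API accepts as a usable secret reference, so the test cannot catch a helper that mangles real entries. I would write each entry in the realistic form, e.g. `- name: "global-secret1"`, keeping a distinct name per source (global, `global.images.envoyGateway.pullSecrets`, `deployment.envoyGateway.imagePullSecrets`) so the golden still shows which source won. The same applies to `global-pullsecrets-override-global.in.yaml` later in this patch. A one-line comment at the top of each fixture stating the expected precedence (global `imagePullSecrets` over the other two) would also make the file name `override-deployment` easier to read.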
@@ -0,0 +1,582 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: private.registry/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + pod: + imagePullSecrets: + - key1: value1 + - key2: value2 + shutdownManager: + image: private.registry/envoy/gateway:abcdef + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + 
- serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + 
app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 
'envoy-gateway-system' +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + 
template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: private.registry/envoy/gateway:abcdef + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: + - key1: value1 + - key2: value2 + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: 
"latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: 
KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: private.registry/envoy/gateway:abcdef + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - key1: value1 + - key2: value2 + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/global-pullsecrets-override-global.in.yaml b/test/helm/gateway-helm/global-pullsecrets-override-global.in.yaml new file mode 100644 index 0000000000..36b65a7dd8 --- /dev/null +++ b/test/helm/gateway-helm/global-pullsecrets-override-global.in.yaml @@ -0,0 +1,15 @@ +global: + imageRegistry: "private.registry" + imagePullSecrets: + - key1: "value1" + - key2: "value2" + + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always + pullSecrets: + - key5: "value5" + - key6: "value6" + ratelimit: + image: "docker.io/envoyproxy/ratelimit:master" diff --git a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml new file mode 100644 index 0000000000..3adb70c206 --- /dev/null +++ b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml 
@@ -0,0 +1,582 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: private.registry/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + pod: + imagePullSecrets: + - key1: value1 + - key2: value2 + shutdownManager: + image: private.registry/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + 
resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + 
app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 
'envoy-gateway-system' +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + 
template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: private.registry/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: + - key1: value1 + - key2: value2 + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + 
app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: 
metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: private.registry/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - key1: value1 + - key2: value2 + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/global-registry-override-deployment.in.yaml b/test/helm/gateway-helm/global-registry-override-deployment.in.yaml new file mode 100644 index 0000000000..a7d7e02edd --- /dev/null +++ b/test/helm/gateway-helm/global-registry-override-deployment.in.yaml @@ -0,0 +1,14 @@ +global: + imageRegistry: "private.registry" + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always + ratelimit: + image: "docker.io/envoyproxy/ratelimit:master" + +deployment: + envoyGateway: + image: + repository: "docker.io/envoy/gateway" + tag: "abcdef" diff --git a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml new file mode 100644 index 0000000000..2586212b88 --- /dev/null +++ b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml 
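Review bot: Nothing in `global-registry-override-deployment.in.yaml` says which of its three image sources is expected to win; the answer is only recoverable from the golden output, `private.registry/envoy/gateway:abcdef`. That is the repository path and tag from `deployment.envoyGateway.image`, with the registry host replaced by `global.imageRegistry`. Because the rewrite changes where an explicitly configured image is pulled from, a header comment would help the next reader, for example `# expect private.registry/envoy/gateway:abcdef: path and tag from deployment.envoyGateway.image, registry host from global.imageRegistry`. The same kind of one-line expectation comment would suit `global-registry-override-global.in.yaml` and `global-pullsecrets-override-global.in.yaml`.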
@@ -0,0 +1,578 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: private.registry/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + pod: + imagePullSecrets: [] + shutdownManager: + image: private.registry/envoy/gateway:abcdef + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - 
get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + 
app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: 
gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + 
prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: private.registry/envoy/gateway:abcdef + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: + [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + 
"helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: 
private.registry/envoy/gateway:abcdef + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/global-registry-override-global.in.yaml b/test/helm/gateway-helm/global-registry-override-global.in.yaml new file mode 100644 index 0000000000..365e732755 --- /dev/null +++ b/test/helm/gateway-helm/global-registry-override-global.in.yaml @@ -0,0 +1,8 @@ +global: + imageRegistry: "private.registry" + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always + ratelimit: + image: "docker.io/envoyproxy/ratelimit:master" diff --git a/test/helm/gateway-helm/global-registry-override-global.out.yaml b/test/helm/gateway-helm/global-registry-override-global.out.yaml new file mode 100644 index 0000000000..478e058f4f --- /dev/null +++ b/test/helm/gateway-helm/global-registry-override-global.out.yaml 
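Review bot: The registry-rewrite fixtures here only exercise `host/path:tag` references (`docker.io/envoyproxy/gateway-dev:latest`, `docker.io/envoyproxy/ratelimit:master`), so the expected output never shows what the override does to a digest-pinned image or to a registry host that includes a port. The helper that does the splitting is outside this hunk, so whether those forms survive is not visible. Both contain an extra `:` or `@` that simple string splitting tends to mishandle, and a dropped digest would silently turn a pinned image into a mutable tag. If the chart is meant to accept them, add a fixture such as `image: "docker.io/envoyproxy/gateway-dev@sha256:<digest>"` (placeholder digest) and one with `imageRegistry: "private.registry:5000"` (constructed value), then check the rendered `image:` lines.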
@@ -0,0 +1,578 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: private.registry/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + pod: + imagePullSecrets: [] + shutdownManager: + image: private.registry/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + 
verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: 
gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# 
Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + 
prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: private.registry/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: + [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: 
+ "helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: 
private.registry/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml index fb75b1bf84..f5905b73bf 100644 --- a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml +++ b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml @@ -47,6 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -444,7 +446,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -599,7 +602,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/service-customization.in.yaml b/test/helm/gateway-helm/service-customization.in.yaml index 4d80e7cd70..6c35d65f29 100644 --- a/test/helm/gateway-helm/service-customization.in.yaml +++ b/test/helm/gateway-helm/service-customization.in.yaml @@ -3,6 +3,7 @@ global: envoyGateway: image: "docker.io/envoyproxy/gateway-dev:latest" pullPolicy: Always + service: trafficDistribution: PreferClose annotations: diff --git a/test/helm/gateway-helm/service-customization.out.yaml b/test/helm/gateway-helm/service-customization.out.yaml index f72169d4f0..1f9179f4e5 100644 
--- a/test/helm/gateway-helm/service-customization.out.yaml +++ b/test/helm/gateway-helm/service-customization.out.yaml @@ -47,6 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit + pod: + imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes @@ -447,7 +449,8 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: [] + imagePullSecrets: + [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -571,7 +574,8 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: [] + imagePullSecrets: + [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/tools/make/docs.mk b/tools/make/docs.mk index 4ac179122c..b43acd031b 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk @@ -129,7 +129,12 @@ helm-readme-gen.%: $(eval CHART_NAME := $(COMMAND)) # use production ENV to generate helm api doc @if test -f "charts/${CHART_NAME}/values.tmpl.yaml"; then \ - ImageRepository=docker.io/envoyproxy/gateway ImageTag=latest ImagePullPolicy=IfNotPresent \ + Registry=docker.io\ + GatewayRepository=envoyproxy/gateway\ + GatewayTag=latest\ + GatewayImagePullPolicy=IfNotPresent\ + RatelimitRepository=envoyproxy/ratelimit\ + RatelimitTag=master\ envsubst < charts/${CHART_NAME}/values.tmpl.yaml > ./charts/${CHART_NAME}/values.yaml; \ fi diff --git a/tools/make/env.mk b/tools/make/env.mk index 1e3d533259..0329f7e326 100644 --- a/tools/make/env.mk +++ b/tools/make/env.mk 
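Review bot: The variables that `helm-readme-gen.%` now exports to `envsubst` (`Registry`, `GatewayRepository`, `GatewayTag`, `RatelimitRepository`, `RatelimitTag`) are not the ones `helm-generate.%` in tools/make/helm.mk exports for the same `values.tmpl.yaml` (`GatewayImage`, `RatelimitImage`). `envsubst` replaces an unset variable with an empty string, so whichever placeholder names the template uses, one of the two recipes renders empty image values, and the generated API docs would then list an empty default. Exporting the same names in both recipes keeps the documented defaults equal to the shipped ones, for example `GatewayImage=docker.io/envoyproxy/gateway:latest` and `RatelimitImage=docker.io/envoyproxy/ratelimit:master`. The recipe continues outside the hunk.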
@@ -2,21 +2,30 @@ # # This file does not contain any specific make targets. - -# Docker variables +# Docker global variables # REGISTRY is the image registry to use for build and push image targets. -REGISTRY ?= docker.io/envoyproxy -# IMAGE_NAME is the name of EG image -# Use gateway-dev in default when developing -# Use gateway when releasing an image. -IMAGE_NAME ?= gateway-dev -# IMAGE is the image URL for build and push image targets. -IMAGE ?= ${REGISTRY}/${IMAGE_NAME} -# Tag is the tag to use for build and push image targets. +REGISTRY ?= docker.io + +# Docker Envoy Gateway variables + +# REPOSITORY is the image repository +# Use envoyproxy/gateway-dev when developing +# Use envoyproxy/gateway when releasing an image. +REPOSITORY ?= envoyproxy/gateway +# REPOSITORY ?= envoyproxy/gateway-dev + +# TAG is the image tag, defaults to current revision TAG ?= $(REV) +# Docker Envoy Ratelimit variables + +# RATELIMIT_REPOSITORY is the ratelimit repository +RATELIMIT_REPOSITORY ?= envoyproxy/ratelimit +# RATELIMIT_TAG is the ratelimit image tag +RATELIMIT_TAG ?= master + # Fuzzing variables # FUZZ_TIME is the time to run the fuzzer for -FUZZ_TIME ?= 5s \ No newline at end of file +FUZZ_TIME ?= 5s diff --git a/tools/make/helm.mk b/tools/make/helm.mk index 591619ad37..587f38f6f1 100644 --- a/tools/make/helm.mk +++ b/tools/make/helm.mk @@ -16,8 +16,8 @@ CHART_VERSION ?= ${RELEASE_VERSION} helm-package: ## Package envoy gateway relevant helm charts. helm-package: @for chart in $(CHARTS); do \ - $(LOG_TARGET); \ - $(MAKE) $(addprefix helm-package., $$(basename $${chart})); \ + $(LOG_TARGET); \ + $(MAKE) $(addprefix helm-package., $$(basename $${chart})); \ done .PHONY: helm-package.% 
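Review bot: The new default `REPOSITORY ?= envoyproxy/gateway` is the value the comment directly above reserves for releases, while the development value is left as a commented-out line. The removed `IMAGE_NAME ?= gateway-dev` made an unconfigured build or push use the dev image name; with this default the `image.push.%` recipe in tools/make/image.mk resolves to `docker.io/envoyproxy/gateway:$(TAG)` unless the caller overrides it. I would keep the development value as the default, `REPOSITORY ?= envoyproxy/gateway-dev`, let the release pipeline set `REPOSITORY` explicitly, and delete the commented-out duplicate.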
@@ -43,39 +43,41 @@ helm-push.%: helm-package.% .PHONY: helm-generate helm-generate: @for chart in $(CHARTS); do \ - $(LOG_TARGET); \ - $(MAKE) $(addprefix helm-generate., $$(basename $${chart})); \ - done + $(LOG_TARGET); \ + $(MAKE) $(addprefix helm-generate., $$(basename $${chart})); \ + done .PHONY: helm-generate.% helm-generate.%: $(eval COMMAND := $(word 1,$(subst ., ,$*))) $(eval CHART_NAME := $(COMMAND)) @if test -f "charts/${CHART_NAME}/values.tmpl.yaml"; then \ - GatewayImage=${IMAGE}:${TAG} GatewayImagePullPolicy=${IMAGE_PULL_POLICY} \ - envsubst < charts/${CHART_NAME}/values.tmpl.yaml > ./charts/${CHART_NAME}/values.yaml; \ - fi + GatewayImage="${REGISTRY}/${REPOSITORY}:${TAG}"\ + GatewayImagePullPolicy=${IMAGE_PULL_POLICY}\ + RatelimitImage="${REGISTRY}/${RATELIMIT_REPOSITORY}:${RATELIMIT_TAG}"\ + envsubst < charts/${CHART_NAME}/values.tmpl.yaml > ./charts/${CHART_NAME}/values.yaml; \ + fi helm dependency update charts/${CHART_NAME} helm lint charts/${CHART_NAME} - # The jb does not support self-assigned jsonnetfile, so entering working dir before executing jb. + # The jb does not support self-assigned jsonnetfile, so entering working dir before executing jb. 
@if [ ${CHART_NAME} == "gateway-addons-helm" ]; then \ - $(call log, "Run jsonnet generate for dashboards in chart: ${CHART_NAME}!"); \ - workDir="charts/${CHART_NAME}/dashboards"; \ - cd $$workDir && ../../../go tool jb install && cd ../../..; \ - for file in $$(find $${workDir} -maxdepth 1 -name '*.libsonnet'); do \ - name=$$(basename $$file .libsonnet); \ - go tool jsonnet -J $${workDir}/vendor $${workDir}/$${name}.libsonnet > $${workDir}/$${name}.gen.json; \ - done \ - fi + $(call log, "Run jsonnet generate for dashboards in chart: ${CHART_NAME}!"); \ + workDir="charts/${CHART_NAME}/dashboards"; \ + cd $$workDir && go tool jb install && cd ../../..; \ + for file in $$(find $${workDir} -maxdepth 1 -name '*.libsonnet'); do \ + name=$$(basename $$file .libsonnet); \ + go tool jsonnet -J $${workDir}/vendor $${workDir}/$${name}.libsonnet > $${workDir}/$${name}.gen.json; \ + done \ + fi $(call log, "Run helm template for chart: ${CHART_NAME}!"); @for file in $(wildcard test/helm/${CHART_NAME}/*.in.yaml); do \ - filename=$$(basename $${file}); \ - output="$${filename%.in.*}.out.yaml"; \ - if [ ${CHART_NAME} == "gateway-addons-helm" ]; then \ - helm template ${CHART_NAME} charts/${CHART_NAME} -f $${file} > test/helm/${CHART_NAME}/$$output --namespace=monitoring; \ - else \ - helm template ${CHART_NAME} charts/${CHART_NAME} -f $${file} > test/helm/${CHART_NAME}/$$output --namespace=envoy-gateway-system; \ - fi; \ + filename=$$(basename $${file}); \ + output="$${filename%.in.*}.out.yaml"; \ + if [ ${CHART_NAME} == "gateway-addons-helm" ]; then \ + helm template ${CHART_NAME} charts/${CHART_NAME} -f $${file} > test/helm/${CHART_NAME}/$$output --namespace=monitoring; \ + else \ + helm template ${CHART_NAME} charts/${CHART_NAME} -f $${file} > test/helm/${CHART_NAME}/$$output --namespace=envoy-gateway-system; \ + fi; \ done diff --git a/tools/make/image.mk b/tools/make/image.mk index f3864a2296..a2f2f0c614 100644 --- a/tools/make/image.mk +++ b/tools/make/image.mk 
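Review bot: `RatelimitImage` in `helm-generate.%` is built from `${REGISTRY}`, which env.mk documents as the registry for this repository's own build and push targets. Pointing `REGISTRY` at a private registry for a local gateway build therefore also rewrites the ratelimit image in the generated `values.yaml`. None of the make targets visible in this patch builds or pushes a ratelimit image, so that reference presumably would not resolve. A separate variable with its own default would decouple the two, for example a new `RATELIMIT_REGISTRY ?= docker.io` used as `RatelimitImage="${RATELIMIT_REGISTRY}/${RATELIMIT_REPOSITORY}:${RATELIMIT_TAG}"`.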
@@ -43,8 +43,12 @@ image.build.%: image.verify go.build.linux_$(GOARCH).% $(eval COMMAND := $(word 1,$(subst ., ,$*))) $(eval IMAGES := $(COMMAND)) @$(call log, "Building image $(IMAGES):$(TAG) in linux/$(GOARCH)") - $(eval BUILD_SUFFIX := --pull --load -t $(IMAGE):$(TAG) -f $(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile bin) - @$(call log, "Creating image tag $(REGISTRY)/$(IMAGES):$(TAG) in linux/$(GOARCH)") + $(eval BUILD_SUFFIX := --pull --load -t $(REGISTRY)/$(REPOSITORY):$(TAG) -f $(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile bin) + $(eval __SECOND_TO_LAST_WORD_INDEX := $(shell expr $(words $(subst /, ,$(REPOSITORY))) - 1)) + $(eval __REPOSITORY_WORDS := $(subst /, ,$(REPOSITORY))) + $(eval __REPOSITORY_ALL_BUT_LAST := $(wordlist 1,$(__SECOND_TO_LAST_WORD_INDEX),$(__REPOSITORY_WORDS))) + $(eval NAMESPACE := $(subst $() ,/,$(__REPOSITORY_ALL_BUT_LAST))) + @$(call log, "Creating image tag $(REGISTRY)/$(NAMESPACE)/$(IMAGES):$(TAG) in linux/$(GOARCH)") $(DOCKER) buildx build --platform linux/$(GOARCH) $(BUILD_SUFFIX) .PHONY: image.push @@ -56,8 +60,8 @@ image.push.%: image.build.% $(eval COMMAND := $(word 1,$(subst ., ,$*))) $(eval IMAGES := $(COMMAND)) @$(call log, "Pushing image $(IMAGES) $(TAG) to $(REGISTRY)") - @$(call log, "Pushing docker image tag $(IMAGE):$(TAG) in linux/$(GOARCH)") - $(DOCKER) push $(IMAGE):$(TAG) + @$(call log, "Pushing docker image tag $(REGISTRY)/$(REPOSITORY):$(TAG) in linux/$(GOARCH)") + $(DOCKER) push $(REGISTRY)/$(REPOSITORY):$(TAG) .PHONY: image.multiarch.verify image.multiarch.verify: 
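Review bot: The four `$(eval ...)` lines that derive `NAMESPACE` in `image.build.%` feed only the log message, which prints `$(REGISTRY)/$(NAMESPACE)/$(IMAGES):$(TAG)` while `BUILD_SUFFIX` actually tags the image `$(REGISTRY)/$(REPOSITORY):$(TAG)`. The two differ whenever the last component of `REPOSITORY` is not `$(IMAGES)`, and a `REPOSITORY` without a slash leaves `NAMESPACE` empty, so the log shows a double slash. I would log the reference that is passed to `-t`, `@$(call log, "Creating image tag $(REGISTRY)/$(REPOSITORY):$(TAG) in linux/$(GOARCH)")`, and drop the helper variables, so the build log names the artifact that is produced.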
@@ -84,12 +88,12 @@ image.multiarch.setup: image.verify image.multiarch.verify image.multiarch.emula .PHONY: image.build.multiarch image.build.multiarch: @$(LOG_TARGET) - docker buildx build bin -f "$(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile" -t "${IMAGE}:${TAG}" --platform "${BUILDX_PLATFORMS}" + docker buildx build bin -f "$(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile" -t "${REGISTRY}/${REPOSITORY}:${TAG}" --platform "${BUILDX_PLATFORMS}" .PHONY: image.push.multiarch image.push.multiarch: @$(LOG_TARGET) - docker buildx build bin -f "$(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile" -t "${IMAGE}:${TAG}" --platform "${BUILDX_PLATFORMS}" --sbom=false --provenance=false --push + docker buildx build bin -f "$(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile" -t "${REGISTRY}/${REPOSITORY}:${TAG}" --platform "${BUILDX_PLATFORMS}" --sbom=false --provenance=false --push ##@ Image diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 61376d79d9..88f7bb6a0f 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -247,9 +247,9 @@ create-cluster: ## Create a kind cluster suitable for running Gateway API confor tools/hack/create-cluster.sh .PHONY: kube-install-image -kube-install-image: image.build ## Install the EG image to a kind cluster using the provided $IMAGE and $TAG. +kube-install-image: image.build ## Install the EG image to a kind cluster using the provided $REGISTRY, $REPOSITORY and $TAG. @$(LOG_TARGET) - tools/hack/kind-load-image.sh $(IMAGE) $(TAG) + tools/hack/kind-load-image.sh $(REGISTRY)/$(REPOSITORY) $(TAG) .PHONY: run-conformance run-conformance: prepare-ip-family ## Run Gateway API conformance. From cb714664589c7c9a3860f065821eb0ebb125cb59 Mon Sep 17 00:00:00 2001 From: Pavel Gurkov Date: Tue, 15 Apr 2025 13:21:00 +0100 Subject: [PATCH 2/6] Revert Makefiles and changes relevant to them 
Signed-off-by: Pavel Gurkov --- charts/gateway-helm/README.md | 4 +- charts/gateway-helm/values.tmpl.yaml | 2 +- .../en/latest/install/gateway-helm-api.md | 4 +- tools/make/docs.mk | 7 +-- tools/make/env.mk | 31 ++++-------- tools/make/helm.mk | 50 +++++++++---------- tools/make/image.mk | 16 +++--- tools/make/kube.mk | 4 +- 8 files changed, 49 insertions(+), 69 deletions(-) diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 6f0b604f7b..f3d4568c31 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md @@ -100,9 +100,9 @@ To uninstall the chart: | global.imagePullSecrets | list | `[]` | Global override for image pull secrets | | global.imageRegistry | string | `""` | Global override for image registry | | global.images.envoyGateway.image | string | `nil` | | -| global.images.envoyGateway.pullPolicy | string | `"IfNotPresent"` | | +| global.images.envoyGateway.pullPolicy | string | `nil` | | | global.images.envoyGateway.pullSecrets | list | `[]` | | -| global.images.ratelimit.image | string | `""` | | +| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` | | | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | | | global.images.ratelimit.pullSecrets | list | `[]` | | | hpa.behavior | object | `{}` | | diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index a2a7580abc..6a549f3061 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -19,7 +19,7 @@ global: pullSecrets: [] ratelimit: # This is the full image name including the hub, repo, and tag. - image: "${RatelimitImage}" + image: "docker.io/envoyproxy/ratelimit:master" # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. pullPolicy: IfNotPresent 
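Review bot: The hard-coded default `image: "docker.io/envoyproxy/ratelimit:master"` in values.tmpl.yaml is a branch tag, and `pullPolicy: IfNotPresent` two lines below means a node that already holds a `master` image keeps using it. The ratelimit build that runs can therefore differ between nodes and between installs of the same chart version, and nothing ties the chart to a specific image. A release tag, a digest, or both would make the default reproducible, for example `image: "docker.io/envoyproxy/ratelimit:TAG_PLACEHOLDER@sha256:DIGEST_PLACEHOLDER"`. If tracking `master` is intended, a comment on that line saying so would help. The `ratelimit` mapping continues outside the hunk.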
diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 268d43cbf1..0a9aa29ba2 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md @@ -64,9 +64,9 @@ The Helm chart for Envoy Gateway | global.imagePullSecrets | list | `[]` | Global override for image pull secrets | | global.imageRegistry | string | `""` | Global override for image registry | | global.images.envoyGateway.image | string | `nil` | | -| global.images.envoyGateway.pullPolicy | string | `"IfNotPresent"` | | +| global.images.envoyGateway.pullPolicy | string | `nil` | | | global.images.envoyGateway.pullSecrets | list | `[]` | | -| global.images.ratelimit.image | string | `""` | | +| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` | | | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | | | global.images.ratelimit.pullSecrets | list | `[]` | | | hpa.behavior | object | `{}` | | diff --git a/tools/make/docs.mk b/tools/make/docs.mk index b43acd031b..4ac179122c 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk @@ -129,12 +129,7 @@ helm-readme-gen.%: $(eval CHART_NAME := $(COMMAND)) # use production ENV to generate helm api doc @if test -f "charts/${CHART_NAME}/values.tmpl.yaml"; then \ - Registry=docker.io\ - GatewayRepository=envoyproxy/gateway\ - GatewayTag=latest\ - GatewayImagePullPolicy=IfNotPresent\ - RatelimitRepository=envoyproxy/ratelimit\ - RatelimitTag=master\ + ImageRepository=docker.io/envoyproxy/gateway ImageTag=latest ImagePullPolicy=IfNotPresent \ envsubst < charts/${CHART_NAME}/values.tmpl.yaml > ./charts/${CHART_NAME}/values.yaml; \ fi diff --git a/tools/make/env.mk b/tools/make/env.mk index 0329f7e326..1e3d533259 100644 --- a/tools/make/env.mk +++ b/tools/make/env.mk 
@@ -2,30 +2,21 @@ # # This file does not contain any specific make targets. -# Docker global variables -# REGISTRY is the image registry to use for build and push image targets. -REGISTRY ?= docker.io - -# Docker Envoy Gateway variables - -# REPOSITORY is the image repository -# Use envoyproxy/gateway-dev when developing -# Use envoyproxy/gateway when releasing an image. -REPOSITORY ?= envoyproxy/gateway -# REPOSITORY ?= envoyproxy/gateway-dev +# Docker variables -# TAG is the image tag, defaults to current revision +# REGISTRY is the image registry to use for build and push image targets. +REGISTRY ?= docker.io/envoyproxy +# IMAGE_NAME is the name of EG image +# Use gateway-dev in default when developing +# Use gateway when releasing an image. +IMAGE_NAME ?= gateway-dev +# IMAGE is the image URL for build and push image targets. +IMAGE ?= ${REGISTRY}/${IMAGE_NAME} +# Tag is the tag to use for build and push image targets. TAG ?= $(REV) -# Docker Envoy Ratelimit variables - -# RATELIMIT_REPOSITORY is the ratelimit repository -RATELIMIT_REPOSITORY ?= envoyproxy/ratelimit -# RATELIMIT_TAG is the ratelimit image tag -RATELIMIT_TAG ?= master - # Fuzzing variables # FUZZ_TIME is the time to run the fuzzer for -FUZZ_TIME ?= 5s +FUZZ_TIME ?= 5s \ No newline at end of file diff --git a/tools/make/helm.mk b/tools/make/helm.mk index 587f38f6f1..591619ad37 100644 --- a/tools/make/helm.mk +++ b/tools/make/helm.mk @@ -16,8 +16,8 @@ CHART_VERSION ?= ${RELEASE_VERSION} helm-package: ## Package envoy gateway relevant helm charts. helm-package: @for chart in $(CHARTS); do \ - $(LOG_TARGET); \ - $(MAKE) $(addprefix helm-package., $$(basename $${chart})); \ + $(LOG_TARGET); \ + $(MAKE) $(addprefix helm-package., $$(basename $${chart})); \ done .PHONY: helm-package.% 
@@ -43,41 +43,39 @@ helm-push.%: helm-package.% .PHONY: helm-generate helm-generate: @for chart in $(CHARTS); do \ - $(LOG_TARGET); \ - $(MAKE) $(addprefix helm-generate., $$(basename $${chart})); \ - done + $(LOG_TARGET); \ + $(MAKE) $(addprefix helm-generate., $$(basename $${chart})); \ + done .PHONY: helm-generate.% helm-generate.%: $(eval COMMAND := $(word 1,$(subst ., ,$*))) $(eval CHART_NAME := $(COMMAND)) @if test -f "charts/${CHART_NAME}/values.tmpl.yaml"; then \ - GatewayImage="${REGISTRY}/${REPOSITORY}:${TAG}"\ - GatewayImagePullPolicy=${IMAGE_PULL_POLICY}\ - RatelimitImage="${REGISTRY}/${RATELIMIT_REPOSITORY}:${RATELIMIT_TAG}"\ - envsubst < charts/${CHART_NAME}/values.tmpl.yaml > ./charts/${CHART_NAME}/values.yaml; \ - fi + GatewayImage=${IMAGE}:${TAG} GatewayImagePullPolicy=${IMAGE_PULL_POLICY} \ + envsubst < charts/${CHART_NAME}/values.tmpl.yaml > ./charts/${CHART_NAME}/values.yaml; \ + fi helm dependency update charts/${CHART_NAME} helm lint charts/${CHART_NAME} - # The jb does not support self-assigned jsonnetfile, so entering working dir before executing jb. + # The jb does not support self-assigned jsonnetfile, so entering working dir before executing jb. 
@if [ ${CHART_NAME} == "gateway-addons-helm" ]; then \ - $(call log, "Run jsonnet generate for dashboards in chart: ${CHART_NAME}!"); \ - workDir="charts/${CHART_NAME}/dashboards"; \ - cd $$workDir && go tool jb install && cd ../../..; \ - for file in $$(find $${workDir} -maxdepth 1 -name '*.libsonnet'); do \ - name=$$(basename $$file .libsonnet); \ - go tool jsonnet -J $${workDir}/vendor $${workDir}/$${name}.libsonnet > $${workDir}/$${name}.gen.json; \ - done \ - fi + $(call log, "Run jsonnet generate for dashboards in chart: ${CHART_NAME}!"); \ + workDir="charts/${CHART_NAME}/dashboards"; \ + cd $$workDir && ../../../go tool jb install && cd ../../..; \ + for file in $$(find $${workDir} -maxdepth 1 -name '*.libsonnet'); do \ + name=$$(basename $$file .libsonnet); \ + go tool jsonnet -J $${workDir}/vendor $${workDir}/$${name}.libsonnet > $${workDir}/$${name}.gen.json; \ + done \ + fi $(call log, "Run helm template for chart: ${CHART_NAME}!"); @for file in $(wildcard test/helm/${CHART_NAME}/*.in.yaml); do \ - filename=$$(basename $${file}); \ - output="$${filename%.in.*}.out.yaml"; \ - if [ ${CHART_NAME} == "gateway-addons-helm" ]; then \ - helm template ${CHART_NAME} charts/${CHART_NAME} -f $${file} > test/helm/${CHART_NAME}/$$output --namespace=monitoring; \ - else \ - helm template ${CHART_NAME} charts/${CHART_NAME} -f $${file} > test/helm/${CHART_NAME}/$$output --namespace=envoy-gateway-system; \ - fi; \ + filename=$$(basename $${file}); \ + output="$${filename%.in.*}.out.yaml"; \ + if [ ${CHART_NAME} == "gateway-addons-helm" ]; then \ + helm template ${CHART_NAME} charts/${CHART_NAME} -f $${file} > test/helm/${CHART_NAME}/$$output --namespace=monitoring; \ + else \ + helm template ${CHART_NAME} charts/${CHART_NAME} -f $${file} > test/helm/${CHART_NAME}/$$output --namespace=envoy-gateway-system; \ + fi; \ done diff --git a/tools/make/image.mk b/tools/make/image.mk index a2f2f0c614..f3864a2296 100644 --- a/tools/make/image.mk +++ b/tools/make/image.mk 
@@ -43,12 +43,8 @@ image.build.%: image.verify go.build.linux_$(GOARCH).% $(eval COMMAND := $(word 1,$(subst ., ,$*))) $(eval IMAGES := $(COMMAND)) @$(call log, "Building image $(IMAGES):$(TAG) in linux/$(GOARCH)") - $(eval BUILD_SUFFIX := --pull --load -t $(REGISTRY)/$(REPOSITORY):$(TAG) -f $(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile bin) - $(eval __SECOND_TO_LAST_WORD_INDEX := $(shell expr $(words $(subst /, ,$(REPOSITORY))) - 1)) - $(eval __REPOSITORY_WORDS := $(subst /, ,$(REPOSITORY))) - $(eval __REPOSITORY_ALL_BUT_LAST := $(wordlist 1,$(__SECOND_TO_LAST_WORD_INDEX),$(__REPOSITORY_WORDS))) - $(eval NAMESPACE := $(subst $() ,/,$(__REPOSITORY_ALL_BUT_LAST))) - @$(call log, "Creating image tag $(REGISTRY)/$(NAMESPACE)/$(IMAGES):$(TAG) in linux/$(GOARCH)") + $(eval BUILD_SUFFIX := --pull --load -t $(IMAGE):$(TAG) -f $(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile bin) + @$(call log, "Creating image tag $(REGISTRY)/$(IMAGES):$(TAG) in linux/$(GOARCH)") $(DOCKER) buildx build --platform linux/$(GOARCH) $(BUILD_SUFFIX) .PHONY: image.push @@ -60,8 +56,8 @@ image.push.%: image.build.% $(eval COMMAND := $(word 1,$(subst ., ,$*))) $(eval IMAGES := $(COMMAND)) @$(call log, "Pushing image $(IMAGES) $(TAG) to $(REGISTRY)") - @$(call log, "Pushing docker image tag $(REGISTRY)/$(REPOSITORY):$(TAG) in linux/$(GOARCH)") - $(DOCKER) push $(REGISTRY)/$(REPOSITORY):$(TAG) + @$(call log, "Pushing docker image tag $(IMAGE):$(TAG) in linux/$(GOARCH)") + $(DOCKER) push $(IMAGE):$(TAG) .PHONY: image.multiarch.verify image.multiarch.verify: 
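Review bot: In `image.build.%` the log line and the build disagree about the image reference: `BUILD_SUFFIX` tags `$(IMAGE):$(TAG)`, while the message prints `$(REGISTRY)/$(IMAGES):$(TAG)`. When `IMAGE` is overridden on the command line, the build log names a reference that was never created, which makes it harder to trace a pushed image back to the job that built it. Logging the same expression that is passed to `-t` keeps the two in step: `@$(call log, "Creating image tag $(IMAGE):$(TAG) in linux/$(GOARCH)")`. The `image.push.%` hunk that follows already logs `$(IMAGE):$(TAG)`.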
@@ -88,12 +84,12 @@ image.multiarch.setup: image.verify image.multiarch.verify image.multiarch.emula .PHONY: image.build.multiarch image.build.multiarch: @$(LOG_TARGET) - docker buildx build bin -f "$(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile" -t "${REGISTRY}/${REPOSITORY}:${TAG}" --platform "${BUILDX_PLATFORMS}" + docker buildx build bin -f "$(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile" -t "${IMAGE}:${TAG}" --platform "${BUILDX_PLATFORMS}" .PHONY: image.push.multiarch image.push.multiarch: @$(LOG_TARGET) - docker buildx build bin -f "$(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile" -t "${REGISTRY}/${REPOSITORY}:${TAG}" --platform "${BUILDX_PLATFORMS}" --sbom=false --provenance=false --push + docker buildx build bin -f "$(ROOT_DIR)/tools/docker/$(IMAGES)/Dockerfile" -t "${IMAGE}:${TAG}" --platform "${BUILDX_PLATFORMS}" --sbom=false --provenance=false --push ##@ Image diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 88f7bb6a0f..61376d79d9 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -247,9 +247,9 @@ create-cluster: ## Create a kind cluster suitable for running Gateway API confor tools/hack/create-cluster.sh .PHONY: kube-install-image -kube-install-image: image.build ## Install the EG image to a kind cluster using the provided $REGISTRY, $REPOSITORY and $TAG. +kube-install-image: image.build ## Install the EG image to a kind cluster using the provided $IMAGE and $TAG. @$(LOG_TARGET) - tools/hack/kind-load-image.sh $(REGISTRY)/$(REPOSITORY) $(TAG) + tools/hack/kind-load-image.sh $(IMAGE) $(TAG) .PHONY: run-conformance run-conformance: prepare-ip-family ## Run Gateway API conformance. From df21a3ba5d1572c1cea15a182b13fd402e421dd0 Mon Sep 17 00:00:00 2001 From: Pavel Gurkov Date: Tue, 15 Apr 2025 17:13:25 +0100 Subject: [PATCH 3/6] Revert manual documentation changes Signed-off-by: Pavel Gurkov --- site/content/en/contributions/DEVELOP.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
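Review bot: The `image.push.multiarch` recipe publishes the image with `--sbom=false --provenance=false`, and nothing in the recipe says why. Both flags switch off the build attestations that consumers of a pushed image would use to check what it contains and how it was built, so the reason for disabling them belongs next to the command. I would add a comment above the `docker buildx build ... --push` line, for example `# attestations are disabled for this push because <reason>; SBOM/provenance are produced by <other step, if any>`. The flags appear on both sides of the change, so this is a documentation request rather than a regression introduced here.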
diff --git a/site/content/en/contributions/DEVELOP.md b/site/content/en/contributions/DEVELOP.md index bee7683961..4f557fdb0a 100644 --- a/site/content/en/contributions/DEVELOP.md +++ b/site/content/en/contributions/DEVELOP.md @@ -60,14 +60,14 @@ __Note:__ The `golangci-lint` configuration resides [here](https://github.com/en ### Building and Pushing the Image -* Run `REGISTRY=docker.io REPOSITORY=you/gateway-dev make image` to build the docker image. -* Run `REGISTRY=docker.io REPOSITORY=you/gateway-dev make push-multiarch` to build and push the multi-arch docker image. +* Run `IMAGE=docker.io/you/gateway-dev make image` to build the docker image. +* Run `IMAGE=docker.io/you/gateway-dev make push-multiarch` to build and push the multi-arch docker image. -__Note:__ Replace `REPOSITORY` with your registry's image name. +__Note:__ Replace `IMAGE` with your registry's image name. ### Raising a PR -* Run `make generate` and push the generated files along with your commit, if your PR contains any **API** changes (changes in `/api` folder), you've added some unit tests or you've updated the modules used in the project. +* Run `make generate` and push the generated files along with your commit, if your PR contains any **API** changes (changes in `/api` folder), you've added some unit tests or you've updated the modules used in the project. ### Deploying Envoy Gateway for Test/Dev @@ -86,7 +86,7 @@ __Note:__ Replace `REPOSITORY` with your registry's image name. ### Deploying Envoy Gateway in Kubernetes * Run `TAG=latest make kube-deploy` to deploy Envoy Gateway using the latest image into a Kubernetes cluster (linked to - the current kube context). Preface the command with `REGISTRY` and `REPOSITORY` or replace `TAG` to use a different Envoy Gateway image or + the current kube context). Preface the command with `IMAGE` or replace `TAG` to use a different Envoy Gateway image or tag. * Run `make kube-undeploy` to uninstall Envoy Gateway from the cluster. 
@@ -120,7 +120,7 @@ workarounds to run conformance tests: uninstall Envoy Gateway. * Install and run [Docker Mac Net Connect][mac_connect] and then run `TAG=latest make conformance`. -__Note:__ Preface commands with `REGISTRY` and `REPOSITORY` or replace `TAG` to use a different Envoy Gateway image or tag. If `TAG` +__Note:__ Preface commands with `IMAGE` or replace `TAG` to use a different Envoy Gateway image or tag. If `TAG` is unspecified, the short SHA of your current branch is used. ### Debugging the Envoy Config @@ -162,13 +162,13 @@ The performance and scalability concerns come from several aspects for control-p - The consumption of memory and CPU. - The rate of configuration changes. -The benchmark test is running on a [Kind][Kind] cluster, you can start a Kind cluster and +The benchmark test is running on a [Kind][Kind] cluster, you can start a Kind cluster and run benchmark test on it by executing `make benchmark`. The benchmark report will be included in the release artifacts, you can learn more by downloading the detailed benchmark report, namely `benchmark_report.zip`. -Here are some brief benchmark reports about Envoy Gateway: +Here are some brief benchmark reports about Envoy Gateway: - It will take up nearly 550MiB memory and 11s total CPU time for (1 GatewayClass + 1 Gateway + 500 HTTRoutes) settings From 3fe41858a85d98bd458995add2b4ca3b34ff828a Mon Sep 17 00:00:00 2001 From: Pavel Gurkov Date: Thu, 17 Apr 2025 12:53:21 +0100 Subject: [PATCH 4/6] Address PR feedback 
Signed-off-by: Pavel Gurkov --- charts/gateway-helm/templates/_helpers.tpl | 15 ++++++++++----- charts/gateway-helm/templates/certgen.yaml | 2 +- .../templates/envoy-gateway-deployment.yaml | 2 +- release-notes/current.yaml | 1 - test/helm/gateway-helm/certgen-args.out.yaml | 6 ++---- .../certjen-custom-scheduling.out.yaml | 6 ++---- .../gateway-helm/control-plane-with-pdb.out.yaml | 6 ++---- test/helm/gateway-helm/default-config.out.yaml | 6 ++---- .../deployment-custom-topology.out.yaml | 6 ++---- .../deployment-images-config.out.yaml | 8 ++++---- .../deployment-priorityclass.out.yaml | 6 ++---- .../deployment-repo-no-registry.out.yaml | 6 ++---- .../deployment-securitycontext.out.yaml | 6 ++---- .../gateway-helm/envoy-gateway-config.out.yaml | 6 ++---- .../gateway-helm/global-images-config.out.yaml | 8 ++++---- ...lobal-pullsecrets-override-deployment.out.yaml | 8 ++++---- .../global-pullsecrets-override-global.out.yaml | 8 ++++---- .../global-registry-override-deployment.out.yaml | 6 ++---- .../global-registry-override-global.out.yaml | 6 ++---- .../horizontal-pod-autoscaler.out.yaml | 6 ++---- .../gateway-helm/service-customization.out.yaml | 6 ++---- 21 files changed, 54 insertions(+), 76 deletions(-) diff --git a/charts/gateway-helm/templates/_helpers.tpl b/charts/gateway-helm/templates/_helpers.tpl index d7f69edf71..9e127b297d 100755 --- a/charts/gateway-helm/templates/_helpers.tpl +++ b/charts/gateway-helm/templates/_helpers.tpl 
@@ -106,13 +106,16 @@ Pull secrets for the Envoy Gateway image. */}} {{- define "eg.image.pullSecrets" -}} {{- if .Values.global.imagePullSecrets -}} +imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets }} {{- else if .Values.deployment.envoyGateway.imagePullSecrets -}} +imagePullSecrets: {{ toYaml .Values.deployment.envoyGateway.imagePullSecrets }} {{- else if .Values.global.images.envoyGateway.pullSecrets -}} +imagePullSecrets: {{ toYaml .Values.global.images.envoyGateway.pullSecrets }} {{- else -}} -{{ toYaml list }} +imagePullSecrets: {{ toYaml list }} {{- end }} {{- end }} @@ -126,7 +129,7 @@ The name of the Envoy Ratelimit image. {{- $repositoryTag := $imageParts._1 -}} {{- $repositoryParts := splitn ":" 2 $repositoryTag -}} {{- $repositoryName := $repositoryParts._0 -}} -{{- $imageTag := default .Chart.AppVersion $repositoryParts._1 -}} +{{- $imageTag := default "master" $repositoryParts._1 -}} {{- printf "%s/%s:%s" $registryName $repositoryName $imageTag -}} {{- end -}} @@ -135,11 +138,13 @@ Pull secrets for the Envoy Ratelimit image. */}} {{- define "eg.ratelimit.image.pullSecrets" -}} {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets }} {{- else if .Values.global.images.ratelimit.pullSecrets -}} +imagePullSecrets: {{ toYaml .Values.global.images.ratelimit.pullSecrets }} -{{- else -}} -{{ toYaml list }} +{{- else }} +imagePullSecrets: {{ toYaml list }} {{- end }} {{- end }} @@ -155,7 +160,7 @@ provider: container: image: {{ include "eg.ratelimit.image" . }} pod: - imagePullSecrets: {{- include "eg.ratelimit.image.pullSecrets" . | nindent 10 }} + {{- include "eg.ratelimit.image.pullSecrets" . | nindent 8 }} {{- with .Values.global.images.ratelimit.pullPolicy }} patch: type: StrategicMerge diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml index 768f47b553..3f2a514e91 100644 --- a/charts/gateway-helm/templates/certgen.yaml 
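Review bot: The comment above `eg.image.pullSecrets` still reads "Pull secrets for the Envoy Gateway image." although the helper now renders the `imagePullSecrets:` key itself rather than only the list. A caller that keeps its own `imagePullSecrets:` line would produce a nested or duplicate key, so the contract should be stated in the comment: `Renders the complete imagePullSecrets block (key included); include it at the pod spec's indent.` It would also help to list the precedence the branches implement: `global.imagePullSecrets`, then `deployment.envoyGateway.imagePullSecrets`, then `global.images.envoyGateway.pullSecrets`. The same applies to `eg.ratelimit.image.pullSecrets` in the third hunk of this file; the opening of both comments lies outside the hunks.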
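Review bot: In the ratelimit image helper the fallback `default "master" $repositoryParts._1` makes a mutable branch tag the image version whenever the configured repository carries no tag. A `master` tag can point at different image contents from one pull to the next, so two installs of the same chart version can end up running different ratelimit builds without any change in the rendered manifest. I would make the tag mandatory instead of defaulting it, e.g. `{{- $imageTag := required "ratelimit image tag must be set" $repositoryParts._1 -}}`, or default to a pinned tag shipped in the chart values. The helper starts above this hunk, so how `$imageParts` is derived is not visible here.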
+++ b/charts/gateway-helm/templates/certgen.yaml @@ -48,7 +48,7 @@ spec: {{- end }} securityContext: {{- toYaml .Values.certgen.job.securityContext | nindent 10 }} - imagePullSecrets: {{- include "eg.image.pullSecrets" . | nindent 8 }} + {{- include "eg.image.pullSecrets" . | nindent 6 }} {{- with .Values.certgen.job.affinity }} affinity: {{- toYaml . | nindent 8 }} diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 82d9d790ac..7746dd2e4a 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -84,7 +84,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: {{- include "eg.image.pullSecrets" . | nindent 8 }} + {{- include "eg.image.pullSecrets" . | nindent 6 }} {{- with .Values.deployment.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} diff --git a/release-notes/current.yaml b/release-notes/current.yaml index fc502cb12b..29d9ff313a 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -4,7 +4,6 @@ date: Pending breaking changes: | Use a dedicated listener port(19003) for envoy proxy readiness Uses the envoy JSON formatter for the default access log instead of text formatter. - Removed environment variables IMAGE, IMAGE_NAME used for building the image; use REGISTRY and REPOSITORY instead # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | diff --git a/test/helm/gateway-helm/certgen-args.out.yaml b/test/helm/gateway-helm/certgen-args.out.yaml index b74bde085a..4ce007abcb 100644 --- a/test/helm/gateway-helm/certgen-args.out.yaml +++ b/test/helm/gateway-helm/certgen-args.out.yaml @@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: 
@@ -573,8 +572,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 3b0d90f244..0541403940 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -571,8 +570,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index a77d798143..8185763b44 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -461,8 +461,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -586,8 +585,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 1511327122..421f2ed840 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml 
@@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -571,8 +570,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 59d7cda01f..ec33918148 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -474,8 +474,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -599,8 +598,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index dbdbbee52d..8ba803e004 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -447,8 +447,8 @@ spec: name: certs readOnly: true imagePullSecrets: - - name: secret1 - - name: secret2 + - name: secret1 + - name: secret2 serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -573,8 +573,8 @@ spec: seccompProfile: type: RuntimeDefault imagePullSecrets: - - name: secret1 - - name: secret2 + - name: secret1 + - name: secret2 restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 
diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index d63df945df..d190ba4b24 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] priorityClassName: "system-cluster-critical" serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 @@ -572,8 +571,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml index f797121e5b..91b4e78f04 100644 --- a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml +++ b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml @@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -571,8 +570,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml index bc1caa1c96..edfb36bfdb 100644 --- a/test/helm/gateway-helm/deployment-securitycontext.out.yaml +++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml @@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: 
@@ -571,8 +570,7 @@ spec: runAsUser: 1000 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index d9bcaf26b5..9b380eb332 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -448,8 +448,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -573,8 +572,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 031e4c6cf6..ebcda594b1 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -449,8 +449,8 @@ spec: name: certs readOnly: true imagePullSecrets: - - name: secret1 - - name: secret2 + - name: secret1 + - name: secret2 serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -575,8 +575,8 @@ spec: seccompProfile: type: RuntimeDefault imagePullSecrets: - - name: secret1 - - name: secret2 + - name: secret1 + - name: secret2 restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml index f18cf3834b..0cb61e651e 100644 --- a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml +++ b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml 
@@ -449,8 +449,8 @@ spec: name: certs readOnly: true imagePullSecrets: - - key1: value1 - - key2: value2 + - key1: value1 + - key2: value2 serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -575,8 +575,8 @@ spec: seccompProfile: type: RuntimeDefault imagePullSecrets: - - key1: value1 - - key2: value2 + - key1: value1 + - key2: value2 restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml index 3adb70c206..afc036bcbf 100644 --- a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml +++ b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml @@ -449,8 +449,8 @@ spec: name: certs readOnly: true imagePullSecrets: - - key1: value1 - - key2: value2 + - key1: value1 + - key2: value2 serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -575,8 +575,8 @@ spec: seccompProfile: type: RuntimeDefault imagePullSecrets: - - key1: value1 - - key2: value2 + - key1: value1 + - key2: value2 restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml index 2586212b88..c94040c7e8 100644 --- a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml +++ b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml @@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -571,8 +570,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 
diff --git a/test/helm/gateway-helm/global-registry-override-global.out.yaml b/test/helm/gateway-helm/global-registry-override-global.out.yaml index 478e058f4f..97e8d032e1 100644 --- a/test/helm/gateway-helm/global-registry-override-global.out.yaml +++ b/test/helm/gateway-helm/global-registry-override-global.out.yaml @@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -571,8 +570,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml index f5905b73bf..17bdea42fc 100644 --- a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml +++ b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml @@ -446,8 +446,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -602,8 +601,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/service-customization.out.yaml b/test/helm/gateway-helm/service-customization.out.yaml index 1f9179f4e5..c59b57d2b6 100644 --- a/test/helm/gateway-helm/service-customization.out.yaml +++ b/test/helm/gateway-helm/service-customization.out.yaml @@ -449,8 +449,7 @@ spec: - mountPath: /certs name: certs readOnly: true - imagePullSecrets: - [] + imagePullSecrets: [] serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: 
@@ -574,8 +573,7 @@ spec: runAsUser: 65534 seccompProfile: type: RuntimeDefault - imagePullSecrets: - [] + imagePullSecrets: [] restartPolicy: Never serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 From f008b690693f5db603ec1b9ce54e6a54c749db87 Mon Sep 17 00:00:00 2001 From: Pavel Gurkov Date: Thu, 17 Apr 2025 13:05:23 +0100 Subject: [PATCH 5/6] Fix test config deployment-images-config.in.yaml Signed-off-by: Pavel Gurkov --- test/helm/gateway-helm/deployment-images-config.in.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/helm/gateway-helm/deployment-images-config.in.yaml b/test/helm/gateway-helm/deployment-images-config.in.yaml index 9cd0bb61ab..f5f4425f74 100644 --- a/test/helm/gateway-helm/deployment-images-config.in.yaml +++ b/test/helm/gateway-helm/deployment-images-config.in.yaml @@ -3,8 +3,7 @@ deployment: envoyGateway: image: - registry: private-hub - repository: envoyproxy/gateway + repository: private-hub/envoyproxy/gateway tag: abcdef12 imagePullPolicy: IfNotPresent imagePullSecrets: From b8445748333e458ad6d678c4db40163f9e32eb92 Mon Sep 17 00:00:00 2001 From: Pavel Gurkov Date: Thu, 17 Apr 2025 17:41:48 +0100 Subject: [PATCH 6/6] Address PR feedback 
Signed-off-by: Pavel Gurkov --- charts/gateway-helm/templates/_helpers.tpl | 2 ++ test/helm/gateway-helm/certgen-args.out.yaml | 2 -- test/helm/gateway-helm/certjen-custom-scheduling.out.yaml | 2 -- test/helm/gateway-helm/control-plane-with-pdb.out.yaml | 2 -- test/helm/gateway-helm/default-config.out.yaml | 2 -- .../helm/gateway-helm/deployment-custom-topology.out.yaml | 2 -- test/helm/gateway-helm/deployment-images-config.out.yaml | 8 +++----- test/helm/gateway-helm/deployment-priorityclass.out.yaml | 2 -- .../gateway-helm/deployment-repo-no-registry.out.yaml | 2 -- .../helm/gateway-helm/deployment-securitycontext.out.yaml | 2 -- test/helm/gateway-helm/envoy-gateway-config.out.yaml | 2 -- .../global-registry-override-deployment.out.yaml | 2 -- .../gateway-helm/global-registry-override-global.out.yaml | 2 -- test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml | 2 -- test/helm/gateway-helm/service-customization.out.yaml | 2 -- 15 files changed, 5 insertions(+), 31 deletions(-) diff --git a/charts/gateway-helm/templates/_helpers.tpl b/charts/gateway-helm/templates/_helpers.tpl index 9e127b297d..ebcfb54797 100755 --- a/charts/gateway-helm/templates/_helpers.tpl +++ b/charts/gateway-helm/templates/_helpers.tpl @@ -159,8 +159,10 @@ provider: rateLimitDeployment: container: image: {{ include "eg.ratelimit.image" . }} + {{- if (or .Values.global.imagePullSecrets .Values.global.images.ratelimit.pullSecrets) }} pod: {{- include "eg.ratelimit.image.pullSecrets" . | nindent 8 }} + {{- end }} {{- with .Values.global.images.ratelimit.pullPolicy }} patch: type: StrategicMerge diff --git a/test/helm/gateway-helm/certgen-args.out.yaml b/test/helm/gateway-helm/certgen-args.out.yaml index 4ce007abcb..d52753db28 100644 --- a/test/helm/gateway-helm/certgen-args.out.yaml +++ b/test/helm/gateway-helm/certgen-args.out.yaml 
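Review bot: The new guard `{{- if (or .Values.global.imagePullSecrets .Values.global.images.ratelimit.pullSecrets) }}` repeats the two sources that `eg.ratelimit.image.pullSecrets` already checks, so the list of sources now lives in two places. If a further source is later added to the helper and not to this condition, the `pod:` block is skipped and the ratelimit pod is rendered without its pull secrets, which shows up only as an image pull failure against a private registry. It also leaves the helper's `else` branch (`imagePullSecrets: {{ toYaml list }}`) unreachable from this call site. One option is to let the helper render nothing when no secrets are configured and wrap the call as `{{- with (include "eg.ratelimit.image.pullSecrets" .) }}`, so the decision is made once. The enclosing template starts and ends outside this hunk.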
@@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 0541403940..37d0212f71 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 8185763b44..69f08e1dbb 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -62,8 +62,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 421f2ed840..6e1b1846ba 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index ec33918148..0bc5809337 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml 
@@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 8ba803e004..f99a89039d 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -47,10 +47,8 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: - image: envoyproxy/gateway:abcdef12 + image: private-hub/envoyproxy/gateway:abcdef12 type: Kubernetes --- # Source: gateway-helm/templates/envoy-gateway-rbac.yaml @@ -398,7 +396,7 @@ spec: fieldPath: metadata.namespace - name: KUBERNETES_CLUSTER_DOMAIN value: cluster.local - image: envoyproxy/gateway:abcdef12 + image: private-hub/envoyproxy/gateway:abcdef12 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -557,7 +555,7 @@ spec: fieldPath: metadata.namespace - name: KUBERNETES_CLUSTER_DOMAIN value: cluster.local - image: envoyproxy/gateway:abcdef12 + image: private-hub/envoyproxy/gateway:abcdef12 imagePullPolicy: IfNotPresent name: envoy-gateway-certgen securityContext: diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index d190ba4b24..3757e360d9 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml index 91b4e78f04..3f1fc56440 100644 
--- a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml +++ b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: envoy/gateway:abcdef type: Kubernetes diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml index edfb36bfdb..e98bd1e973 100644 --- a/test/helm/gateway-helm/deployment-securitycontext.out.yaml +++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index 9b380eb332..fb1e51f220 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -49,8 +49,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml index c94040c7e8..6acac25c80 100644 --- a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml +++ b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: private.registry/envoy/gateway:abcdef type: Kubernetes 
diff --git a/test/helm/gateway-helm/global-registry-override-global.out.yaml b/test/helm/gateway-helm/global-registry-override-global.out.yaml index 97e8d032e1..e70e8bd888 100644 --- a/test/helm/gateway-helm/global-registry-override-global.out.yaml +++ b/test/helm/gateway-helm/global-registry-override-global.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: private.registry/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml index 17bdea42fc..fb75b1bf84 100644 --- a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml +++ b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes diff --git a/test/helm/gateway-helm/service-customization.out.yaml b/test/helm/gateway-helm/service-customization.out.yaml index c59b57d2b6..f72169d4f0 100644 --- a/test/helm/gateway-helm/service-customization.out.yaml +++ b/test/helm/gateway-helm/service-customization.out.yaml @@ -47,8 +47,6 @@ data: containers: - imagePullPolicy: IfNotPresent name: envoy-ratelimit - pod: - imagePullSecrets: [] shutdownManager: image: docker.io/envoyproxy/gateway-dev:latest type: Kubernetes