diff --git a/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.in.yaml b/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.in.yaml index f5bb5f15a1..3e2632f219 100644 --- a/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.in.yaml +++ b/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.in.yaml @@ -13,6 +13,34 @@ gateways: allowedRoutes: namespaces: from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: test-ns + name: gateway-3 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute @@ -21,7 +49,7 @@ httpRoutes: name: httproute-1 spec: parentRefs: - - namespace: envoy-gateway + - namespace: default name: gateway-1 rules: - matches: 
@@ -29,4 +57,93 @@ httpRoutes: value: "/" backendRefs: - name: service-1 + namespace: default + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + parentRefs: + - namespace: default + name: gateway-2 + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-2 + namespace: default + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: test-ns + name: httproute-3 + spec: + parentRefs: + - namespace: test-ns + name: gateway-3 + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-3 + namespace: test-ns port: 8080 +services: + - apiVersion: v1 + kind: Service + metadata: + namespace: default + name: service-1 + spec: + clusterIP: 1.1.1.1 + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + - apiVersion: v1 + kind: Service + metadata: + namespace: default + name: service-2 + spec: + clusterIP: 2.2.2.2 + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + - apiVersion: v1 + kind: Service + metadata: + namespace: default + name: service-2 + spec: + clusterIP: 2.2.2.2 + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + - apiVersion: v1 + kind: Service + metadata: + namespace: test-ns + name: service-3 + spec: + clusterIP: 2.2.2.2 + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 +namespaces: + - apiVersion: v1 + kind: Namespace + metadata: + name: test-ns diff --git a/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.out.yaml index f9565bc813..8d453faf57 100644 --- a/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.out.yaml 
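Review bot: The added `services` list declares `service-2` in namespace `default` twice with identical specs, and `service-3` in `test-ns` reuses `clusterIP: 2.2.2.2` from `service-2`, so the fixture exercises whatever last-wins or dedup behaviour the resource loader happens to have rather than the gateway-namespace-mode scenario the test is named for. Drop the second `service-2` entry and give `service-3` its own address, e.g. `clusterIP: 3.3.3.3`, so that a namespace mix-up in the translator (routing `test-ns` traffic to the `default` backend) would show up as a different value in the expected output instead of being masked by identical ones. Since every added `backendRefs` entry now carries an explicit `namespace` equal to the route's own namespace, none of the new routes covers a cross-namespace backendRef; if that path (and its ReferenceGrant check) is meant to be covered in this mode, a dedicated route is still missing.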
@@ -16,7 +16,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 0 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -39,6 +39,192 @@ gateways: kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-3 + namespace: test-ns + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: 
HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: default + rules: + - backendRefs: + - name: service-1 + namespace: default + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + parentRefs: + - name: gateway-2 + namespace: default + rules: + - backendRefs: + - name: service-2 + namespace: default + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: default +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-3 + namespace: test-ns + spec: + parentRefs: + - name: gateway-3 + namespace: test-ns + rules: + - backendRefs: + - name: service-3 + namespace: test-ns + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: 
"True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-3 + namespace: test-ns infraIR: default/gateway-1: proxy: @@ -56,6 +242,38 @@ infraIR: gateway.envoyproxy.io/owning-gateway-namespace: default name: default/gateway-1 namespace: default + default/gateway-2: + proxy: + listeners: + - address: null + name: default/gateway-2/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-2 + namespace: default + test-ns/gateway-3: + proxy: + listeners: + - address: null + name: test-ns/gateway-3/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-3 + gateway.envoyproxy.io/owning-gateway-namespace: test-ns + name: test-ns/gateway-3 + namespace: test-ns xdsIR: default/gateway-1: accessLog: 
@@ -76,6 +294,112 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + name: httproute/default/httproute-1/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + default/gateway-2: + accessLog: + json: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: default + sectionName: http + name: default/gateway-2/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + name: httproute/default/httproute-2/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + test-ns/gateway-3: + accessLog: + json: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-3 + namespace: test-ns + sectionName: http + name: test-ns/gateway-3/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: test-ns + name: 
httproute/test-ns/httproute-3/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go index 3d9b5ef316..f8165efacb 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go @@ -568,11 +568,6 @@ func TestDeployment(t *testing.T) { Name: ptr.To("custom-deployment-name"), }, }, - { - caseName: "gateway-namespace-mode", - infra: newTestInfraWithNamespace("ns1"), - gatewayNamespaceMode: true, - }, } for _, tc := range cases { t.Run(tc.caseName, func(t *testing.T) { @@ -618,19 +613,6 @@ func TestDeployment(t *testing.T) { tc.infra.Proxy.Config.Spec.ExtraArgs = tc.extraArgs } infraNamespace := cfg.ControllerNamespace - if tc.gatewayNamespaceMode { - deployType := egv1a1.KubernetesDeployModeType(egv1a1.KubernetesDeployModeTypeGatewayNamespace) - cfg.EnvoyGateway.Provider = &egv1a1.EnvoyGatewayProvider{ - Type: egv1a1.ProviderTypeKubernetes, - Kubernetes: &egv1a1.EnvoyGatewayKubernetesProvider{ - Deploy: &egv1a1.KubernetesDeployMode{ - Type: &deployType, - }, - }, - } - infraNamespace = tc.infra.GetProxyInfra().Namespace - } - r := NewResourceRender(infraNamespace, cfg.ControllerNamespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) dp, err := r.Deployment() require.NoError(t, err) 
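Review bot: The expected xDS route for `httproute-3` in `test-ns` is `directResponse: statusCode: 500`, while the same route's status earlier in this file reports `ResolvedRefs: "True"` with `Resolved all the Object references for the Route`, so the two halves of the golden disagree about whether `service-3` is a usable backend. The `default`-namespace routes resolve to an endpoint at `7.7.7.7` that is not declared in the input fixture and is presumably injected by the test harness; if that injection only covers `default` and the 500 is the intended result of `service-3` having no endpoints, a comment in the input fixture should say so, e.g. `# service-3 has no endpoints in this fixture, so httproute-3 is expected to render as a 500 direct response`. Otherwise this golden pins either a missing fixture or a namespace-mode translation bug as expected behaviour, and the expected output should be regenerated once the fixture is fixed.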
@@ -1695,3 +1677,164 @@ func TestIPFamilyPresentInSpec(t *testing.T) { }) } } + +func TestGatewayNamespaceModeMultipleResources(t *testing.T) { + cfg, err := config.New(os.Stdout) + require.NoError(t, err) + + // Configure gateway namespace mode + deployType := egv1a1.KubernetesDeployModeType(egv1a1.KubernetesDeployModeTypeGatewayNamespace) + cfg.EnvoyGateway.Provider = &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyGatewayKubernetesProvider{ + Deploy: &egv1a1.KubernetesDeployMode{ + Type: &deployType, + }, + }, + } + + // Create test infra with multiple namespaces + var infraList []*ir.Infra + infra1 := newTestInfraWithNamespace("namespace-1") + infra1.Proxy.Name = "namespace-1/gateway-1" + infra1.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNameLabel] = "gateway-1" + // Add HPA config to first infra + if infra1.Proxy.Config == nil { + infra1.Proxy.Config = &egv1a1.EnvoyProxy{Spec: egv1a1.EnvoyProxySpec{}} + } + if infra1.Proxy.Config.Spec.Provider == nil { + infra1.Proxy.Config.Spec.Provider = &egv1a1.EnvoyProxyProvider{} + } + infra1.Proxy.Config.Spec.Provider.Type = egv1a1.ProviderTypeKubernetes + if infra1.Proxy.Config.Spec.Provider.Kubernetes == nil { + infra1.Proxy.Config.Spec.Provider.Kubernetes = &egv1a1.EnvoyProxyKubernetesProvider{} + } + infra1.Proxy.Config.Spec.Provider.Kubernetes.EnvoyHpa = &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ + MinReplicas: ptr.To[int32](1), + MaxReplicas: ptr.To[int32](3), + } + + infra2 := newTestInfraWithNamespace("namespace-2") + infra2.Proxy.Name = "namespace-2/gateway-2" + infra2.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNameLabel] = "gateway-2" + // Add HPA config to second infra + if infra2.Proxy.Config == nil { + infra2.Proxy.Config = &egv1a1.EnvoyProxy{Spec: egv1a1.EnvoyProxySpec{}} + } + if infra2.Proxy.Config.Spec.Provider == nil { + infra2.Proxy.Config.Spec.Provider = &egv1a1.EnvoyProxyProvider{} + } + 
infra2.Proxy.Config.Spec.Provider.Type = egv1a1.ProviderTypeKubernetes + if infra2.Proxy.Config.Spec.Provider.Kubernetes == nil { + infra2.Proxy.Config.Spec.Provider.Kubernetes = &egv1a1.EnvoyProxyKubernetesProvider{} + } + infra2.Proxy.Config.Spec.Provider.Kubernetes.EnvoyHpa = &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ + MinReplicas: ptr.To[int32](1), + MaxReplicas: ptr.To[int32](3), + } + + infraList = append(infraList, infra1, infra2) + + deployments := make([]*appsv1.Deployment, 0, len(infraList)) + services := make([]*corev1.Service, 0, len(infraList)) + serviceAccounts := make([]*corev1.ServiceAccount, 0, len(infraList)) + hpas := make([]*autoscalingv2.HorizontalPodAutoscaler, 0, len(infraList)) + + for _, infra := range infraList { + namespace := infra.GetProxyInfra().Namespace + r := NewResourceRender(namespace, cfg.ControllerNamespace, cfg.DNSDomain, + infra.GetProxyInfra(), cfg.EnvoyGateway) + + dp, err := r.Deployment() + require.NoError(t, err) + deployments = append(deployments, dp) + + svc, err := r.Service() + require.NoError(t, err) + services = append(services, svc) + + sa, err := r.ServiceAccount() + require.NoError(t, err) + serviceAccounts = append(serviceAccounts, sa) + + hpa, err := r.HorizontalPodAutoscaler() + require.NoError(t, err) + hpas = append(hpas, hpa) + + } + + // Verify correct number of resources + require.Len(t, deployments, len(infraList)) + require.Len(t, services, len(infraList)) + require.Len(t, serviceAccounts, len(infraList)) + require.Len(t, hpas, len(infraList)) + + if test.OverrideTestData() { + deploymentInterfaces := make([]any, len(deployments)) + for i, dp := range deployments { + deploymentInterfaces[i] = dp + } + + err := writeTestDataToFile("testdata/gateway-namespace-mode/deployment.yaml", deploymentInterfaces) + require.NoError(t, err) + + serviceInterfaces := make([]any, len(services)) + for i, svc := range services { + serviceInterfaces[i] = svc + } + err = 
writeTestDataToFile("testdata/gateway-namespace-mode/service.yaml", serviceInterfaces) + require.NoError(t, err) + + saInterfaces := make([]any, len(serviceAccounts)) + for i, sa := range serviceAccounts { + saInterfaces[i] = sa + } + err = writeTestDataToFile("testdata/gateway-namespace-mode/serviceaccount.yaml", saInterfaces) + require.NoError(t, err) + + hpaInterfaces := make([]any, len(hpas)) + for i, hpa := range hpas { + hpaInterfaces[i] = hpa + } + err = writeTestDataToFile("testdata/gateway-namespace-mode/hpa.yaml", hpaInterfaces) + require.NoError(t, err) + + return + } + + for i, infra := range infraList { + expectedNamespace := infra.GetProxyInfra().Namespace + expectedName := ExpectedResourceHashedName(infra.GetProxyInfra().Name) + + require.Equal(t, expectedNamespace, deployments[i].Namespace) + require.Equal(t, expectedName, deployments[i].Name) + + require.Equal(t, expectedNamespace, services[i].Namespace) + require.Equal(t, expectedName, services[i].Name) + + require.Equal(t, expectedNamespace, serviceAccounts[i].Namespace) + require.Equal(t, expectedName, serviceAccounts[i].Name) + + if i < len(hpas) { + require.Equal(t, expectedNamespace, hpas[i].Namespace) + require.Equal(t, expectedName, hpas[i].Name) + require.Equal(t, expectedName, hpas[i].Spec.ScaleTargetRef.Name) + } + } +} + +func writeTestDataToFile(filename string, resources []any) error { + var combinedYAML []byte + for i, resource := range resources { + resourceYAML, err := yaml.Marshal(resource) + if err != nil { + return err + } + if i > 0 { + combinedYAML = append(combinedYAML, []byte("---\n")...) + } + combinedYAML = append(combinedYAML, resourceYAML...) + } + + return os.WriteFile(filename, combinedYAML, 0o600) +} diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml deleted file mode 100644 index 822afe93f2..0000000000 
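Review bot: The golden files written under `testdata/gateway-namespace-mode/` in the `OverrideTestData` branch are never read back: the non-override path of `TestGatewayNamespaceModeMultipleResources` only asserts namespace, name and the HPA `ScaleTargetRef`, so the full rendered Deployment (container `securityContext`, projected ServiceAccount token audience, cert and SDS volumes) that the deleted `testdata/deployments/gateway-namespace-mode.yaml` case used to pin is no longer compared against anything and can drift silently. Read each generated file, split on the `---\n` separator that `writeTestDataToFile` emits, unmarshal every document into the matching type and `require.Equal` it against the rendered object, as sketched below (needs `strings` in the import block if not already present). The `if i < len(hpas)` guard is redundant after `require.Len(t, hpas, len(infraList))` and can be dropped.

```go
	// Compare every rendered object against its golden document, not just its name.
	dpDocs := readGoldenDocs(t, "testdata/gateway-namespace-mode/deployment.yaml")
	svcDocs := readGoldenDocs(t, "testdata/gateway-namespace-mode/service.yaml")
	saDocs := readGoldenDocs(t, "testdata/gateway-namespace-mode/serviceaccount.yaml")
	hpaDocs := readGoldenDocs(t, "testdata/gateway-namespace-mode/hpa.yaml")
	require.Len(t, dpDocs, len(infraList))
	// … same length checks for svcDocs, saDocs, hpaDocs …

	for i, infra := range infraList {
		// … unchanged: expectedNamespace / expectedName assertions …

		var wantDp appsv1.Deployment
		require.NoError(t, yaml.Unmarshal(dpDocs[i], &wantDp))
		require.Equal(t, &wantDp, deployments[i])
		// … same pattern for services[i], serviceAccounts[i] and hpas[i] …
	}
}

// readGoldenDocs splits a multi-document golden file on the "---\n" separator
// written by writeTestDataToFile and returns the raw YAML of each document.
func readGoldenDocs(t *testing.T, path string) [][]byte {
	data, err := os.ReadFile(path)
	require.NoError(t, err)
	var docs [][]byte
	for _, doc := range strings.Split(string(data), "---\n") {
		if strings.TrimSpace(doc) == "" {
			continue
		}
		docs = append(docs, []byte(doc))
	}
	return docs
}
```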
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml +++ /dev/null 
@@ -1,443 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: proxy - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy - gateway.envoyproxy.io/owning-gateway-name: default - gateway.envoyproxy.io/owning-gateway-namespace: ns1 - name: envoy-default-37a8eec1 - namespace: ns1 -spec: - progressDeadlineSeconds: 600 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: proxy - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy - gateway.envoyproxy.io/owning-gateway-name: default - gateway.envoyproxy.io/owning-gateway-namespace: ns1 - strategy: - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /stats/prometheus - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: proxy - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy - gateway.envoyproxy.io/owning-gateway-name: default - gateway.envoyproxy.io/owning-gateway-namespace: ns1 - spec: - containers: - - args: - - --service-cluster default - - --service-node $(ENVOY_POD_NAME) - - | - --config-yaml admin: - access_log: - - name: envoy.access_loggers.file - typed_config: - "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - cluster_manager: - local_cluster_name: local_cluster - node: - locality: - zone: "$(ENVOY_SERVICE_ZONE)" - layered_runtime: - layers: - - name: global_config - static_layer: - envoy.restart_features.use_eds_cache_for_ads: true - re2.max_program_size.error_level: 4294967295 - re2.max_program_size.warn_level: 1000 - dynamic_resources: - ads_config: - api_type: DELTA_GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - 
lds_config: - ads: {} - resource_api_version: V3 - cds_config: - ads: {} - resource_api_version: V3 - static_resources: - listeners: - - name: envoy-gateway-proxy-stats-0.0.0.0-19001 - address: - socket_address: - address: '0.0.0.0' - port_value: 19001 - protocol: TCP - bypass_overload_manager: true - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: eg-stats-http - normalize_path: true - route_config: - name: local_route - virtual_hosts: - - name: prometheus_stats - domains: - - "*" - routes: - - match: - path: /stats/prometheus - headers: - - name: ":method" - string_match: - exact: GET - route: - cluster: prometheus_stats - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - clusters: - - name: prometheus_stats - connect_timeout: 0.250s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: prometheus_stats - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - - connect_timeout: 10s - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: local_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 10080 - load_balancing_weight: 1 - load_balancing_weight: 1 - locality: - zone: "$(ENVOY_SERVICE_ZONE)" - name: local_cluster - type: STATIC - - connect_timeout: 10s - load_assignment: - cluster_name: xds_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway.envoy-gateway-system.svc.cluster.local - port_value: 18000 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": 
"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 30s - timeout: 5s - http_filters: - - name: envoy.filters.http.credential_injector - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector - credential: - name: envoy.http.injected_credentials.generic - typed_config: - "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic - credential: - name: jwt-sa-bearer - overwrite: true - - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - name: xds_cluster - type: STRICT_DNS - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - http_filters: - - name: envoy.filters.http.credential_injector - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector - credential: - name: envoy.http.injected_credentials.generic - typed_config: - 
"@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic - credential: - name: jwt-sa-bearer - overwrite: true - - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 - secrets: - - name: jwt-sa-bearer - generic_secret: - secret: - filename: "/var/run/secrets/token/sa-token" - overload_manager: - refresh_interval: 0.25s - resource_monitors: - - name: "envoy.resource_monitors.global_downstream_max_connections" - typed_config: - "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig - max_active_downstream_connections: 50000 - - --log-level warn - - --cpuset-threads - - --drain-strategy immediate - - --drain-time-s 60 - command: - - envoy - env: - - name: ENVOY_GATEWAY_NAMESPACE - value: envoy-gateway-system - - name: ENVOY_SERVICE_ZONE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.annotations['topology.kubernetes.io/zone'] - - name: ENVOY_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - image: docker.io/envoyproxy/envoy:distroless-dev - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - httpGet: - path: /shutdown/ready - port: 19002 - scheme: HTTP - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ready - port: 19003 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: envoy - ports: - - containerPort: 19001 - name: metrics - protocol: TCP - - containerPort: 19003 
- name: readiness - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ready - port: 19003 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /ready - port: 19003 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /sds - name: sds - - mountPath: /var/run/secrets/token - name: sa-token - readOnly: true - - args: - - envoy - - shutdown-manager - command: - - envoy-gateway - env: - - name: ENVOY_GATEWAY_NAMESPACE - value: envoy-gateway-system - - name: ENVOY_SERVICE_ZONE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.annotations['topology.kubernetes.io/zone'] - - name: ENVOY_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - image: docker.io/envoyproxy/gateway-dev:latest - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - envoy-gateway - - envoy - - shutdown - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 19002 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: shutdown-manager - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 19002 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 10m - memory: 32Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - 
startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz - port: 19002 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 360 - volumes: - - name: sa-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: envoy-gateway.envoy-gateway-system.svc.cluster.local - expirationSeconds: 3600 - path: sa-token - - configMap: - defaultMode: 420 - items: - - key: ca.crt - path: ca.crt - name: envoy-default-37a8eec1 - optional: false - name: certs - - configMap: - defaultMode: 420 - items: - - key: xds-trusted-ca.json - path: xds-trusted-ca.json - name: envoy-default-37a8eec1 - optional: false - name: sds -status: {} diff --git a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml new file mode 100644 index 0000000000..ba240a1208 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml 
@@ -0,0 +1,887 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-1 + name: envoy-namespace-1-gateway-1-e2117e41 + namespace: namespace-1 +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-1 + strategy: + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/path: /stats/prometheus + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-1 + spec: + containers: + - args: + - --service-cluster namespace-1/gateway-1 + - --service-node $(ENVOY_POD_NAME) + - | + --config-yaml admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + cluster_manager: + local_cluster_name: local_cluster + node: + locality: + zone: "$(ENVOY_SERVICE_ZONE)" + layered_runtime: + layers: + - name: global_config + static_layer: + envoy.restart_features.use_eds_cache_for_ads: true + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 + dynamic_resources: + ads_config: + api_type: DELTA_GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + 
cluster_name: xds_cluster + set_node_on_first_message_only: true + lds_config: + ads: {} + resource_api_version: V3 + cds_config: + ads: {} + resource_api_version: V3 + static_resources: + listeners: + - name: envoy-gateway-proxy-stats-0.0.0.0-19001 + address: + socket_address: + address: '0.0.0.0' + port_value: 19001 + protocol: TCP + bypass_overload_manager: true + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: eg-stats-http + normalize_path: true + route_config: + name: local_route + virtual_hosts: + - name: prometheus_stats + domains: + - "*" + routes: + - match: + path: /stats/prometheus + headers: + - name: ":method" + string_match: + exact: GET + route: + cluster: prometheus_stats + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: prometheus_stats + connect_timeout: 0.250s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: prometheus_stats + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + - connect_timeout: 10s + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: local_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 10080 + load_balancing_weight: 1 + load_balancing_weight: 1 + locality: + zone: "$(ENVOY_SERVICE_ZONE)" + name: local_cluster + type: STATIC + - connect_timeout: 10s + load_assignment: + cluster_name: xds_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway.envoy-gateway-system.svc.cluster.local + port_value: 18000 + typed_extension_protocol_options: + 
envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + http_filters: + - name: envoy.filters.http.credential_injector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector + credential: + name: envoy.http.injected_credentials.generic + typed_config: + "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic + credential: + name: jwt-sa-bearer + overwrite: true + - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + name: xds_cluster + type: STRICT_DNS + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + - name: wasm_cluster + type: STRICT_DNS + connect_timeout: 10s + load_assignment: + cluster_name: wasm_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 18002 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: {} + http_filters: + - name: envoy.filters.http.credential_injector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector + credential: + 
name: envoy.http.injected_credentials.generic + typed_config: + "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic + credential: + name: jwt-sa-bearer + overwrite: true + - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + secrets: + - name: jwt-sa-bearer + generic_secret: + secret: + filename: "/var/run/secrets/token/sa-token" + overload_manager: + refresh_interval: 0.25s + resource_monitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typed_config: + "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 + - --log-level warn + - --cpuset-threads + - --drain-strategy immediate + - --drain-time-s 60 + command: + - envoy + env: + - name: ENVOY_GATEWAY_NAMESPACE + value: envoy-gateway-system + - name: ENVOY_SERVICE_ZONE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.annotations['topology.kubernetes.io/zone'] + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: docker.io/envoyproxy/envoy:distroless-dev + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + httpGet: + path: /shutdown/ready + port: 19002 + scheme: HTTP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: envoy + ports: + - containerPort: 
19001 + name: metrics + protocol: TCP + - containerPort: 19003 + name: readiness + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /sds + name: sds + - mountPath: /var/run/secrets/token + name: sa-token + readOnly: true + - args: + - envoy + - shutdown-manager + command: + - envoy-gateway + env: + - name: ENVOY_GATEWAY_NAMESPACE + value: envoy-gateway-system + - name: ENVOY_SERVICE_ZONE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.annotations['topology.kubernetes.io/zone'] + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - envoy-gateway + - envoy + - shutdown + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: shutdown-manager + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + 
runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-namespace-1-gateway-1-e2117e41 + terminationGracePeriodSeconds: 360 + volumes: + - name: sa-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + audience: envoy-gateway.envoy-gateway-system.svc.cluster.local + expirationSeconds: 3600 + path: sa-token + - configMap: + defaultMode: 420 + items: + - key: ca.crt + path: ca.crt + name: envoy-namespace-1-gateway-1-e2117e41 + optional: false + name: certs + - configMap: + defaultMode: 420 + items: + - key: xds-trusted-ca.json + path: xds-trusted-ca.json + name: envoy-namespace-1-gateway-1-e2117e41 + optional: false + name: sds +status: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-2 + name: envoy-namespace-2-gateway-2-107e8cb2 + namespace: namespace-2 +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-2 + strategy: + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/path: /stats/prometheus + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + 
app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-2 + spec: + containers: + - args: + - --service-cluster namespace-2/gateway-2 + - --service-node $(ENVOY_POD_NAME) + - | + --config-yaml admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + cluster_manager: + local_cluster_name: local_cluster + node: + locality: + zone: "$(ENVOY_SERVICE_ZONE)" + layered_runtime: + layers: + - name: global_config + static_layer: + envoy.restart_features.use_eds_cache_for_ads: true + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 + dynamic_resources: + ads_config: + api_type: DELTA_GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + lds_config: + ads: {} + resource_api_version: V3 + cds_config: + ads: {} + resource_api_version: V3 + static_resources: + listeners: + - name: envoy-gateway-proxy-stats-0.0.0.0-19001 + address: + socket_address: + address: '0.0.0.0' + port_value: 19001 + protocol: TCP + bypass_overload_manager: true + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: eg-stats-http + normalize_path: true + route_config: + name: local_route + virtual_hosts: + - name: prometheus_stats + domains: + - "*" + routes: + - match: + path: /stats/prometheus + headers: + - name: ":method" + string_match: + exact: GET + route: + cluster: prometheus_stats + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": 
type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: prometheus_stats + connect_timeout: 0.250s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: prometheus_stats + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + - connect_timeout: 10s + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: local_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 10080 + load_balancing_weight: 1 + load_balancing_weight: 1 + locality: + zone: "$(ENVOY_SERVICE_ZONE)" + name: local_cluster + type: STATIC + - connect_timeout: 10s + load_assignment: + cluster_name: xds_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway.envoy-gateway-system.svc.cluster.local + port_value: 18000 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + http_filters: + - name: envoy.filters.http.credential_injector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector + credential: + name: envoy.http.injected_credentials.generic + typed_config: + "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic + credential: + name: jwt-sa-bearer + overwrite: true + - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + name: xds_cluster + type: STRICT_DNS + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": 
type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + - name: wasm_cluster + type: STRICT_DNS + connect_timeout: 10s + load_assignment: + cluster_name: wasm_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 18002 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: {} + http_filters: + - name: envoy.filters.http.credential_injector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector + credential: + name: envoy.http.injected_credentials.generic + typed_config: + "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic + credential: + name: jwt-sa-bearer + overwrite: true + - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + secrets: + - name: jwt-sa-bearer + generic_secret: + secret: + filename: "/var/run/secrets/token/sa-token" + overload_manager: + refresh_interval: 0.25s + 
resource_monitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typed_config: + "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 + - --log-level warn + - --cpuset-threads + - --drain-strategy immediate + - --drain-time-s 60 + command: + - envoy + env: + - name: ENVOY_GATEWAY_NAMESPACE + value: envoy-gateway-system + - name: ENVOY_SERVICE_ZONE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.annotations['topology.kubernetes.io/zone'] + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: docker.io/envoyproxy/envoy:distroless-dev + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + httpGet: + path: /shutdown/ready + port: 19002 + scheme: HTTP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: envoy + ports: + - containerPort: 19001 + name: metrics + protocol: TCP + - containerPort: 19003 + name: readiness + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /sds + name: sds + - mountPath: /var/run/secrets/token + name: sa-token + readOnly: true + - args: + - envoy + - 
shutdown-manager + command: + - envoy-gateway + env: + - name: ENVOY_GATEWAY_NAMESPACE + value: envoy-gateway-system + - name: ENVOY_SERVICE_ZONE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.annotations['topology.kubernetes.io/zone'] + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - envoy-gateway + - envoy + - shutdown + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: shutdown-manager + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-namespace-2-gateway-2-107e8cb2 + terminationGracePeriodSeconds: 360 + volumes: + - name: sa-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + audience: envoy-gateway.envoy-gateway-system.svc.cluster.local + expirationSeconds: 3600 + path: sa-token + - configMap: + defaultMode: 420 + items: + - key: ca.crt + path: ca.crt + name: envoy-namespace-2-gateway-2-107e8cb2 + optional: false + name: certs + - configMap: + defaultMode: 420 + items: + - key: xds-trusted-ca.json + path: xds-trusted-ca.json + name: 
envoy-namespace-2-gateway-2-107e8cb2 + optional: false + name: sds +status: {} diff --git a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/hpa.yaml b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/hpa.yaml new file mode 100644 index 0000000000..0724e0c089 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/hpa.yaml @@ -0,0 +1,53 @@ +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-1 + name: envoy-namespace-1-gateway-1-e2117e41 + namespace: namespace-1 +spec: + maxReplicas: 3 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: envoy-namespace-1-gateway-1-e2117e41 +status: + currentMetrics: null + desiredReplicas: 0 +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-2 + name: envoy-namespace-2-gateway-2-107e8cb2 + namespace: namespace-2 +spec: + maxReplicas: 3 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: envoy-namespace-2-gateway-2-107e8cb2 +status: + currentMetrics: null + desiredReplicas: 0 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/service.yaml b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/service.yaml new file mode 100644 index 0000000000..50e94c01d2 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/service.yaml 
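Review bot: The `wasm_cluster` endpoint in both rendered bootstraps uses the bare hostname `address: envoy-gateway` (port 18002), whereas the neighbouring `xds_cluster` uses the fully-qualified `envoy-gateway.envoy-gateway-system.svc.cluster.local`. Now that the proxy Deployment is placed in the Gateway's own namespace (`namespace-1`/`namespace-2`) with `dnsPolicy: ClusterFirst`, the short name is presumably resolved through the pod's namespace search path rather than `envoy-gateway-system`, so WASM fetches would either fail or, if a Service named `envoy-gateway` exists in that tenant namespace, be sent there together with the injected `jwt-sa-bearer` credential; the upstream TLS context does validate against `xds_trusted_ca`, but no subject-alt-name match is visible, so that narrows rather than removes the concern. The bootstrap generator should emit the same FQDN for the wasm cluster, i.e. `address: envoy-gateway.envoy-gateway-system.svc.cluster.local`, and these golden files regenerated from it. A smaller consistency point in the same pod spec: the `/sds` volumeMount is the only one of the three without `readOnly: true`.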
@@ -0,0 +1,49 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-1 + name: envoy-namespace-1-gateway-1-e2117e41 + namespace: namespace-1 +spec: + externalTrafficPolicy: Local + selector: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-1 + sessionAffinity: None + type: LoadBalancer +status: + loadBalancer: {} +--- +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-2 + name: envoy-namespace-2-gateway-2-107e8cb2 + namespace: namespace-2 +spec: + externalTrafficPolicy: Local + selector: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-2 + sessionAffinity: None + type: LoadBalancer +status: + loadBalancer: {} diff --git a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/serviceaccount.yaml b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/serviceaccount.yaml new file mode 100644 index 0000000000..8c8b81a6b4 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/serviceaccount.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-1 + name: envoy-namespace-1-gateway-1-e2117e41 + namespace: namespace-1 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: namespace-2 + name: envoy-namespace-2-gateway-2-107e8cb2 + namespace: namespace-2
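Review bot: Neither the new per-Gateway ServiceAccounts here nor the pod templates in deployment.yaml set `automountServiceAccountToken: false`, so in addition to the audience-bound, 3600s projected token the proxy mounts at `/var/run/secrets/token`, kubelet will presumably also inject the default unbounded API token at `/var/run/secrets/kubernetes.io/serviceaccount`. With the proxy now running inside tenant namespaces, that token becomes readable by the Envoy process and by whatever extension code it loads; what it actually authorises depends on RBAC bindings for `envoy-<ns>-<gw>-<hash>` that are not visible in this change. Since the bootstrap only reads the projected token for the xDS and WASM credential injector, adding `automountServiceAccountToken: false` to each ServiceAccount (or to the pod template) drops the extra token without affecting either path.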