diff --git a/cmd/fetcher/kodata/config.yaml b/cmd/fetcher/kodata/config.yaml index 9ffb2ea7b5..a1387d1f78 100644 --- a/cmd/fetcher/kodata/config.yaml +++ b/cmd/fetcher/kodata/config.yaml @@ -23,16 +23,19 @@ ingress: - s3: bucket: "gs-noauth://knative-releases" prefix: "net-istio/previous" + ingressService: istio include: - "net-istio.yaml" - s3: bucket: "gs-noauth://knative-releases" prefix: "net-contour/previous" + ingressService: contour include: - "net-contour.yaml" - s3: bucket: "gs-noauth://knative-releases" prefix: "net-kourier/previous" + ingressService: kourier include: - "kourier.yaml" knative-eventing: diff --git a/cmd/operator/kodata/ingress/1.6/net-contour.yaml b/cmd/operator/kodata/ingress/1.6/contour/net-contour.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.6/net-contour.yaml rename to cmd/operator/kodata/ingress/1.6/contour/net-contour.yaml diff --git a/cmd/operator/kodata/ingress/1.6/net-istio.yaml b/cmd/operator/kodata/ingress/1.6/istio/net-istio.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.6/net-istio.yaml rename to cmd/operator/kodata/ingress/1.6/istio/net-istio.yaml diff --git a/cmd/operator/kodata/ingress/1.6/kourier.yaml b/cmd/operator/kodata/ingress/1.6/kourier/kourier.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.6/kourier.yaml rename to cmd/operator/kodata/ingress/1.6/kourier/kourier.yaml diff --git a/cmd/operator/kodata/ingress/1.7/net-contour.yaml b/cmd/operator/kodata/ingress/1.7/contour/net-contour.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.7/net-contour.yaml rename to cmd/operator/kodata/ingress/1.7/contour/net-contour.yaml diff --git a/cmd/operator/kodata/ingress/1.7/net-istio.yaml b/cmd/operator/kodata/ingress/1.7/istio/net-istio.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.7/net-istio.yaml rename to cmd/operator/kodata/ingress/1.7/istio/net-istio.yaml 
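Review bot: The three new `ingressService` values are consumed verbatim as a directory name, not just as a label: in this same commit release.go joins `src.IngressService` onto the download path, and the operator's `getIngressPath` looks up exactly `istio`, `contour` and `kourier` under `ingress/<major.minor>`, so a typo here would produce a manifest directory the operator never reads. Nothing in the hunk records that coupling; a comment above the first entry, `# ingressService must match the subdirectory name the operator resolves (istio, contour, kourier)`, would keep the two sides from drifting apart.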
diff --git a/cmd/operator/kodata/ingress/1.7/kourier.yaml b/cmd/operator/kodata/ingress/1.7/kourier/kourier.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.7/kourier.yaml rename to cmd/operator/kodata/ingress/1.7/kourier/kourier.yaml diff --git a/cmd/operator/kodata/ingress/1.8/net-contour.yaml b/cmd/operator/kodata/ingress/1.8/contour/net-contour.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.8/net-contour.yaml rename to cmd/operator/kodata/ingress/1.8/contour/net-contour.yaml diff --git a/cmd/operator/kodata/ingress/1.8/net-istio.yaml b/cmd/operator/kodata/ingress/1.8/istio/net-istio.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.8/net-istio.yaml rename to cmd/operator/kodata/ingress/1.8/istio/net-istio.yaml diff --git a/cmd/operator/kodata/ingress/1.8/kourier.yaml b/cmd/operator/kodata/ingress/1.8/kourier/kourier.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.8/kourier.yaml rename to cmd/operator/kodata/ingress/1.8/kourier/kourier.yaml diff --git a/cmd/operator/kodata/ingress/1.9/net-contour.yaml b/cmd/operator/kodata/ingress/1.9/contour/net-contour.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.9/net-contour.yaml rename to cmd/operator/kodata/ingress/1.9/contour/net-contour.yaml diff --git a/cmd/operator/kodata/ingress/1.9/net-istio.yaml b/cmd/operator/kodata/ingress/1.9/istio/net-istio.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.9/net-istio.yaml rename to cmd/operator/kodata/ingress/1.9/istio/net-istio.yaml diff --git a/cmd/operator/kodata/ingress/1.9/kourier.yaml b/cmd/operator/kodata/ingress/1.9/kourier/kourier.yaml similarity index 100% rename from cmd/operator/kodata/ingress/1.9/kourier.yaml rename to cmd/operator/kodata/ingress/1.9/kourier/kourier.yaml diff --git a/pkg/packages/config.go b/pkg/packages/config.go index abdf6dce6a..58aef7df40 100644 --- a/pkg/packages/config.go +++ b/pkg/packages/config.go 
@@ -63,7 +63,8 @@ type Source struct {
 S3 S3Source `json:"s3,omitempty"`
 // EventingService represents the name of the service for the eventing source
 EventingService string `json:"eventingService,omitempty"`
-
+ // IngressService represents the name of the network plugin for the ingress
+ IngressService string `json:"ingressService,omitempty"`
 // Overrides provides a mechanism for modifying include/exclude (and
 // possibly other settings) on a per-release or per-minor-version basis, to
 // allow fixing up discontinuities in release patterns.
diff --git a/pkg/packages/release.go b/pkg/packages/release.go
index 4d0cbab55b..20e5c0c7d9 100644
--- a/pkg/packages/release.go
+++ b/pkg/packages/release.go
@@ -255,6 +255,13 @@ func handleAlternatives(ctx context.Context, base string, client *http.Client, p
 return err
 }
 }
+ if src.IngressService != "" {
+ resourcePath = filepath.Join(path, src.IngressService)
+ err := os.MkdirAll(resourcePath, 0755)
+ if err != nil {
+ return err
+ }
+ }
 release := latestMinor(minor, candidates)
 // Download assets and concatenate them.
 assets := release.Assets.FilterAssets(src.Accept(release.TagName))
diff --git a/pkg/reconciler/common/releases_test.go b/pkg/reconciler/common/releases_test.go
index abcdbe26f6..1593a610c8 100644
--- a/pkg/reconciler/common/releases_test.go
+++ b/pkg/reconciler/common/releases_test.go
@@ -246,11 +246,11 @@ func TestTargetVersion(t *testing.T) {
 component: &v1beta1.KnativeServing{
 Spec: v1beta1.KnativeServingSpec{
 CommonSpec: base.CommonSpec{
- Version: "0.22.0",
+ Version: "1.9.0",
 },
 },
 },
- expected: "0.22.0",
+ expected: "1.9.0",
 }, {
 name: "eventing CR with major.minor.patch version not available",
 component: &v1beta1.KnativeEventing{
@@ -1135,7 +1135,7 @@ func TestInstalledManifest(t *testing.T) {
 },
 },
 Status: v1beta1.KnativeServingStatus{
- Version: "0.22.0",
+ Version: "1.9.0",
 },
 },
 expectedManifestsPath: "testdata/kodata/empty/empty-resource.yaml",
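Review bot: In the release.go hunk `src.IngressService` becomes a path component via `filepath.Join(path, src.IngressService)` with no check that it is a single bare name, so a value containing a separator or `..` would create, and later populate, a directory outside `path`; the value comes from the packaged config.yaml rather than from a request, so the exposure is low, but a guard is one statement, e.g. `if filepath.Base(src.IngressService) != src.IngressService { return fmt.Errorf("invalid ingressService %q", src.IngressService) }` before the join (fmt may need importing if the file does not already). The block assigns `resourcePath` with `=`, so the variable is declared earlier in the function; if the `EventingService` handling that precedes this hunk also sets it, a source carrying both fields would have the ingress directory silently win, which deserves either a comment or an explicit conflict error. The error check would read more idiomatically as `if err := os.MkdirAll(resourcePath, 0755); err != nil { return err }`. handleAlternatives starts and ends outside the hunk.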
diff --git a/pkg/reconciler/knativeserving/common/conversion.go b/pkg/reconciler/knativeserving/common/conversion.go new file mode 100644 index 0000000000..547e064974 --- /dev/null +++ b/pkg/reconciler/knativeserving/common/conversion.go @@ -0,0 +1,31 @@ +/* +Copyright 2022 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package common + +import ( + "knative.dev/operator/pkg/apis/operator/base" + "knative.dev/operator/pkg/apis/operator/v1beta1" +) + +func ConvertToKS(instance base.KComponent) *v1beta1.KnativeServing { + ks := &v1beta1.KnativeServing{} + switch instance := instance.(type) { + case *v1beta1.KnativeServing: + ks = instance + } + return ks +} diff --git a/pkg/reconciler/knativeserving/ingress/contour.go b/pkg/reconciler/knativeserving/ingress/contour.go index f297df45ec..12b1349c74 100644 --- a/pkg/reconciler/knativeserving/ingress/contour.go +++ b/pkg/reconciler/knativeserving/ingress/contour.go @@ -23,8 +23,6 @@ import ( "knative.dev/operator/pkg/apis/operator/v1beta1" ) -var contourFilter = ingressFilter("contour") - func contourTransformers(ctx context.Context, instance *v1beta1.KnativeServing) []mf.Transformer { return nil } diff --git a/pkg/reconciler/knativeserving/ingress/ingress.go b/pkg/reconciler/knativeserving/ingress/ingress.go index c540e5934a..eea9c4ec8f 100644 --- a/pkg/reconciler/knativeserving/ingress/ingress.go +++ b/pkg/reconciler/knativeserving/ingress/ingress.go 
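Review bot: `ConvertToKS` in the new conversion.go is exported without a doc comment, and its fallback is easy to misread: any KComponent that is not a `*v1beta1.KnativeServing` comes back as a fresh empty `&v1beta1.KnativeServing{}` rather than nil, so a caller such as `getIngressPath` in this commit will treat a non-Serving component as a Serving instance with no ingress spec and default it to istio. Suggested comment: `// ConvertToKS returns instance as a *v1beta1.KnativeServing. Any other KComponent yields an empty, non-nil KnativeServing, so callers see default ingress settings for it.` The single-case type switch reads more directly as `if ks, ok := instance.(*v1beta1.KnativeServing); ok { return ks }` followed by `return &v1beta1.KnativeServing{}`.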
@@ -24,51 +24,12 @@ import ( mf "github.com/manifestival/manifestival" "golang.org/x/mod/semver" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "knative.dev/operator/pkg/apis/operator/base" "knative.dev/operator/pkg/apis/operator/v1beta1" "knative.dev/operator/pkg/reconciler/common" + servingcommon "knative.dev/operator/pkg/reconciler/knativeserving/common" ) -const providerLabel = "networking.knative.dev/ingress-provider" - -func ingressFilter(name string) mf.Predicate { - return func(u *unstructured.Unstructured) bool { - provider, hasLabel := u.GetLabels()[providerLabel] - if !hasLabel { - return true - } - return provider == name - } -} - -// noneFilter drops all ingresses but allows everything else. -func noneFilter(u *unstructured.Unstructured) bool { - _, hasLabel := u.GetLabels()[providerLabel] - return !hasLabel -} - -// Filters makes sure the disabled ingress resources are removed from the manifest. -func Filters(ks *v1beta1.KnativeServing) mf.Predicate { - var filters []mf.Predicate - if ks.Spec.Ingress == nil { - return istioFilter - } - if ks.Spec.Ingress.Istio.Enabled { - filters = append(filters, istioFilter) - } - if ks.Spec.Ingress.Kourier.Enabled { - filters = append(filters, kourierFilter) - } - if ks.Spec.Ingress.Contour.Enabled { - filters = append(filters, contourFilter) - } - if len(filters) == 0 { - return noneFilter - } - return mf.Any(filters...) -} - // Transformers returns a list of transformers based on the enabled ingresses func Transformers(ctx context.Context, ks *v1beta1.KnativeServing) []mf.Transformer { if ks.Spec.Ingress == nil { 
@@ -87,61 +48,76 @@ func Transformers(ctx context.Context, ks *v1beta1.KnativeServing) []mf.Transfor return transformers } -func getIngress(version string) (mf.Manifest, error) { - // If we can not determine the version, append no ingress manifest. - if version == "" { +func getIngress(path string) (mf.Manifest, error) { + if path == "" { return mf.Manifest{}, nil } + return common.FetchManifest(path) +} + +func getIngressPath(version string, ks *v1beta1.KnativeServing) string { + var urls []string koDataDir := os.Getenv(common.KoEnvKey) - // Ingresses are saved in the directory named major.minor. We remove the patch number. - ingressVersion := common.LATEST_VERSION + sourceVersion := common.LATEST_VERSION if !strings.EqualFold(version, common.LATEST_VERSION) { - ingressVersion = semver.MajorMinor(common.SanitizeSemver(version))[1:] + sourceVersion = semver.MajorMinor(common.SanitizeSemver(version))[1:] + } + + // This line can make sure a valid available source version is returned. + ingressPath := filepath.Join(koDataDir, "ingress", sourceVersion) + if ks.Spec.Ingress == nil { + url := filepath.Join(ingressPath, "istio") + urls = append(urls, url) + return strings.Join(urls, common.COMMA) } - // This line can make sure a valid available ingress version is returned. 
- ingressVersion = common.GetLatestIngressRelease(ingressVersion) - ingressPath := filepath.Join(koDataDir, "ingress", ingressVersion) - return common.FetchManifest(ingressPath) + if ks.Spec.Ingress.Istio.Enabled { + url := filepath.Join(ingressPath, "istio") + urls = append(urls, url) + } + if ks.Spec.Ingress.Contour.Enabled { + url := filepath.Join(ingressPath, "contour") + urls = append(urls, url) + } + if ks.Spec.Ingress.Kourier.Enabled { + url := filepath.Join(ingressPath, "kourier") + urls = append(urls, url) + } + + return strings.Join(urls, common.COMMA) } -// AppendTargetIngresses appends the manifests of ingresses to be installed -func AppendTargetIngresses(ctx context.Context, manifest *mf.Manifest, instance base.KComponent) error { - m, err := getIngress(common.TargetVersion(instance)) +// AppendTargetIngress appends the manifests of the ingress to be installed +func AppendTargetIngress(ctx context.Context, manifest *mf.Manifest, instance base.KComponent) error { + version := common.TargetVersion(instance) + ingressPath := getIngressPath(version, servingcommon.ConvertToKS(instance)) + m, err := getIngress(ingressPath) if err == nil { *manifest = manifest.Append(m) } - if len(instance.GetSpec().GetManifests()) != 0 { - // If spec.manifests is not empty, it is possible that the ingress is not available with the specified version. - // The user can specify the ingress link in the spec.manifests. + // If spec.manifests is not empty, it is possible that the eventing source is not available with the + // specified version. The user can specify the eventing source link in the spec.manifests. 
return nil } return err } -// AppendInstalledIngresses appends the installed manifests of ingresses +// AppendInstalledIngresses appends all the manifests of the ingresses func AppendInstalledIngresses(ctx context.Context, manifest *mf.Manifest, instance base.KComponent) error { version := instance.GetStatus().GetVersion() if version == "" { version = common.TargetVersion(instance) } - - m, err := getIngress(version) + ingressPath := getIngressPath(version, servingcommon.ConvertToKS(instance)) + m, err := getIngress(ingressPath) if err == nil { *manifest = manifest.Append(m) } // It is possible that the ingress is not available with the specified version. - // If the user specified a version with a minor version, which is not supported by the current operator, as long as - // spec.manifests contains all the manifest links, the operator can still work. This function can always return nil, + // If the user specified a version with a minor version, which is not supported by the current operator, the operator + // can still work, as long as spec.manifests contains all the manifest links. This function can always return nil, // even if the ingress is not available. return nil } - -func hasProviderLabel(u *unstructured.Unstructured) bool { - if _, hasLabel := u.GetLabels()[providerLabel]; hasLabel { - return true - } - return false -} diff --git a/pkg/reconciler/knativeserving/ingress/ingress_test.go b/pkg/reconciler/knativeserving/ingress/ingress_test.go index ceb0bb676c..0081be2dd2 100644 --- a/pkg/reconciler/knativeserving/ingress/ingress_test.go +++ b/pkg/reconciler/knativeserving/ingress/ingress_test.go 
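Review bot: Two comments added in this hunk no longer describe the code next to them. In `AppendTargetIngress` the rewritten comment refers to the `eventing source`, although this function appends Serving ingress manifests; it should read `// If spec.manifests is not empty, it is possible that the ingress is not available with the specified version. The user can specify the ingress link in the spec.manifests.` In `getIngressPath`, `// This line can make sure a valid available source version is returned.` is carried over from the removed `common.GetLatestIngressRelease` call, but the line beneath it now only joins `sourceVersion` into a path and performs no availability check (a missing directory surfaces later from `common.FetchManifest` in `getIngress`), so the comment should be dropped or replaced with `// Ingress manifests live under ingress/<major.minor>; existence is checked by getIngress, not here.` The slice named `urls` holds filesystem paths built with `filepath.Join`, so `paths` would be the accurate name. The hunk begins inside `Transformers`, whose body starts outside it.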
@@ -23,166 +23,122 @@ import ( "testing" mf "github.com/manifestival/manifestival" - v1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/client-go/kubernetes/scheme" "knative.dev/operator/pkg/apis/operator/base" servingv1beta1 "knative.dev/operator/pkg/apis/operator/v1beta1" "knative.dev/operator/pkg/reconciler/common" util "knative.dev/operator/pkg/reconciler/common/testing" ) -func TestGetIngress(t *testing.T) { - os.Setenv(common.KoEnvKey, "testdata/kodata") - defer os.Unsetenv(common.KoEnvKey) - +// TODO: This test verifies the number of transformers. It should be rewritten by better test. +func TestTransformers(t *testing.T) { tests := []struct { - name string - version string - expectedIngressPath string - expectedErr error + name string + instance servingv1beta1.KnativeServing + expected int }{{ - name: "Available ingresses", - version: "0.21.0", - expectedErr: nil, - expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/0.21", - }, { - name: "Unavailable ingresses", - version: "0.16.1", - expectedErr: fmt.Errorf("stat testdata/kodata/ingress/0.16: no such file or directory"), + name: "Available istio ingress", + instance: servingv1beta1.KnativeServing{ + Spec: servingv1beta1.KnativeServingSpec{ + Ingress: &servingv1beta1.IngressConfigs{ + Istio: base.IstioIngressConfiguration{ + Enabled: true, + }, + }, + }, + }, + expected: 1, }, { - name: "Missing version", - version: "", - expectedErr: nil, - expectedIngressPath: "", - }} - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - manifest, _ := mf.ManifestFrom(mf.Slice{}) - m, err := getIngress(tt.version) - if err != nil { - util.AssertEqual(t, err.Error(), tt.expectedErr.Error()) - util.AssertEqual(t, len(manifest.Resources()), 0) - } else { - manifest = manifest.Append(m) - util.AssertEqual(t, err, tt.expectedErr) - util.AssertEqual(t, util.DeepMatchWithPath(manifest, tt.expectedIngressPath), true) - 
} - }) - } -} - -func TestAppendInstalledIngresses(t *testing.T) { - os.Setenv(common.KoEnvKey, "testdata/kodata") - defer os.Unsetenv(common.KoEnvKey) - - tests := []struct { - name string - instance servingv1beta1.KnativeServing - expectedIngressPath string - expectedErr error - }{{ - name: "Available installed ingresses", + name: "Available kourier ingress", instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{}, - Status: servingv1beta1.KnativeServingStatus{ - Version: "0.21.0", + Spec: servingv1beta1.KnativeServingSpec{ + Ingress: &servingv1beta1.IngressConfigs{ + Kourier: base.KourierIngressConfiguration{ + Enabled: true, + }, + }, }, }, - expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/0.21", - expectedErr: nil, + expected: 3, }, { - name: "Available installed ingresses for missing status.version", + name: "Available contour ingress", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: "0.21.0", + Ingress: &servingv1beta1.IngressConfigs{ + Contour: base.ContourIngressConfiguration{ + Enabled: true, + }, }, }, - Status: servingv1beta1.KnativeServingStatus{}, }, - expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/0.21", - expectedErr: nil, + expected: 0, }, { - name: "Unavailable installed ingresses for the unavailable status.version", + name: "Empty ingress for default istio", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{}, - Status: servingv1beta1.KnativeServingStatus{ - Version: "0.12.1", + }, + expected: 1, + }, { + name: "All ingresses enabled", + instance: servingv1beta1.KnativeServing{ + Spec: servingv1beta1.KnativeServingSpec{ + Ingress: &servingv1beta1.IngressConfigs{ + Contour: base.ContourIngressConfiguration{ + Enabled: true, + }, + Kourier: base.KourierIngressConfiguration{ + Enabled: true, + }, + Istio: base.IstioIngressConfiguration{ + Enabled: true, + }, + }, }, }, - // We still return 
nil, even if the ingress is not available. - expectedErr: nil, + expected: 4, }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - manifest, _ := mf.ManifestFrom(mf.Slice{}) - err := AppendInstalledIngresses(context.TODO(), &manifest, &tt.instance) - if err != nil { - util.AssertEqual(t, err.Error(), tt.expectedErr.Error()) - util.AssertEqual(t, len(manifest.Resources()), 0) - } else { - util.AssertEqual(t, err, tt.expectedErr) - util.AssertEqual(t, util.DeepMatchWithPath(manifest, tt.expectedIngressPath), true) - } + transformers := Transformers(context.TODO(), &tt.instance) + util.AssertEqual(t, len(transformers), tt.expected) }) } } -func TestAppendTargetIngresses(t *testing.T) { +func TestGetIngress(t *testing.T) { os.Setenv(common.KoEnvKey, "testdata/kodata") defer os.Unsetenv(common.KoEnvKey) tests := []struct { name string - instance servingv1beta1.KnativeServing + ingressPath string expectedIngressPath string expectedErr error }{{ - name: "Available target ingresses", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: "0.21.0", - }, - }, - }, - expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/0.21", + name: "Available ingresses", + ingressPath: "testdata/kodata/ingress/1.9/kourier", expectedErr: nil, + expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.9/kourier", }, { - name: "Unavailable target ingresses", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: "0.12.1", - }, - }, - }, - expectedErr: fmt.Errorf("stat testdata/kodata/ingress/0.12: no such file or directory"), + name: "Unavailable ingresses", + ingressPath: "testdata/kodata/ingress/0.16/istio", + expectedErr: fmt.Errorf("stat testdata/kodata/ingress/0.16/istio: no such file or directory"), }, { - name: "Get the latest target ingresses when the directory latest is unavailable", - instance: 
servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: "latest", - }, - }, - }, - expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/0.22", + name: "Missing version", + ingressPath: "", expectedErr: nil, + expectedIngressPath: "", }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { manifest, _ := mf.ManifestFrom(mf.Slice{}) - err := AppendTargetIngresses(context.TODO(), &manifest, &tt.instance) + m, err := getIngress(tt.ingressPath) if err != nil { util.AssertEqual(t, err.Error(), tt.expectedErr.Error()) util.AssertEqual(t, len(manifest.Resources()), 0) } else { + manifest = manifest.Append(m) util.AssertEqual(t, err, tt.expectedErr) util.AssertEqual(t, util.DeepMatchWithPath(manifest, tt.expectedIngressPath), true) } 
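Review bot: In the rewritten `TestGetIngress` the third case is still named `Missing version` although the field it now exercises is `ingressPath`; `name: "Missing path"` would match the new signature. The first case hard-codes `ingressPath: "testdata/kodata/ingress/1.9/kourier"` while its `expectedIngressPath` is derived from `os.Getenv(common.KoEnvKey)`; deriving the input the same way, `ingressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.9/kourier"`, keeps the two from drifting if the fixture root changes. The `Unavailable ingresses` case asserts on the literal `stat ...: no such file or directory` text, which is platform-specific; checking `errors.Is(err, os.ErrNotExist)` would be more robust, though the previous version of the test made the same comparison.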
@@ -190,454 +146,245 @@ func TestAppendTargetIngresses(t *testing.T) { } } -func TestGetIngressWithFilters(t *testing.T) { +func TestGetIngressPath(t *testing.T) { os.Setenv(common.KoEnvKey, "testdata/kodata") defer os.Unsetenv(common.KoEnvKey) - version := "0.21" + tests := []struct { - name string - instance servingv1beta1.KnativeServing - expectedManifestPath string - expected bool + name string + version string + ks *servingv1beta1.KnativeServing + expectedPath string }{{ - name: "Enabled Istio ingress for target manifests", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: version, - }, - Ingress: &servingv1beta1.IngressConfigs{ - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, - }, - }, - }, - expected: true, - expectedManifestPath: os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/net-istio.yaml", + name: "Available ingress path for istio", + version: "1.9", + ks: &servingv1beta1.KnativeServing{}, + expectedPath: os.Getenv(common.KoEnvKey) + "/ingress/1.9/istio", }, { - name: "Enabled Contour ingress for target manifests", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: version, - }, - Ingress: &servingv1beta1.IngressConfigs{ - Contour: base.ContourIngressConfiguration{ - Enabled: true, - }, - }, - }, - }, - expected: true, - expectedManifestPath: os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/net-contour.yaml", - }, { - name: "Enabled Kourier ingress for target manifests", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: version, - }, - Ingress: &servingv1beta1.IngressConfigs{ - Kourier: base.KourierIngressConfiguration{ - Enabled: true, - }, - }, - }, + name: "Available ingress path for istio with empty spec", + version: "1.9", + ks: &servingv1beta1.KnativeServing{ + Spec: 
servingv1beta1.KnativeServingSpec{}, }, - expected: true, - expectedManifestPath: os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/kourier.yaml", + expectedPath: os.Getenv(common.KoEnvKey) + "/ingress/1.9/istio", }, { - name: "Enabled Contour and Kourier ingress for target manifests", - instance: servingv1beta1.KnativeServing{ + name: "Available ingress path for istio with nil ingress", + version: "1.8", + ks: &servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: version, - }, - Ingress: &servingv1beta1.IngressConfigs{ - Kourier: base.KourierIngressConfiguration{ - Enabled: true, - }, - Contour: base.ContourIngressConfiguration{ - Enabled: true, - }, - }, + Ingress: nil, }, }, - expected: true, - expectedManifestPath: os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/net-contour.yaml" + "," + - os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/kourier.yaml", + expectedPath: os.Getenv(common.KoEnvKey) + "/ingress/1.8/istio", }, { - name: "Enabled Istio and Kourier ingress for target manifests", - instance: servingv1beta1.KnativeServing{ + name: "Available ingress path for kourier", + version: "1.8", + ks: &servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: version, - }, Ingress: &servingv1beta1.IngressConfigs{ Kourier: base.KourierIngressConfiguration{ Enabled: true, }, - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, }, }, }, - expected: true, - expectedManifestPath: os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/kourier.yaml" + "," + - os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/net-istio.yaml", + expectedPath: os.Getenv(common.KoEnvKey) + "/ingress/1.8/kourier", }, { - name: "Enabled Istio and Contour ingress for target manifests", - instance: servingv1beta1.KnativeServing{ + name: "Available ingress path for contour", + version: "1.7.5", + ks: &servingv1beta1.KnativeServing{ Spec: 
servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: version, - }, Ingress: &servingv1beta1.IngressConfigs{ Contour: base.ContourIngressConfiguration{ Enabled: true, }, - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, }, }, }, - expected: true, - expectedManifestPath: os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/net-contour.yaml" + "," + - os.Getenv(common.KoEnvKey) + "/ingress/" + version + "/net-istio.yaml", + expectedPath: os.Getenv(common.KoEnvKey) + "/ingress/1.7/contour", }, { - name: "Enabled All ingresses for target manifests", - instance: servingv1beta1.KnativeServing{ + name: "Available ingress path for contour of the latest version", + version: "latest", + ks: &servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - CommonSpec: base.CommonSpec{ - Version: version, - }, Ingress: &servingv1beta1.IngressConfigs{ Contour: base.ContourIngressConfiguration{ Enabled: true, }, - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, - Kourier: base.KourierIngressConfiguration{ - Enabled: true, - }, }, }, }, - expected: true, - expectedManifestPath: os.Getenv(common.KoEnvKey) + "/ingress/" + version, + expectedPath: os.Getenv(common.KoEnvKey) + "/ingress/latest/contour", }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - targetIngressManifests, err := common.FetchManifest(tt.expectedManifestPath) - util.AssertEqual(t, err, nil) - manifest, _ := mf.ManifestFrom(mf.Slice{}) - m, err := getIngress(version) - util.AssertEqual(t, err == nil, tt.expected) - manifest = manifest.Append(m) - manifest = manifest.Filter(Filters(&tt.instance)) - // The resources loaded with the enabled istio ingress returns exactly the same resources as we - // expect from the ingress yaml file. - // The manifest could have more resources than targetIngressManifests, because if the resource is not - // labelled with the ingress provider, it will be kept. 
We can make sure all the resources in targetIngressManifests - // exist in the manifest. - util.AssertEqual(t, len(targetIngressManifests.Filter(mf.Not(mf.In(manifest))).Resources()), 0) + path := getIngressPath(tt.version, tt.ks) + util.AssertEqual(t, path, tt.expectedPath) }) } } -func TestIngressFilter(t *testing.T) { - tests := []struct { - name string - ingressName string - label string - expected bool - }{{ - name: "Available installed ingresses", - ingressName: "istio", - label: "istio", - expected: true, - }, { - name: "Missing ingress label", - ingressName: "istio", - label: "", - expected: true, - }, { - name: "Wrong ingress label", - ingressName: "istio", - label: "kourier", - expected: false, - }} - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - u := makeIngressResource(t, "test-resource", "knative-serving", tt.label) - result := ingressFilter(tt.ingressName)(u) - util.AssertEqual(t, result, tt.expected) - }) - } -} +func TestAppendTargetIngress(t *testing.T) { + os.Setenv(common.KoEnvKey, "testdata/kodata") + defer os.Unsetenv(common.KoEnvKey) -// TestFilters checks if s certain resource with a network provider label will be correctly returned when passing -// the filters. If the resource is not labelled with the network provider label, it will be returned by default, -// regardless of the configuration of the filters. -func TestFilters(t *testing.T) { - servicename := "test-service" - namespace := "knative-serving" tests := []struct { - name string - instance servingv1beta1.KnativeServing - // This label is used to mark the tested resource to indicate which ingress it belongs to. - // Empty label means no label for the resource. - labels []string - // The expected result indicates whether the resource is kept or not. - // If it is true, the resource is kept after the filter. - // If it is false, the resource is removed after the filter. 
- expected []bool + name string + instance servingv1beta1.KnativeServing + expectedIngressPath string + expectedErr error }{{ - name: "Enabled Istio ingress for all resources", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, - }, - }, - }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{true, false, false, true}, - }, { - name: "Default ingress for all resources", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{}, - }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{true, false, false, true}, - }, { - name: "Enabled kourier ingress for all resources", + name: "Available target ingresses", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Kourier: base.KourierIngressConfiguration{ - Enabled: true, - }, + CommonSpec: base.CommonSpec{ + Version: "1.9", }, }, }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{false, false, true, true}, + expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.9/istio", + expectedErr: nil, }, { - name: "Enabled Contour ingress for all resources", + name: "Available target ingresses with Istio specified", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Contour: base.ContourIngressConfiguration{ - Enabled: true, - }, + CommonSpec: base.CommonSpec{ + Version: "1.8", }, - }, - }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{false, true, false, true}, - }, { - name: "Enabled Contour and Istio ingress for all resources", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ Ingress: &servingv1beta1.IngressConfigs{ - Contour: base.ContourIngressConfiguration{ - Enabled: 
true, - }, Istio: base.IstioIngressConfiguration{ Enabled: true, }, }, }, }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{true, true, false, true}, + expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.8/istio", + expectedErr: nil, }, { - name: "Enabled Kourier and Istio ingress for all resources", + name: "Available target ingresses with Kourier specified", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ + CommonSpec: base.CommonSpec{ + Version: "1.8", + }, Ingress: &servingv1beta1.IngressConfigs{ Kourier: base.KourierIngressConfiguration{ Enabled: true, }, - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, }, }, }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{true, false, true, true}, + expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.8/kourier", + expectedErr: nil, }, { - name: "Enabled Kourier and Contour ingress for all resources", + name: "Available target ingresses with Contour specified", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ + CommonSpec: base.CommonSpec{ + Version: "1.8", + }, Ingress: &servingv1beta1.IngressConfigs{ - Kourier: base.KourierIngressConfiguration{ - Enabled: true, - }, Contour: base.ContourIngressConfiguration{ Enabled: true, }, }, }, }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{false, true, true, true}, + expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.8/contour", + expectedErr: nil, }, { - name: "Enabled All ingress for all resources", + name: "Unavailable target ingresses", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, - Kourier: base.KourierIngressConfiguration{ - Enabled: true, - }, - Contour: base.ContourIngressConfiguration{ - Enabled: true, - }, + CommonSpec: base.CommonSpec{ + 
Version: "0.12", }, }, }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{true, true, true, true}, + expectedErr: fmt.Errorf("stat testdata/kodata/ingress/0.12/istio: no such file or directory"), }, { - name: "Disabled All ingress", + name: "Get the latest target ingresses when the directory latest is unavailable", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Istio: base.IstioIngressConfiguration{ - Enabled: false, - }, - Kourier: base.KourierIngressConfiguration{ - Enabled: false, - }, - Contour: base.ContourIngressConfiguration{ - Enabled: false, - }, + CommonSpec: base.CommonSpec{ + Version: "latest", }, }, }, - labels: []string{"istio", "contour", "kourier", ""}, - expected: []bool{false, false, false, true}, + expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.9/istio", + expectedErr: nil, }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - for i, label := range tt.labels { - ingressResource := makeIngressResource(t, servicename, namespace, label) - result := Filters(&tt.instance)(ingressResource) - util.AssertEqual(t, result, tt.expected[i]) + manifest, _ := mf.ManifestFrom(mf.Slice{}) + err := AppendTargetIngress(context.TODO(), &manifest, &tt.instance) + if err != nil { + util.AssertEqual(t, err.Error(), tt.expectedErr.Error()) + util.AssertEqual(t, len(manifest.Resources()), 0) + } else { + util.AssertEqual(t, err, tt.expectedErr) + util.AssertEqual(t, util.DeepMatchWithPath(manifest, tt.expectedIngressPath), true) } }) } } -// TODO: This test verifies the number of transformers. It should be rewritten by better test. 
-func TestTransformers(t *testing.T) { +func TestAppendInstalledIngresses(t *testing.T) { + os.Setenv(common.KoEnvKey, "testdata/kodata") + defer os.Unsetenv(common.KoEnvKey) + tests := []struct { - name string - instance servingv1beta1.KnativeServing - expected int + name string + instance servingv1beta1.KnativeServing + expectedIngressPath string + expectedErr error }{{ - name: "Available istio ingress", - instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, - }, - }, - }, - expected: 1, - }, { - name: "Available kourier ingress", + name: "Available installed ingresses", instance: servingv1beta1.KnativeServing{ - Spec: servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Kourier: base.KourierIngressConfiguration{ - Enabled: true, - }, - }, + Spec: servingv1beta1.KnativeServingSpec{}, + Status: servingv1beta1.KnativeServingStatus{ + Version: "1.8.0", }, }, - expected: 3, + expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.8/istio", + expectedErr: nil, }, { - name: "Available contour ingress", + name: "Available installed ingresses for missing status.version", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Contour: base.ContourIngressConfiguration{ - Enabled: true, - }, + CommonSpec: base.CommonSpec{ + Version: "1.8.0", }, }, + Status: servingv1beta1.KnativeServingStatus{}, }, - expected: 0, + expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/1.8/istio", + expectedErr: nil, }, { - name: "Empty ingress for default istio", + name: "Unavailable installed ingresses for the unavailable status.version", instance: servingv1beta1.KnativeServing{ Spec: servingv1beta1.KnativeServingSpec{}, - }, - expected: 1, - }, { - name: "All ingresses enabled", - instance: servingv1beta1.KnativeServing{ - Spec: 
servingv1beta1.KnativeServingSpec{ - Ingress: &servingv1beta1.IngressConfigs{ - Contour: base.ContourIngressConfiguration{ - Enabled: true, - }, - Kourier: base.KourierIngressConfiguration{ - Enabled: true, - }, - Istio: base.IstioIngressConfiguration{ - Enabled: true, - }, - }, + Status: servingv1beta1.KnativeServingStatus{ + Version: "0.12.1", }, }, - expected: 4, + // We still return nil, even if the ingress is not available. + expectedErr: nil, }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - transformers := Transformers(context.TODO(), &tt.instance) - util.AssertEqual(t, len(transformers), tt.expected) + manifest, _ := mf.ManifestFrom(mf.Slice{}) + err := AppendInstalledIngresses(context.TODO(), &manifest, &tt.instance) + if err != nil { + util.AssertEqual(t, err.Error(), tt.expectedErr.Error()) + util.AssertEqual(t, len(manifest.Resources()), 0) + } else { + util.AssertEqual(t, err, tt.expectedErr) + util.AssertEqual(t, util.DeepMatchWithPath(manifest, tt.expectedIngressPath), true) + } }) } } - -func makeIngressResource(t *testing.T, name, ns, ingressLabel string) *unstructured.Unstructured { - labels := map[string]string{} - if ingressLabel != "" { - labels = map[string]string{ - "networking.knative.dev/ingress-provider": ingressLabel, - } - } - service := &v1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: ns, - Labels: labels, - }, - } - result := &unstructured.Unstructured{} - err := scheme.Scheme.Convert(service, result, nil) - if err != nil { - t.Fatalf("Could not create unstructured Service: %v, err: %v", service, err) - } - - return result -} diff --git a/pkg/reconciler/knativeserving/ingress/istio.go b/pkg/reconciler/knativeserving/ingress/istio.go index 86352daec3..e3f3c7bd72 100644 --- a/pkg/reconciler/knativeserving/ingress/istio.go +++ b/pkg/reconciler/knativeserving/ingress/istio.go 
@@ -30,8 +30,6 @@ import ( "knative.dev/pkg/logging" ) -var istioFilter = ingressFilter("istio") - func istioTransformers(ctx context.Context, instance *v1beta1.KnativeServing) []mf.Transformer { logger := logging.FromContext(ctx) return []mf.Transformer{gatewayTransform(instance, logger)} diff --git a/pkg/reconciler/knativeserving/ingress/kourier.go b/pkg/reconciler/knativeserving/ingress/kourier.go index ff31d203f5..ca0ece70bb 100644 --- a/pkg/reconciler/knativeserving/ingress/kourier.go +++ b/pkg/reconciler/knativeserving/ingress/kourier.go @@ -38,8 +38,6 @@ const ( var kourierControllerDeploymentNames = sets.NewString("3scale-kourier-control", "net-kourier-controller") -var kourierFilter = ingressFilter("kourier") - func kourierTransformers(ctx context.Context, instance *v1beta1.KnativeServing) []mf.Transformer { return []mf.Transformer{ replaceGWNamespace(), @@ -52,7 +50,7 @@ func kourierTransformers(ctx context.Context, instance *v1beta1.KnativeServing) // namespace of the deployment its set on. func replaceGWNamespace() mf.Transformer { return func(u *unstructured.Unstructured) error { - if u.GetKind() == "Deployment" && kourierControllerDeploymentNames.Has(u.GetName()) && hasProviderLabel(u) { + if u.GetKind() == "Deployment" && kourierControllerDeploymentNames.Has(u.GetName()) { deployment := &appsv1.Deployment{} if err := scheme.Scheme.Convert(u, deployment, nil); err != nil { return err 
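Review bot: With `hasProviderLabel(u)` removed, `replaceGWNamespace` now selects any Deployment whose name is in `kourierControllerDeploymentNames`, so correctness depends on the caller only ever passing it the Kourier manifest loaded from the per-provider directory (the `ingress/<version>/kourier/` layout this commit introduces). If the transformer is still run over a combined manifest — for example one that also carries user-supplied additional resources; I cannot see the caller from here — a same-named Deployment from another source would be rewritten as well, which the label guard previously prevented. That assumption deserves a comment on the transformer, e.g. `// Matches by kind and name only: the caller must pass a provider-scoped manifest (see ingress/<version>/kourier/).`. The body of `replaceGWNamespace` continues outside the hunk.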
@@ -79,7 +77,7 @@ func replaceGWNamespace() mf.Transformer {
 // configureGWServiceType configures Kourier GW's service type such as ClusterIP, LoadBalancer and NodePort.
 func configureGWServiceType(instance *v1beta1.KnativeServing) mf.Transformer {
 return func(u *unstructured.Unstructured) error {
- if u.GetKind() == "Service" && u.GetName() == kourierGatewayServiceName && hasProviderLabel(u) {
+ if u.GetKind() == "Service" && u.GetName() == kourierGatewayServiceName {
 if instance.Spec.Ingress.Kourier.ServiceType == "" {
 // Do nothing if ServiceType is not configured.
 return nil
@@ -110,7 +108,7 @@ func configureGWServiceType(instance *v1beta1.KnativeServing) mf.Transformer {
 // configureBootstrapConfigMap sets Kourier GW's bootstrap configmap name.
 func configureBootstrapConfigMap(instance *v1beta1.KnativeServing) mf.Transformer {
 return func(u *unstructured.Unstructured) error {
- if u.GetKind() == "Deployment" && u.GetName() == kourierGatewayDeploymentNames && hasProviderLabel(u) {
+ if u.GetKind() == "Deployment" && u.GetName() == kourierGatewayDeploymentNames {
 if instance.Spec.Ingress.Kourier.BootstrapConfigmapName == "" {
 // Do nothing if BootstrapConfigmapName is not configured.
 return nil
diff --git a/pkg/reconciler/knativeserving/ingress/kourier_test.go b/pkg/reconciler/knativeserving/ingress/kourier_test.go
index 3d20815902..ef22eee661 100644
--- a/pkg/reconciler/knativeserving/ingress/kourier_test.go
+++ b/pkg/reconciler/knativeserving/ingress/kourier_test.go
@@ -56,7 +56,6 @@ func TestTransformKourierManifest(t *testing.T) {
 tests := []struct {
 name string
 instance *servingv1beta1.KnativeServing
- dropLabel bool
 expNamespace string
 expServiceType string
 expConfigMapName string
@@ -87,30 +86,16 @@ func TestTransformKourierManifest(t *testing.T) { expServiceType: "Foo", expConfigMapName: kourierDefaultVolumeName, expError: fmt.Errorf("unknown service type \"Foo\""), - }, { - name: "Do not transform without the ingress provier label", - dropLabel: true, - instance: servingInstance(servingNamespace, "ClusterIP", "my-bootstrap"), - expNamespace: "kourier-system", // kourier default namespace - expConfigMapName: kourierDefaultVolumeName, - expServiceType: "LoadBalancer", // kourier GW default service type }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { client := fake.New() - manifest, err := mf.NewManifest("testdata/kodata/ingress/0.20/kourier.yaml", mf.UseClient(client)) + manifest, err := mf.NewManifest("testdata/kodata/ingress/1.9/kourier/kourier.yaml", mf.UseClient(client)) if err != nil { t.Fatalf("Failed to read manifest: %v", err) } - if tt.dropLabel { - manifest, err = manifest.Transform(removeLabels()) - if err != nil { - t.Fatalf("Failed to transform manifest: %v", err) - } - } - manifest, err = manifest.Transform(replaceGWNamespace()) if err != nil { t.Fatalf("Failed to transform manifest: %v", err) diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-contour.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/contour/net-contour.yaml similarity index 87% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-contour.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/contour/net-contour.yaml index fb6acbc0dc..ac0deeafca 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-contour.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/contour/net-contour.yaml 
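Review bot: Deleting the "Do not transform without the ingress provier label" case removes the only test that checked the Kourier transformers leave non-Kourier resources untouched, and nothing replaces it now that selection is by kind and name alone. A cheap substitute would be a negative case that loads a different provider's manifest from the new layout, e.g. `testdata/kodata/ingress/1.9/istio/net-istio.yaml`, runs `replaceGWNamespace()`, `configureGWServiceType(tt.instance)` and `configureBootstrapConfigMap(tt.instance)` over it, and asserts the resources are unchanged — that pins the name-only matching the commit relies on. The path `testdata/kodata/ingress/1.9/kourier/kourier.yaml` is hard-coded here while the sibling tests in this package set `common.KoEnvKey`; if the helper that resolves manifests honors that env var, deriving the path from it would keep the tests in step when the fixture version is bumped. The loop body continues outside the hunk.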
@@ -3,9 +3,12 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: knative-contour-core + name: knative-serving-contour labels: networking.knative.dev/ingress-provider: contour + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" serving.knative.dev/controller: "true" rules: - apiGroups: ["projectcontour.io"] @@ -33,7 +36,9 @@ metadata: namespace: knative-serving labels: networking.knative.dev/ingress-provider: contour - serving.knative.dev/release: "v0.22.0" + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" data: _example: | ################################ @@ -84,7 +89,7 @@ data: apiVersion: apps/v1 kind: Deployment metadata: - name: contour-ingress-controller + name: net-contour-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: contour @@ -92,18 +97,21 @@ spec: replicas: 1 selector: matchLabels: - app: contour-ingress-controller + app: net-contour-controller template: metadata: labels: - app: contour-ingress-controller + app: net-contour-controller + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" spec: serviceAccountName: controller containers: - name: controller # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:705ac18c11352a874ed35d7404eed1792d599bbd5fcdaed7b945484b1d567bd9 + image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:5ef9f8fbfc651f7aa02fd69f3de288490763f97bfa2b75524dee77c87cbbd8c3 resources: requests: cpu: 40m 
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-istio.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/istio/net-istio.yaml similarity index 81% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-istio.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/istio/net-istio.yaml index 8796c156de..790fc4173f 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-istio.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/istio/net-istio.yaml @@ -1,4 +1,4 @@ -# Generated when HEAD was 191bc5fe5a4b35b64f70577c3e44e44fb699cc5f +# Generated when HEAD was 31bdd1668cd75f9e8958fab08edc88f68679a3e0 # # Copyright 2019 The Knative Authors # @@ -20,7 +20,9 @@ metadata: # These are the permissions needed by the Istio Ingress implementation. name: knative-serving-istio labels: - serving.knative.dev/release: "v0.22.1" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" serving.knative.dev/controller: "true" networking.knative.dev/ingress-provider: istio rules: @@ -50,7 +52,9 @@ metadata: name: knative-ingress-gateway namespace: knative-serving labels: - serving.knative.dev/release: "v0.22.1" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" networking.knative.dev/ingress-provider: istio spec: selector: @@ -87,7 +91,9 @@ metadata: name: knative-local-gateway namespace: knative-serving labels: - serving.knative.dev/release: "v0.22.1" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" networking.knative.dev/ingress-provider: istio spec: selector: 
@@ -106,8 +112,11 @@ metadata: name: knative-local-gateway namespace: istio-system labels: - serving.knative.dev/release: "v0.22.1" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" networking.knative.dev/ingress-provider: istio + experimental.istio.io/disable-gateway-port-translation: "true" spec: type: ClusterIP selector: 
@@ -117,154 +126,6 @@ spec: port: 80 targetPort: 8081 ---- -# Allows the Webhooks to be reached by kube-api with or without -# sidecar injection and with mTLS PERMISSIVE and STRICT. -apiVersion: "security.istio.io/v1beta1" -kind: "PeerAuthentication" -metadata: - name: "webhook" - namespace: "knative-serving" - labels: - serving.knative.dev/release: "v0.22.1" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: webhook - portLevelMtls: - 8443: - mode: PERMISSIVE ---- -apiVersion: "security.istio.io/v1beta1" -kind: "PeerAuthentication" -metadata: - name: "domainmapping-webhook" - namespace: "knative-serving" - labels: - serving.knative.dev/release: "v0.22.1" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: domainmapping-webhook - portLevelMtls: - 8443: - mode: PERMISSIVE ---- -apiVersion: "security.istio.io/v1beta1" -kind: "PeerAuthentication" -metadata: - name: "istio-webhook" - namespace: "knative-serving" - labels: - serving.knative.dev/release: "v0.22.1" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: istio-webhook - portLevelMtls: - 8443: - mode: PERMISSIVE - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.istio.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.22.1" - networking.knative.dev/ingress-provider: istio -webhooks: - - admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: istio-webhook - namespace: knative-serving - failurePolicy: Fail - sideEffects: None - objectSelector: - matchExpressions: - - {key: "serving.knative.dev/configuration", operator: Exists} - name: webhook.istio.networking.internal.knative.dev - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: config.webhook.istio.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.22.1" - networking.knative.dev/ingress-provider: istio -webhooks: - - admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: istio-webhook - namespace: knative-serving - failurePolicy: Fail - sideEffects: None - name: config.webhook.istio.networking.internal.knative.dev - namespaceSelector: - matchExpressions: - - key: serving.knative.dev/release - operator: Exists - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: istio-webhook-certs - namespace: knative-serving - labels: - serving.knative.dev/release: "v0.22.1" - networking.knative.dev/ingress-provider: istio - --- # Copyright 2018 The Knative Authors # @@ -286,9 +147,12 @@ metadata: name: config-istio namespace: knative-serving labels: - serving.knative.dev/release: "v0.22.1" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" networking.knative.dev/ingress-provider: istio data: + # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. _example: | ################################ # # 
@@ -305,12 +169,10 @@ data: # this example block and unindented to be in the data block # to actually change the configuration. - # Default Knative Gateway after v0.3. It points to the Istio - # standard istio-ingressgateway, instead of a custom one that we - # used pre-0.3. The configuration format should be `gateway. - # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. - # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} - # is optional; when it is omitted, the system will search for + # A gateway and Istio service to serve external traffic. + # The configuration format should be + # `gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"`. + # The {{gateway_namespace}} is optional; when it is omitted, the system will search for # the gateway in the serving system namespace `knative-serving` gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" 
@@ -330,14 +192,67 @@ data: # `knative-serving` local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local" - # To use only Istio service mesh and no knative-local-gateway, replace - # all local-gateway.* entries by the following entry. - local-gateway.mesh: "mesh" - # If true, knative will use the Istio VirtualService's status to determine # endpoint readiness. Otherwise, probe as usual. + # NOTE: This feature is currently experimental and should not be used in production. enable-virtualservice-status: "false" - # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. + +--- +# Allows the Webhooks to be reached by kube-api with or without +# sidecar injection and with mTLS PERMISSIVE and STRICT. +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: webhook + portLevelMtls: + "8443": + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "domainmapping-webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: domainmapping-webhook + portLevelMtls: + "8443": + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "net-istio-webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: net-istio-webhook + 
portLevelMtls: + "8443": + mode: PERMISSIVE --- # Copyright 2019 The Knative Authors @@ -357,15 +272,17 @@ data: apiVersion: apps/v1 kind: Deployment metadata: - name: networking-istio + name: net-istio-controller namespace: knative-serving labels: - serving.knative.dev/release: "v0.22.1" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" networking.knative.dev/ingress-provider: istio spec: selector: matchLabels: - app: networking-istio + app: net-istio-controller template: metadata: annotations: @@ -375,15 +292,17 @@ spec: # this is the Istio controller, and so it may be Istio-aware. sidecar.istio.io/inject: "false" labels: - app: networking-istio - serving.knative.dev/release: "v0.22.1" + app: net-istio-controller + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" spec: serviceAccountName: controller containers: - - name: networking-istio + - name: controller # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:ff8680da52ef47b8573ebc3393cbfa2f0f14b05c1e02232807f22699adbef57a + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:b10f96bca1f2d4cf6cf00b2aa046d92798ab1a8e7432f75f7f92f3dc6024987f resources: requests: cpu: 30m @@ -400,6 +319,8 @@ spec: value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability + - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID + value: "false" # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - name: METRICS_DOMAIN value: knative.dev/net-istio 
@@ -437,31 +358,35 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: istio-webhook + name: net-istio-webhook namespace: knative-serving labels: - serving.knative.dev/release: "v0.22.1" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" networking.knative.dev/ingress-provider: istio spec: selector: matchLabels: - app: istio-webhook - role: istio-webhook + app: net-istio-webhook + role: net-istio-webhook template: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "false" labels: - app: istio-webhook - role: istio-webhook - serving.knative.dev/release: "v0.22.1" + app: net-istio-webhook + role: net-istio-webhook + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" spec: serviceAccountName: controller containers: - name: webhook # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:1e371db6b1a9f9265fc7a55d15d98c935c0c28925ffde351fb3b93f331c5a08e + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:1729c1244d1c35826036d4a65780070c1af89cb6189e279e51db0d73a735b4cb resources: requests: cpu: 20m @@ -482,7 +407,7 @@ spec: - name: METRICS_DOMAIN value: knative.dev/net-istio - name: WEBHOOK_NAME - value: istio-webhook + value: net-istio-webhook securityContext: allowPrivilegeEscalation: false ports: 
@@ -508,14 +433,42 @@ spec: # See the License for the specific language governing permissions and # limitations under the License. +apiVersion: v1 +kind: Secret +metadata: + name: net-istio-webhook-certs + namespace: knative-serving + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" + networking.knative.dev/ingress-provider: istio + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: v1 kind: Service metadata: - name: istio-webhook + name: net-istio-webhook namespace: knative-serving labels: - role: istio-webhook - serving.knative.dev/release: "v0.22.1" + role: net-istio-webhook + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" networking.knative.dev/ingress-provider: istio spec: ports: 
@@ -530,6 +483,85 @@ spec: port: 443 targetPort: 8443 selector: - app: istio-webhook + app: net-istio-webhook + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.istio.networking.internal.knative.dev + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: net-istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + objectSelector: + matchExpressions: + - {key: "serving.knative.dev/configuration", operator: Exists} + name: webhook.istio.networking.internal.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.istio.networking.internal.knative.dev + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.6.1" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: net-istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: config.webhook.istio.networking.internal.knative.dev + objectSelector: + matchLabels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: net-istio --- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/kourier.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/kourier/kourier.yaml similarity index 65% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/kourier.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/kourier/kourier.yaml index 342f6822c6..88567228f7 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/kourier.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.6/kourier/kourier.yaml @@ -18,7 +18,9 @@ metadata: name: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.22.0" + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.6.1" --- # Copyright 2020 The Knative Authors 
@@ -42,18 +44,23 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.22.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.6.1" + app.kubernetes.io/name: knative-serving data: envoy-bootstrap.yaml: | dynamic_resources: ads_config: + transport_api_version: V3 api_type: GRPC + rate_limit_settings: {} grpc_services: - - envoy_grpc: - cluster_name: xds_cluster + - envoy_grpc: {cluster_name: xds_cluster} cds_config: + resource_api_version: V3 ads: {} lds_config: + resource_api_version: V3 ads: {} node: cluster: kourier-knative @@ -110,7 +117,7 @@ data: endpoint: address: socket_address: - address: "kourier-control.knative-serving" + address: "net-kourier-controller.knative-serving" port_value: 18000 http2_protocol_options: {} type: STRICT_DNS 
@@ -120,6 +127,82 @@ data:
 pipe:
 path: /tmp/envoy.admin
+---
+# Copyright 2021 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-kourier
+ namespace: knative-serving
+ labels:
+ networking.knative.dev/ingress-provider: kourier
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
+data:
+ _example: |
+ ################################
+ # #
+ # EXAMPLE CONFIGURATION #
+ # #
+ ################################
+
+ # This block is not actually functional configuration,
+ # but serves to illustrate the available configuration
+ # options and document them in a way that is accessible
+ # to users that `kubectl edit` this config map.
+ #
+ # These sample configuration options may be copied out of
+ # this example block and unindented to be in the data block
+ # to actually change the configuration.
+
+ # Specifies whether requests reaching the Kourier gateway
+ # in the context of services should be logged. Readiness
+ # probes etc. must be configured via the bootstrap config.
+ enable-service-access-logging: "true"
+
+ # Specifies whether to use proxy-protocol in order to safely
+ # transport connection information such as a client's address
+ # across multiple layers of TCP proxies.
+ # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE
+ enable-proxy-protocol: "false"
+
+ # The server certificates to serve the internal TLS traffic for Kourier Gateway.
+ # It is specified by the secret name in controller namespace, which has
+ # the "tls.crt" and "tls.key" data field.
+ # Use an empty value to disable the feature (default).
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+ # for now. Use with caution.
+ cluster-cert-secret: ""
+
+ # Specifies the amount of time that Kourier waits for the incoming requests.
+ stream-idle-timeout: "300s"
+
+ # Control the desired level of incoming traffic isolation.
+ #
+ # When set to an empty value (default), all incoming traffic flows through
+ # a shared ingress and listeners.
+ #
+ # When set to "port", incoming traffic is isolated by using different
+ # listener ports.
+ #
+ # NOTE: This flag is in an alpha state.
+ traffic-isolation: ""
+
 ---
 # Copyright 2020 The Knative Authors
 #
@@ -138,20 +221,24 @@ data:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: 3scale-kourier
+ name: net-kourier
 namespace: knative-serving
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.22.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: 3scale-kourier
+ name: net-kourier
 namespace: knative-serving
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.22.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
 rules:
 - apiGroups: [""]
 resources: ["events"]
@@ -162,6 +249,9 @@ rules:
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
@@ -175,17 +265,19 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: 3scale-kourier
+ name: net-kourier
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.22.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: 3scale-kourier
+ name: net-kourier
 subjects:
 - kind: ServiceAccount
- name: 3scale-kourier
+ name: net-kourier
 namespace: knative-serving
 ---
@@ -206,24 +298,26 @@ subjects:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: 3scale-kourier-control
+ name: net-kourier-controller
 namespace: knative-serving
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.22.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
 spec:
 replicas: 1
 selector:
 matchLabels:
- app: 3scale-kourier-control
+ app: net-kourier-controller
 template:
 metadata:
 labels:
- app: 3scale-kourier-control
+ app: net-kourier-controller
 spec:
 containers:
- - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:7f10e56399b567a59bac93e8c59912acd073d9a1e3b3c0f763284083d0707e47
- name: kourier-control
+ - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:08114089cf84290fc3571220a92a98879d8c5aabe7f680a509e053ed9d0911b7
+ name: controller
 env:
 - name: CERTS_SECRET_NAMESPACE
 value: ""
@@ -237,10 +331,15 @@ spec:
 value: "knative.dev/samples"
 - name: KOURIER_GATEWAY_NAMESPACE
 value: "kourier-system"
+ - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID
+ value: "false"
 ports:
 - name: http2-xds
 containerPort: 18000
 protocol: TCP
+ readinessProbe:
+ exec:
+ command: ["/ko-app/kourier", "-probe-addr=:18000"]
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
@@ -249,16 +348,18 @@ spec:
 drop:
 - all
 restartPolicy: Always
- serviceAccountName: 3scale-kourier
+ serviceAccountName: net-kourier
 ---
 apiVersion: v1
 kind: Service
 metadata:
- name: kourier-control
+ name: net-kourier-controller
 namespace: knative-serving
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.22.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
 spec:
 ports:
 - name: grpc-xds
@@ -266,7 +367,7 @@ spec:
 protocol: TCP
 targetPort: 18000
 selector:
- app: 3scale-kourier-control
+ app: net-kourier-controller
 type: ClusterIP
 ---
@@ -291,8 +392,15 @@ metadata:
 namespace: kourier-system
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.22.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
 spec:
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 0
+ maxSurge: 1
 selector:
 matchLabels:
 app: 3scale-kourier-gateway
@@ -300,6 +408,10 @@ spec:
 metadata:
 labels:
 app: 3scale-kourier-gateway
+ annotations:
+ # v0.26 supports envoy v3 API, so
+ # adding this label to restart pod.
+ networking.knative.dev/poke: "v0.26"
 spec:
 containers:
 - args:
@@ -308,7 +420,7 @@ spec:
 - --log-level info
 command:
 - /usr/local/bin/envoy
- image: docker.io/envoyproxy/envoy:v1.16-latest
+ image: docker.io/envoyproxy/envoy:v1.20-latest
 name: kourier-gateway
 ports:
 - name: http2-external
@@ -320,6 +432,12 @@ spec:
 - name: https-external
 containerPort: 8443
 protocol: TCP
+ - name: http-probe
+ containerPort: 8090
+ protocol: TCP
+ - name: https-probe
+ containerPort: 9443
+ protocol: TCP
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: false
@@ -357,7 +475,9 @@ metadata:
 namespace: kourier-system
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.22.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
 spec:
 ports:
 - name: http2
@@ -379,13 +499,19 @@ metadata:
 namespace: kourier-system
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.22.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.6.1"
+ app.kubernetes.io/name: knative-serving
 spec:
 ports:
 - name: http2
 port: 80
 protocol: TCP
 targetPort: 8081
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8444
 selector:
 app: 3scale-kourier-gateway
 type: ClusterIP
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-contour.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/contour/net-contour.yaml
similarity index 86%
rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-contour.yaml
rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/contour/net-contour.yaml
index 53bdf8c883..345f479735 100644
--- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-contour.yaml
+++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/contour/net-contour.yaml
@@ -3,9 +3,12 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: knative-contour-core
+ name: knative-serving-contour
 labels:
 networking.knative.dev/ingress-provider: contour
+ app.kubernetes.io/component: net-contour
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 serving.knative.dev/controller: "true"
 rules:
 - apiGroups: ["projectcontour.io"]
@@ -33,7 +36,9 @@ metadata:
 namespace: knative-serving
 labels:
 networking.knative.dev/ingress-provider: contour
- serving.knative.dev/release: "v0.20.0"
+ app.kubernetes.io/component: net-contour
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 data:
 _example: |
 ################################
@@ -46,7 +51,7 @@ data:
 timeout-policy-idle: "infinity"
 # timeout-policy-response sets TimeoutPolicy.Response in contour HTTPProxy spec
- timeou-policy-response: "infinity"
+ timeout-policy-response: "infinity"
 # If auto-TLS is disabled fallback to the following certificate
 #
@@ -84,7 +89,7 @@ data:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: contour-ingress-controller
+ name: net-contour-controller
 namespace: knative-serving
 labels:
 networking.knative.dev/ingress-provider: contour
@@ -92,18 +97,21 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app: contour-ingress-controller
+ app: net-contour-controller
 template:
 metadata:
 labels:
- app: contour-ingress-controller
+ app: net-contour-controller
+ app.kubernetes.io/component: net-contour
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 spec:
 serviceAccountName: controller
 containers:
 - name: controller
 # This is the Go import path for the binary that is containerized
 # and substituted here.
- image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:5654ef5be4f506909bba6cbb59e7049d6c4bfc866066f2546bcabd2ff547307f
+ image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:9ac595b67aaf822576c5d870acd9d8b69fffa72aeda809b3d35d31f266f7d7f6
 resources:
 requests:
 cpu: 40m
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-istio.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/istio/net-istio.yaml
similarity index 81%
rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-istio.yaml
rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/istio/net-istio.yaml
index e5ee1a1762..3ba1646221 100644
--- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-istio.yaml
+++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/istio/net-istio.yaml
@@ -1,4 +1,4 @@
-# Generated when HEAD was 59b2af9679f7997fffd9befb57dedec35e1a302d
+# Generated when HEAD was 103896085b70302c7438252509ec11b3056aa196
 #
 # Copyright 2019 The Knative Authors
 #
@@ -20,12 +20,14 @@ metadata:
 # These are the permissions needed by the Istio Ingress implementation.
 name: knative-serving-istio
 labels:
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 serving.knative.dev/controller: "true"
 networking.knative.dev/ingress-provider: istio
 rules:
 - apiGroups: ["networking.istio.io"]
- resources: ["virtualservices", "gateways"]
+ resources: ["virtualservices", "gateways", "destinationrules"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 ---
@@ -50,7 +52,9 @@ metadata:
 name: knative-ingress-gateway
 namespace: knative-serving
 labels:
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 networking.knative.dev/ingress-provider: istio
 spec:
 selector:
@@ -87,7 +91,9 @@ metadata:
 name: knative-local-gateway
 namespace: knative-serving
 labels:
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 networking.knative.dev/ingress-provider: istio
 spec:
 selector:
@@ -106,8 +112,11 @@ metadata:
 name: knative-local-gateway
 namespace: istio-system
 labels:
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 networking.knative.dev/ingress-provider: istio
+ experimental.istio.io/disable-gateway-port-translation: "true"
 spec:
 type: ClusterIP
 selector:
@@ -117,154 +126,6 @@ spec:
 port: 80
 targetPort: 8081
----
-# Allows the Webhooks to be reached by kube-api with or without
-# sidecar injection and with mTLS PERMISSIVE and STRICT.
-apiVersion: "security.istio.io/v1beta1"
-kind: "PeerAuthentication"
-metadata:
- name: "webhook"
- namespace: "knative-serving"
- labels:
- serving.knative.dev/release: "v0.21.0"
- networking.knative.dev/ingress-provider: istio
-spec:
- selector:
- matchLabels:
- app: webhook
- portLevelMtls:
- 8443:
- mode: PERMISSIVE
----
-apiVersion: "security.istio.io/v1beta1"
-kind: "PeerAuthentication"
-metadata:
- name: "domainmapping-webhook"
- namespace: "knative-serving"
- labels:
- serving.knative.dev/release: "v0.21.0"
- networking.knative.dev/ingress-provider: istio
-spec:
- selector:
- matchLabels:
- app: domainmapping-webhook
- portLevelMtls:
- 8443:
- mode: PERMISSIVE
----
-apiVersion: "security.istio.io/v1beta1"
-kind: "PeerAuthentication"
-metadata:
- name: "istio-webhook"
- namespace: "knative-serving"
- labels:
- serving.knative.dev/release: "v0.21.0"
- networking.knative.dev/ingress-provider: istio
-spec:
- selector:
- matchLabels:
- app: istio-webhook
- portLevelMtls:
- 8443:
- mode: PERMISSIVE
-
----
-# Copyright 2020 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: webhook.istio.networking.internal.knative.dev
- labels:
- serving.knative.dev/release: "v0.21.0"
- networking.knative.dev/ingress-provider: istio
-webhooks:
- - admissionReviewVersions:
- - v1beta1
- clientConfig:
- service:
- name: istio-webhook
- namespace: knative-serving
- failurePolicy: Fail
- sideEffects: None
- objectSelector:
- matchExpressions:
- - {key: "serving.knative.dev/configuration", operator: Exists}
- name: webhook.istio.networking.internal.knative.dev
-
----
-# Copyright 2020 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: config.webhook.istio.networking.internal.knative.dev
- labels:
- serving.knative.dev/release: "v0.21.0"
- networking.knative.dev/ingress-provider: istio
-webhooks:
- - admissionReviewVersions:
- - v1beta1
- clientConfig:
- service:
- name: istio-webhook
- namespace: knative-serving
- failurePolicy: Fail
- sideEffects: None
- name: config.webhook.istio.networking.internal.knative.dev
- namespaceSelector:
- matchExpressions:
- - key: serving.knative.dev/release
- operator: Exists
-
----
-# Copyright 2020 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: istio-webhook-certs
- namespace: knative-serving
- labels:
- serving.knative.dev/release: "v0.21.0"
- networking.knative.dev/ingress-provider: istio
-
 ---
 # Copyright 2018 The Knative Authors
 #
@@ -286,9 +147,12 @@ metadata:
 name: config-istio
 namespace: knative-serving
 labels:
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 networking.knative.dev/ingress-provider: istio
 data:
+ # TODO(nghia): Extract the .svc.cluster.local suffix into its own config.
 _example: |
 ################################
 # #
@@ -305,12 +169,10 @@ data:
 # this example block and unindented to be in the data block
 # to actually change the configuration.
- # Default Knative Gateway after v0.3. It points to the Istio
- # standard istio-ingressgateway, instead of a custom one that we
- # used pre-0.3. The configuration format should be `gateway.
- # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.
- # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}}
- # is optional; when it is omitted, the system will search for
+ # A gateway and Istio service to serve external traffic.
+ # The configuration format should be
+ # `gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"`.
+ # The {{gateway_namespace}} is optional; when it is omitted, the system will search for
 # the gateway in the serving system namespace `knative-serving`
 gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"
@@ -330,14 +192,67 @@ data:
 # `knative-serving`
 local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local"
- # To use only Istio service mesh and no knative-local-gateway, replace
- # all local-gateway.* entries by the following entry.
- local-gateway.mesh: "mesh"
-
 # If true, knative will use the Istio VirtualService's status to determine
 # endpoint readiness. Otherwise, probe as usual.
+ # NOTE: This feature is currently experimental and should not be used in production.
 enable-virtualservice-status: "false"
- # TODO(nghia): Extract the .svc.cluster.local suffix into its own config.
+
+---
+# Allows the Webhooks to be reached by kube-api with or without
+# sidecar injection and with mTLS PERMISSIVE and STRICT.
+apiVersion: "security.istio.io/v1beta1"
+kind: "PeerAuthentication"
+metadata:
+ name: "webhook"
+ namespace: "knative-serving"
+ labels:
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
+ networking.knative.dev/ingress-provider: istio
+spec:
+ selector:
+ matchLabels:
+ app: webhook
+ portLevelMtls:
+ "8443":
+ mode: PERMISSIVE
+---
+apiVersion: "security.istio.io/v1beta1"
+kind: "PeerAuthentication"
+metadata:
+ name: "domainmapping-webhook"
+ namespace: "knative-serving"
+ labels:
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
+ networking.knative.dev/ingress-provider: istio
+spec:
+ selector:
+ matchLabels:
+ app: domainmapping-webhook
+ portLevelMtls:
+ "8443":
+ mode: PERMISSIVE
+---
+apiVersion: "security.istio.io/v1beta1"
+kind: "PeerAuthentication"
+metadata:
+ name: "net-istio-webhook"
+ namespace: "knative-serving"
+ labels:
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
+ networking.knative.dev/ingress-provider: istio
+spec:
+ selector:
+ matchLabels:
+ app: net-istio-webhook
+ portLevelMtls:
+ "8443":
+ mode: PERMISSIVE
 ---
 # Copyright 2019 The Knative Authors
@@ -357,15 +272,17 @@ data:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: networking-istio
+ name: net-istio-controller
 namespace: knative-serving
 labels:
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 networking.knative.dev/ingress-provider: istio
 spec:
 selector:
 matchLabels:
- app: networking-istio
+ app: net-istio-controller
 template:
 metadata:
 annotations:
@@ -375,15 +292,17 @@ spec:
 # this is the Istio controller, and so it may be Istio-aware.
 sidecar.istio.io/inject: "false"
 labels:
- app: networking-istio
- serving.knative.dev/release: "v0.21.0"
+ app: net-istio-controller
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 spec:
 serviceAccountName: controller
 containers:
- - name: networking-istio
+ - name: controller
 # This is the Go import path for the binary that is containerized
 # and substituted here.
- image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:5555b83528d9f694268c521c78caae0a9c31c7e1c98795d854f6fe990d561312
+ image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:c110b0b5d545561f220d23bdb48a6c75f5591d068de9fb079baad47c82903e28
 resources:
 requests:
 cpu: 30m
@@ -400,6 +319,8 @@ spec:
 value: config-logging
 - name: CONFIG_OBSERVABILITY_NAME
 value: config-observability
+ - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID
+ value: "false"
 # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
 - name: METRICS_DOMAIN
 value: knative.dev/net-istio
@@ -437,31 +358,35 @@ spec:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: istio-webhook
+ name: net-istio-webhook
 namespace: knative-serving
 labels:
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 networking.knative.dev/ingress-provider: istio
 spec:
 selector:
 matchLabels:
- app: istio-webhook
- role: istio-webhook
+ app: net-istio-webhook
+ role: net-istio-webhook
 template:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
 labels:
- app: istio-webhook
- role: istio-webhook
- serving.knative.dev/release: "v0.21.0"
+ app: net-istio-webhook
+ role: net-istio-webhook
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 spec:
 serviceAccountName: controller
 containers:
 - name: webhook
 # This is the Go import path for the binary that is containerized
 # and substituted here.
- image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:203acf3ac797f1e66a6ea3aa02a7060d199af521d7fbc5633ef79a05a4aec8fa
+ image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:d74e79f7db426c1d24e060009e31344cad2d6e8c7e161184f121fde78b2f4a1d
 resources:
 requests:
 cpu: 20m
@@ -482,7 +407,7 @@ spec:
 - name: METRICS_DOMAIN
 value: knative.dev/net-istio
 - name: WEBHOOK_NAME
- value: istio-webhook
+ value: net-istio-webhook
 securityContext:
 allowPrivilegeEscalation: false
 ports:
@@ -508,14 +433,42 @@ spec:
 # See the License for the specific language governing permissions and
 # limitations under the License.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: net-istio-webhook-certs
+ namespace: knative-serving
+ labels:
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
+ networking.knative.dev/ingress-provider: istio
+
+---
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: Service
 metadata:
- name: istio-webhook
+ name: net-istio-webhook
 namespace: knative-serving
 labels:
- role: istio-webhook
- serving.knative.dev/release: "v0.21.0"
+ role: net-istio-webhook
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
 networking.knative.dev/ingress-provider: istio
 spec:
 ports:
@@ -530,6 +483,85 @@ spec:
 port: 443
 targetPort: 8443
 selector:
- app: istio-webhook
+ app: net-istio-webhook
+
+---
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: webhook.istio.networking.internal.knative.dev
+ labels:
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
+ networking.knative.dev/ingress-provider: istio
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: net-istio-webhook
+ namespace: knative-serving
+ failurePolicy: Fail
+ sideEffects: None
+ objectSelector:
+ matchExpressions:
+ - {key: "serving.knative.dev/configuration", operator: Exists}
+ name: webhook.istio.networking.internal.knative.dev
+
+---
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: config.webhook.istio.networking.internal.knative.dev
+ labels:
+ app.kubernetes.io/component: net-istio
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/version: "1.7.1"
+ networking.knative.dev/ingress-provider: istio
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: net-istio-webhook
+ namespace: knative-serving
+ failurePolicy: Fail
+ sideEffects: None
+ name: config.webhook.istio.networking.internal.knative.dev
+ objectSelector:
+ matchLabels:
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/component: net-istio
 ---
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/kourier.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/kourier/kourier.yaml
similarity index 65%
rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/kourier.yaml
rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/kourier/kourier.yaml
index 4efa510c1f..47becc8d61 100644
--- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/kourier.yaml
+++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.7/kourier/kourier.yaml
@@ -18,7 +18,9 @@ metadata:
 name: kourier-system
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.7.1"
 ---
 # Copyright 2020 The Knative Authors
@@ -42,18 +44,23 @@ metadata:
 namespace: kourier-system
 labels:
 networking.knative.dev/ingress-provider: kourier
- serving.knative.dev/release: "v0.21.0"
+ app.kubernetes.io/component: net-kourier
+ app.kubernetes.io/version: "1.7.1"
+ app.kubernetes.io/name: knative-serving
 data:
 envoy-bootstrap.yaml: |
 dynamic_resources:
 ads_config:
+ transport_api_version: V3
 api_type: GRPC
+ rate_limit_settings: {}
 grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
+ - envoy_grpc: {cluster_name: xds_cluster}
 cds_config:
+ resource_api_version: V3
 ads: {}
 lds_config:
+ resource_api_version: V3
 ads: {}
 node:
 cluster: kourier-knative
@@ -110,7 +117,7 @@ data:
 endpoint:
 address:
 socket_address:
- address: "kourier-control.knative-serving"
+ address: "net-kourier-controller.knative-serving"
 port_value: 18000
 http2_protocol_options: {}
 type: STRICT_DNS
@@ -120,6 +127,83 @@ data: pipe: path: /tmp/envoy.admin +--- +# Copyright 2021 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Specifies whether requests reaching the Kourier gateway + # in the context of services should be logged. Readiness + # probes etc. must be configured via the bootstrap config. + enable-service-access-logging: "true" + + # Specifies whether to use proxy-protocol in order to safely + # transport connection information such as a client's address + # across multiple layers of TCP proxies. 
+ # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE + enable-proxy-protocol: "false" + + # The server certificates to serve the internal TLS traffic for Kourier Gateway. + # It is specified by the secret name in controller namespace, which has + # the "tls.crt" and "tls.key" data field. + # Use an empty value to disable the feature (default). + # + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. + cluster-cert-secret: "" + + # Specifies the amount of time that Kourier waits for the incoming requests. + # The default, 0s, imposes no timeout at all. + stream-idle-timeout: "0s" + + # Control the desired level of incoming traffic isolation. + # + # When set to an empty value (default), all incoming traffic flows through + # a shared ingress and listeners. + # + # When set to "port", incoming traffic is isolated by using different + # listener ports. + # + # NOTE: This flag is in an alpha state. + traffic-isolation: "" + --- # Copyright 2020 The Knative Authors # @@ -138,20 +222,24 @@ data: apiVersion: v1 kind: ServiceAccount metadata: - name: 3scale-kourier + name: net-kourier namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: 3scale-kourier + name: net-kourier namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving rules: - apiGroups: [""] resources: ["events"] 
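Review bot: The `enable-proxy-protocol` comment in `@@ -120,6 +127,83 @@` describes the transport benefit but not its trust precondition: once enabled, the gateway takes the client address from the PROXY header, so the option is only safe when every hop in front of the gateway is a trusted proxy that sets that header. Because this is `_example` text that users copy into the data block, I would add one line after the NOTE: `# Only enable when the gateway sits behind a trusted load balancer that emits PROXY protocol; otherwise the reported client address cannot be trusted.` As the file is a fixture copied from the upstream release, the wording change belongs in net-kourier rather than in this repository.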
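Review bot: `@@ -138,20 +222,24 @@` renames the ServiceAccount and ClusterRole from `3scale-kourier` to `net-kourier` (and `@@ -175,17 +266,19 @@` the ClusterRoleBinding) without anything in the manifest deleting the old objects, so on an upgraded cluster the `3scale-kourier` ClusterRoleBinding and ServiceAccount may remain as dormant, unused privilege unless the operator prunes resources that are missing from the new manifest. Worth confirming that the reconciler's cleanup covers renamed RBAC objects, since a fixture that exercises exactly this rename is the natural place to assert it. Separately, the ClusterRole keeps `namespace: knative-serving` in its metadata; a ClusterRole is cluster-scoped and the field is ignored, so it is misleading and could be dropped upstream.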
@@ -162,6 +250,9 @@ rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] @@ -175,17 +266,19 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: 3scale-kourier + name: net-kourier labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: 3scale-kourier + name: net-kourier subjects: - kind: ServiceAccount - name: 3scale-kourier + name: net-kourier namespace: knative-serving --- @@ -206,24 +299,26 @@ subjects: apiVersion: apps/v1 kind: Deployment metadata: - name: 3scale-kourier-control + name: net-kourier-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving spec: replicas: 1 selector: matchLabels: - app: 3scale-kourier-control + app: net-kourier-controller template: metadata: labels: - app: 3scale-kourier-control + app: net-kourier-controller spec: containers: - - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:5ec9c41be4475d325e3cba284f3725d6147ca1f0ac766cd9ff22f97c36a9def5 - name: kourier-control + - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:4afd09c1642f97071c703ff73f3edc622fbde6ac4b684df6341a58853a2cf1eb + name: controller env: - name: CERTS_SECRET_NAMESPACE value: "" 
@@ -237,10 +332,15 @@ spec: value: "knative.dev/samples" - name: KOURIER_GATEWAY_NAMESPACE value: "kourier-system" + - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID + value: "false" ports: - name: http2-xds containerPort: 18000 protocol: TCP + readinessProbe: + exec: + command: ["/ko-app/kourier", "-probe-addr=:18000"] securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -249,16 +349,18 @@ spec: drop: - all restartPolicy: Always - serviceAccountName: 3scale-kourier + serviceAccountName: net-kourier --- apiVersion: v1 kind: Service metadata: - name: kourier-control + name: net-kourier-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving spec: ports: - name: grpc-xds @@ -266,7 +368,7 @@ spec: protocol: TCP targetPort: 18000 selector: - app: 3scale-kourier-control + app: net-kourier-controller type: ClusterIP --- @@ -291,8 +393,15 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 selector: matchLabels: app: 3scale-kourier-gateway @@ -300,6 +409,10 @@ spec: metadata: labels: app: 3scale-kourier-gateway + annotations: + # v0.26 supports envoy v3 API, so + # adding this label to restart pod. + networking.knative.dev/poke: "v0.26" spec: containers: - args: @@ -308,7 +421,7 @@ spec: - --log-level info command: - /usr/local/bin/envoy - image: docker.io/envoyproxy/envoy:v1.16-latest + image: docker.io/envoyproxy/envoy:v1.20-latest name: kourier-gateway ports: - name: http2-external 
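Review bot: In `@@ -308,7 +421,7 @@` the gateway image moves to `docker.io/envoyproxy/envoy:v1.20-latest`, a mutable tag, while the controller image in `@@ -206,24 +299,26 @@` is pinned by `@sha256:` digest. A floating tag means the bytes running in kourier-system can change between two applies of the same manifest and cannot be tied back to a release, which undoes the digest-based reproducibility the rest of the file has. The fixture mirrors the upstream 1.7.1 release, so the fix is upstream: pin the Envoy image by digest, e.g. `image: docker.io/envoyproxy/envoy@sha256:<digest-of-the-released-image>`, or at minimum a fully qualified `v1.20.x` tag.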
@@ -320,6 +433,12 @@ spec: - name: https-external containerPort: 8443 protocol: TCP + - name: http-probe + containerPort: 8090 + protocol: TCP + - name: https-probe + containerPort: 9443 + protocol: TCP securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: false @@ -357,7 +476,9 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving spec: ports: - name: http2 @@ -379,13 +500,19 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.7.1" + app.kubernetes.io/name: knative-serving spec: ports: - name: http2 port: 80 protocol: TCP targetPort: 8081 + - name: https + port: 443 + protocol: TCP + targetPort: 8444 selector: app: 3scale-kourier-gateway type: ClusterIP diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-contour.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/contour/net-contour.yaml similarity index 86% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-contour.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/contour/net-contour.yaml index 00575a12be..a9f58b0ad5 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-contour.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/contour/net-contour.yaml 
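Review bot: `@@ -320,6 +433,12 @@` adds the http-probe/https-probe ports but leaves the gateway container at `readOnlyRootFilesystem: false`, whereas the controller in `@@ -237,10 +332,15 @@` runs with `readOnlyRootFilesystem: true`. The writable root filesystem is presumably needed because the bootstrap places the admin interface on a Unix socket at `/tmp/envoy.admin` (the `admin:` block at the top of `@@ -120,6 +127,83 @@`); if so, an `emptyDir` mounted at `/tmp` would let the gateway run read-only too, limiting what a compromised Envoy process could modify on its own filesystem. As with the rest of this fixture the change belongs in the upstream net-kourier manifest, but a comment on the `securityContext` explaining why the root filesystem is writable would make the exception deliberate rather than accidental.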
@@ -3,16 +3,18 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: knative-contour-core + name: knative-serving-contour labels: networking.knative.dev/ingress-provider: contour + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" serving.knative.dev/controller: "true" rules: - apiGroups: ["projectcontour.io"] resources: ["httpproxies"] verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"] ---- # Copyright 2019 The Knative Authors # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -26,7 +28,7 @@ rules: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +--- apiVersion: v1 kind: ConfigMap metadata: @@ -34,7 +36,9 @@ metadata: namespace: knative-serving labels: networking.knative.dev/ingress-provider: contour - serving.knative.dev/release: "v0.19.0" + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" data: _example: | ################################ @@ -47,7 +51,7 @@ data: timeout-policy-idle: "infinity" # timeout-policy-response sets TimeoutPolicy.Response in contour HTTPProxy spec - timeou-policy-response: "infinity" + timeout-policy-response: "infinity" # If auto-TLS is disabled fallback to the following certificate # @@ -68,7 +72,6 @@ data: class: contour-internal service: contour-internal/envoy ---- # Copyright 2020 The Knative Authors # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -82,11 +85,11 @@ data: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +--- apiVersion: apps/v1 kind: Deployment metadata: - name: contour-ingress-controller + name: net-contour-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: contour @@ -94,18 +97,21 @@ spec: replicas: 1 selector: matchLabels: - app: contour-ingress-controller + app: net-contour-controller template: metadata: labels: - app: contour-ingress-controller + app: net-contour-controller + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" spec: serviceAccountName: controller containers: - name: controller # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:bdff6f57bbded077639f223459acd92a9b2639ffb0f8569736019c2e0ece9612 + image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:6d28fb33deeba91d75fab35f9fec587dceacf5b64d19ae0ebcd4b4f9d955e6c5 resources: requests: cpu: 40m @@ -136,5 +142,5 @@ spec: capabilities: drop: - all - --- + diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-istio.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/istio/net-istio.yaml similarity index 78% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-istio.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/istio/net-istio.yaml index 7d86670be2..89d700b3ca 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-istio.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/istio/net-istio.yaml 
@@ -1,4 +1,4 @@ -# Generated when HEAD was 9f0302e48909925303ccbdc2da86ca9b93d2cff0 +# Generated when HEAD was 17a528017026d0f30b5c854387f19881dac49956 # # Copyright 2019 The Knative Authors # @@ -20,12 +20,14 @@ metadata: # These are the permissions needed by the Istio Ingress implementation. name: knative-serving-istio labels: - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" serving.knative.dev/controller: "true" networking.knative.dev/ingress-provider: istio rules: - apiGroups: ["networking.istio.io"] - resources: ["virtualservices", "gateways"] + resources: ["virtualservices", "gateways", "destinationrules"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] --- @@ -50,7 +52,9 @@ metadata: name: knative-ingress-gateway namespace: knative-serving labels: - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" networking.knative.dev/ingress-provider: istio spec: selector: @@ -87,7 +91,9 @@ metadata: name: knative-local-gateway namespace: knative-serving labels: - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" networking.knative.dev/ingress-provider: istio spec: selector: @@ -106,8 +112,11 @@ metadata: name: knative-local-gateway namespace: istio-system labels: - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" networking.knative.dev/ingress-provider: istio + experimental.istio.io/disable-gateway-port-translation: "true" spec: type: ClusterIP selector: 
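Review bot: `@@ -20,12 +20,14 @@` widens the `knative-serving-istio` ClusterRole from `virtualservices, gateways` to also cover `destinationrules` with create/update/delete/patch cluster-wide. That is a privilege expansion for the controller's ServiceAccount which the fixture rename does not draw attention to; since the operator applies these manifests on upgrade, a line in the PR description or the ingress release notes would let cluster admins reviewing RBAC drift know the new write scope is expected. Nothing to change in the manifest itself if the net-istio 1.8.2 controller actually manages DestinationRules, which I cannot verify from here.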
@@ -117,136 +126,6 @@ spec: port: 80 targetPort: 8081 ---- -# Allows the Webhooks to be reached by kube-api with or without -# sidecar injection and with mTLS PERMISSIVE and STRICT. -apiVersion: "security.istio.io/v1beta1" -kind: "PeerAuthentication" -metadata: - name: "webhook" - namespace: "knative-serving" - labels: - serving.knative.dev/release: "v0.20.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: webhook - mtls: - mode: PERMISSIVE ---- -apiVersion: "security.istio.io/v1beta1" -kind: "PeerAuthentication" -metadata: - name: "istio-webhook" - namespace: "knative-serving" - labels: - serving.knative.dev/release: "v0.20.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: istio-webhook - mtls: - mode: PERMISSIVE - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.istio.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.20.0" - networking.knative.dev/ingress-provider: istio -webhooks: - - admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: istio-webhook - namespace: knative-serving - failurePolicy: Fail - sideEffects: None - objectSelector: - matchExpressions: - - {key: "serving.knative.dev/configuration", operator: Exists} - name: webhook.istio.networking.internal.knative.dev - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: config.webhook.istio.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.20.0" - networking.knative.dev/ingress-provider: istio -webhooks: - - admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: istio-webhook - namespace: knative-serving - failurePolicy: Fail - sideEffects: None - name: config.webhook.istio.networking.internal.knative.dev - namespaceSelector: - matchExpressions: - - key: serving.knative.dev/release - operator: Exists - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: istio-webhook-certs - namespace: knative-serving - labels: - serving.knative.dev/release: "v0.20.0" - networking.knative.dev/ingress-provider: istio - --- # Copyright 2018 The Knative Authors # @@ -268,9 +147,12 @@ metadata: name: config-istio namespace: knative-serving labels: - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" networking.knative.dev/ingress-provider: istio data: + # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. _example: | ################################ # # 
@@ -287,12 +169,10 @@ data: # this example block and unindented to be in the data block # to actually change the configuration. - # Default Knative Gateway after v0.3. It points to the Istio - # standard istio-ingressgateway, instead of a custom one that we - # used pre-0.3. The configuration format should be `gateway. - # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. - # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} - # is optional; when it is omitted, the system will search for + # A gateway and Istio service to serve external traffic. + # The configuration format should be + # `gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"`. + # The {{gateway_namespace}} is optional; when it is omitted, the system will search for # the gateway in the serving system namespace `knative-serving` gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" 
@@ -312,14 +192,67 @@ data: # `knative-serving` local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local" - # To use only Istio service mesh and no knative-local-gateway, replace - # all local-gateway.* entries by the following entry. - local-gateway.mesh: "mesh" - # If true, knative will use the Istio VirtualService's status to determine # endpoint readiness. Otherwise, probe as usual. + # NOTE: This feature is currently experimental and should not be used in production. enable-virtualservice-status: "false" - # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. + +--- +# Allows the Webhooks to be reached by kube-api with or without +# sidecar injection and with mTLS PERMISSIVE and STRICT. +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: webhook + portLevelMtls: + "8443": + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "domainmapping-webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: domainmapping-webhook + portLevelMtls: + "8443": + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "net-istio-webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: net-istio-webhook + 
portLevelMtls: + "8443": + mode: PERMISSIVE --- # Copyright 2019 The Knative Authors @@ -339,15 +272,17 @@ data: apiVersion: apps/v1 kind: Deployment metadata: - name: networking-istio + name: net-istio-controller namespace: knative-serving labels: - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" networking.knative.dev/ingress-provider: istio spec: selector: matchLabels: - app: networking-istio + app: net-istio-controller template: metadata: annotations: @@ -357,15 +292,17 @@ spec: # this is the Istio controller, and so it may be Istio-aware. sidecar.istio.io/inject: "false" labels: - app: networking-istio - serving.knative.dev/release: "v0.20.0" + app: net-istio-controller + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" spec: serviceAccountName: controller containers: - - name: networking-istio + - name: controller # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:f3791f496a075898d20b51b179c193dcb55d3acd3006815853dd7f07b6e63425 + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:3884f73730ea36379f0e1b45619d357f28877fbbee14d6618eb1c52b39e4855e resources: requests: cpu: 30m @@ -382,6 +319,8 @@ spec: value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability + - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID + value: "false" # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - name: METRICS_DOMAIN value: knative.dev/net-istio @@ -391,7 +330,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 
@@ -419,31 +360,35 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: istio-webhook + name: net-istio-webhook namespace: knative-serving labels: - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" networking.knative.dev/ingress-provider: istio spec: selector: matchLabels: - app: istio-webhook - role: istio-webhook + app: net-istio-webhook + role: net-istio-webhook template: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "false" labels: - app: istio-webhook - role: istio-webhook - serving.knative.dev/release: "v0.20.0" + app: net-istio-webhook + role: net-istio-webhook + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" spec: serviceAccountName: controller containers: - name: webhook # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:d044519f9b1f1e9eff45cf9657d73b6b3d943266eda5684ff5b9cd3c312dfebb + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:e5e6934a665927513dfedece047d890bfb4cb80c62483370fba075d9f4e04118 resources: requests: cpu: 20m @@ -464,9 +409,15 @@ spec: - name: METRICS_DOMAIN value: knative.dev/net-istio - name: WEBHOOK_NAME - value: istio-webhook + value: net-istio-webhook securityContext: + runAsNonRoot: true allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 
@@ -490,14 +441,42 @@ spec: # See the License for the specific language governing permissions and # limitations under the License. +apiVersion: v1 +kind: Secret +metadata: + name: net-istio-webhook-certs + namespace: knative-serving + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" + networking.knative.dev/ingress-provider: istio + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: v1 kind: Service metadata: - name: istio-webhook + name: net-istio-webhook namespace: knative-serving labels: - role: istio-webhook - serving.knative.dev/release: "v0.20.0" + role: net-istio-webhook + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" networking.knative.dev/ingress-provider: istio spec: ports: 
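Review bot: `@@ -490,14 +441,42 @@` adds the `net-istio-webhook-certs` Secret with no `data`, so the serving certificate is presumably generated at runtime by the webhook and stored into this object. If the operator re-applies the manifest with a replace-style update, each reconcile would clear the generated key material, and because the webhook configurations later in this file register with `failurePolicy: Fail`, the webhook would fail closed until it regenerates, surfacing as rejected ConfigMap writes rather than an obvious error. Worth confirming that the operator's apply path preserves existing Secret data (or skips Secrets that already exist); a comment on the Secret such as `# data is populated at runtime by the webhook; must not be overwritten on re-apply` would record that contract.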
@@ -512,6 +491,85 @@ spec: port: 443 targetPort: 8443 selector: - app: istio-webhook + app: net-istio-webhook + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.istio.networking.internal.knative.dev + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: net-istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + objectSelector: + matchExpressions: + - {key: "serving.knative.dev/configuration", operator: Exists} + name: webhook.istio.networking.internal.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.istio.networking.internal.knative.dev + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.8.2" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: net-istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: config.webhook.istio.networking.internal.knative.dev + objectSelector: + matchLabels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: net-istio --- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/kourier.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/kourier/kourier.yaml similarity index 57% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/kourier.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/kourier/kourier.yaml index b4f71db2ee..808516a2fc 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/kourier.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.8/kourier/kourier.yaml 
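Review bot: In `@@ -512,6 +491,85 @@` the `config.webhook.istio.networking.internal.knative.dev` ValidatingWebhookConfiguration switches from a `namespaceSelector` on the release label to an `objectSelector` requiring both `app.kubernetes.io/name: knative-serving` and `app.kubernetes.io/component: net-istio`, so validation now applies only to objects carrying both labels. `config-istio` receives those labels in `@@ -268,9 +147,12 @@`, but any write path that creates or replaces the ConfigMap without them silently bypasses validation, which makes the labels part of the webhook's security contract and something the operator must preserve on every reconcile. I would note that next to the selector: `# validation coverage depends on these labels; the operator must keep them on config-istio`. The same consideration applies to the MutatingWebhookConfiguration's `objectSelector` earlier in the hunk, which keys on the presence of `serving.knative.dev/configuration`.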
@@ -18,7 +18,206 @@ metadata: name: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: kourier-bootstrap + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving +data: + envoy-bootstrap.yaml: | + dynamic_resources: + ads_config: + transport_api_version: V3 + api_type: GRPC + rate_limit_settings: {} + grpc_services: + - envoy_grpc: {cluster_name: xds_cluster} + cds_config: + resource_api_version: V3 + ads: {} + lds_config: + resource_api_version: V3 + ads: {} + node: + cluster: kourier-knative + id: 3scale-kourier-gateway + static_resources: + listeners: + - name: stats_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: stats_server + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": 
type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + route_config: + virtual_hosts: + - name: admin_interface + domains: + - "*" + routes: + - match: + safe_regex: + google_re2: {} + regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' + headers: + - name: ':method' + exact_match: GET + route: + cluster: service_stats + clusters: + - name: service_stats + connect_timeout: 0.250s + type: static + load_assignment: + cluster_name: service_stats + endpoints: + lb_endpoints: + endpoint: + address: + pipe: + path: /tmp/envoy.admin + - name: xds_cluster + # This keepalive is recommended by envoy docs. + # https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + connect_timeout: 1s + load_assignment: + cluster_name: xds_cluster + endpoints: + lb_endpoints: + endpoint: + address: + socket_address: + address: "net-kourier-controller.knative-serving" + port_value: 18000 + type: STRICT_DNS + admin: + access_log_path: "/dev/stdout" + address: + pipe: + path: /tmp/envoy.admin + layered_runtime: + layers: + - name: static-layer + static_layer: + envoy.reloadable_features.override_request_timeout_by_gateway_timeout: false + +--- +# Copyright 2021 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Specifies whether requests reaching the Kourier gateway + # in the context of services should be logged. Readiness + # probes etc. must be configured via the bootstrap config. + enable-service-access-logging: "true" + + # Specifies whether to use proxy-protocol in order to safely + # transport connection information such as a client's address + # across multiple layers of TCP proxies. + # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE + enable-proxy-protocol: "false" + + # The server certificates to serve the internal TLS traffic for Kourier Gateway. + # It is specified by the secret name in controller namespace, which has + # the "tls.crt" and "tls.key" data field. + # Use an empty value to disable the feature (default). + # + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. + cluster-cert-secret: "" + + # Specifies the amount of time that Kourier waits for the incoming requests. + # The default, 0s, imposes no timeout at all. 
+ stream-idle-timeout: "0s" + + # Control the desired level of incoming traffic isolation. + # + # When set to an empty value (default), all incoming traffic flows through + # a shared ingress and listeners. + # + # When set to "port", incoming traffic is isolated by using different + # listener ports. + # + # NOTE: This flag is in an alpha state. + traffic-isolation: "" --- # Copyright 2020 The Knative Authors @@ -38,20 +237,23 @@ metadata: apiVersion: v1 kind: ServiceAccount metadata: - name: 3scale-kourier + name: net-kourier namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: 3scale-kourier - namespace: knative-serving + name: net-kourier labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving rules: - apiGroups: [""] resources: ["events"] @@ -62,6 +264,9 @@ rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] 
@@ -75,17 +280,19 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: 3scale-kourier + name: net-kourier labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: 3scale-kourier + name: net-kourier subjects: - kind: ServiceAccount - name: 3scale-kourier + name: net-kourier namespace: knative-serving --- @@ -106,24 +313,26 @@ subjects: apiVersion: apps/v1 kind: Deployment metadata: - name: 3scale-kourier-control + name: net-kourier-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving spec: replicas: 1 selector: matchLabels: - app: 3scale-kourier-control + app: net-kourier-controller template: metadata: labels: - app: 3scale-kourier-control + app: net-kourier-controller spec: containers: - - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:ca4090e564c601bc32a487f586ad3d748d682d0e62cfce1c0c80ee0858a735e0 - name: kourier-control + - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:e561e3b910d5e52c4c7c5c9e4b863e412f7dcc1ae248470952e2137c4a6cf1cd + name: controller env: - name: CERTS_SECRET_NAMESPACE value: "" 
@@ -137,28 +346,37 @@ spec: value: "knative.dev/samples" - name: KOURIER_GATEWAY_NAMESPACE value: "kourier-system" + - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID + value: "false" ports: - name: http2-xds containerPort: 18000 protocol: TCP + readinessProbe: + exec: + command: ["/ko-app/kourier", "-probe-addr=:18000"] securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault restartPolicy: Always - serviceAccountName: 3scale-kourier + serviceAccountName: net-kourier --- apiVersion: v1 kind: Service metadata: - name: kourier-control + name: net-kourier-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving spec: ports: - name: grpc-xds @@ -166,7 +384,7 @@ spec: protocol: TCP targetPort: 18000 selector: - app: 3scale-kourier-control + app: net-kourier-controller type: ClusterIP --- @@ -191,8 +409,15 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 selector: matchLabels: app: 3scale-kourier-gateway @@ -200,6 +425,10 @@ spec: metadata: labels: app: 3scale-kourier-gateway + annotations: + # v0.26 supports envoy v3 API, so + # adding this label to restart pod. + networking.knative.dev/poke: "v0.26" spec: containers: - args: @@ -208,7 +437,7 @@ spec: - --log-level info command: - /usr/local/bin/envoy - image: docker.io/maistra/proxyv2-ubi8:2.0.0 + image: docker.io/envoyproxy/envoy:v1.21-latest name: kourier-gateway ports: - name: http2-external 
@@ -220,13 +449,23 @@ spec: - name: https-external containerPort: 8443 protocol: TCP + - name: http-probe + containerPort: 8090 + protocol: TCP + - name: https-probe + containerPort: 9443 + protocol: TCP securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: false - runAsNonRoot: false + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - name: config-volume mountPath: /tmp/config @@ -257,7 +496,9 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving spec: ports: - name: http2 
@@ -279,100 +520,21 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.8.2" + app.kubernetes.io/name: knative-serving spec: ports: - name: http2 port: 80 protocol: TCP targetPort: 8081 + - name: https + port: 443 + protocol: TCP + targetPort: 8444 selector: app: 3scale-kourier-gateway type: ClusterIP ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: kourier-bootstrap - namespace: kourier-system - labels: - networking.knative.dev/ingress-provider: kourier - serving.knative.dev/release: "v0.20.0" -data: - envoy-bootstrap.yaml: | - dynamic_resources: - ads_config: - api_type: GRPC - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - cds_config: - ads: {} - lds_config: - ads: {} - node: - cluster: kourier-knative - id: 3scale-kourier-gateway - static_resources: - listeners: - - name: stats_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9000 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: stats_server - http_filters: - - name: envoy.filters.http.router - route_config: - virtual_hosts: - - name: admin_interface - domains: - - "*" - routes: - - match: - safe_regex: - google_re2: {} - regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' 
- headers: - - name: ':method' - exact_match: GET - route: - cluster: service_stats - clusters: - - name: service_stats - connect_timeout: 0.250s - type: static - load_assignment: - cluster_name: service_stats - endpoints: - lb_endpoints: - endpoint: - address: - pipe: - path: /tmp/envoy.admin - - name: xds_cluster - connect_timeout: 1s - type: strict_dns - load_assignment: - cluster_name: xds_cluster - endpoints: - lb_endpoints: - endpoint: - address: - socket_address: - address: "kourier-control.knative-serving" - port_value: 18000 - http2_protocol_options: {} - type: STRICT_DNS - admin: - access_log_path: "/dev/stdout" - address: - pipe: - path: /tmp/envoy.admin --- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-contour.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/contour/net-contour.yaml similarity index 77% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-contour.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/contour/net-contour.yaml index 4ffdbfbf33..8a15f25e3d 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-contour.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/contour/net-contour.yaml @@ -3,9 +3,12 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: knative-contour-core + name: knative-serving-contour labels: networking.knative.dev/ingress-provider: contour + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.2" serving.knative.dev/controller: "true" rules: - apiGroups: ["projectcontour.io"] 
@@ -33,7 +36,9 @@ metadata: namespace: knative-serving labels: networking.knative.dev/ingress-provider: contour - serving.knative.dev/release: "v0.21.0" + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.2" data: _example: | ################################ @@ -46,7 +51,7 @@ data: timeout-policy-idle: "infinity" # timeout-policy-response sets TimeoutPolicy.Response in contour HTTPProxy spec - timeou-policy-response: "infinity" + timeout-policy-response: "infinity" # If auto-TLS is disabled fallback to the following certificate # @@ -84,26 +89,32 @@ data: apiVersion: apps/v1 kind: Deployment metadata: - name: contour-ingress-controller + name: net-contour-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: contour + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.2" spec: replicas: 1 selector: matchLabels: - app: contour-ingress-controller + app: net-contour-controller template: metadata: labels: - app: contour-ingress-controller + app: net-contour-controller + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.2" spec: serviceAccountName: controller containers: - name: controller # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:61d2fcbe586e99d755447550d465897ddd1c54157399fd79e51547ed75108c3a + image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:616f1bece9e576ec89421b86c40b03d27e97c9f960708336e77420f27620cbc4 resources: requests: cpu: 40m 
@@ -133,6 +144,23 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL +--- +#! Used when internal-encryption is set to "true" +apiVersion: projectcontour.io/v1 +kind: TLSCertificateDelegation +metadata: + name: knative-serving-certs + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour + app.kubernetes.io/component: net-contour + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.2" +spec: + delegations: + - secretName: knative-serving-certs + targetNamespaces: + - "*" --- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-istio.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/istio/net-istio.yaml similarity index 75% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-istio.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/istio/net-istio.yaml index 174839d513..e1fe7ad861 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-istio.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/istio/net-istio.yaml @@ -1,4 +1,4 @@ -# Generated when HEAD was 6d3c16ed030af079d882d8ef2f9d0f2925c425df +# Generated when HEAD was 26dd4768b8d06c3b080274ec6d632c28792118c9 # # Copyright 2019 The Knative Authors # @@ -20,12 +20,14 @@ metadata: # These are the permissions needed by the Istio Ingress implementation. name: knative-serving-istio labels: - serving.knative.dev/release: "v0.19.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" serving.knative.dev/controller: "true" networking.knative.dev/ingress-provider: istio rules: - apiGroups: ["networking.istio.io"] - resources: ["virtualservices", "gateways"] + resources: ["virtualservices", "gateways", "destinationrules"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] --- 
@@ -50,7 +52,9 @@ metadata: name: knative-ingress-gateway namespace: knative-serving labels: - serving.knative.dev/release: "v0.19.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" networking.knative.dev/ingress-provider: istio spec: selector: @@ -83,30 +87,13 @@ spec: # do have a service mesh setup, this isn't required. apiVersion: networking.istio.io/v1alpha3 kind: Gateway -metadata: - name: cluster-local-gateway - namespace: knative-serving - labels: - serving.knative.dev/release: "v0.19.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - istio: cluster-local-gateway - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway metadata: name: knative-local-gateway namespace: knative-serving labels: - serving.knative.dev/release: "v0.19.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" networking.knative.dev/ingress-provider: istio spec: selector: @@ -125,8 +112,11 @@ metadata: name: knative-local-gateway namespace: istio-system labels: - serving.knative.dev/release: "v0.19.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" networking.knative.dev/ingress-provider: istio + experimental.istio.io/disable-gateway-port-translation: "true" spec: type: ClusterIP selector: 
@@ -136,136 +126,6 @@ spec: port: 80 targetPort: 8081 ---- -# Allows the Webhooks to be reached by kube-api with or without -# sidecar injection and with mTLS PERMISSIVE and STRICT. -apiVersion: "security.istio.io/v1beta1" -kind: "PeerAuthentication" -metadata: - name: "webhook" - namespace: "knative-serving" - labels: - serving.knative.dev/release: "v0.19.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: webhook - mtls: - mode: PERMISSIVE ---- -apiVersion: "security.istio.io/v1beta1" -kind: "PeerAuthentication" -metadata: - name: "istio-webhook" - namespace: "knative-serving" - labels: - serving.knative.dev/release: "v0.19.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: istio-webhook - mtls: - mode: PERMISSIVE - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.istio.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.19.0" - networking.knative.dev/ingress-provider: istio -webhooks: - - admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: istio-webhook - namespace: knative-serving - failurePolicy: Fail - sideEffects: None - objectSelector: - matchExpressions: - - {key: "serving.knative.dev/configuration", operator: Exists} - name: webhook.istio.networking.internal.knative.dev - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: config.webhook.istio.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.19.0" - networking.knative.dev/ingress-provider: istio -webhooks: - - admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: istio-webhook - namespace: knative-serving - failurePolicy: Fail - sideEffects: None - name: config.webhook.istio.networking.internal.knative.dev - namespaceSelector: - matchExpressions: - - key: serving.knative.dev/release - operator: Exists - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: istio-webhook-certs - namespace: knative-serving - labels: - serving.knative.dev/release: "v0.19.0" - networking.knative.dev/ingress-provider: istio - --- # Copyright 2018 The Knative Authors # @@ -287,9 +147,12 @@ metadata: name: config-istio namespace: knative-serving labels: - serving.knative.dev/release: "v0.19.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" networking.knative.dev/ingress-provider: istio data: + # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. _example: | ################################ # # 
@@ -306,12 +169,10 @@ data: # this example block and unindented to be in the data block # to actually change the configuration. - # Default Knative Gateway after v0.3. It points to the Istio - # standard istio-ingressgateway, instead of a custom one that we - # used pre-0.3. The configuration format should be `gateway. - # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. - # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} - # is optional; when it is omitted, the system will search for + # A gateway and Istio service to serve external traffic. + # The configuration format should be + # `gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"`. + # The {{gateway_namespace}} is optional; when it is omitted, the system will search for # the gateway in the serving system namespace `knative-serving` gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" 
@@ -329,12 +190,69 @@ data: # {{local_gateway_namespace}} is optional; when it is omitted, the system # will search for the local gateway in the serving system namespace # `knative-serving` - local-gateway.knative-serving.cluster-local-gateway: "cluster-local-gateway.istio-system.svc.cluster.local" + local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local" - # To use only Istio service mesh and no cluster-local-gateway, replace - # all local-gateway.* entries by the following entry. - local-gateway.mesh: "mesh" - # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. + # If true, knative will use the Istio VirtualService's status to determine + # endpoint readiness. Otherwise, probe as usual. + # NOTE: This feature is currently experimental and should not be used in production. + enable-virtualservice-status: "false" + +--- +# Allows the Webhooks to be reached by kube-api with or without +# sidecar injection and with mTLS PERMISSIVE and STRICT. 
+apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: webhook + portLevelMtls: + "8443": + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "domainmapping-webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: domainmapping-webhook + portLevelMtls: + "8443": + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "net-istio-webhook" + namespace: "knative-serving" + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: net-istio-webhook + portLevelMtls: + "8443": + mode: PERMISSIVE --- # Copyright 2019 The Knative Authors @@ -354,15 +272,17 @@ data: apiVersion: apps/v1 kind: Deployment metadata: - name: networking-istio + name: net-istio-controller namespace: knative-serving labels: - serving.knative.dev/release: "v0.19.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" networking.knative.dev/ingress-provider: istio spec: selector: matchLabels: - app: networking-istio + app: net-istio-controller template: metadata: annotations: 
@@ -372,15 +292,17 @@ spec: # this is the Istio controller, and so it may be Istio-aware. sidecar.istio.io/inject: "false" labels: - app: networking-istio - serving.knative.dev/release: "v0.19.0" + app: net-istio-controller + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" spec: serviceAccountName: controller containers: - - name: networking-istio + - name: controller # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:824a65ea309850962629c778aafa4dc2f9c8a807c817089236d468a773153d73 + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:1789605811db61ac05052cf4be81c57030420ea7dfaf2a69c11e328dd080e2b5 resources: requests: cpu: 30m @@ -397,6 +319,8 @@ spec: value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability + - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID + value: "false" # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - name: METRICS_DOMAIN value: knative.dev/net-istio @@ -406,7 +330,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 
@@ -434,31 +360,35 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: istio-webhook + name: net-istio-webhook namespace: knative-serving labels: - serving.knative.dev/release: "v0.19.0" + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" networking.knative.dev/ingress-provider: istio spec: selector: matchLabels: - app: istio-webhook - role: istio-webhook + app: net-istio-webhook + role: net-istio-webhook template: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "false" labels: - app: istio-webhook - role: istio-webhook - serving.knative.dev/release: "v0.19.0" + app: net-istio-webhook + role: net-istio-webhook + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" spec: serviceAccountName: controller containers: - name: webhook # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:c8bf9cf76139083d6623c40215426c8998acd46eb156cc7ff998c8c2b9e4051c + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:44f41f0a80fc800e7b39cf987cea73cd7cae610766b1cf7a8a6069bb24092ec3 resources: requests: cpu: 20m @@ -479,9 +409,19 @@ spec: - name: METRICS_DOMAIN value: knative.dev/net-istio - name: WEBHOOK_NAME - value: istio-webhook + value: net-istio-webhook + # If you change WEBHOOK_PORT, you will also need to change the + # containerPort "https-webhook" to the same value. + - name: WEBHOOK_PORT + value: "8443" securityContext: + runAsNonRoot: true allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 
@@ -505,28 +445,135 @@ spec: # See the License for the specific language governing permissions and # limitations under the License. +apiVersion: v1 +kind: Secret +metadata: + name: net-istio-webhook-certs + namespace: knative-serving + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" + networking.knative.dev/ingress-provider: istio + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: v1 kind: Service metadata: - name: istio-webhook + name: net-istio-webhook namespace: knative-serving labels: - role: istio-webhook - serving.knative.dev/release: "v0.19.0" + role: net-istio-webhook + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" networking.knative.dev/ingress-provider: istio spec: ports: # Define metrics and profiling for them to be accessible within service meshes. - name: http-metrics port: 9090 - targetPort: 9090 + targetPort: metrics - name: http-profiling port: 8008 - targetPort: 8008 + targetPort: profiling - name: https-webhook port: 443 - targetPort: 8443 + targetPort: https-webhook selector: - app: istio-webhook + app: net-istio-webhook + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.istio.networking.internal.knative.dev + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: net-istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + objectSelector: + matchExpressions: + - {key: "serving.knative.dev/configuration", operator: Exists} + name: webhook.istio.networking.internal.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.istio.networking.internal.knative.dev + labels: + app.kubernetes.io/component: net-istio + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.9.1" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: net-istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: config.webhook.istio.networking.internal.knative.dev + objectSelector: + matchLabels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: net-istio --- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/kourier.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/kourier/kourier.yaml similarity index 50% rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/kourier.yaml rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/kourier/kourier.yaml index 36e1061201..5bce4aa194 100644 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/kourier.yaml +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/1.9/kourier/kourier.yaml 
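Review bot: Both webhook configurations ship with `failurePolicy: Fail` but no `rules` and no `clientConfig.caBundle`; presumably the webhook process patches those in at runtime, but the manifest does not say so, and `timeoutSeconds` is left at the API-server default. Since a `Fail` policy on a webhook whose endpoint is down blocks every request that matches the patched rules, a comment next to `failurePolicy: Fail` such as `# rules and caBundle are populated by net-istio-webhook at startup; Fail blocks matching writes while the webhook is unavailable` would save an operator a debugging session, and an explicit `timeoutSeconds: 10` makes the latency budget visible. The empty `net-istio-webhook-certs` Secret earlier in the hunk fits that runtime-populated model but is likewise undocumented.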
@@ -18,6 +18,220 @@ metadata: name: kourier-system labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: kourier-bootstrap + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving +data: + envoy-bootstrap.yaml: | + dynamic_resources: + ads_config: + transport_api_version: V3 + api_type: GRPC + rate_limit_settings: {} + grpc_services: + - envoy_grpc: {cluster_name: xds_cluster} + cds_config: + resource_api_version: V3 + ads: {} + lds_config: + resource_api_version: V3 + ads: {} + node: + cluster: kourier-knative + id: 3scale-kourier-gateway + static_resources: + listeners: + - name: stats_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: stats_server + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + 
route_config: + virtual_hosts: + - name: admin_interface + domains: + - "*" + routes: + - match: + safe_regex: + google_re2: {} + regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' + headers: + - name: ':method' + exact_match: GET + route: + cluster: service_stats + clusters: + - name: service_stats + connect_timeout: 0.250s + type: static + load_assignment: + cluster_name: service_stats + endpoints: + lb_endpoints: + endpoint: + address: + pipe: + path: /tmp/envoy.admin + - name: xds_cluster + # This keepalive is recommended by envoy docs. + # https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + connect_timeout: 1s + load_assignment: + cluster_name: xds_cluster + endpoints: + lb_endpoints: + endpoint: + address: + socket_address: + address: "net-kourier-controller.knative-serving" + port_value: 18000 + type: STRICT_DNS + admin: + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog + address: + pipe: + path: /tmp/envoy.admin + layered_runtime: + layers: + - name: static-layer + static_layer: + envoy.reloadable_features.override_request_timeout_by_gateway_timeout: false + +--- +# Copyright 2021 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Specifies whether requests reaching the Kourier gateway + # in the context of services should be logged. Readiness + # probes etc. must be configured via the bootstrap config. + enable-service-access-logging: "true" + + # Specifies whether to use proxy-protocol in order to safely + # transport connection information such as a client's address + # across multiple layers of TCP proxies. + # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE + enable-proxy-protocol: "false" + + # The server certificates to serve the internal TLS traffic for Kourier Gateway. + # It is specified by the secret name in controller namespace, which has + # the "tls.crt" and "tls.key" data field. + # Use an empty value to disable the feature (default). 
+ # + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. + cluster-cert-secret: "" + + # Specifies the amount of time that Kourier waits for the incoming requests. + # The default, 0s, imposes no timeout at all. + stream-idle-timeout: "0s" + + # Control the desired level of incoming traffic isolation. + # + # When set to an empty value (default), all incoming traffic flows through + # a shared ingress and listeners. + # + # When set to "port", incoming traffic is isolated by using different + # listener ports. + # + # NOTE: This flag is in an alpha state. + traffic-isolation: "" + + + # Specifies whether to use CryptoMB private key provider in order to + # acclerate the TLS handshake. + # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE. + enable-cryptomb: "false" + + + # Configures the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + trusted-hops-count: "0" --- # Copyright 2020 The Knative Authors @@ -37,18 +251,23 @@ metadata: apiVersion: v1 kind: ServiceAccount metadata: - name: 3scale-kourier + name: net-kourier namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: 3scale-kourier - namespace: knative-serving + name: net-kourier labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving rules: - apiGroups: [""] resources: ["events"] 
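Review bot: The `stats_listener` binds `0.0.0.0:9000` with no authentication and forwards GET requests for `/certs`, `/stats`, `/server_info`, `/clusters`, `/listeners` and `/ready` to Envoy's admin socket; `/certs`, `/clusters` and `/listeners` reveal certificate metadata, upstream endpoints and listener layout to anything that can reach the gateway pod on the cluster network. The Prometheus annotation added later in this diff only needs `/stats/prometheus`, so consider trimming the regex to `'/(stats/prometheus|ready)'` unless the other endpoints are relied on, and note in a comment that port 9000 should be covered by a NetworkPolicy. Separately, `xds_cluster` has no `transport_socket`, so the xDS stream to `net-kourier-controller.knative-serving:18000` is plaintext gRPC; that is presumably the upstream default, but a comment stating it — and that any TLS material delivered over xDS would cross the pod network unencrypted unless a mesh wraps it — would help reviewers.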
@@ -59,6 +278,9 @@ rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] @@ -72,16 +294,19 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: 3scale-kourier + name: net-kourier labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: 3scale-kourier + name: net-kourier subjects: - kind: ServiceAccount - name: 3scale-kourier + name: net-kourier namespace: knative-serving --- @@ -102,23 +327,35 @@ subjects: apiVersion: apps/v1 kind: Deployment metadata: - name: 3scale-kourier-control + name: net-kourier-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 100% replicas: 1 selector: matchLabels: - app: 3scale-kourier-control + app: net-kourier-controller template: metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9090" + prometheus.io/path: "/metrics" labels: - app: 3scale-kourier-control + app: net-kourier-controller spec: containers: - - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:072e2bb12eae88d5fde8b2fa77d20542ce0f4708d9e09a59c3b65c499462a8fc - name: kourier-control + - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:0a259191d22d8414cd2986eea528b992fcd576fe775c330b9bdb2ef480cbb8df + name: controller env: - name: CERTS_SECRET_NAMESPACE value: "" 
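Review bot: The new cluster-wide read on `namespaces` (`get`, `list`, `watch`) is added to the ClusterRole without a comment saying which controller feature needs it. A one-line note such as `# namespace reads: required by <feature> — confirm` keeps the rule reviewable the next time someone audits this role for least privilege, since the reason is not recoverable from the manifest. The `rules` list begins above this hunk.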
@@ -132,27 +369,44 @@ spec: value: "knative.dev/samples" - name: KOURIER_GATEWAY_NAMESPACE value: "kourier-system" + - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID + value: "false" ports: - name: http2-xds containerPort: 18000 protocol: TCP + readinessProbe: + exec: + command: ["/ko-app/kourier", "-probe-addr=:18000"] securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + cpu: 500m + memory: 500Mi restartPolicy: Always - serviceAccountName: 3scale-kourier + serviceAccountName: net-kourier --- apiVersion: v1 kind: Service metadata: - name: kourier-control + name: net-kourier-controller namespace: knative-serving labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving spec: ports: - name: grpc-xds @@ -160,7 +414,7 @@ spec: protocol: TCP targetPort: 18000 selector: - app: 3scale-kourier-control + app: net-kourier-controller type: ClusterIP --- @@ -185,7 +439,15 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 100% selector: matchLabels: app: 3scale-kourier-gateway @@ -193,6 +455,13 @@ spec: metadata: labels: app: 3scale-kourier-gateway + annotations: + # v0.26 supports envoy v3 API, so + # adding this label to restart pod. + networking.knative.dev/poke: "v0.26" + prometheus.io/scrape: "true" + prometheus.io/port: "9000" + prometheus.io/path: "/stats/prometheus" spec: containers: - args: 
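Review bot: The controller's pod template advertises `prometheus.io/port: "9090"` in the previous hunk, but the container's `ports:` list here declares only `http2-xds` on 18000, so the metrics endpoint is undeclared. Adding `- name: metrics` / `containerPort: 9090` / `protocol: TCP` beside the xDS port makes the scrape target visible to NetworkPolicy tooling and to anyone reading the manifest. The new readiness probe `-probe-addr=:18000` checks the xDS port; whether a liveness probe is intentionally absent is not stated and deserves a comment. The `env` list starts above this hunk.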
@@ -201,7 +470,7 @@ spec: - --log-level info command: - /usr/local/bin/envoy - image: docker.io/maistra/proxyv2-ubi8:2.0.0 + image: docker.io/envoyproxy/envoy:v1.22-latest name: kourier-gateway ports: - name: http2-external @@ -213,13 +482,23 @@ spec: - name: https-external containerPort: 8443 protocol: TCP + - name: http-probe + containerPort: 8090 + protocol: TCP + - name: https-probe + containerPort: 9443 + protocol: TCP securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: false - runAsNonRoot: false + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - name: config-volume mountPath: /tmp/config @@ -237,6 +516,13 @@ spec: scheme: HTTP initialDelaySeconds: 10 periodSeconds: 5 + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + cpu: 500m + memory: 500Mi volumes: - name: config-volume configMap: @@ -250,6 +536,9 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving spec: ports: - name: http2 
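Review bot: The gateway image becomes `docker.io/envoyproxy/envoy:v1.22-latest`, a floating tag, while every Knative controller image in this diff is pinned by `@sha256:` digest; a mutable tag means the proxy that terminates ingress TLS can change underneath a release and cannot be reproduced or attested. Pin it to a digest (`image: docker.io/envoyproxy/envoy:v1.22.<patch>@sha256:…`) or at least a full patch tag, and record the tag-to-digest mapping in a comment. In the same hunk the container keeps `readOnlyRootFilesystem: false` even though it is now non-root with `drop: ALL`; the only write target visible in this diff is the admin socket at `/tmp/envoy.admin`, which an `emptyDir` mounted at `/tmp` would serve, allowing `readOnlyRootFilesystem: true`. The `args` list starts above this hunk.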
@@ -271,92 +560,21 @@ metadata: namespace: kourier-system labels: networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.9.1" + app.kubernetes.io/name: knative-serving spec: ports: - name: http2 port: 80 protocol: TCP targetPort: 8081 + - name: https + port: 443 + protocol: TCP + targetPort: 8444 selector: app: 3scale-kourier-gateway type: ClusterIP ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: kourier-bootstrap - namespace: kourier-system - labels: - networking.knative.dev/ingress-provider: kourier -data: - envoy-bootstrap.yaml: | - dynamic_resources: - ads_config: - api_type: GRPC - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - cds_config: - ads: {} - lds_config: - ads: {} - node: - cluster: kourier-knative - id: 3scale-kourier-gateway - static_resources: - listeners: - - name: stats_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9000 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - stat_prefix: stats_server - route_config: - virtual_hosts: - - name: admin_interface - domains: - - "*" - routes: - - match: - safe_regex: - google_re2: {} - regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' - headers: - - name: ':method' - exact_match: GET - route: - cluster: service_stats - http_filters: - - name: envoy.router - config: {} - clusters: - - name: service_stats - connect_timeout: 0.250s - type: static - load_assignment: - cluster_name: service_stats - endpoints: - lb_endpoints: - endpoint: - address: - pipe: - path: /tmp/envoy.admin - - name: xds_cluster - connect_timeout: 1s - hosts: - - socket_address: - address: "kourier-control.knative-serving" - port_value: 18000 - http2_protocol_options: {} - type: STRICT_DNS - admin: - access_log_path: "/dev/stdout" - address: - pipe: - path: /tmp/envoy.admin --- 
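Review bot: The internal Service gains `https` 443 → `targetPort: 8444`, but no `containerPort: 8444` appears in the gateway Deployment's port list in this diff (8443, 8090 and 9443 do), so the listener presumably arrives via xDS; confirm the gateway actually serves TLS on 8444 and add a short comment naming that listener next to the port. The rest of the hunk relocates the bootstrap ConfigMap and needs no change.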
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/0.22.0/serving-core.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/1.8.0/serving-core.yaml
similarity index 100%
rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/0.22.0/serving-core.yaml
rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/1.8.0/serving-core.yaml
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/latest/serving-core.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/1.9.0/serving-core.yaml
similarity index 100%
rename from pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/latest/serving-core.yaml
rename to pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/1.9.0/serving-core.yaml
diff --git a/pkg/reconciler/knativeserving/knativeserving.go b/pkg/reconciler/knativeserving/knativeserving.go
index fbc9289232..1b027224e4 100644
--- a/pkg/reconciler/knativeserving/knativeserving.go
+++ b/pkg/reconciler/knativeserving/knativeserving.go
@@ -116,10 +116,9 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, ks *v1beta1.KnativeServi
 }
 stages := common.Stages{
 common.AppendTarget,
- ingress.AppendTargetIngresses,
+ ingress.AppendTargetIngress,
 security.AppendTargetSecurity,
 common.AppendAdditionalManifests,
- r.filterDisabledIngresses,
 r.appendExtensionManifests,
 r.transform,
 common.Install,
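Review bot: Dropping `r.filterDisabledIngresses` from the stage list makes correctness depend on `ingress.AppendTargetIngress` appending only the ingress provider selected for this KnativeServing, which the hunk does not state; if it appended more than one provider's manifest, the disabled providers would now be installed rather than filtered out. A comment on the stage, e.g. `ingress.AppendTargetIngress, // appends only the enabled ingress; replaces the former filter stage`, records that invariant where the next reader will look. `ReconcileKind` begins and ends outside this hunk.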
@@ -130,13 +129,6 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, ks *v1beta1.KnativeServi
 return stages.Execute(ctx, &manifest, ks)
 }
 
-// filterDisabledIngresses removes the disabled ingresses from the manifests
-func (r *Reconciler) filterDisabledIngresses(ctx context.Context, manifest *mf.Manifest, instance base.KComponent) error {
- ks := instance.(*v1beta1.KnativeServing)
- *manifest = manifest.Filter(ingress.Filters(ks))
- return nil
-}
-
 // transform mutates the passed manifest to one with common, component
 // and platform transformations applied
 func (r *Reconciler) transform(ctx context.Context, manifest *mf.Manifest, comp base.KComponent) error {
@@ -156,7 +148,7 @@ func (r *Reconciler) transform(ctx context.Context, manifest *mf.Manifest, comp
 func (r *Reconciler) installed(ctx context.Context, instance base.KComponent) (*mf.Manifest, error) {
 // Create new, empty manifest with valid client and logger
 installed := r.manifest.Append()
- stages := common.Stages{common.AppendInstalled, ingress.AppendInstalledIngresses, r.filterDisabledIngresses, r.transform}
+ stages := common.Stages{common.AppendInstalled, ingress.AppendInstalledIngresses, r.transform}
 err := stages.Execute(ctx, &installed, instance)
 return &installed, err
 }
diff --git a/pkg/reconciler/knativeserving/security/security.go b/pkg/reconciler/knativeserving/security/security.go
index 1f7b00d32a..e315383b7f 100644
--- a/pkg/reconciler/knativeserving/security/security.go
+++ b/pkg/reconciler/knativeserving/security/security.go
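Review bot: `installed` now runs `ingress.AppendInstalledIngresses` (plural) with the filter stage removed, while the target path in the first hunk uses the singular `AppendTargetIngress`; if `AppendInstalledIngresses` still appends every provider's manifest, the installed set includes ingress resources that were never enabled, which is harmless for computing obsolete resources but is no longer the set the old `filterDisabledIngresses` produced. A comment on the stage line stating that the installed manifest deliberately spans all providers — or switching to the singular helper if that is the intent — removes the ambiguity. The deletion of `filterDisabledIngresses` itself is fine; its only visible caller was removed in the first hunk.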
@@ -28,12 +28,13 @@ import ( "knative.dev/operator/pkg/apis/operator/base" "knative.dev/operator/pkg/apis/operator/v1beta1" "knative.dev/operator/pkg/reconciler/common" + servingcommon "knative.dev/operator/pkg/reconciler/knativeserving/common" ) // AppendTargetSecurity appends the manifests of the security guard to be installed func AppendTargetSecurity(ctx context.Context, manifest *mf.Manifest, instance base.KComponent) error { version := common.TargetVersion(instance) - m, err := getSecurity(version, convertToKS(instance)) + m, err := getSecurity(version, servingcommon.ConvertToKS(instance)) if err == nil { *manifest = manifest.Append(m) @@ -61,15 +62,6 @@ func Transformers(ctx context.Context, ks *v1beta1.KnativeServing) []mf.Transfor return transformers } -func convertToKS(instance base.KComponent) *v1beta1.KnativeServing { - ks := &v1beta1.KnativeServing{} - switch instance := instance.(type) { - case *v1beta1.KnativeServing: - ks = instance - } - return ks -} - func getSecurity(version string, ks *v1beta1.KnativeServing) (mf.Manifest, error) { if ks.Spec.Security == nil || !ks.Spec.Security.SecurityGuard.Enabled { // If no security option is defined, return an empty string. diff --git a/test/upgrade/postdowngrade.go b/test/upgrade/postdowngrade.go index 542d52bd04..ab523d39e6 100644 --- a/test/upgrade/postdowngrade.go +++ b/test/upgrade/postdowngrade.go @@ -24,7 +24,6 @@ import ( "knative.dev/operator/pkg/apis/operator/v1beta1" "knative.dev/operator/pkg/reconciler/common" util "knative.dev/operator/pkg/reconciler/common/testing" - "knative.dev/operator/pkg/reconciler/knativeserving/ingress" "knative.dev/operator/test" "knative.dev/operator/test/client" "knative.dev/operator/test/resources" 
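Review bot: The deleted local `convertToKS` returned an empty `&v1beta1.KnativeServing{}` when the instance was not a `*KnativeServing`, and `getSecurity` dereferences `ks.Spec.Security` with no nil check; whether the shared `servingcommon.ConvertToKS` keeps that empty-struct fallback or returns nil is not visible here. If it can return nil, `AppendTargetSecurity` would panic on a non-Serving component, so either confirm the fallback in a comment or harden the check to `if ks == nil || ks.Spec.Security == nil || !ks.Spec.Security.SecurityGuard.Enabled {`. `getSecurity` continues past the hunk.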
@@ -134,7 +133,7 @@ func servingCRPostDowngrade(t *testing.T) { if err != nil { t.Fatalf("Failed to get KnativeServing manifest: %v", err) } - expectedDeployments := resources.GetExpectedDeployments(preManifest.Filter(ingress.Filters(instance))) + expectedDeployments := resources.GetExpectedDeployments(preManifest) util.AssertEqual(t, len(expectedDeployments) > 0, true) resources.AssertKnativeDeploymentStatus(t, clients, names.Namespace, common.TargetVersion(instance), "", expectedDeployments) diff --git a/test/upgrade/postupgrade.go b/test/upgrade/postupgrade.go index 3c105c4db5..90518ea403 100644 --- a/test/upgrade/postupgrade.go +++ b/test/upgrade/postupgrade.go @@ -26,7 +26,6 @@ import ( "knative.dev/operator/pkg/apis/operator/v1beta1" "knative.dev/operator/pkg/reconciler/common" util "knative.dev/operator/pkg/reconciler/common/testing" - "knative.dev/operator/pkg/reconciler/knativeserving/ingress" "knative.dev/operator/test" "knative.dev/operator/test/client" "knative.dev/operator/test/resources" @@ -101,7 +100,7 @@ func servingCRPostUpgrade(t *testing.T) { if err != nil { t.Fatalf("Failed to get the manifest for Knative: %v", err) } - expectedDeployments := resources.GetExpectedDeployments(targetManifest.Filter(ingress.Filters(ks))) + expectedDeployments := resources.GetExpectedDeployments(targetManifest) util.AssertEqual(t, len(expectedDeployments) > 0, true) resources.AssertKnativeDeploymentStatus(t, clients, names.Namespace, common.TargetVersion(ks), test.OperatorFlags.PreviousServingVersion, expectedDeployments)
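Review bot: `GetExpectedDeployments(preManifest)` now expects every Deployment in the unfiltered manifest, so the post-downgrade status assertion only holds if the fetched manifest already contains just the selected ingress provider; if it still carried all three providers, the test would wait on Deployments that are never installed. A short comment above the call noting that the manifest is pre-filtered by ingress selection documents that assumption (the fetch helper is outside this hunk, so I cannot confirm it); the same applies to `servingCRPostUpgrade` in the second hunk.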