Add accessPolicy field to Server CRD #12845

Merged
merged 3 commits into from
Jul 22, 2024
99 changes: 98 additions & 1 deletion charts/linkerd-crds/templates/policy/server.yaml
Expand Up @@ -74,7 +74,7 @@ spec:
served: true
storage: false
deprecated: true
deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta2 Server"
deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta3 Server"
schema:
openAPIV3Schema:
type: object
Expand Down Expand Up @@ -133,6 +133,94 @@ spec:
description: The protocol of the server
jsonPath: .spec.proxyProtocol
- name: v1beta2
served: true
storage: false
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
type: object
required:
- port
oneOf:
- required: [podSelector]
- required: [externalWorkloadSelector]
properties:
podSelector:
type: object
description: >-
Selects pods in the same namespace.

The result of matchLabels and matchExpressions are ANDed.
Selects all if empty.
properties:
matchLabels:
type: object
x-kubernetes-preserve-unknown-fields: true
matchExpressions:
type: array
items:
type: object
required: [key, operator]
properties:
key:
type: string
operator:
type: string
enum: [In, NotIn, Exists, DoesNotExist]
values:
type: array
items:
type: string
externalWorkloadSelector:
type: object
description: >-
Selects ExternalWorkloads in the same namespace.

The result of matchLabels and matchExpressions are ANDed.
Selects all if empty.
properties:
matchLabels:
type: object
x-kubernetes-preserve-unknown-fields: true
matchExpressions:
type: array
items:
type: object
required: [key, operator]
properties:
key:
type: string
operator:
type: string
enum: [In, NotIn, Exists, DoesNotExist]
values:
type: array
items:
type: string
port:
description: >-
A port name or number. Must exist in a pod spec.
x-kubernetes-int-or-string: true
proxyProtocol:
description: >-
Configures protocol discovery for inbound connections.

Supersedes the `config.linkerd.io/opaque-ports` annotation.
type: string
default: unknown
additionalPrinterColumns:
- name: Port
type: string
description: The port the server is listening on
jsonPath: .spec.port
- name: Protocol
type: string
description: The protocol of the server
jsonPath: .spec.proxyProtocol
- name: v1beta3
served: true
storage: true
schema:
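Review bot: the v1beta2 entry remains `served: true` with no `deprecated` flag, and its schema has no `accessPolicy` property, so clients that keep using v1beta2 cannot set or inspect the fallback policy that v1beta3 defaults to `deny`. Consider marking v1beta2 as deprecated with a `deprecationWarning` pointing at v1beta3, as is already done for v1alpha1, or state in the upgrade notes that the field is only reachable through v1beta3.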
Expand All @@ -148,6 +236,11 @@ spec:
- required: [podSelector]
- required: [externalWorkloadSelector]
properties:
accessPolicy:
Member

Since we are adding a new field to the resource, should we also bump the resource version?

Member Author

I was relying on this being BC to not bump the version, but good call, if someone wants to use this field the only way to guarantee it's supported is through the version.

type: string
default: deny
description: >-
Default access policy to apply when the traffic doesn't match any of the policy rules.
podSelector:
type: object
description: >-
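Review bot: `accessPolicy` is declared as `type: string` with `default: deny` and no `enum`, so the API server will accept any string here, including a misspelled policy name. Because this field decides what happens to traffic that matches no policy rule, add an `enum` listing the values the policy controller understands and name them in the description, so that an invalid value is rejected at admission instead of being left to the controller to interpret.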
Expand Down Expand Up @@ -220,3 +313,7 @@ spec:
type: string
description: The protocol of the server
jsonPath: .spec.proxyProtocol
- name: Access Policy
type: string
description: The default access policy applied when the traffic doesn't match any of the policy rules
jsonPath: .spec.accessPolicy
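Review bot: the new printer column is named `Access Policy` with a space, unlike the single-word `Port` and `Protocol` columns declared for the other versions, so the header becomes two whitespace-separated tokens for anything that parses `kubectl get` output by column. A single-word name would keep the columns consistent. The column description also words the field slightly differently from the schema description ("applied when" versus "to apply when"); using the same sentence in both places avoids drift.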
99 changes: 98 additions & 1 deletion cli/cmd/testdata/install_crds.golden

99 changes: 98 additions & 1 deletion cli/cmd/testdata/install_helm_crds_output.golden
