Test openshift nightly

.env.example

@@ -106,10 +106,6 @@ export BOOKWAREHOUSE_NAMESPACE=bookwarehouse
 # Default: false
 # export DEPLOY_PROMETHEUS=true
 
-# optional: ENABLE_PROMETHEUS_SCRAPING (true/false)
-# Default: true
-# export ENABLE_PROMETHEUS_SCRAPING=true
-
 # optional: Maximum of iterations to test for expected return codes. 0 means unlimited.
 # export CI_MAX_ITERATIONS_THRESHOLD=0
 

.github/workflows/openshift-nightly.yml

@@ -0,0 +1,35 @@
+name: OpenShift Nightly Job
+on: 
+  schedule:
+    - cron: "0 0 * * *"
+  pull_request:
+    branches:
+      - main
+      - release-*
+
+jobs:
+  test:
+    name: OpenShift Nightly Job
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout v2
+        uses: actions/checkout@v2
+      - name: Authenticate and set context
+        uses: redhat-actions/oc-login@v1
+        with:
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
+          insecure_skip_tls_verify: true
+      - name: Test oc
+        run: oc version --client
+      - name: Setup Go 1.16
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.16
+      - name: Run e2es
+        run: |
+          make build-osm
+          go test ./tests/e2e -test.v -ginkgo.v -ginkgo.progress -ginkgo.skip="\bHTTP ingress\b" -ginkgo.skip="\bUpgrade\b" -test.timeout 180m -deployOnOpenShift=true
+        env: 
+          CTR_REGISTRY: openservicemesh
+          CTR_TAG: ed16e2b4a3b6c3ccb36e6e764804a8d18e242fb6

charts/osm/Chart.yaml

@@ -14,11 +14,11 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.9.0-rc.2
+version: 0.9.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v0.9.0-rc.2
+appVersion: v0.9.1
 
 # This specifies a particular range of k8s versions that the application is compatible with.
 kubeVersion: ">= 1.18.0"

charts/osm/README.md

@@ -75,7 +75,6 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.enableFluentbit | bool | `false` | Enable Fluent Bit sidecar deployment on OSM controller's pod |
 | OpenServiceMesh.enablePermissiveTrafficPolicy | bool | `false` | Enable permissive traffic policy mode |
 | OpenServiceMesh.enablePrivilegedInitContainer | bool | `false` | Run init container in privileged mode |
-| OpenServiceMesh.enablePrometheusScraping | bool | `true` | Enable Prometheus metrics scraping on sidecar proxies |
 | OpenServiceMesh.enforceSingleMesh | bool | `false` | Enforce only deploying one mesh in the cluster |
 | OpenServiceMesh.envoyLogLevel | string | `"error"` | Log level for the Envoy proxy sidecar |
 | OpenServiceMesh.featureFlags.enableEgressPolicy | bool | `true` | Enable OSM's Egress policy API. If specified, fine grained control over Egress (external) traffic is enforced |
@@ -95,13 +94,26 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.grafana.port | int | `3000` | Grafana service's port |
 | OpenServiceMesh.image.pullPolicy | string | `"IfNotPresent"` | Container image pull policy |
 | OpenServiceMesh.image.registry | string | `"openservicemesh"` | Container image registry |
-| OpenServiceMesh.image.tag | string | `"v0.9.0-rc.2"` | Container image tag |
+| OpenServiceMesh.image.tag | string | `"v0.9.1"` | Container image tag |
 | OpenServiceMesh.imagePullSecrets | list | `[]` | `osm-controller` image pull secret |
-| OpenServiceMesh.injector.podLabels | object | `{}` |  |
+| OpenServiceMesh.inboundPortExclusionList | list | `[]` | Specifies a global list of ports to exclude from inbound traffic interception by the sidecar proxy. If specified, must be a list of positive integers. |
+| OpenServiceMesh.injector.autoScale | object | `{"enable":false,"maxReplicas":5,"minReplicas":1,"targetAverageUtilization":80}` | Auto scale configuration |
+| OpenServiceMesh.injector.autoScale.enable | bool | `false` | Enable Autoscale |
+| OpenServiceMesh.injector.autoScale.maxReplicas | int | `5` | Maximum replicas for autoscale |
+| OpenServiceMesh.injector.autoScale.minReplicas | int | `1` | Minimum replicas for autoscale |
+| OpenServiceMesh.injector.autoScale.targetAverageUtilization | int | `80` | Average target CPU utilization (%) |
+| OpenServiceMesh.injector.enablePodDisruptionBudget | bool | `false` | Enable Pod Disruption Budget |
+| OpenServiceMesh.injector.podLabels | object | `{}` | Sidecar injector's pod labels |
 | OpenServiceMesh.injector.replicaCount | int | `1` | Sidecar injector's replica count |
 | OpenServiceMesh.injector.resource | object | `{"limits":{"cpu":"0.5","memory":"64M"},"requests":{"cpu":"0.3","memory":"64M"}}` | Sidecar injector's container resource parameters |
 | OpenServiceMesh.maxDataPlaneConnections | int | `0` | Sets the max data plane connections allowed for an instance of osm-controller, set to 0 to not enforce limits |
 | OpenServiceMesh.meshName | string | `"osm"` | Identifier for the instance of a service mesh within a cluster |
+| OpenServiceMesh.osmController.autoScale | object | `{"enable":false,"maxReplicas":5,"minReplicas":1,"targetAverageUtilization":80}` | Auto scale configuration |
+| OpenServiceMesh.osmController.autoScale.enable | bool | `false` | Enable Autoscale |
+| OpenServiceMesh.osmController.autoScale.maxReplicas | int | `5` | Maximum replicas for autoscale |
+| OpenServiceMesh.osmController.autoScale.minReplicas | int | `1` | Minimum replicas for autoscale |
+| OpenServiceMesh.osmController.autoScale.targetAverageUtilization | int | `80` | Average target CPU utilization (%) |
+| OpenServiceMesh.osmController.enablePodDisruptionBudget | bool | `false` | Enable Pod Disruption Budget |
 | OpenServiceMesh.osmController.podLabels | object | `{}` | OSM controller's pod labels |
 | OpenServiceMesh.osmController.replicaCount | int | `1` | OSM controller's replica count |
 | OpenServiceMesh.osmController.resource | object | `{"limits":{"cpu":"1.5","memory":"512M"},"requests":{"cpu":"0.5","memory":"128M"}}` | OSM controller's container resource parameters |

charts/osm/crds/meshconfig.yaml

@@ -68,11 +68,10 @@ spec:
                       description: Image for the Envoy sidecar
                       type: string
                       default: "envoyproxy/envoy-alpine:v1.18.3"
-                      pattern: envoyproxy\/envoy-alpine:v\d+\.\d+\.\d+$
                     initContainerImage:
                       description: Image for the init container
                       type: string
-                      default: "openservicemesh/init:v0.9.0-rc.2"
+                      default: "openservicemesh/init:v0.9.1"
                     resources:
                       type: object
                       properties:
@@ -109,6 +108,13 @@ spec:
                         type: integer
                         minimum: 1
                         maximum: 65535
+                    inboundPortExclusionList:
+                      description: Global list of ports to exclude from inbound traffic interception by the sidecar proxy.
+                      type: array
+                      items:
+                        type: integer
+                        minimum: 1
+                        maximum: 65535
                     useHTTPSIngress:
                       description: Enable HTTPS ingress on the mesh
                       type: boolean
@@ -149,14 +155,14 @@ spec:
                   description: Configuration for observing the service mesh, including metrics, logs, tracing etc,.
                   type: object
                   properties:
+                    osmLogLevel:
+                      description: Allows setting OSM control plane log level at runtime
+                      type: string
+                      default: "info"
                     enableDebugServer:
                       description: Enables a debug endpoint on the osm-controller pod to list information regarding the mesh such as proxy connections, certificates, and SMI policies.
                       type: boolean
                       default: false
-                    prometheusScraping:
-                      description: Enables Prometheus metrics scraping on sidecar proxies.
-                      type: boolean
-                      default: true
                     tracing:
                       description: Configuration for distributed tracing
                       type: object
@@ -185,3 +191,16 @@ spec:
                       description: Sets the service certificate validity duration, represented as a sequence of decimal numbers each with optional fraction and a unit suffix.
                       type: string
                       default: "24h"
+                featureFlags:
+                  description: OSM feature flags
+                  type: object
+                  properties:
+                    enableWASMStats:
+                      type: boolean
+                      default: true
+                    enableEgressPolicy:
+                      type: boolean
+                      default: true
+                    enableMulticlusterMode:
+                      type: boolean
+                      default: false

charts/osm/templates/cleanup-hook.yaml

@@ -17,6 +17,9 @@ spec:
     spec:
       serviceAccountName: {{ .Release.Name }}-cleanup
       restartPolicy: Never
+      nodeSelector:
+        kubernetes.io/arch: amd64
+        kubernetes.io/os: linux
       containers:
         - name: garbage-collector
           image: bitnami/kubectl

charts/osm/templates/grafana-deployment.yaml

@@ -24,6 +24,9 @@ spec:
       {{- include "restricted.securityContext" . | nindent 6 }}
       {{- end }}
       serviceAccountName: osm-grafana
+      nodeSelector:
+        kubernetes.io/arch: amd64
+        kubernetes.io/os: linux
       containers:
         - name: grafana
           image: "grafana/grafana:7.0.1"

charts/osm/templates/jaeger-deployment.yaml

@@ -22,6 +22,9 @@ spec:
       {{- include "restricted.securityContext" . | nindent 6 }}
       {{- end }}
       serviceAccountName: jaeger
+      nodeSelector:
+        kubernetes.io/arch: amd64
+        kubernetes.io/os: linux
       containers:
       - name: jaeger
         image: jaegertracing/all-in-one

charts/osm/templates/osm-controller-hpa.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.OpenServiceMesh.osmController.autoScale.enable }}
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: osm-controller-hpa
+  namespace: {{ include "osm.namespace" . }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: osm-controller
+  minReplicas: {{.Values.OpenServiceMesh.osmController.autoScale.minReplicas}}
+  maxReplicas: {{.Values.OpenServiceMesh.osmController.autoScale.maxReplicas}}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{.Values.OpenServiceMesh.osmController.autoScale.targetAverageUtilization}}
+{{- end }}

charts/osm/templates/osm-controller-pod-disruption-budget.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.OpenServiceMesh.osmController.enablePodDisruptionBudget }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: osm-controller-pdb
+  namespace: {{ include "osm.namespace" . }}
+  labels:
+    app: osm-controller
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: osm-controller
+{{- end }}

charts/osm/templates/osm-deployment.yaml

@@ -67,15 +67,6 @@ spec:
             "--cert-manager-issuer-name", "{{.Values.OpenServiceMesh.certmanager.issuerName}}",
             "--cert-manager-issuer-kind", "{{.Values.OpenServiceMesh.certmanager.issuerKind}}",
             "--cert-manager-issuer-group", "{{.Values.OpenServiceMesh.certmanager.issuerGroup}}",
-            {{- if .Values.OpenServiceMesh.featureFlags.enableWASMStats }}
-            "--stats-wasm-experimental",
-            {{- end }}
-            {{- if .Values.OpenServiceMesh.featureFlags.enableEgressPolicy }}
-            "--enable-egress-policy",
-            {{- end }}
-            {{- if .Values.OpenServiceMesh.featureFlags.enableMulticlusterMode }}
-            "--enable-multicluster",
-            {{- end }}
           ]
           resources:
             limits:

charts/osm/templates/osm-injector-hpa.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.OpenServiceMesh.injector.autoScale.enable }}
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: osm-injector-hpa
+  namespace: {{ include "osm.namespace" . }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: osm-injector
+  minReplicas: {{.Values.OpenServiceMesh.injector.autoScale.minReplicas}}
+  maxReplicas: {{.Values.OpenServiceMesh.injector.autoScale.maxReplicas}}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{.Values.OpenServiceMesh.injector.autoScale.targetAverageUtilization}}
+{{- end }}

charts/osm/templates/osm-injector-pod-disruption-budget.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.OpenServiceMesh.injector.enablePodDisruptionBudget }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: osm-injector-pdb
+  namespace: {{ include "osm.namespace" . }}
+  labels:
+    app: osm-injector
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: osm-injector
+{{- end }}

charts/osm/templates/osm-rbac.yaml

@@ -80,7 +80,10 @@ rules:
     resources: ["events"]
     verbs: ["create", "watch"]
   - apiGroups: [""]
-    resources: ["secrets", "configmaps"]
+    resources: ["secrets"]
+    verbs: ["create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
     verbs: ["create", "update"]
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]

charts/osm/templates/preset-mesh-config.yaml

@@ -15,10 +15,10 @@ spec:
     useHTTPSIngress: {{.Values.OpenServiceMesh.useHTTPSIngress}}
     enablePermissiveTrafficPolicyMode: {{.Values.OpenServiceMesh.enablePermissiveTrafficPolicy}}
     outboundPortExclusionList: {{.Values.OpenServiceMesh.outboundPortExclusionList}}
+    inboundPortExclusionList: {{.Values.OpenServiceMesh.inboundPortExclusionList}}
     outboundIPRangeExclusionList: {{.Values.OpenServiceMesh.outboundIPRangeExclusionList}}
   observability:
     enableDebugServer: {{.Values.OpenServiceMesh.enableDebugServer}}
-    prometheusScraping: {{.Values.OpenServiceMesh.enablePrometheusScraping}}
     tracing:
       enable: {{.Values.OpenServiceMesh.tracing.enable}}
       {{- if .Values.OpenServiceMesh.tracing.enable }}
@@ -27,4 +27,8 @@ spec:
       endpoint: {{.Values.OpenServiceMesh.tracing.endpoint  | quote}}
       {{- end }}
   certificate:
-    serviceCertValidityDuration: {{.Values.OpenServiceMesh.serviceCertValidityDuration}}
+    serviceCertValidityDuration: {{.Values.OpenServiceMesh.serviceCertValidityDuration}}
+  featureFlags: 
+    enableWASMStats: {{.Values.OpenServiceMesh.featureFlags.enableWASMStats}}
+    enableEgressPolicy: {{.Values.OpenServiceMesh.featureFlags.enableEgressPolicy}}
+    enableMulticlusterMode: {{.Values.OpenServiceMesh.featureFlags.enableMulticlusterMode}}

charts/osm/templates/prometheus-deployment.yaml

@@ -22,6 +22,9 @@ spec:
       {{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
       {{- include "restricted.securityContext" . | nindent 6 }}
       {{- end }}
+      nodeSelector:
+        kubernetes.io/arch: amd64
+        kubernetes.io/os: linux
       containers:
       - name: prometheus
         ports: