From 8b4a3b88f41c648bb4bce76879f8294f7735ba4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patryk=20Ma=C5=82ek?=
Date: Thu, 13 Jun 2024 16:56:38 +0200
Subject: [PATCH] kgo: add missing customentities policy rules

---
 charts/gateway-operator/CHANGELOG.md | 9 +
 charts/gateway-operator/Chart.lock | 6 +-
 charts/gateway-operator/Chart.yaml | 4 +-
 charts/gateway-operator/README.md | 2 +-
 .../charts/kic-crds/Chart.yaml | 4 +-
 .../charts/kic-crds/crds/kic-crds.yaml | 239 ++++++++++++++++--
 .../scripts/update-rbac-resources.sh | 20 +-
 .../templates/rbac-resources.yaml | 50 ++--
 8 files changed, 283 insertions(+), 51 deletions(-)

diff --git a/charts/gateway-operator/CHANGELOG.md b/charts/gateway-operator/CHANGELOG.md
index 94ab0a873..193399fd3 100644
--- a/charts/gateway-operator/CHANGELOG.md
+++ b/charts/gateway-operator/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## 0.1.9
+
+### Fixes
+
+- Fix missing `customentities` RBAC policy rules in operator's manager-role
+  [#1089](https://github.com/Kong/charts/pull/1089)
+- Bump KIC's CRDs to 3.2.0
+  [#1089](https://github.com/Kong/charts/pull/1089)
+
 ## 0.1.8
 
 ### Features
diff --git a/charts/gateway-operator/Chart.lock b/charts/gateway-operator/Chart.lock
index 854c10c20..c39b051fb 100644
--- a/charts/gateway-operator/Chart.lock
+++ b/charts/gateway-operator/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: kic-crds
   repository: ""
-  version: 3.1.2
+  version: 3.2.0
 - name: gwapi-standard-crds
   repository: ""
   version: 1.0.0
 - name: gwapi-experimental-crds
   repository: ""
   version: 1.0.0
-digest: sha256:c72ffe17253b0cd11caf5e1b03c2458b2c280528461a1621f6f90832d2979889
-generated: "2024-03-16T07:20:29.547504039+08:00"
+digest: sha256:17c486ff3a5f012cb2efaaf09419a8489686e8d1eab896b46b9ef323d53d5d05
+generated: "2024-06-13T17:00:08.148357+02:00"
diff --git a/charts/gateway-operator/Chart.yaml b/charts/gateway-operator/Chart.yaml
index 1acb9eb7d..dc9244e52 100644
--- a/charts/gateway-operator/Chart.yaml
+++ b/charts/gateway-operator/Chart.yaml
@@ -8,14 +8,14 @@ maintainers: name: gateway-operator sources: - https://github.com/Kong/charts/tree/main/charts/gateway-operator -version: 0.1.8 +version: 0.1.9 appVersion: "1.2" annotations: artifacthub.io/prerelease: "false" dependencies: - name: kic-crds - version: 3.1.2 + version: 3.2.0 condition: kic-crds.enabled - name: gwapi-standard-crds version: 1.0.0 diff --git a/charts/gateway-operator/README.md b/charts/gateway-operator/README.md index 3d9a1f30e..66c271832 100644 --- a/charts/gateway-operator/README.md +++ b/charts/gateway-operator/README.md @@ -9,4 +9,4 @@ helm repo add kong https://charts.konghq.com helm repo update helm install kgo kong/gateway-operator -n kong-system --create-namespace -``` \ No newline at end of file +``` diff --git a/charts/gateway-operator/charts/kic-crds/Chart.yaml b/charts/gateway-operator/charts/kic-crds/Chart.yaml index 1e24dd4c0..a5af00834 100644 --- a/charts/gateway-operator/charts/kic-crds/Chart.yaml +++ b/charts/gateway-operator/charts/kic-crds/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 name: kic-crds -version: 3.1.2 -appVersion: "3.1.2" +version: 3.2.0 +appVersion: "3.2.0" description: A Helm chart for Kong Ingress Controller's CRDs diff --git a/charts/gateway-operator/charts/kic-crds/crds/kic-crds.yaml b/charts/gateway-operator/charts/kic-crds/crds/kic-crds.yaml index 08081b973..74e45d219 100644 --- a/charts/gateway-operator/charts/kic-crds/crds/kic-crds.yaml +++ b/charts/gateway-operator/charts/kic-crds/crds/kic-crds.yaml 
@@ -1,9 +1,10 @@ -# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v3.1.0' +# DO NOT EDIT: This file is generated by running: +# kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v3.2.0' > kic-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: ingressclassparameterses.configuration.konghq.com spec: group: configuration.konghq.com @@ -60,7 +61,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: kongclusterplugins.configuration.konghq.com spec: group: configuration.konghq.com @@ -381,7 +382,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: kongconsumergroups.configuration.konghq.com spec: group: configuration.konghq.com @@ -528,7 +529,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: kongconsumers.configuration.konghq.com spec: group: configuration.konghq.com @@ -574,6 +575,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set credentials: description: |- Credentials are references to secrets containing a credential to be @@ -581,6 +583,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set custom_id: description: |- CustomID is a Kong cluster-unique existing ID for the consumer - useful for mapping 
@@ -704,7 +707,204 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + name: kongcustomentities.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongCustomEntity + listKind: KongCustomEntityList + plural: kongcustomentities + shortNames: + - kce + singular: kongcustomentity + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: type of the Kong entity + jsonPath: .spec.type + name: Entity Type + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: KongCustomEntity defines a "custom" Kong entity that KIC cannot + support the entity type directly. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + controllerName: + description: ControllerName specifies the controller that should reconcile + it, like ingress class. + type: string + fields: + description: Fields defines the fields of the Kong entity itself. 
+ x-kubernetes-preserve-unknown-fields: true + parentRef: + description: |- + ParentRef references the kubernetes resource it attached to when its scope is "attached". + Currently only KongPlugin/KongClusterPlugin allowed. This will make the custom entity to be attached + to the entity(service/route/consumer) where the plugin is attached. + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + description: Empty namespace means the same namespace of the owning + object. + type: string + required: + - name + type: object + type: + description: EntityType is the type of the Kong entity. The type is + used in generating declarative configuration. + type: string + required: + - controllerName + - fields + - type + type: object + status: + description: Status stores the reconciling status of the resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the KongCustomEntityStatus. + + + Known condition types are: + + + * "Programmed" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: The spec.type field is immutable + rule: self.spec.type == oldSelf.spec.type + - message: The spec.type field cannot be known Kong entity types + rule: '!(self.spec.type in [''services'',''routes'',''upstreams'',''targets'',''plugins'',''consumers'',''consumer_groups''])' + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 name: kongingresses.configuration.konghq.com spec: group: configuration.konghq.com @@ -1095,7 +1295,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: konglicenses.configuration.konghq.com spec: group: configuration.konghq.com 
@@ -1308,7 +1508,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: kongplugins.configuration.konghq.com spec: group: configuration.konghq.com @@ -1623,7 +1823,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 labels: gateway.networking.k8s.io/policy: direct name: kongupstreampolicies.configuration.konghq.com @@ -2070,7 +2270,7 @@ spec: * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, experimental, ClusterIP Services only) + * Service (Mesh conformance profile, ClusterIP Services only) Support for other resources is Implementation-Specific. @@ -2156,9 +2356,6 @@ spec: Support: Extended - - - format: int32 maximum: 65535 minimum: 1 @@ -2169,14 +2366,12 @@ spec: following resources, SectionName is interpreted as the following: - * Gateway: Listener Name. When both Port (experimental) and SectionName + * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. - * Service: Port Name. When both Port (experimental) and SectionName + * Service: Port name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match - both specified values. Note that attaching Routes to Services as Parents - is part of experimental Mesh support and is not supported for any other - purpose. + both specified values. Implementations MAY choose to support attaching Routes to other resources. 
@@ -2366,7 +2561,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: kongvaults.configuration.konghq.com spec: group: configuration.konghq.com @@ -2563,7 +2758,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: tcpingresses.configuration.konghq.com spec: group: configuration.konghq.com @@ -2759,6 +2954,7 @@ spec: x-kubernetes-list-type: atomic type: object type: array + x-kubernetes-list-type: atomic type: object type: object type: object @@ -2771,7 +2967,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: udpingresses.configuration.konghq.com spec: group: configuration.konghq.com @@ -2931,6 +3127,7 @@ spec: x-kubernetes-list-type: atomic type: object type: array + x-kubernetes-list-type: atomic type: object type: object type: object diff --git a/charts/gateway-operator/scripts/update-rbac-resources.sh b/charts/gateway-operator/scripts/update-rbac-resources.sh index c151cb190..e1c6ed613 100755 --- a/charts/gateway-operator/scripts/update-rbac-resources.sh +++ b/charts/gateway-operator/scripts/update-rbac-resources.sh 
@@ -40,25 +40,35 @@ then exit 1 fi +SED=sed +if [[ $(uname -s) == "Darwin" ]]; then + if gsed --version 2>&1 >/dev/null ; then + SED=gsed + else + echo "GNU sed is required on macOS. You can install it via Homebrew with 'brew install gnu-sed'." + exit 1 + fi +fi + # create a function named update_rbac_resources function update_rbac_resources { # build the kustomize resources kustomize build $KGO_REPO_PATH/config/rbac > /tmp/rbac-resources.yaml # replace the namespace - sed -i 's/namespace: kong-system/namespace: {{ template "kong.namespace" . }}/g' /tmp/rbac-resources.yaml + ${SED} -i 's/namespace: kong-system/namespace: {{ template "kong.namespace" . }}/g' /tmp/rbac-resources.yaml # replace the service account name - sed -i 's/name: controller-manager$/name: {{ template "kong.serviceAccountName" . }}/g' /tmp/rbac-resources.yaml + ${SED} -i 's/name: controller-manager$/name: {{ template "kong.serviceAccountName" . }}/g' /tmp/rbac-resources.yaml # replace the role name - sed -i 's/name: gateway-operator-manager-role/name: {{ template "kong.fullname" . }}-manager-role/g' /tmp/rbac-resources.yaml + ${SED} -i 's/name: gateway-operator-manager-role/name: {{ template "kong.fullname" . }}-manager-role/g' /tmp/rbac-resources.yaml # replace the metrics service name - sed -i 's/name: controller-manager-metrics-service/name: {{ template "kong.fullname" . }}-metrics-service/g' /tmp/rbac-resources.yaml + ${SED} -i 's/name: controller-manager-metrics-service/name: {{ template "kong.fullname" . }}-metrics-service/g' /tmp/rbac-resources.yaml # replace the name of the resources - sed -i '/name: {{\|name: https/!s/name: /name: {{ template "kong.fullname" . }}-/g' /tmp/rbac-resources.yaml + ${SED} -i '/name: {{\|name: https/!s/name: /name: {{ template "kong.fullname" . 
}}-/g' /tmp/rbac-resources.yaml # copy the contents of the file except for the Service Account resource (head -n 4 $CHARTS_REPO_PATH/charts/gateway-operator/templates/rbac-resources.yaml && tail -n +6 /tmp/rbac-resources.yaml) > /tmp/new-rbac-resources.yaml diff --git a/charts/gateway-operator/templates/rbac-resources.yaml b/charts/gateway-operator/templates/rbac-resources.yaml index 0e2fa3e36..0f4af6bd0 100644 --- a/charts/gateway-operator/templates/rbac-resources.yaml +++ b/charts/gateway-operator/templates/rbac-resources.yaml @@ -43,6 +43,23 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + creationTimestamp: null + name: {{ template "kong.fullname" . }}-kong-mtls-secret-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: {{ template "kong.fullname" . }}-manager-role rules: @@ -177,6 +194,22 @@ rules: - get - patch - update +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update - apiGroups: - configuration.konghq.com resources: @@ -740,23 +773,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - creationTimestamp: null - name: {{ template "kong.fullname" . }}-kong-mtls-secret-role -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - create - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: name: {{ template "kong.fullname" . }}-metrics-reader rules:
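Review bot: The macOS probe `if gsed --version 2>&1 >/dev/null ; then` has its redirections in the wrong order: `2>&1` is applied while stdout is still the terminal, so only stdout is silenced and a missing gsed still prints the shell's own "command not found" before the friendlier message. Use `if command -v gsed >/dev/null 2>&1; then` and send the failure text to stderr with `echo "GNU sed is required on macOS. ..." >&2` so a caller that captures stdout does not swallow it. The `${SED} -i` edits still operate on the fixed path /tmp/rbac-resources.yaml, which predates this change; a predictable name in a shared /tmp is open to symlink or pre-creation races, so switching to `mktemp` while the script is being touched would be cheap. The update_rbac_resources function continues past the end of the hunk.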
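Review bot: The ClusterRole `{{ template "kong.fullname" . }}-kong-mtls-secret-role` added here is a relocation of the block deleted at the end of this file rather than a new grant, but it still carries `creationTimestamp: null` from the kustomize output, which none of the neighbouring roles have; the update script could strip it with `${SED} -i '/creationTimestamp: null/d' /tmp/rbac-resources.yaml` so the rendered template stays clean. Because the role grants `get`/`list` on core `secrets` at cluster scope, binding it with a ClusterRoleBinding would let the subject read every Secret in the cluster; the binding is not in this hunk, so confirm it is a namespaced RoleBinding or that the rule is narrowed with `resourceNames`.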
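Review bot: The new `kongcustomentities` rules are read-only on the resource (get/list/watch) with get/patch/update on `kongcustomentities/status`, which is the least-privilege shape, but the verbs have to match whatever the operator hands to the ingress controller: Kubernetes' RBAC escalation check refuses to create a (Cluster)Role containing permissions the creating identity does not itself hold, and that is presumably the failure this commit fixes. Confirm the KIC 3.2 ClusterRole the operator provisions asks for exactly these verbs on `kongcustomentities` and its status subresource; any extra verb there would still be rejected unless it is added to the manager-role too. This template is regenerated by scripts/update-rbac-resources.sh from the operator repository's config/rbac, so make sure the rules also landed upstream rather than only in this file, otherwise the next regeneration silently drops them. The manager-role rule list continues outside the hunk.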