From 0c6e47bcbe4e5cbf6c3fa37b93519d962faebf91 Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Mon, 9 Oct 2023 13:09:36 +0200 Subject: [PATCH] [release-1.11] Support Eventing TLS (#1586) * Handle TLS resources based on feature flag value Signed-off-by: Pierangelo Di Pilato * Fetch eventing-tls-networking.yaml file Signed-off-by: Pierangelo Di Pilato * Handle NoKind error and add permissions to operator Signed-off-by: Pierangelo Di Pilato * Fix license header Signed-off-by: Pierangelo Di Pilato * Run hack/update-codegen.sh Signed-off-by: Pierangelo Di Pilato --------- 
Signed-off-by: Pierangelo Di Pilato --- cmd/fetcher/kodata/config.yaml | 1 - .../1.11/kafka/eventing-kafka-controller.yaml | 70 +++--- .../kafka/eventing-kafka-post-install.yaml | 44 ++-- .../1.11/kafka/eventing-kafka-source.yaml | 14 +- .../1.10.0/3-eventing-tls-networking.yaml | 99 +++++++++ ...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 .../1.10.1/3-eventing-tls-networking.yaml | 99 +++++++++ ...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 .../1.10.2/3-eventing-tls-networking.yaml | 99 +++++++++ ...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 .../1.10.3/3-eventing-tls-networking.yaml | 99 +++++++++ ...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 .../1.11.0/3-eventing-tls-networking.yaml | 202 +++++++++++++++++ ...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 .../1.11.1/3-eventing-tls-networking.yaml | 202 +++++++++++++++++ ...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 .../1.11.2/3-eventing-tls-networking.yaml | 202 +++++++++++++++++ ...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 .../1.11.3/3-eventing-tls-networking.yaml | 205 ++++++++++++++++++ ...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 .../1.11.4/3-eventing-tls-networking.yaml | 205 ++++++++++++++++++ 
...-channel.yaml => 4-in-memory-channel.yaml} | 0 ...l-broker.yaml => 5-mt-channel-broker.yaml} | 0 ...tall.yaml => 6-eventing-post-install.yaml} | 0 config/rbac/role.yaml | 15 ++ .../knativeeventing/eventing_tls.go | 80 +++++++ .../knativeeventing/knativeeventing.go | 1 + test/e2e-common.sh | 2 +- 44 files changed, 1573 insertions(+), 66 deletions(-) create mode 100644 cmd/operator/kodata/knative-eventing/1.10.0/3-eventing-tls-networking.yaml rename cmd/operator/kodata/knative-eventing/1.10.0/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.10.0/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.10.0/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 cmd/operator/kodata/knative-eventing/1.10.1/3-eventing-tls-networking.yaml rename cmd/operator/kodata/knative-eventing/1.10.1/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.10.1/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.10.1/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 cmd/operator/kodata/knative-eventing/1.10.2/3-eventing-tls-networking.yaml rename cmd/operator/kodata/knative-eventing/1.10.2/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.10.2/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.10.2/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 cmd/operator/kodata/knative-eventing/1.10.3/3-eventing-tls-networking.yaml rename cmd/operator/kodata/knative-eventing/1.10.3/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.10.3/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) 
rename cmd/operator/kodata/knative-eventing/1.10.3/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 cmd/operator/kodata/knative-eventing/1.11.0/3-eventing-tls-networking.yaml rename cmd/operator/kodata/knative-eventing/1.11.0/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.0/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.0/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 cmd/operator/kodata/knative-eventing/1.11.1/3-eventing-tls-networking.yaml rename cmd/operator/kodata/knative-eventing/1.11.1/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.1/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.1/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 cmd/operator/kodata/knative-eventing/1.11.2/3-eventing-tls-networking.yaml rename cmd/operator/kodata/knative-eventing/1.11.2/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.2/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.2/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 cmd/operator/kodata/knative-eventing/1.11.3/3-eventing-tls-networking.yaml rename cmd/operator/kodata/knative-eventing/1.11.3/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.3/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.3/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 cmd/operator/kodata/knative-eventing/1.11.4/3-eventing-tls-networking.yaml rename 
cmd/operator/kodata/knative-eventing/1.11.4/{3-in-memory-channel.yaml => 4-in-memory-channel.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.4/{4-mt-channel-broker.yaml => 5-mt-channel-broker.yaml} (100%) rename cmd/operator/kodata/knative-eventing/1.11.4/{5-eventing-post-install.yaml => 6-eventing-post-install.yaml} (100%) create mode 100644 pkg/reconciler/knativeeventing/eventing_tls.go diff --git a/cmd/fetcher/kodata/config.yaml b/cmd/fetcher/kodata/config.yaml index c3c69313c1..a1387d1f78 100644 --- a/cmd/fetcher/kodata/config.yaml +++ b/cmd/fetcher/kodata/config.yaml @@ -53,7 +53,6 @@ knative-eventing: - "heartbeats.yaml" - "recordevents.yaml" - "websocket-source.yaml" - - "eventing-tls-networking.yaml" # Eventing packaging has evolved in non-standard ways over the last few releases. overrides: v0.18: diff --git a/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-controller.yaml b/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-controller.yaml index b195336c94..827a7688ea 100644 --- a/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-controller.yaml +++ b/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-controller.yaml @@ -17,7 +17,7 @@ metadata: name: kafka-broker-config namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" data: default.topic.partitions: "10" default.topic.replication.factor: "3" @@ -43,7 +43,7 @@ metadata: name: kafka-channel-config namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" data: bootstrap.servers: "my-cluster-kafka-bootstrap.kafka:9092" 
@@ -67,7 +67,7 @@ kind: CustomResourceDefinition metadata: name: kafkachannels.messaging.knative.dev labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" duck.knative.dev/addressable: "true" @@ -336,7 +336,7 @@ kind: CustomResourceDefinition metadata: creationTimestamp: null labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" knative.dev/crd-install: "true" name: consumers.internal.kafka.eventing.knative.dev spec: @@ -392,7 +392,7 @@ kind: CustomResourceDefinition metadata: creationTimestamp: null labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" knative.dev/crd-install: "true" name: consumergroups.internal.kafka.eventing.knative.dev spec: @@ -463,7 +463,7 @@ metadata: labels: duck.knative.dev/addressable: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" spec: group: eventing.knative.dev names: @@ -627,7 +627,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" @@ -1067,7 +1067,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: eventing-kafka-source-observer labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" duck.knative.dev/source: "true" rules: - apiGroups: 
@@ -1100,7 +1100,7 @@ metadata: name: config-kafka-source-defaults namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" annotations: knative.dev/example-checksum: "b6ed351d" data: @@ -1160,7 +1160,7 @@ metadata: name: config-kafka-autoscaler namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" data: class: "keda.autoscaling.knative.dev" min-scale: "0" @@ -1191,7 +1191,7 @@ metadata: name: config-kafka-descheduler namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" data: predicates: | [] @@ -1264,7 +1264,7 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" name: config-kafka-leader-election namespace: knative-eventing annotations: @@ -1331,7 +1331,7 @@ metadata: name: config-kafka-scheduler namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" data: predicates: | [ @@ -1371,7 +1371,7 @@ metadata: name: kafka-config-logging namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" data: config.xml: | 
@@ -1428,7 +1428,7 @@ metadata: name: config-tracing namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" knative.dev/config-propagation: original knative.dev/config-category: eventing annotations: @@ -1488,7 +1488,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-kafka-addressable-resolver labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" duck.knative.dev/addressable: "true" # Do not use this role directly. These rules will be added to the "addressable-resolver" role. rules: @@ -1531,7 +1531,7 @@ kind: ClusterRole metadata: name: knative-kafka-channelable-manipulator labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" duck.knative.dev/channelable: "true" # Do not use this role directly. These rules will be added to the "channelable-manipulator" role. rules: @@ -1568,7 +1568,7 @@ kind: ClusterRole metadata: name: kafka-controller labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" rules: - apiGroups: - "" @@ -1837,7 +1837,7 @@ metadata: name: kafka-controller namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" --- # Copyright 2020 The Knative Authors @@ -1858,7 +1858,7 @@ kind: ClusterRoleBinding metadata: name: kafka-controller labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" subjects: - kind: ServiceAccount name: kafka-controller 
@@ -1873,7 +1873,7 @@ kind: ClusterRoleBinding metadata: name: kafka-controller-addressable-resolver labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" subjects: - kind: ServiceAccount name: kafka-controller @@ -1904,7 +1904,7 @@ metadata: namespace: knative-eventing labels: app: kafka-controller - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" app.kubernetes.io/component: kafka-controller app.kubernetes.io/name: knative-eventing spec: @@ -1916,7 +1916,7 @@ spec: name: kafka-controller labels: app: kafka-controller - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" app.kubernetes.io/component: kafka-controller app.kubernetes.io/name: knative-eventing spec: @@ -1942,7 +1942,7 @@ spec: weight: 100 containers: - name: controller - image: gcr.io/knative-releases/knative.dev/eventing-kafka-broker/control-plane/cmd/kafka-controller@sha256:9c05a9e3e4dfc1966aef9cd5869d8fd9b7886c328a0f7a28ee28043a1b0e76d8 + image: gcr.io/knative-releases/knative.dev/eventing-kafka-broker/control-plane/cmd/kafka-controller@sha256:40da46b8fc0999c35589c7f063ab880456a71548e949e4fb8a8f7ecf6e2e8c82 imagePullPolicy: IfNotPresent env: - name: BROKER_DATA_PLANE_CONFIG_MAP_NAMESPACE @@ -2077,7 +2077,7 @@ kind: ClusterRole metadata: name: kafka-webhook-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" rules: # For watching logging configuration and getting certs. - apiGroups: 
@@ -2179,7 +2179,7 @@ metadata: name: kafka-webhook-eventing namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" --- # Copyright 2020 The Knative Authors @@ -2200,7 +2200,7 @@ kind: ClusterRoleBinding metadata: name: kafka-webhook-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" subjects: - kind: ServiceAccount name: kafka-webhook-eventing @@ -2230,7 +2230,7 @@ kind: MutatingWebhookConfiguration metadata: name: defaulting.webhook.kafka.eventing.knative.dev labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: @@ -2262,7 +2262,7 @@ kind: MutatingWebhookConfiguration metadata: name: pods.defaulting.webhook.kafka.eventing.knative.dev labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" webhooks: # Dispatcher pods webhook config. - admissionReviewVersions: ["v1", "v1beta1"] @@ -2304,7 +2304,7 @@ metadata: name: kafka-webhook-eventing-certs namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" # The data is populated at install time. --- @@ -2327,7 +2327,7 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.kafka.eventing.knative.dev labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: 
@@ -2361,7 +2361,7 @@ metadata: namespace: knative-eventing labels: app: kafka-webhook-eventing - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" app.kubernetes.io/component: kafka-webhook-eventing app.kubernetes.io/name: knative-eventing spec: @@ -2372,7 +2372,7 @@ spec: metadata: labels: app: kafka-webhook-eventing - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" app.kubernetes.io/component: kafka-webhook-eventing app.kubernetes.io/name: knative-eventing spec: @@ -2392,7 +2392,7 @@ spec: containers: - name: kafka-webhook-eventing terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing-kafka-broker/control-plane/cmd/webhook-kafka@sha256:08ed660d8bc2fd2bd7ac8605ddccfbfbee74155cfbb00f83b55385e9efef189d + image: gcr.io/knative-releases/knative.dev/eventing-kafka-broker/control-plane/cmd/webhook-kafka@sha256:b0a4dc026dd2e9d5316806a4eae7a25d7b0d6e3b3f59fbb050b60e9e709a5208 resources: requests: cpu: 20m @@ -2456,7 +2456,7 @@ metadata: namespace: knative-eventing labels: app: kafka-webhook-eventing - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" app.kubernetes.io/component: kafka-webhook-eventing app.kubernetes.io/name: knative-eventing spec: diff --git a/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-post-install.yaml b/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-post-install.yaml index 8e7415f4f1..506fb15a2b 100644 --- a/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-post-install.yaml +++ b/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-post-install.yaml 
@@ -16,7 +16,7 @@ kind: ClusterRole metadata: name: knative-kafka-controller-post-install labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" rules: [] --- @@ -39,7 +39,7 @@ metadata: name: knative-kafka-controller-post-install namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" --- # Copyright 2020 The Knative Authors @@ -61,7 +61,7 @@ kind: ClusterRole metadata: name: knative-kafka-storage-version-migrator labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" rules: # Storage version upgrader needs to be able to patch CRDs. - apiGroups: @@ -144,14 +144,14 @@ metadata: name: knative-kafka-storage-version-migrator namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: knative-kafka-storage-version-migrator labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" subjects: - kind: ServiceAccount name: knative-kafka-storage-version-migrator @@ -180,7 +180,7 @@ kind: ClusterRoleBinding metadata: name: knative-kafka-controller-post-install labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" subjects: - kind: ServiceAccount name: knative-kafka-controller-post-install 
@@ -212,7 +212,7 @@ metadata: namespace: knative-eventing labels: app: kafka-controller-post-install - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" spec: ttlSecondsAfterFinished: 600 backoffLimit: 10 @@ -220,7 +220,7 @@ spec: metadata: labels: app: kafka-controller-post-install - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" annotations: sidecar.istio.io/inject: "false" spec: @@ -228,7 +228,7 @@ spec: restartPolicy: OnFailure containers: - name: post-install - image: gcr.io/knative-releases/knative.dev/eventing-kafka-broker/control-plane/cmd/post-install@sha256:76c9d64e8ada54e579c93167327c286f9055e1e63350598642283238c6cb82ef + image: gcr.io/knative-releases/knative.dev/eventing-kafka-broker/control-plane/cmd/post-install@sha256:52bb14dd7d92d3c91b1a70d0d97d2570a92b08483b767c2eaf159bdca34f48f8 env: - name: SYSTEM_NAMESPACE valueFrom: @@ -268,7 +268,7 @@ metadata: namespace: knative-eventing labels: app: "knative-kafka-storage-version-migrator" - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" spec: ttlSecondsAfterFinished: 600 backoffLimit: 10 @@ -276,7 +276,7 @@ spec: metadata: labels: app: "knative-kafka-storage-version-migrator" - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" annotations: sidecar.istio.io/inject: "false" spec: @@ -321,7 +321,7 @@ kind: ClusterRole metadata: name: knative-kafka-controller-post-install labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" rules: [] --- 
@@ -344,7 +344,7 @@ metadata: name: knative-kafka-controller-post-install namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" --- # Copyright 2020 The Knative Authors @@ -366,7 +366,7 @@ kind: ClusterRole metadata: name: knative-kafka-storage-version-migrator labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" rules: # Storage version upgrader needs to be able to patch CRDs. - apiGroups: @@ -449,14 +449,14 @@ metadata: name: knative-kafka-storage-version-migrator namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: knative-kafka-storage-version-migrator labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" subjects: - kind: ServiceAccount name: knative-kafka-storage-version-migrator @@ -485,7 +485,7 @@ kind: ClusterRoleBinding metadata: name: knative-kafka-controller-post-install labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" subjects: - kind: ServiceAccount name: knative-kafka-controller-post-install @@ -517,7 +517,7 @@ metadata: namespace: knative-eventing labels: app: kafka-controller-post-install - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" spec: ttlSecondsAfterFinished: 600 backoffLimit: 10 
@@ -525,7 +525,7 @@ spec: metadata: labels: app: kafka-controller-post-install - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" annotations: sidecar.istio.io/inject: "false" spec: @@ -533,7 +533,7 @@ spec: restartPolicy: OnFailure containers: - name: post-install - image: gcr.io/knative-releases/knative.dev/eventing-kafka-broker/control-plane/cmd/post-install@sha256:76c9d64e8ada54e579c93167327c286f9055e1e63350598642283238c6cb82ef + image: gcr.io/knative-releases/knative.dev/eventing-kafka-broker/control-plane/cmd/post-install@sha256:52bb14dd7d92d3c91b1a70d0d97d2570a92b08483b767c2eaf159bdca34f48f8 env: - name: SYSTEM_NAMESPACE valueFrom: @@ -573,7 +573,7 @@ metadata: namespace: knative-eventing labels: app: "knative-kafka-storage-version-migrator" - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" spec: ttlSecondsAfterFinished: 600 backoffLimit: 10 @@ -581,7 +581,7 @@ spec: metadata: labels: app: "knative-kafka-storage-version-migrator" - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" annotations: sidecar.istio.io/inject: "false" spec: diff --git a/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-source.yaml b/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-source.yaml index 3f2c1f4269..370299f184 100644 --- a/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-source.yaml +++ b/cmd/operator/kodata/eventing-source/1.11/kafka/eventing-kafka-source.yaml @@ -17,7 +17,7 @@ metadata: name: config-kafka-source-data-plane namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" annotations: knative.dev/example-checksum: "8157ecb1" data: 
@@ -178,7 +178,7 @@ kind: ClusterRole metadata: name: knative-kafka-source-data-plane labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" rules: - apiGroups: - "" @@ -209,7 +209,7 @@ metadata: name: knative-kafka-source-data-plane namespace: knative-eventing labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" --- # Copyright 2021 The Knative Authors @@ -230,7 +230,7 @@ kind: ClusterRoleBinding metadata: name: knative-kafka-source-data-plane labels: - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" subjects: - kind: ServiceAccount name: knative-kafka-source-data-plane @@ -261,7 +261,7 @@ metadata: namespace: knative-eventing labels: app: kafka-source-dispatcher - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" app.kubernetes.io/component: kafka-source-dispatcher app.kubernetes.io/name: knative-eventing spec: @@ -275,7 +275,7 @@ spec: name: kafka-source-dispatcher labels: app: kafka-source-dispatcher - app.kubernetes.io/version: "a369ce09d5ddf2dea545d1fbd9c44ab5c1c1026b" + app.kubernetes.io/version: "3c9194cfbae5b2d78d483f15cb8c612da44e5ca0" app.kubernetes.io/component: kafka-channel-dispatcher app.kubernetes.io/name: knative-eventing app.kubernetes.io/kind: kafka-dispatcher @@ -302,7 +302,7 @@ spec: runAsNonRoot: true containers: - name: kafka-source-dispatcher - image: gcr.io/knative-releases/knative-kafka-broker-dispatcher:v1.11.5 + image: gcr.io/knative-releases/knative-kafka-broker-dispatcher:v1.11.6 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /etc/config 
diff --git a/cmd/operator/kodata/knative-eventing/1.10.0/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.10.0/3-eventing-tls-networking.yaml
new file mode 100644
index 0000000000..f6dfe17d57
--- /dev/null
+++ b/cmd/operator/kodata/knative-eventing/1.10.0/3-eventing-tls-networking.yaml
@@ -0,0 +1,99 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: knative-eventing
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: imc-dispatcher-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: imc-dispatcher-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: imc-dispatcher
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - imc-dispatcher.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-filter-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-filter-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-filter
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - broker-filter.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-ingress-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-ingress-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-ingress
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - broker-ingress.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
diff --git a/cmd/operator/kodata/knative-eventing/1.10.0/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.10.0/4-in-memory-channel.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.0/3-in-memory-channel.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.0/4-in-memory-channel.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.0/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.10.0/5-mt-channel-broker.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.0/4-mt-channel-broker.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.0/5-mt-channel-broker.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.0/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.10.0/6-eventing-post-install.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.0/5-eventing-post-install.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.0/6-eventing-post-install.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.1/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.10.1/3-eventing-tls-networking.yaml
new file mode 100644
index 0000000000..f6dfe17d57
--- /dev/null
+++ b/cmd/operator/kodata/knative-eventing/1.10.1/3-eventing-tls-networking.yaml
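Review bot: Every Certificate in this new manifest points `issuerRef` at `selfsigned-issuer` with `isCA: false`, so each server certificate is its own self-signed leaf and there is no common CA that event senders could be handed to verify `imc-dispatcher`, `broker-filter` or `broker-ingress`; the identical 1.10.1 file in the next hunk has the same shape. Unless clients are meant to pin each leaf (which the 90-day `duration` rotation would break) or skip verification, I would bootstrap one CA certificate from the self-signed issuer and issue the three leaves from a CA issuer, as sketched below with placeholder names. Separately, each `dnsNames` list carries only the `.svc.cluster.local` form, which assumes the default cluster domain; adding the short form, e.g. `- imc-dispatcher.knative-eventing.svc`, keeps hostname verification working on clusters with a custom domain. These files appear to be fetched from the upstream release, so the change may belong upstream or in an operator-side transform rather than in kodata.

```yaml
# CA bootstrapped from the existing self-signed issuer (angle-bracket names are placeholders)
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <eventing-ca>
  namespace: knative-eventing
spec:
  isCA: true
  commonName: <eventing-ca>
  secretName: <eventing-ca-secret>
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <eventing-ca-issuer>
  namespace: knative-eventing
spec:
  ca:
    secretName: <eventing-ca-secret>
---
# … unchanged: the three server Certificates, with issuerRef.name set to <eventing-ca-issuer> …
```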
@@ -0,0 +1,99 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: knative-eventing
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: imc-dispatcher-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: imc-dispatcher-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: imc-dispatcher
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - imc-dispatcher.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-filter-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-filter-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-filter
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - broker-filter.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-ingress-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-ingress-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-ingress
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - broker-ingress.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
diff --git a/cmd/operator/kodata/knative-eventing/1.10.1/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.10.1/4-in-memory-channel.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.1/3-in-memory-channel.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.1/4-in-memory-channel.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.1/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.10.1/5-mt-channel-broker.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.1/4-mt-channel-broker.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.1/5-mt-channel-broker.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.1/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.10.1/6-eventing-post-install.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.1/5-eventing-post-install.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.1/6-eventing-post-install.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.2/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.10.2/3-eventing-tls-networking.yaml
new file mode 100644
index 0000000000..f6dfe17d57
--- /dev/null
+++ b/cmd/operator/kodata/knative-eventing/1.10.2/3-eventing-tls-networking.yaml
@@ -0,0 +1,99 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: knative-eventing
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: imc-dispatcher-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: imc-dispatcher-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: imc-dispatcher
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - imc-dispatcher.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-filter-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-filter-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-filter
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - broker-filter.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-ingress-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-ingress-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-ingress
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - broker-ingress.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
diff --git a/cmd/operator/kodata/knative-eventing/1.10.2/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.10.2/4-in-memory-channel.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.2/3-in-memory-channel.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.2/4-in-memory-channel.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.2/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.10.2/5-mt-channel-broker.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.2/4-mt-channel-broker.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.2/5-mt-channel-broker.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.2/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.10.2/6-eventing-post-install.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.2/5-eventing-post-install.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.2/6-eventing-post-install.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.3/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.10.3/3-eventing-tls-networking.yaml
new file mode 100644
index 0000000000..f6dfe17d57
--- /dev/null
+++ b/cmd/operator/kodata/knative-eventing/1.10.3/3-eventing-tls-networking.yaml
@@ -0,0 +1,99 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: knative-eventing
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: imc-dispatcher-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: imc-dispatcher-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: imc-dispatcher
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - imc-dispatcher.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-filter-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-filter-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-filter
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - broker-filter.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-ingress-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-ingress-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-ingress
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ dnsNames:
+ - broker-ingress.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
diff --git a/cmd/operator/kodata/knative-eventing/1.10.3/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.10.3/4-in-memory-channel.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.3/3-in-memory-channel.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.3/4-in-memory-channel.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.3/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.10.3/5-mt-channel-broker.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.3/4-mt-channel-broker.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.3/5-mt-channel-broker.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.10.3/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.10.3/6-eventing-post-install.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.10.3/5-eventing-post-install.yaml
rename to cmd/operator/kodata/knative-eventing/1.10.3/6-eventing-post-install.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.0/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.11.0/3-eventing-tls-networking.yaml
new file mode 100644
index 0000000000..5e4c7069f4
--- /dev/null
+++ b/cmd/operator/kodata/knative-eventing/1.11.0/3-eventing-tls-networking.yaml
@@ -0,0 +1,202 @@
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is the issuer that every Eventing component should use to issue their server's certs.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-ca-issuer
+ namespace: knative-eventing
+spec:
+ ca:
+ secretName: eventing-ca
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is the root issuer to bootstrap the eventing CA.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: knative-eventing
+spec:
+ selfSigned: {}
+---
+# This is the Eventing CA certificate.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-ca
+ namespace: knative-eventing
+spec:
+ secretName: eventing-ca
+ isCA: true
+ commonName: selfsigned-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: imc-dispatcher-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: imc-dispatcher-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: imc-dispatcher
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - imc-dispatcher.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-filter-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-filter-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-filter
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - broker-filter.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-ingress-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-ingress-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-ingress
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - broker-ingress.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
diff --git a/cmd/operator/kodata/knative-eventing/1.11.0/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.11.0/4-in-memory-channel.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.0/3-in-memory-channel.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.0/4-in-memory-channel.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.0/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.11.0/5-mt-channel-broker.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.0/4-mt-channel-broker.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.0/5-mt-channel-broker.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.0/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.11.0/6-eventing-post-install.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.0/5-eventing-post-install.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.0/6-eventing-post-install.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.1/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.11.1/3-eventing-tls-networking.yaml
new file mode 100644
index 0000000000..5e4c7069f4
--- /dev/null
+++ b/cmd/operator/kodata/knative-eventing/1.11.1/3-eventing-tls-networking.yaml
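Review bot: The `selfsigned-ca` Certificate (secret `eventing-ca`) in the 1.11.0 manifest sets no `duration` or `renewBefore`, while every leaf it signs pins `duration: 2160h`. Without explicit values the CA's lifetime falls back to cert-manager's default, which as far as I know is no longer than the leaves' 90 days, so a leaf may be issued with a validity that outlasts its issuer and any trust bundle built from `eventing-ca` has to follow each CA renewal. I would state an explicit, longer `duration` and a matching `renewBefore` on the CA Certificate, and add a comment beside `secretName: eventing-ca` such as `# holds the Eventing CA private key; keep read access to this Secret restricted`. The same manifest is added for 1.11.1 and 1.11.2, and the 1.11.3 file repeats the CA block unchanged.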
@@ -0,0 +1,202 @@
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is the issuer that every Eventing component should use to issue their server's certs.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-ca-issuer
+ namespace: knative-eventing
+spec:
+ ca:
+ secretName: eventing-ca
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is the root issuer to bootstrap the eventing CA.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: knative-eventing
+spec:
+ selfSigned: {}
+---
+# This is the Eventing CA certificate.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-ca
+ namespace: knative-eventing
+spec:
+ secretName: eventing-ca
+ isCA: true
+ commonName: selfsigned-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: imc-dispatcher-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: imc-dispatcher-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: imc-dispatcher
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - imc-dispatcher.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-filter-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-filter-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-filter
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - broker-filter.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-ingress-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-ingress-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-ingress
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - broker-ingress.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
diff --git a/cmd/operator/kodata/knative-eventing/1.11.1/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.11.1/4-in-memory-channel.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.1/3-in-memory-channel.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.1/4-in-memory-channel.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.1/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.11.1/5-mt-channel-broker.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.1/4-mt-channel-broker.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.1/5-mt-channel-broker.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.1/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.11.1/6-eventing-post-install.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.1/5-eventing-post-install.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.1/6-eventing-post-install.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.2/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.11.2/3-eventing-tls-networking.yaml
new file mode 100644
index 0000000000..5e4c7069f4
--- /dev/null
+++ b/cmd/operator/kodata/knative-eventing/1.11.2/3-eventing-tls-networking.yaml
@@ -0,0 +1,202 @@
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is the issuer that every Eventing component should use to issue their server's certs.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-ca-issuer
+ namespace: knative-eventing
+spec:
+ ca:
+ secretName: eventing-ca
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is the root issuer to bootstrap the eventing CA.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: knative-eventing
+spec:
+ selfSigned: {}
+---
+# This is the Eventing CA certificate.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-ca
+ namespace: knative-eventing
+spec:
+ secretName: eventing-ca
+ isCA: true
+ commonName: selfsigned-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: imc-dispatcher-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: imc-dispatcher-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: imc-dispatcher
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - imc-dispatcher.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-filter-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-filter-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-filter
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - broker-filter.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mt-broker-ingress-server-tls
+ namespace: knative-eventing
+spec:
+ # Secret names are always required.
+ secretName: mt-broker-ingress-server-tls
+ secretTemplate:
+ labels:
+ app.kubernetes.io/component: broker-ingress
+ app.kubernetes.io/name: knative-eventing
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - local
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ dnsNames:
+ - broker-ingress.knative-eventing.svc.cluster.local
+ issuerRef:
+ name: selfsigned-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
diff --git a/cmd/operator/kodata/knative-eventing/1.11.2/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.11.2/4-in-memory-channel.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.2/3-in-memory-channel.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.2/4-in-memory-channel.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.2/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.11.2/5-mt-channel-broker.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.2/4-mt-channel-broker.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.2/5-mt-channel-broker.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.2/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.11.2/6-eventing-post-install.yaml
similarity index 100%
rename from cmd/operator/kodata/knative-eventing/1.11.2/5-eventing-post-install.yaml
rename to cmd/operator/kodata/knative-eventing/1.11.2/6-eventing-post-install.yaml
diff --git a/cmd/operator/kodata/knative-eventing/1.11.3/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.11.3/3-eventing-tls-networking.yaml
new file mode 100644
index 0000000000..9489887301
--- /dev/null
+++ b/cmd/operator/kodata/knative-eventing/1.11.3/3-eventing-tls-networking.yaml
@@ -0,0 +1,205 @@ +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the issuer that every Eventing component should use to issue their server's certs. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-ca-issuer + namespace: knative-eventing +spec: + ca: + secretName: eventing-ca + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the root issuer to bootstrap the eventing CA. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: knative-eventing +spec: + selfSigned: {} +--- +# This is the Eventing CA certificate. 
+apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: selfsigned-ca + namespace: knative-eventing +spec: + secretName: eventing-ca + isCA: true + commonName: selfsigned-ca + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: selfsigned-issuer + kind: Issuer + group: cert-manager.io + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: imc-dispatcher-server-tls + namespace: knative-eventing +spec: + # Secret names are always required. + secretName: imc-dispatcher-server-tls + secretTemplate: + labels: + app.kubernetes.io/component: imc-dispatcher + app.kubernetes.io/name: knative-eventing + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - local + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + rotationPolicy: Always + dnsNames: + - imc-dispatcher.knative-eventing.svc.cluster.local + - imc-dispatcher.knative-eventing.svc + issuerRef: + name: selfsigned-ca-issuer + kind: Issuer + group: cert-manager.io + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mt-broker-filter-server-tls + namespace: knative-eventing +spec: + # Secret names are always required. + secretName: mt-broker-filter-server-tls + secretTemplate: + labels: + app.kubernetes.io/component: broker-filter + app.kubernetes.io/name: knative-eventing + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - local + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + rotationPolicy: Always + dnsNames: + - broker-filter.knative-eventing.svc.cluster.local + - broker-filter.knative-eventing.svc + issuerRef: + name: selfsigned-ca-issuer + kind: Issuer + group: cert-manager.io + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mt-broker-ingress-server-tls + namespace: knative-eventing +spec: + # Secret names are always required. 
+ secretName: mt-broker-ingress-server-tls + secretTemplate: + labels: + app.kubernetes.io/component: broker-ingress + app.kubernetes.io/name: knative-eventing + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - local + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + rotationPolicy: Always + dnsNames: + - broker-ingress.knative-eventing.svc.cluster.local + - broker-ingress.knative-eventing.svc + issuerRef: + name: selfsigned-ca-issuer + kind: Issuer + group: cert-manager.io + +--- diff --git a/cmd/operator/kodata/knative-eventing/1.11.3/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.11.3/4-in-memory-channel.yaml similarity index 100% rename from cmd/operator/kodata/knative-eventing/1.11.3/3-in-memory-channel.yaml rename to cmd/operator/kodata/knative-eventing/1.11.3/4-in-memory-channel.yaml diff --git a/cmd/operator/kodata/knative-eventing/1.11.3/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.11.3/5-mt-channel-broker.yaml similarity index 100% rename from cmd/operator/kodata/knative-eventing/1.11.3/4-mt-channel-broker.yaml rename to cmd/operator/kodata/knative-eventing/1.11.3/5-mt-channel-broker.yaml diff --git a/cmd/operator/kodata/knative-eventing/1.11.3/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.11.3/6-eventing-post-install.yaml similarity index 100% rename from cmd/operator/kodata/knative-eventing/1.11.3/5-eventing-post-install.yaml rename to cmd/operator/kodata/knative-eventing/1.11.3/6-eventing-post-install.yaml diff --git a/cmd/operator/kodata/knative-eventing/1.11.4/3-eventing-tls-networking.yaml b/cmd/operator/kodata/knative-eventing/1.11.4/3-eventing-tls-networking.yaml new file mode 100644 index 0000000000..9489887301 --- /dev/null +++ b/cmd/operator/kodata/knative-eventing/1.11.4/3-eventing-tls-networking.yaml 
@@ -0,0 +1,205 @@ +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the issuer that every Eventing component should use to issue their server's certs. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-ca-issuer + namespace: knative-eventing +spec: + ca: + secretName: eventing-ca + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the root issuer to bootstrap the eventing CA. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: knative-eventing +spec: + selfSigned: {} +--- +# This is the Eventing CA certificate. 
+apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: selfsigned-ca + namespace: knative-eventing +spec: + secretName: eventing-ca + isCA: true + commonName: selfsigned-ca + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: selfsigned-issuer + kind: Issuer + group: cert-manager.io + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: imc-dispatcher-server-tls + namespace: knative-eventing +spec: + # Secret names are always required. + secretName: imc-dispatcher-server-tls + secretTemplate: + labels: + app.kubernetes.io/component: imc-dispatcher + app.kubernetes.io/name: knative-eventing + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - local + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + rotationPolicy: Always + dnsNames: + - imc-dispatcher.knative-eventing.svc.cluster.local + - imc-dispatcher.knative-eventing.svc + issuerRef: + name: selfsigned-ca-issuer + kind: Issuer + group: cert-manager.io + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mt-broker-filter-server-tls + namespace: knative-eventing +spec: + # Secret names are always required. + secretName: mt-broker-filter-server-tls + secretTemplate: + labels: + app.kubernetes.io/component: broker-filter + app.kubernetes.io/name: knative-eventing + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - local + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + rotationPolicy: Always + dnsNames: + - broker-filter.knative-eventing.svc.cluster.local + - broker-filter.knative-eventing.svc + issuerRef: + name: selfsigned-ca-issuer + kind: Issuer + group: cert-manager.io + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mt-broker-ingress-server-tls + namespace: knative-eventing +spec: + # Secret names are always required. 
+ secretName: mt-broker-ingress-server-tls + secretTemplate: + labels: + app.kubernetes.io/component: broker-ingress + app.kubernetes.io/name: knative-eventing + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - local + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + rotationPolicy: Always + dnsNames: + - broker-ingress.knative-eventing.svc.cluster.local + - broker-ingress.knative-eventing.svc + issuerRef: + name: selfsigned-ca-issuer + kind: Issuer + group: cert-manager.io + +--- diff --git a/cmd/operator/kodata/knative-eventing/1.11.4/3-in-memory-channel.yaml b/cmd/operator/kodata/knative-eventing/1.11.4/4-in-memory-channel.yaml similarity index 100% rename from cmd/operator/kodata/knative-eventing/1.11.4/3-in-memory-channel.yaml rename to cmd/operator/kodata/knative-eventing/1.11.4/4-in-memory-channel.yaml diff --git a/cmd/operator/kodata/knative-eventing/1.11.4/4-mt-channel-broker.yaml b/cmd/operator/kodata/knative-eventing/1.11.4/5-mt-channel-broker.yaml similarity index 100% rename from cmd/operator/kodata/knative-eventing/1.11.4/4-mt-channel-broker.yaml rename to cmd/operator/kodata/knative-eventing/1.11.4/5-mt-channel-broker.yaml diff --git a/cmd/operator/kodata/knative-eventing/1.11.4/5-eventing-post-install.yaml b/cmd/operator/kodata/knative-eventing/1.11.4/6-eventing-post-install.yaml similarity index 100% rename from cmd/operator/kodata/knative-eventing/1.11.4/5-eventing-post-install.yaml rename to cmd/operator/kodata/knative-eventing/1.11.4/6-eventing-post-install.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 833fdd50c4..5d273c7281 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -616,3 +616,18 @@ rules: - deployments verbs: - deletecollection + + # Eventing TLS + - apiGroups: + - "cert-manager.io" + resources: + - certificates + - issuers + verbs: + - create + - delete + - update + - list + - get + - watch + 
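Review bot: The rule added under `# Eventing TLS` in config/rbac/role.yaml gives the operator `create`, `delete` and `update` on `certificates` and `issuers`, and nothing in the hunk limits it to one namespace. Every cert-manager object this commit ships lives in `knative-eventing`, so if this file defines a ClusterRole (its kind is outside the hunk), the operator's service account can create or remove issuers and certificates in every namespace. I would move these verbs into a namespaced Role bound in `knative-eventing`. If that is not possible, record the intent next to the rule, for example `# Eventing TLS: the operator only manages cert-manager objects in knative-eventing`. The rest of the rules list is not visible here.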
diff --git a/pkg/reconciler/knativeeventing/eventing_tls.go b/pkg/reconciler/knativeeventing/eventing_tls.go
new file mode 100644
index 0000000000..bc33620718
--- /dev/null
+++ b/pkg/reconciler/knativeeventing/eventing_tls.go
@@ -0,0 +1,80 @@
+/*
+Copyright 2023 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knativeeventing
+
+import (
+ "context"
+ "fmt"
+
+ mf "github.com/manifestival/manifestival"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/meta"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "knative.dev/eventing/pkg/apis/feature"
+
+ "knative.dev/operator/pkg/apis/operator/base"
+ "knative.dev/operator/pkg/apis/operator/v1beta1"
+)
+
+func (r *Reconciler) handleTLSResources(ctx context.Context, manifests *mf.Manifest, comp base.KComponent) error {
+ instance := comp.(*v1beta1.KnativeEventing)
+
+ if isTLSEnabled(instance) {
+ return nil
+ }
+
+ tlsResourcesPred := byGroup("cert-manager.io")
+
+ // Delete TLS resources (if present)
+ toBeDeleted := manifests.Filter(tlsResourcesPred)
+ if err := toBeDeleted.Delete(mf.IgnoreNotFound(true)); err != nil && !meta.IsNoMatchError(err) {
+ return fmt.Errorf("failed to delete TLS resources: %v", err)
+ }
+
+ // Filter out TLS resources from the final list of manifests
+ *manifests = manifests.Filter(mf.Not(tlsResourcesPred))
+
+ return nil
+}
+
+func byGroup(group string) mf.Predicate {
+ return func(u *unstructured.Unstructured) bool {
+ return u.GroupVersionKind().Group == group
+ }
+}
+
+func isTLSEnabled(instance *v1beta1.KnativeEventing) bool {
+ cmData, ok := getFeaturesConfig(instance)
+ if !ok {
+ return false
+ }
+
+ f, err := feature.NewFlagsConfigFromConfigMap(&corev1.ConfigMap{Data: cmData})
+ if err != nil { + return false + } + + return f.IsPermissiveTransportEncryption() || f.IsStrictTransportEncryption() +} + +func getFeaturesConfig(instance *v1beta1.KnativeEventing) (map[string]string, bool) { + features, ok := instance.Spec.GetConfig()["features"] + if !ok { + features, ok = instance.Spec.GetConfig()["config-features"] + } + return features, ok +} diff --git a/pkg/reconciler/knativeeventing/knativeeventing.go b/pkg/reconciler/knativeeventing/knativeeventing.go index d29fcbf64f..cd82b40309 100644 --- a/pkg/reconciler/knativeeventing/knativeeventing.go +++ b/pkg/reconciler/knativeeventing/knativeeventing.go @@ -120,6 +120,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, ke *v1beta1.KnativeEvent common.AppendAdditionalManifests, r.appendExtensionManifests, r.transform, + r.handleTLSResources, manifests.Install, common.CheckDeployments, common.DeleteObsoleteResources(ctx, ke, r.installed), diff --git a/test/e2e-common.sh b/test/e2e-common.sh index 60400b0fcb..1e06abdd1b 100755 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh @@ -49,7 +49,7 @@ release_eventing_yaml="$(mktemp)" readonly SERVING_ARTIFACTS=("serving" "serving-crds.yaml" "serving-core.yaml" "serving-hpa.yaml" "serving-post-install-jobs.yaml") readonly EVENTING_ARTIFACTS=("eventing" "eventing-crds.yaml" "eventing-core.yaml" "in-memory-channel.yaml" "mt-channel-broker.yaml" - "eventing-post-install.yaml") + "eventing-post-install.yaml" "eventing-tls-networking.yaml") function is_ingress_class() { [[ "${INGRESS_CLASS}" == *"${1}"* ]]
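Review bot: `isTLSEnabled` swallows the error from `feature.NewFlagsConfigFromConfigMap` and returns `false`, so `handleTLSResources` treats an unparsable features config the same as "TLS disabled". On that path it goes on to delete every `cert-manager.io` object in the manifest, which means a typo in the flag value can remove the issuers and server certificates of a cluster that had transport encryption on, with no error reported. The parse error should be returned and the reconcile stopped before anything is deleted, as sketched below. Two smaller points in the same function: the wrap should use `%w` rather than `%v`, and the type assertion `comp.(*v1beta1.KnativeEventing)` is unchecked.

```go
func (r *Reconciler) handleTLSResources(ctx context.Context, manifests *mf.Manifest, comp base.KComponent) error {
	instance := comp.(*v1beta1.KnativeEventing)

	enabled, err := isTLSEnabled(instance)
	if err != nil {
		// Do not delete certificates or issuers when the flag cannot be read.
		return fmt.Errorf("reading transport-encryption feature flag: %w", err)
	}
	if enabled {
		return nil
	}
	// … unchanged: delete and filter out the cert-manager.io resources …
}

// isTLSEnabled reports whether transport encryption is permissive or strict;
// a features config that fails to parse is returned as an error, not as "disabled".
func isTLSEnabled(instance *v1beta1.KnativeEventing) (bool, error) {
	cmData, ok := getFeaturesConfig(instance)
	if !ok {
		return false, nil
	}

	f, err := feature.NewFlagsConfigFromConfigMap(&corev1.ConfigMap{Data: cmData})
	if err != nil {
		return false, err
	}

	return f.IsPermissiveTransportEncryption() || f.IsStrictTransportEncryption(), nil
}
```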
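Review bot: The new `r.handleTLSResources` stage in `ReconcileKind` runs after `common.AppendAdditionalManifests` and `r.appendExtensionManifests`, so it presumably sees those manifests as well as the bundled TLS file. Its predicate is `byGroup("cert-manager.io")`, which would then also delete and filter out any cert-manager Issuer or Certificate a user supplied that way whenever the feature flag is off. If that is intended, say so on the stage with a comment such as `// drops every cert-manager.io object, bundled or user-supplied, when transport encryption is off`; otherwise the predicate should be narrowed to the objects shipped in the TLS networking file. The stage list starts and ends outside this hunk.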