From c1080f76a3e1629d2a9a29ee2f624ab46e0fc8ad Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Fri, 8 Nov 2024 16:11:30 -0300 Subject: [PATCH 01/12] WIP: checkpoint --- signadot/operator/README.md | 13 +++++++++ signadot/operator/templates/_helpers.tpl | 15 ++++++++++ .../signadot-cluster-config-configmap.yaml | 14 ++++++++++ signadot/operator/values.yaml | 28 ++++++++++++++++--- 4 files changed, 66 insertions(+), 4 deletions(-) create mode 100644 signadot/operator/templates/_helpers.tpl create mode 100644 signadot/operator/templates/signadot-cluster-config-configmap.yaml diff --git a/signadot/operator/README.md b/signadot/operator/README.md index c77e7e7..2124616 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md @@ -152,6 +152,8 @@ style resources and are not needed in an installation which uses the new When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes where appropriate to direct traffic to sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. +Enabling Istio will activate the Istio proxy in the following components: the Signadot `agent` (for control-plane access to the cluster), the `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and the managed job runner group (for executing in-cluster smart tests). + | Name | Description | Default | | ----------------------------------- | --------------------------------------------------------------------------------------------------------- | ------- | | `istio.enabled` | Enable Istio integration | `false` | 
@@ -159,3 +161,14 @@ When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates | `istio.additionalLabels` | Labels to add to istio VirtualServices if not present | `{}` | | `istio.enableDeprecatedHostRouting` | Enable sandbox routing by matching the `VirtualService.host` field. **This feature has been deprecated**. | `false` | + +### Linkerd Parameters + +Enabling Linkerd will activate the Linkerd proxy in the following components: the Signadot `agent` (for control-plane access to the cluster), the `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and the managed job runner group (for executing in-cluster smart tests). + +Note that, unlike with Istio, we don't have native integration for Linkerd. Therefore, to enable sandbox routing, DevMesh must be enabled in the relevant workloads. + +| Name | Description | Default | +| ----------------- | ------------------------ | ------- | +| `linkerd.enabled` | Enable Istio integration | `false` | + diff --git a/signadot/operator/templates/_helpers.tpl b/signadot/operator/templates/_helpers.tpl new file mode 100644 index 0000000..b9924cf --- /dev/null +++ b/signadot/operator/templates/_helpers.tpl 
@@ -0,0 +1,15 @@ +{{/* +cluster config template +*/}} +{{- define "compileClusterConfig" -}} +routing: + istio: + enabled: {{ with .Values }}{{ with .istio }}{{ with .enabled }}{{ toString .}}{{- else -}}false{{- end }}{{- else -}}false{{- end }}{{- else -}}false{{- end }} + enableHostRouting: {{ with .Values }}{{ with .istio }}{{ with .enableDeprecatedHostRouting }}{{ toString .}}{{- else -}}false{{- end }}{{- else -}}false{{- end }}{{- else -}}false{{- end }} + linkerd: + enabled: {{ with .Values }}{{ with .linkerd }}{{ with .enabled }}{{ toString .}}{{- else -}}false{{- end }}{{- else -}}false{{- end }}{{- else -}}false{{- end }} + customHeaders: {{ with .Values }}{{ with .routing }}{{ with .customHeaders }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }} +trafficCapture: + requestHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .requestHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }} + responseHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .responseHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }} +{{- end -}} \ No newline at end of file diff --git a/signadot/operator/templates/signadot-cluster-config-configmap.yaml b/signadot/operator/templates/signadot-cluster-config-configmap.yaml new file mode 100644 index 0000000..8ab853b --- /dev/null +++ b/signadot/operator/templates/signadot-cluster-config-configmap.yaml 
@@ -0,0 +1,14 @@ +{{- if and (hasKey .Values "istio") (hasKey .Values.istio "enabled") .Values.istio.enabled + (hasKey .Values "linkerd") (hasKey .Values.linkerd "enabled") .Values.linkerd.enabled +}} +{{ fail "istio and linkerd cannot be enabled at the same time" }} +{{- end }} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: signadot-cluster-config + namespace: signadot +data: + cluster_config.yaml: | + {{- include "compileClusterConfig" . | nindent 4 }} \ No newline at end of file diff --git a/signadot/operator/values.yaml b/signadot/operator/values.yaml index 881068c..d85ab08 100644 --- a/signadot/operator/values.yaml +++ b/signadot/operator/values.yaml @@ -22,13 +22,12 @@ # serviceAnnotations: # exampleServiceLAnnotation: exampleServiceLAnnotationValue -# Add these labels or annotations to all istio objects when they are managed by -# Signadot Note that VirtualServices are only managed by Signadot when they -# route to some sandbox. -# +# Istio settings # istio: # # Enable the integration with Istio # enabled: true +# # Enable sandbox routing by matching the VirtualService.host field (deprecated) +# enableDeprecatedHostRouting: false # # Add these labels or annotations to all istio objects when they are managed by # # Signadot Note that virtual services are only managed by Signadot when they # # route to some sandbox. For virtual services, these labels or annotations are @@ -38,6 +37,11 @@ # additionalAnnotations: # exampleAnnotatonKey: exampleAnnotationValue +# Linkerd settings +# linkerd: +# # Enable the integration with Linkerd +# enabled: true + # By default, this chart will install the operator in # cluster-wide mode, where it watches all namespaces. 
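Review bot: The new ConfigMap hard-codes `namespace: signadot` and carries no labels or annotations, while the Deployment templates in this series range over `.Values.commonLabels` and `.Values.podAnnotations`; if the chart applies `commonLabels` to object metadata elsewhere (not visible here), this object should get the same treatment so that policy and cleanup tooling keyed on those labels also covers it. The `fail` guard at the top is the only place on this page that enforces istio/linkerd mutual exclusion (the per-Deployment `$istioEnabled`/`$linkerdEnabled` prologues do not re-check it), so I would say so in a header comment, e.g. `# Sole enforcement point: istio.enabled and linkerd.enabled are mutually exclusive; rendering aborts if both are set`. The file also ends without a trailing newline.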
@@ -171,3 +175,19 @@ # syncInterval: 60 # disableSSH: false # disableXAP: false + +# routing: +# # Define a list of custom routing headers +# customHeaders: +# - header1 +# - header2 + +# trafficCapture: +# # Request headers to be elided from traffic captures +# requestHeadersElide: +# - header1 +# - header2 +# # Response headers to be elided from traffic captures +# responseHeadersElide: +# - header1 +# - header2 \ No newline at end of file From 10034476ca6c5ddcb0ed5b3a2a0d66cd41f13593 Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Mon, 11 Nov 2024 13:25:26 -0300 Subject: [PATCH 02/12] Routing and traffic capture parameters --- signadot/operator/README.md | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index 2124616..4af23d5 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md 
@@ -148,11 +148,11 @@ style resources and are not needed in an installation which uses the new | `tunnel.auditor.inboundRulesLuaScript` | All inbound traffic (from cluster to workstation) will pass thru this script (if defined) in the Envoy auditor, check [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api) documentation for details | `""` | | `tunnel.auditor.outboundRulesLuaScript` | All outbound traffic (from workstation to cluster) will pass thru this script (if defined) in the Envoy auditor, check [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api) documentation for details | `""` | | | | | -### Istio Parameters +### Istio parameters When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes where appropriate to direct traffic to sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities. -Enabling Istio will activate the Istio proxy in the following components: the Signadot `agent` (for control-plane access to the cluster), the `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and the managed job runner group (for executing in-cluster smart tests). +Enabling Istio will activate the Istio proxy in the following components: in Signadot `agent` (for control-plane access to the cluster), in `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and in the managed job runner group (for executing in-cluster smart tests). 
| Name | Description | Default | | ----------------------------------- | --------------------------------------------------------------------------------------------------------- | ------- | 
@@ -162,13 +162,27 @@ Enabling Istio will activate the Istio proxy in the following components: the Si | `istio.enableDeprecatedHostRouting` | Enable sandbox routing by matching the `VirtualService.host` field. **This feature has been deprecated**. | `false` | -### Linkerd Parameters +### Linkerd parameters -Enabling Linkerd will activate the Linkerd proxy in the following components: the Signadot `agent` (for control-plane access to the cluster), the `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and the managed job runner group (for executing in-cluster smart tests). +Enabling Linkerd will activate the Linkerd proxy in the following components: in Signadot `agent` (for control-plane access to the cluster), in `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and in the managed job runner group (for executing in-cluster smart tests). -Note that, unlike with Istio, we don't have native integration for Linkerd. Therefore, to enable sandbox routing, DevMesh must be enabled in the relevant workloads. +Note that, unlike with Istio, we don't have a native integration for Linkerd. Therefore, to enable sandbox routing, DevMesh must be enabled in the relevant workloads. 
| Name | Description | Default | | ----------------- | ------------------------ | ------- | | `linkerd.enabled` | Enable Istio integration | `false` | + +### Routing parameters + +| Name | Description | Default | +| ----------------------- | ----------------------------------------------- | ------- | +| `routing.customHeaders` | List of custom headers used for sandbox routing | `[]` | + + +### Traffic capture parameters + +| Name | Description | Default | +| ------------------------------------- | ----------------------------------------------------------- | ------- | +| `trafficCapture.requestHeadersElide` | List of request headers to be elided from traffic captures | `[]` | +| `trafficCapture.responseHeadersElide` | List of response headers to be elided from traffic captures | `[]` | \ No newline at end of file From 6a4810b83e21103f19e85f7ef4fa0c9f996a0607 Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Mon, 11 Nov 2024 14:08:17 -0300 Subject: [PATCH 03/12] Run make helm-chart --- .../templates/signadot-controller-manager-deployment.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/signadot/operator/templates/signadot-controller-manager-deployment.yaml b/signadot/operator/templates/signadot-controller-manager-deployment.yaml index 2a09db7..4e03d43 100644 --- a/signadot/operator/templates/signadot-controller-manager-deployment.yaml +++ b/signadot/operator/templates/signadot-controller-manager-deployment.yaml 
@@ -60,10 +60,6 @@ spec: value: {{ with .Values }}{{ with .ioSidecar }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} - name: IO_SIDECAR_IMAGE_PULL_SECRET value: {{ with .Values }}{{ with .ioSidecar }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} - - name: ISTIO_ENABLED - value: {{ with .Values }}{{ with .istio }}{{ with .enabled }}{{ toString . | quote}}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }} - - name: ISTIO_HOST_ROUTING - value: {{ with .Values }}{{ with .istio }}{{ with .enableDeprecatedHostRouting }}{{ toString . | quote}}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }} - name: ISTIO_ADDITIONAL_LABELS value: {{ with .Values }}{{ with .istio }}{{ with .additionalLabels }}{{ mustToJson . | quote}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} - name: ISTIO_ADDITIONAL_ANNOTATIONS From 6bd2d2a1b2f312a8b656daaf374f668f5e9311a5 Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Tue, 12 Nov 2024 12:07:58 -0300 Subject: [PATCH 04/12] Fix cluster config integration with helm --- signadot/operator/templates/agent-deployment.yaml | 11 ++++++++++- .../operator/templates/tunnel-proxy-deployment.yaml | 11 ++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/signadot/operator/templates/agent-deployment.yaml b/signadot/operator/templates/agent-deployment.yaml index 3f343eb..b312141 100644 --- a/signadot/operator/templates/agent-deployment.yaml +++ b/signadot/operator/templates/agent-deployment.yaml 
@@ -1,4 +1,8 @@ # This file is generated. Do not edit. +{{- $istioEnabled := false -}} +{{- with .Values }}{{ with .istio }}{{- if hasKey . "enabled" }}{{ $istioEnabled = .enabled }}{{- end }}{{- end }}{{- end }} +{{- $linkerdEnabled := false -}} +{{- with .Values }}{{ with .linkerd }}{{- if hasKey . "enabled" }}{{ $linkerdEnabled = .enabled }}{{- end }}{{- end }}{{- end }} {{ if not .Values.disableAgent }} apiVersion: apps/v1 kind: Deployment @@ -27,15 +31,20 @@ spec: {{- range $key, $val := .Values.podAnnotations }} {{ $key | quote }}: {{ $val | quote }} {{- end }} + {{- if $linkerdEnabled }} + linkerd.io/inject: enabled + {{- end }} labels: app: signadot-agent - sidecar.istio.io/inject: "true" {{- range $key, $val := .Values.commonLabels }} {{ $key | quote }}: {{ $val | quote }} {{- end }} {{- range $key, $val := .Values.podLabels }} {{ $key | quote }}: {{ $val | quote }} {{- end }} + {{- if $istioEnabled }} + sidecar.istio.io/inject: "true" + {{- end }} spec: containers: - args: diff --git a/signadot/operator/templates/tunnel-proxy-deployment.yaml b/signadot/operator/templates/tunnel-proxy-deployment.yaml index f31a8d7..f55c1f5 100644 --- a/signadot/operator/templates/tunnel-proxy-deployment.yaml +++ b/signadot/operator/templates/tunnel-proxy-deployment.yaml @@ -1,6 +1,8 @@ # This file is generated. Do not edit. {{- $istioEnabled := false -}} {{- with .Values }}{{ with .istio }}{{- if hasKey . "enabled" }}{{ $istioEnabled = .enabled }}{{- end }}{{- end }}{{- end }} +{{- $linkerdEnabled := false -}} +{{- with .Values }}{{ with .linkerd }}{{- if hasKey . "enabled" }}{{ $linkerdEnabled = .enabled }}{{- end }}{{- end }}{{- end }} {{- $auditorEnabled := true -}} {{- with .Values }}{{ with .tunnel }}{{ with .auditor }}{{- if hasKey . "enabled" }}{{ $auditorEnabled = .enabled }}{{- end }}{{- end }}{{- end }}{{- end }} apiVersion: apps/v1 
@@ -34,6 +36,9 @@ spec: {{- range $key, $val := .Values.podAnnotations }} {{ $key | quote }}: {{ $val | quote }} {{- end }} + {{- if $linkerdEnabled }} + linkerd.io/inject: enabled + {{- end }} labels: app: tunnel-proxy {{- range $key, $val := .Values.commonLabels }} @@ -72,7 +77,7 @@ spec: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .resources }} resources: {{ toYaml . | indent 10 }} {{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }} - {{- if and (not $istioEnabled) $auditorEnabled }} + {{- if and (not $istioEnabled) (not $linkerdEnabled) $auditorEnabled }} - args: - -c - /etc/config.yaml @@ -99,7 +104,7 @@ spec: - mountPath: /usr/local/share/lua name: luarocks {{- end }} - {{- if and (not $istioEnabled) $auditorEnabled }} + {{- if and (not $istioEnabled) (not $linkerdEnabled) $auditorEnabled }} initContainers: - env: - name: LUA_ROCKS @@ -124,7 +129,7 @@ spec: {{- end }} serviceAccountName: tunnel-proxy volumes: - {{- if and (not $istioEnabled) $auditorEnabled }} + {{- if and (not $istioEnabled) (not $linkerdEnabled) $auditorEnabled }} - configMap: name: tunnel-auditor-config name: tunnel-auditor-config From 885c1a401a4f39a5e61f2a68fee2e4ba5f3d495e Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Tue, 12 Nov 2024 12:08:07 -0300 Subject: [PATCH 05/12] CRD update --- ...signadot.com-customresourcedefinition.yaml | 147 ++++++++++++++++++ 1 file changed, 147 insertions(+) diff --git a/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml index 492e8fc..fdd05de 100644 --- a/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml +++ b/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml 
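Review bot: With the three changed conditions (`@@ -72`, `@@ -99`, `@@ -124`) the Envoy auditor container, its init container and its config volume are now dropped whenever Linkerd is enabled, just as for Istio, even when `tunnel.auditor.enabled` is true and `tunnel.auditor.inboundRulesLuaScript`/`outboundRulesLuaScript` are configured (the README rows earlier in this series describe those scripts as the inspection point for all workstation-to-cluster traffic). That silently disables a configured traffic-policy control; I would either fail the render when a mesh and auditor Lua rules are both set, or at minimum document it in the Linkerd README section and in this template, e.g. `# The auditor sidecar is not deployed when an Istio or Linkerd proxy is injected; tunnel.auditor.* is ignored in that case.` The same three-term condition is repeated at three sites; hoisting it next to the `$linkerdEnabled` prologue as `{{- $auditorActive := and (not $istioEnabled) (not $linkerdEnabled) $auditorEnabled -}}` keeps them from drifting. The file header marks it as generated, so the change belongs in the generator source as well.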
@@ -7962,6 +7962,64 @@ spec: name: description: Name of the external workload type: string + routing: + description: |- + Routing exposes information about the routing status of the external + workload + properties: + devMesh: + description: |- + DevMesh provides information about the setup of the DevMesh sidecar for + the workload + properties: + enabled: + description: |- + Enabled means that the DevMesh sidecar container is present and ready in + all the baseline workload pods + type: boolean + required: + - enabled + type: object + istio: + description: |- + Istio provides information about the Virtual Service configuration for + each of the baseline services + items: + properties: + baselineService: + description: Baseline service name that includes the + target workload + type: string + matchedVirtualServices: + description: |- + MatchedVirtualServices is a list of the matching virtual services for + the baseline service, along with its status + items: + properties: + message: + description: Status related message + type: string + name: + description: This is the virtual service name + type: string + namespace: + description: This is the virtual service namespace + type: string + status: + description: Status information about the virtual + service configuration + type: string + required: + - name + - namespace + - status + type: object + type: array + required: + - baselineService + type: object + type: array + type: object tunnel: description: |- Tunnel exposes the status of the tunnel behind this external 
@@ -8035,6 +8093,95 @@ spec: - name type: object type: array + forkedWorkloads: + description: Status of each of the forked workloads + items: + properties: + forkTarget: + description: ForkTarget specifies the workload being forked + properties: + apiVersion: + description: APIVersion specifies the API Version (e.g. + "apps/v1") of the object to patch. + type: string + kind: + description: Kind specifies the Kind (e.g. "Deployment") + of the object to patch. + type: string + name: + description: Name specifies the name of the object to patch. + type: string + namespace: + description: Namespace optionally specifies which namespace + will be searched. + type: string + required: + - apiVersion + - kind + - name + type: object + routing: + description: |- + Routing exposes information about the routing status of the forked + workload + properties: + devMesh: + description: |- + DevMesh provides information about the setup of the DevMesh sidecar for + the workload + properties: + enabled: + description: |- + Enabled means that the DevMesh sidecar container is present and ready in + all the baseline workload pods + type: boolean + required: + - enabled + type: object + istio: + description: |- + Istio provides information about the Virtual Service configuration for + each of the baseline services + items: + properties: + baselineService: + description: Baseline service name that includes the + target workload + type: string + matchedVirtualServices: + description: |- + MatchedVirtualServices is a list of the matching virtual services for + the baseline service, along with its status + items: + properties: + message: + description: Status related message + type: string + name: + description: This is the virtual service name + type: string + namespace: + description: This is the virtual service namespace + type: string + status: + description: Status information about the virtual + service configuration + type: string + required: + - name + - namespace + - status + type: 
object + type: array + required: + - baselineService + type: object + type: array + type: object + required: + - forkTarget + type: object + type: array managedResources: description: Status of each of the managed resources items: From e7a63db82e7d20794358c2b02b97917a1ed1ce7e Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Mon, 18 Nov 2024 17:32:45 -0300 Subject: [PATCH 06/12] Add trafficCapture.enabled and sandboxTrafficManager to cluster config --- signadot/operator/templates/_helpers.tpl | 9 ++++++--- .../signadot-controller-manager-deployment.yaml | 2 -- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/signadot/operator/templates/_helpers.tpl b/signadot/operator/templates/_helpers.tpl index b9924cf..c4d92c2 100644 --- a/signadot/operator/templates/_helpers.tpl +++ b/signadot/operator/templates/_helpers.tpl 
@@ -4,12 +4,15 @@ cluster config template {{- define "compileClusterConfig" -}} routing: istio: - enabled: {{ with .Values }}{{ with .istio }}{{ with .enabled }}{{ toString .}}{{- else -}}false{{- end }}{{- else -}}false{{- end }}{{- else -}}false{{- end }} - enableHostRouting: {{ with .Values }}{{ with .istio }}{{ with .enableDeprecatedHostRouting }}{{ toString .}}{{- else -}}false{{- end }}{{- else -}}false{{- end }}{{- else -}}false{{- end }} + enabled: {{ if and (hasKey .Values "istio") (hasKey .Values.istio "enabled") -}}{{ toString .Values.istio.enabled }}{{- else -}}false{{- end }} + enableHostRouting: {{ if and (hasKey .Values "istio") (hasKey .Values.istio "enableDeprecatedHostRouting") -}}{{ toString .Values.istio.enableDeprecatedHostRouting }}{{- else -}}false{{- end }} linkerd: - enabled: {{ with .Values }}{{ with .linkerd }}{{ with .enabled }}{{ toString .}}{{- else -}}false{{- end }}{{- else -}}false{{- end }}{{- else -}}false{{- end }} + enabled: {{ if and (hasKey .Values "linkerd") (hasKey .Values.linkerd "enabled") -}}{{ toString .Values.linkerd.enabled }}{{- else -}}false{{- end }} customHeaders: {{ with .Values }}{{ with .routing }}{{ with .customHeaders }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }} +sandboxTrafficManager: + enabled: {{ if and (hasKey .Values "sandboxTrafficManager") (hasKey .Values.sandboxTrafficManager "enabled") -}}{{ toString .Values.sandboxTrafficManager.enabled }}{{- else -}}true{{- end }} trafficCapture: + enabled: {{ if and (hasKey .Values "trafficCapture") (hasKey .Values.trafficCapture "enabled") -}}{{ toString .Values.trafficCapture.enabled }}{{- else -}}true{{- end }} requestHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .requestHeadersElide }}{{ printf "\n" }}{{ toYaml . 
| indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }} responseHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .responseHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }} {{- end -}} \ No newline at end of file diff --git a/signadot/operator/templates/signadot-controller-manager-deployment.yaml b/signadot/operator/templates/signadot-controller-manager-deployment.yaml index 4e03d43..7092d37 100644 --- a/signadot/operator/templates/signadot-controller-manager-deployment.yaml +++ b/signadot/operator/templates/signadot-controller-manager-deployment.yaml @@ -72,8 +72,6 @@ spec: value: {{ with .Values }}{{ with .jobExecutorProxy }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} - name: JOB_EXECUTOR_PROXY_IMAGE_PULL_SECRET value: {{ with .Values }}{{ with .jobExecutorProxy }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} - - name: SANDBOX_TRAFFICMANAGER_ENABLED - value: {{ with .Values }}{{ with .sandboxTrafficManager }}{{ with .enabled }}{{ toString . | quote}}{{- else -}}"true"{{- end }}{{- else -}}"true"{{- end }}{{- else -}}"true"{{- end }} - name: SANDBOX_TRAFFICMANAGER_INIT_IMAGE_PULL_POLICY value: {{ with .Values }}{{ with .sandboxTrafficManager }}{{ with .init }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} - name: SANDBOX_TRAFFICMANAGER_INIT_IMAGE_PULL_SECRET From 867dca072a2d821f9ce77b811cba9e6c0e3bc9fc Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Mon, 18 Nov 2024 17:33:02 -0300 Subject: [PATCH 07/12] RBAC update from make helm-chart --- .../operator/templates/signadot-agent-clusterrole.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) 
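Review bot: The booleans in this hunk move to the `hasKey`-based form (needed so an explicit `false` is not swallowed by `with`), but `customHeaders`, `requestHeadersElide` and `responseHeadersElide` in the same template keep the nested `with`/`else` chains, leaving two idioms side by side for the same job. For consistency I would convert the list fields too, e.g. `customHeaders: {{ if and (hasKey .Values "routing") (hasKey .Values.routing "customHeaders") .Values.routing.customHeaders }}{{ printf "\n" }}{{ toYaml .Values.routing.customHeaders | indent 4 }}{{- else -}}[]{{- end }}`. The two new `enabled` keys default to `true`, matching the `"true"` default of the `SANDBOX_TRAFFICMANAGER_ENABLED` env var removed in the next hunk (a `trafficCapture` counterpart is presumably handled the same way but is not shown here), so the operator default is unchanged; a short comment above each stating that they replace the former Deployment env vars would make the ConfigMap the obvious place to look when the env no longer carries them.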
diff --git a/signadot/operator/templates/signadot-agent-clusterrole.yaml b/signadot/operator/templates/signadot-agent-clusterrole.yaml index b75ce61..8862508 100644 --- a/signadot/operator/templates/signadot-agent-clusterrole.yaml +++ b/signadot/operator/templates/signadot-agent-clusterrole.yaml @@ -75,4 +75,14 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - signadot-cluster-config + resources: + - configmaps + verbs: + - get + - list + - watch {{ end }} From 80d3591761b92057a0ac67e2976f1d6848aed40d Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Mon, 18 Nov 2024 17:37:35 -0300 Subject: [PATCH 08/12] Update README --- signadot/operator/README.md | 1 + signadot/operator/values.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index 4af23d5..3463b29 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md @@ -184,5 +184,6 @@ Note that, unlike with Istio, we don't have a native integration for Linkerd. Th | Name | Description | Default | | ------------------------------------- | ----------------------------------------------------------- | ------- | +| `trafficCapture.enabled` | Enable traffic capture | `true` | | `trafficCapture.requestHeadersElide` | List of request headers to be elided from traffic captures | `[]` | | `trafficCapture.responseHeadersElide` | List of response headers to be elided from traffic captures | `[]` | \ No newline at end of file diff --git a/signadot/operator/values.yaml b/signadot/operator/values.yaml index d85ab08..98d78d9 100644 --- a/signadot/operator/values.yaml +++ b/signadot/operator/values.yaml @@ -183,6 +183,7 @@ # - header2 # trafficCapture: +# enabled: true # # Request headers to be elided from traffic captures # requestHeadersElide: # - header1 From 0de7c92ef704653c7166ce6328d5ca70c2920f04 Mon Sep 17 00:00:00 2001 
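Review bot: Granting `list` and `watch` under `resourceNames: [signadot-cluster-config]` is the right least-privilege shape, but Kubernetes only authorises such list/watch calls when the request carries a `metadata.name=signadot-cluster-config` field selector; a plain informer over all `configmaps` in the namespace will be denied, so the agent's client (or its cache scope) must be written accordingly — worth a comment on the rule, e.g. `# list/watch are only authorised with a metadata.name field selector matching the resourceName`. Because this is a ClusterRole, the rule reaches a ConfigMap of that name in every namespace unless the binding is a namespaced RoleBinding; the binding is not on this page, so confirm. Only the agent role gains read access here, while the controller-manager Deployment loses its `ISTIO_*`, `SANDBOX_TRAFFICMANAGER_ENABLED` and `ALLOWED_NAMESPACES` env vars in other commits of this series; if the manager reads the ConfigMap too it needs an equivalent rule, since its role changes on this page only touch `endpoints`.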
From: Daniel De Vera Date: Mon, 25 Nov 2024 18:17:33 -0300 Subject: [PATCH 09/12] Implement and document allowed namespaces --- signadot/operator/README.md | 9 ++++++++- signadot/operator/templates/_helpers.tpl | 21 ++++++++++++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index 3463b29..b187ab0 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md @@ -66,6 +66,14 @@ kubectl delete ns signadot | `serviceLabels` | Labels to add to all deployed `Service` objects | `{}` | | `serviceAnnotations` | Annotations to add to all deployed `Service` objects | `{}` | +### Controller Manager parameters + +| Name | Description | Default | +| ------------------------------- | --------------------------------------------------------------------------- | ------- | +| `allowedNamespaces` | Restrict the namespaces in which `signadot-controller-manager` will operate | `[]` | +| `sandboxTrafficManager.enabled` | Whether to enable the sandbox traffic manager sidecar on forked workloads | `true` | + + ### Image customization parameters The parameters in the table below allow one to specify image names for the 
@@ -120,7 +128,6 @@ style resources and are not needed in an installation which uses the new | `jobExecutorProxy.image` | Job Executor Proxy container image override | `signadot/job-executor-proxy:vX.Y.Z` | | `jobExecutorProxy.imagePullPolicy` | Job Executor Proxy container image pull policy | `IfNotPresent` | | `jobExecutorProxy.imagePullSecret` | Job Executor Proxy container image pull secret | `""` | -| `sandboxTrafficManager.enabled` | Whether to enable the sandbox traffic manager sidecar on forked workloads | `true` | | `sandboxTrafficManager.init.Image` | Sandbox traffic manager sidecar image override | `signadot/sandbox-traffic-manager:vX.Y.Z` | | `sandboxTrafficManager.init.ImagePullPolicy` | Sandbox traffic manager sidecar image pull policy | `IfNotPresent` | | `sandboxTrafficManager.init.ImagePullSecret` | Sandbox traffic manager sidecar image pull secret | `""` | diff --git a/signadot/operator/templates/_helpers.tpl b/signadot/operator/templates/_helpers.tpl index c4d92c2..e4dbc0d 100644 --- a/signadot/operator/templates/_helpers.tpl +++ b/signadot/operator/templates/_helpers.tpl @@ -1,7 +1,10 @@ + {{/* cluster config template */}} {{- define "compileClusterConfig" -}} +{{- $allowedNamespaces := (include "getAllowedNamespaces" . | fromJsonArray) -}} +allowedNamespaces: {{ if gt (len $allowedNamespaces) 0 }}{{ printf "\n" }}{{ toYaml $allowedNamespaces | indent 2}}{{- else -}}[]{{- end }} routing: istio: enabled: {{ if and (hasKey .Values "istio") (hasKey .Values.istio "enabled") -}}{{ toString .Values.istio.enabled }}{{- else -}}false{{- end }} 
@@ -15,4 +18,20 @@ trafficCapture: enabled: {{ if and (hasKey .Values "trafficCapture") (hasKey .Values.trafficCapture "enabled") -}}{{ toString .Values.trafficCapture.enabled }}{{- else -}}true{{- end }} requestHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .requestHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }} responseHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .responseHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} + + +{{/* +get allowed namespaces +*/}} +{{- define "getAllowedNamespaces" -}} +{{- if .Values.allowedNamespaces }} + {{- $userNamespaces := .Values.allowedNamespaces -}} + {{- if not (has "signadot" $userNamespaces) }} + {{- $userNamespaces = append $userNamespaces "signadot" -}} + {{- end }} +{{- $userNamespaces | toJson -}} +{{- else -}} +[] +{{- end }} +{{- end }} \ No newline at end of file From 5909b779f5bf76d2f9013da3c69d07acac645f0c Mon Sep 17 00:00:00 2001 From: Daniel De Vera Date: Mon, 25 Nov 2024 18:17:54 -0300 Subject: [PATCH 10/12] Result of make helm-charts --- signadot/operator/templates/allowed_namespaces.yaml | 3 ++- .../signadot-controller-manager-deployment.yaml | 2 -- .../signadot-manager-namespaced-clusterrole.yaml | 1 + .../templates/signadot-manager-role-clusterrole.yaml | 12 ------------ 4 files changed, 3 insertions(+), 15 deletions(-) diff --git a/signadot/operator/templates/allowed_namespaces.yaml b/signadot/operator/templates/allowed_namespaces.yaml index ad80fee..97878e8 100644 --- a/signadot/operator/templates/allowed_namespaces.yaml +++ b/signadot/operator/templates/allowed_namespaces.yaml 
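Review bot: `getAllowedNamespaces` silently appends `signadot` to whatever the administrator set in `allowedNamespaces`, and returns `[]` when the value is empty, which the existing values.yaml comment describes as cluster-wide mode — neither fact is visible from the README row added in this commit, and the helper's header is a single phrase. Since this list is the scope boundary for the manager's namespaced RoleBindings (allowed_namespaces.yaml ranges over this helper's output in the next commit), I would document it explicitly: replace the `get allowed namespaces` header with a comment stating that an empty list means no restriction, that the operator's own namespace `signadot` is always added, and that the result is JSON intended for `fromJsonArray`; and extend the README description with `(empty means all namespaces; signadot is always included)`. The namespace is also hard-coded rather than taken from `.Release.Namespace`, consistent with `namespace: signadot` in the new ConfigMap template; acceptable if the chart requires that namespace, but worth stating in the same comment.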
@@ -1,6 +1,7 @@ # Bind the ClusterRole containing namespaced permissions to the # controller-manager's ServiceAccount only in the specified namespaces. -{{ range $namespace := .Values.allowedNamespaces }} +{{- $allowedNamespaces := (include "getAllowedNamespaces" . | fromJsonArray) -}} +{{ range $namespace := $allowedNamespaces }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/signadot/operator/templates/signadot-controller-manager-deployment.yaml b/signadot/operator/templates/signadot-controller-manager-deployment.yaml index 7092d37..d3f36f0 100644 --- a/signadot/operator/templates/signadot-controller-manager-deployment.yaml +++ b/signadot/operator/templates/signadot-controller-manager-deployment.yaml @@ -42,8 +42,6 @@ spec: command: - /manager env: - - name: ALLOWED_NAMESPACES - value: {{ range $i, $val := .Values.allowedNamespaces }}{{ if gt $i 0 }},{{ end }}{{ $val }}{{ else }}""{{ end }} - name: SIDECAR_INIT_IMAGE_PULL_POLICY value: {{ with .Values }}{{ with .routeInit }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} - name: SIDECAR_INIT_IMAGE_PULL_SECRET diff --git a/signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml b/signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml index 31faa68..c62f1a0 100644 --- a/signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml +++ b/signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml @@ -26,6 +26,7 @@ rules: - "" resources: - pods + - endpoints verbs: - create - delete diff --git a/signadot/operator/templates/signadot-manager-role-clusterrole.yaml b/signadot/operator/templates/signadot-manager-role-clusterrole.yaml index e618cba..77d8ba9 100644 --- a/signadot/operator/templates/signadot-manager-role-clusterrole.yaml +++ b/signadot/operator/templates/signadot-manager-role-clusterrole.yaml 
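Review bot: Adding `endpoints` with `create`/`delete` (the remaining verbs fall outside the hunk) to the namespaced ClusterRole lets the controller-manager's ServiceAccount repoint any Service in every namespace where `allowed_namespaces.yaml` binds it, which sandbox routing needs but which is also a well-known lateral-movement primitive if that token leaks. Since the binding set is now derived entirely from `allowedNamespaces`, the README should state that this value bounds where the operator may rewrite Endpoints, and a comment on the rule such as `# endpoints writes are required for sandbox routing; scope is limited to allowedNamespaces via RoleBindings` would make the intent clear to anyone auditing RBAC. Moving the same permission out of the cluster-wide `signadot-manager-role` in the sibling hunk is the right direction; this note only asks that the remaining scope be documented.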
@@ -12,18 +12,6 @@ metadata: {{- end }} name: signadot-manager-role rules: -- apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - admissionregistration.k8s.io resourceNames: From 4c40ce59ddfc3d96a6f7e5ceaaf8c72c2e4d9363 Mon Sep 17 00:00:00 2001 From: Anirudh Ramanathan Date: Wed, 4 Dec 2024 07:08:47 -0800 Subject: [PATCH 11/12] Update README.md --- signadot/operator/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/signadot/operator/README.md b/signadot/operator/README.md index b187ab0..2709e08 100644 --- a/signadot/operator/README.md +++ b/signadot/operator/README.md @@ -173,11 +173,11 @@ Enabling Istio will activate the Istio proxy in the following components: in Sig Enabling Linkerd will activate the Linkerd proxy in the following components: in Signadot `agent` (for control-plane access to the cluster), in `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and in the managed job runner group (for executing in-cluster smart tests). -Note that, unlike with Istio, we don't have a native integration for Linkerd. Therefore, to enable sandbox routing, DevMesh must be enabled in the relevant workloads. +Note that, unlike with Istio, routing in Linkerd is not expressed via Linkerd CRDs, but by using the DevMesh sidecars in the relevant workloads. | Name | Description | Default | | ----------------- | ------------------------ | ------- | -| `linkerd.enabled` | Enable Istio integration | `false` | +| `linkerd.enabled` | Enable Linkerd integration | `false` | ### Routing parameters 
@@ -193,4 +193,4 @@ Note that, unlike with Istio, we don't have a native integration for Linkerd. Th | ------------------------------------- | ----------------------------------------------------------- | ------- | | `trafficCapture.enabled` | Enable traffic capture | `true` | | `trafficCapture.requestHeadersElide` | List of request headers to be elided from traffic captures | `[]` | -| `trafficCapture.responseHeadersElide` | List of response headers to be elided from traffic captures | `[]` | \ No newline at end of file +| `trafficCapture.responseHeadersElide` | List of response headers to be elided from traffic captures | `[]` | From cbac67c8378ce10154a391403ad141fdbb22e3b8 Mon Sep 17 00:00:00 2001 From: Anirudh Ramanathan Date: Wed, 4 Dec 2024 13:21:00 -0800 Subject: [PATCH 12/12] prepare for v0.19.1 --- signadot/operator/Chart.yaml | 4 ++-- .../operator/templates/agent-deployment.yaml | 4 +++- .../io-context-server-deployment.yaml | 2 +- .../templates/routeserver-deployment.yaml | 2 +- ...ignadot-controller-manager-deployment.yaml | 22 ++++++++++--------- .../templates/tunnel-api-deployment.yaml | 2 +- .../templates/tunnel-proxy-deployment.yaml | 4 ++-- 7 files changed, 22 insertions(+), 18 deletions(-) diff --git a/signadot/operator/Chart.yaml b/signadot/operator/Chart.yaml index 3d35147..d9c2bb7 100644 --- a/signadot/operator/Chart.yaml +++ b/signadot/operator/Chart.yaml 
@@ -6,10 +6,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.19.0" +version: "0.19.1" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.19.0" +appVersion: "0.19.1" diff --git a/signadot/operator/templates/agent-deployment.yaml b/signadot/operator/templates/agent-deployment.yaml index b312141..d10c797 100644 --- a/signadot/operator/templates/agent-deployment.yaml +++ b/signadot/operator/templates/agent-deployment.yaml @@ -31,6 +31,8 @@ spec: {{- range $key, $val := .Values.podAnnotations }} {{ $key | quote }}: {{ $val | quote }} {{- end }} + cluster-config-checksum: '{{ include (print $.Template.BasePath "/signadot-cluster-config-configmap.yaml") + . | sha256sum }}' {{- if $linkerdEnabled }} linkerd.io/inject: enabled {{- end }} @@ -57,7 +59,7 @@ spec: secretKeyRef: key: token name: cluster-agent - image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.19.0{{- end }}{{- else -}}signadot/agent:v0.19.0{{- end }}{{- else -}}signadot/agent:v0.19.0{{- end }} + image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.19.1{{- end }}{{- else -}}signadot/agent:v0.19.1{{- end }}{{- else -}}signadot/agent:v0.19.1{{- end }} imagePullPolicy: {{ with .Values }}{{ with .agent }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} livenessProbe: httpGet: 
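Review bot: The new `cluster-config-checksum` pod annotation is emitted after the user-supplied `podAnnotations` range, so a user who sets a key of the same name produces a duplicate mapping key in the rendered pod template, and the key carries no prefix where Helm charts conventionally use `checksum/<name>`. Suggest `checksum/cluster-config: '{{ include (print $.Template.BasePath "/signadot-cluster-config-configmap.yaml") . | sha256sum }}'`, rendered before the range so the chart-owned key is fixed and a colliding user value is the one that wins or is rejected (which of the two happens depends on the YAML decoder in the path — verify rather than assume). The same annotation in signadot-controller-manager-deployment.yaml is placed before its `commonAnnotations` range, so the two deployments should at least agree on ordering and key name.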
diff --git a/signadot/operator/templates/io-context-server-deployment.yaml b/signadot/operator/templates/io-context-server-deployment.yaml index c29635b..e581694 100644 --- a/signadot/operator/templates/io-context-server-deployment.yaml +++ b/signadot/operator/templates/io-context-server-deployment.yaml @@ -40,7 +40,7 @@ spec: - /app/io-context-server - -tls=secretns=signadot - -port=8443 - image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.19.0{{- end }}{{- else -}}signadot/io-context-server:v0.19.0{{- end }}{{- else -}}signadot/io-context-server:v0.19.0{{- end }} + image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.19.1{{- end }}{{- else -}}signadot/io-context-server:v0.19.1{{- end }}{{- else -}}signadot/io-context-server:v0.19.1{{- end }} imagePullPolicy: {{ with .Values }}{{ with .ioContextServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} name: io-context-server ports: diff --git a/signadot/operator/templates/routeserver-deployment.yaml b/signadot/operator/templates/routeserver-deployment.yaml index bc836e3..952b64a 100644 --- a/signadot/operator/templates/routeserver-deployment.yaml +++ b/signadot/operator/templates/routeserver-deployment.yaml 
@@ -36,7 +36,7 @@ spec: {{- end }} spec: containers: - - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.19.0{{- end }}{{- else -}}signadot/route-server:v0.19.0{{- end }}{{- else -}}signadot/route-server:v0.19.0{{- end }} + - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.19.1{{- end }}{{- else -}}signadot/route-server:v0.19.1{{- end }}{{- else -}}signadot/route-server:v0.19.1{{- end }} imagePullPolicy: {{ with .Values }}{{ with .routeServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} name: routeserver ports: diff --git a/signadot/operator/templates/signadot-controller-manager-deployment.yaml b/signadot/operator/templates/signadot-controller-manager-deployment.yaml index d3f36f0..5c03693 100644 --- a/signadot/operator/templates/signadot-controller-manager-deployment.yaml +++ b/signadot/operator/templates/signadot-controller-manager-deployment.yaml @@ -21,6 +21,8 @@ spec: template: metadata: annotations: + cluster-config-checksum: '{{ include (print $.Template.BasePath "/signadot-cluster-config-configmap.yaml") + . | sha256sum }}' {{- range $key, $val := .Values.commonAnnotations }} {{ $key | quote }}: {{ $val | quote }} {{- end }} 
@@ -79,26 +81,26 @@ spec: - name: SANDBOX_TRAFFICMANAGER_SIDECAR_IMAGE_PULL_SECRET value: {{ with .Values }}{{ with .sandboxTrafficManager }}{{ with .sidecar }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} - name: SIDECAR_INIT_IMAGE - value: {{ with .Values }}{{ with .routeInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-init:v0.19.0{{- end }}{{- else -}}signadot/route-sidecar-init:v0.19.0{{- end }}{{- else -}}signadot/route-sidecar-init:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .routeInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-init:v0.19.1{{- end }}{{- else -}}signadot/route-sidecar-init:v0.19.1{{- end }}{{- else -}}signadot/route-sidecar-init:v0.19.1{{- end }} - name: LEGACY_SIDECAR_INIT_IMAGE value: {{ with .Values }}{{ with .routeInit }}{{ with .legacy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }} - name: ROUTE_SIDECAR_IMAGE - value: {{ with .Values }}{{ with .routeSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar:v0.19.0{{- end }}{{- else -}}signadot/route-sidecar:v0.19.0{{- end }}{{- else -}}signadot/route-sidecar:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .routeSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar:v0.19.1{{- end }}{{- else -}}signadot/route-sidecar:v0.19.1{{- end }}{{- else -}}signadot/route-sidecar:v0.19.1{{- end }} - name: LEGACY_ROUTE_SIDECAR_IMAGE - value: {{ with .Values }}{{ with .routeSidecar }}{{ with .legacy }}{{ with .image }}{{ . 
| quote}}{{- else -}}signadot/route-sidecar-legacy:v0.19.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.19.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.19.0{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .routeSidecar }}{{ with .legacy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar-legacy:v0.19.1{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.19.1{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.19.1{{- end }}{{- else -}}signadot/route-sidecar-legacy:v0.19.1{{- end }} - name: IO_INIT_IMAGE - value: {{ with .Values }}{{ with .ioInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-init:v0.19.0{{- end }}{{- else -}}signadot/io-init:v0.19.0{{- end }}{{- else -}}signadot/io-init:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .ioInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-init:v0.19.1{{- end }}{{- else -}}signadot/io-init:v0.19.1{{- end }}{{- else -}}signadot/io-init:v0.19.1{{- end }} - name: IO_SIDECAR_IMAGE - value: {{ with .Values }}{{ with .ioSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-sidecar:v0.19.0{{- end }}{{- else -}}signadot/io-sidecar:v0.19.0{{- end }}{{- else -}}signadot/io-sidecar:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .ioSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-sidecar:v0.19.1{{- end }}{{- else -}}signadot/io-sidecar:v0.19.1{{- end }}{{- else -}}signadot/io-sidecar:v0.19.1{{- end }} - name: JOB_EXECUTOR_INIT_IMAGE - value: {{ with .Values }}{{ with .jobExecutorInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/job-executor-init:v0.19.0{{- end }}{{- else -}}signadot/job-executor-init:v0.19.0{{- end }}{{- else -}}signadot/job-executor-init:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .jobExecutorInit }}{{ with .image }}{{ . 
| quote}}{{- else -}}signadot/job-executor-init:v0.19.1{{- end }}{{- else -}}signadot/job-executor-init:v0.19.1{{- end }}{{- else -}}signadot/job-executor-init:v0.19.1{{- end }} - name: JOB_EXECUTOR_PROXY_IMAGE - value: {{ with .Values }}{{ with .jobExecutorProxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/job-executor-proxy:v0.19.0{{- end }}{{- else -}}signadot/job-executor-proxy:v0.19.0{{- end }}{{- else -}}signadot/job-executor-proxy:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .jobExecutorProxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/job-executor-proxy:v0.19.1{{- end }}{{- else -}}signadot/job-executor-proxy:v0.19.1{{- end }}{{- else -}}signadot/job-executor-proxy:v0.19.1{{- end }} - name: SANDBOX_TRAFFICMANAGER_INIT_IMAGE - value: {{ with .Values }}{{ with .sandboxTrafficManager }}{{ with .init }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/sandbox-traffic-manager-init:v0.19.0{{- end }}{{- else -}}signadot/sandbox-traffic-manager-init:v0.19.0{{- end }}{{- else -}}signadot/sandbox-traffic-manager-init:v0.19.0{{- end }}{{- else -}}signadot/sandbox-traffic-manager-init:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .sandboxTrafficManager }}{{ with .init }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/sandbox-traffic-manager-init:v0.19.1{{- end }}{{- else -}}signadot/sandbox-traffic-manager-init:v0.19.1{{- end }}{{- else -}}signadot/sandbox-traffic-manager-init:v0.19.1{{- end }}{{- else -}}signadot/sandbox-traffic-manager-init:v0.19.1{{- end }} - name: SANDBOX_TRAFFICMANAGER_SIDECAR_IMAGE - value: {{ with .Values }}{{ with .sandboxTrafficManager }}{{ with .sidecar }}{{ with .image }}{{ . 
| quote}}{{- else -}}signadot/sandbox-traffic-manager-sidecar:v0.19.0{{- end }}{{- else -}}signadot/sandbox-traffic-manager-sidecar:v0.19.0{{- end }}{{- else -}}signadot/sandbox-traffic-manager-sidecar:v0.19.0{{- end }}{{- else -}}signadot/sandbox-traffic-manager-sidecar:v0.19.0{{- end }} - image: {{ with .Values }}{{ with .operator }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/operator:v0.19.0{{- end }}{{- else -}}signadot/operator:v0.19.0{{- end }}{{- else -}}signadot/operator:v0.19.0{{- end }} + value: {{ with .Values }}{{ with .sandboxTrafficManager }}{{ with .sidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/sandbox-traffic-manager-sidecar:v0.19.1{{- end }}{{- else -}}signadot/sandbox-traffic-manager-sidecar:v0.19.1{{- end }}{{- else -}}signadot/sandbox-traffic-manager-sidecar:v0.19.1{{- end }}{{- else -}}signadot/sandbox-traffic-manager-sidecar:v0.19.1{{- end }} + image: {{ with .Values }}{{ with .operator }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/operator:v0.19.1{{- end }}{{- else -}}signadot/operator:v0.19.1{{- end }}{{- else -}}signadot/operator:v0.19.1{{- end }} imagePullPolicy: {{ with .Values }}{{ with .operator }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} livenessProbe: httpGet: diff --git a/signadot/operator/templates/tunnel-api-deployment.yaml b/signadot/operator/templates/tunnel-api-deployment.yaml index 4c0713c..2d8df9b 100644 --- a/signadot/operator/templates/tunnel-api-deployment.yaml +++ b/signadot/operator/templates/tunnel-api-deployment.yaml 
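Review bot: `LEGACY_SIDECAR_INIT_IMAGE` keeps its default of `signadot/sd-init-networking:latest` while every other image default in this hunk is pinned to `v0.19.1`; with an `IfNotPresent` pull policy a mutable tag means different nodes can run different, unauditable builds of a container that is injected into user workloads. If there is no versioned tag for the legacy image, pin it by digest (`signadot/sd-init-networking@sha256:<digest>`) and add a comment in values.yaml explaining why it does not track the chart version. What privileges that init container requests is not visible here, so I cannot say how much the floating tag widens the blast radius.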
@@ -45,7 +45,7 @@ spec: {{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }} {{ with .Values }}{{ with .tunnel }}{{ with .config }}{{ with .externalDNS }}{{ with .syncInterval }} - --external-dns-resync-interval={{ . }} {{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }}{{- else -}}{{- end }} - image: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-api:v0.19.0{{- end }}{{- else -}}signadot/tunnel-api:v0.19.0{{- end }}{{- else -}}signadot/tunnel-api:v0.19.0{{- end }}{{- else -}}signadot/tunnel-api:v0.19.0{{- end }} + image: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-api:v0.19.1{{- end }}{{- else -}}signadot/tunnel-api:v0.19.1{{- end }}{{- else -}}signadot/tunnel-api:v0.19.1{{- end }}{{- else -}}signadot/tunnel-api:v0.19.1{{- end }} imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} name: tunnel-api ports: diff --git a/signadot/operator/templates/tunnel-proxy-deployment.yaml b/signadot/operator/templates/tunnel-proxy-deployment.yaml index f55c1f5..bba69f9 100644 --- a/signadot/operator/templates/tunnel-proxy-deployment.yaml +++ b/signadot/operator/templates/tunnel-proxy-deployment.yaml 
@@ -65,7 +65,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - image: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-proxy:v0.19.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.19.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.19.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.19.0{{- end }} + image: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-proxy:v0.19.1{{- end }}{{- else -}}signadot/tunnel-proxy:v0.19.1{{- end }}{{- else -}}signadot/tunnel-proxy:v0.19.1{{- end }}{{- else -}}signadot/tunnel-proxy:v0.19.1{{- end }} imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} name: tunnel-proxy ports: 
@@ -113,7 +113,7 @@ spec: value: "10000" - name: OUTBOUND_AUDITOR_PORT value: "10001" - image: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-auditor-init:v0.19.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.19.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.19.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.19.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.19.0{{- end }} + image: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/tunnel-auditor-init:v0.19.1{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.19.1{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.19.1{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.19.1{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.19.1{{- end }} imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} name: auditor-init securityContext: