Merge branch 'main' into feat/default-admission

Kong · Feb 2, 2023 · 61760a7 · 61760a7
2 parents c2f4833 + 69f9534
commit 61760a7
Show file tree

Hide file tree

Showing 12 changed files with 199 additions and 83 deletions.
diff --git a/.github/workflows/main-pr.yaml b/.github/workflows/main-pr.yaml
@@ -58,6 +58,17 @@ jobs:
 
   integration-test:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        kubernetes-version:
+        - "1.19.16"
+        - "1.20.15"
+        - "1.21.14"
+        - "1.22.15"
+        - "1.23.13"
+        - "1.24.7"
+        - "1.25.3"
+        - "1.26.0"
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -70,6 +81,8 @@ jobs:
           version: v3.11.0
 
       - name: setup testing environment (kind-cluster)
+        env:
+          KUBERNETES_VERSION: ${{ matrix.kubernetes-version }}
         run: ./scripts/test-env.sh
 
       - name: run integration tests (integration)

diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
@@ -8,13 +8,23 @@ Nothing yet.
 
 ### Improvements
 
-* Enable users to specify their own labels and annotations to generated PodSecurityPolicy
+* Let users specify their own labels and annotations for generated PodSecurityPolicy.
   [#721](https://github.com/Kong/charts/pull/721)
 * Enable the admission webhook by default. This can reject configuration, but
   is not expected to be a meaningfully breaking change. Existing configuration
   is not affected, and any new changes that the webhook would reject would also
   be rejected by Kong.
   [#727](https://github.com/Kong/charts/pull/727)
+* Replaced static secret with projected volume in deployment.
+  [#722](https://github.com/Kong/charts/pull/722)
+* Reject invalid log config values.
+  [#733](https://github.com/Kong/charts/pull/733)
+* Update custom resource definitions to latest v2.8.1 from
+  kong/kubernetes-ingress-controller
+  [#730](https://github.com/Kong/charts/pull/730)
+* Respect setting `.Values.deployment.serviceAccount.automountServiceAccountToken` in
+  migrations Jobs. This was already the case for the Deployment.
+  [#729](https://github.com/Kong/charts/pull/729)
 
 ## 2.15.3
 
@@ -64,7 +74,7 @@ but doing so is not required.
 ### Improvements
 
 * Default Kong and KIC versions bumped to 3.1 and 2.8.
-* UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream). 
+* UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream).
   This can be still overridden to TCP by specifying the protocol explicitly, but it is not recommended to do so.
   [#682](https://github.com/Kong/charts/pull/682)
 * Supported `autoscaling/v2` API

diff --git a/charts/kong/README.md b/charts/kong/README.md
@@ -565,7 +565,7 @@ namespaces. Limiting access requires several changes to configuration:
 - Set `ingressController.watchNamespaces` to a list of namespaces you want to
   watch. The chart will automatically generate roles for each namespace and
   assign them to the controller's service account.
-- Optionally set `ingressContrller.installCRDs=false` if your user role (the
+- Optionally set `ingressController.installCRDs=false` if your user role (the
   role you use when running `helm install`, not the controller service
   account's role) does not have access to get CRDs. By default, the chart
   attempts to look up the controller CRDs for [a legacy behavior

diff --git a/charts/kong/crds/custom-resource-definitions.yaml b/charts/kong/crds/custom-resource-definitions.yaml
diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl
@@ -927,6 +927,11 @@ the template that it itself is using form the above sections.
 
 {{- $userEnv := dict -}}
 {{- range $key, $val := .Values.env }}
+  {{- if (contains "_log" $key) -}}
+    {{- if (eq (typeOf $val) "bool") -}}
+      {{- fail (printf "env.%s must use string 'off' to disable. Without quotes, YAML will coerce the value to a boolean and Kong will reject it" $key) -}}
+	{{- end -}}
+  {{- end -}}
   {{- $upper := upper $key -}}
   {{- $var := printf "KONG_%s" $upper -}}
   {{- $_ := set $userEnv $var $val -}}

diff --git a/charts/kong/templates/deployment.yaml b/charts/kong/templates/deployment.yaml
@@ -298,6 +298,24 @@ spec:
       {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
       {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
         - name: {{ template "kong.serviceAccountTokenName" . }}
+          {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+          projected:
+            sources:
+            - serviceAccountToken:
+                expirationSeconds: 3607
+                path: token
+            - configMap:
+                items:
+                - key: ca.crt
+                  path: ca.crt
+                name: kube-root-ca.crt
+            - downwardAPI:
+                items:
+                - fieldRef:
+                    apiVersion: v1
+                    fieldPath: metadata.namespace
+                  path: namespace
+          {{- else }}
           secret:
             secretName: {{ template "kong.serviceAccountTokenName" . }}
             items:
@@ -307,5 +325,6 @@ spec:
               path: ca.crt
             - key: namespace
               path: namespace
+          {{- end }}
       {{- end }}
 {{- end }}
diff --git a/charts/kong/templates/migrations-post-upgrade.yaml b/charts/kong/templates/migrations-post-upgrade.yaml
@@ -33,10 +33,12 @@ spec:
     spec:
       {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
+      {{- end }}
+      {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
       automountServiceAccountToken: true
       {{- else }}
       automountServiceAccountToken: false
-      {{- end }}
+      {{ end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}

diff --git a/charts/kong/templates/migrations-pre-upgrade.yaml b/charts/kong/templates/migrations-pre-upgrade.yaml
@@ -33,10 +33,12 @@ spec:
     spec:
       {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
+      {{- end }}
+      {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
       automountServiceAccountToken: true
       {{- else }}
       automountServiceAccountToken: false
-      {{- end }}
+      {{ end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}

diff --git a/charts/kong/templates/migrations.yaml b/charts/kong/templates/migrations.yaml
@@ -41,10 +41,12 @@ spec:
     spec:
       {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
+      {{- end }}
+      {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
       automountServiceAccountToken: true
       {{- else }}
       automountServiceAccountToken: false
-      {{- end }}
+      {{ end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}

diff --git a/charts/kong/templates/secret-sa-token.yaml b/charts/kong/templates/secret-sa-token.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
+{{- if and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) (semverCompare "<1.20" .Capabilities.KubeVersion.Version) }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
@@ -819,6 +819,7 @@ podSecurityPolicy:
       - 'configMap'
       - 'secret'
       - 'emptyDir'
+      - 'projected'
     allowPrivilegeEscalation: false
     hostNetwork: false
     hostIPC: false

diff --git a/scripts/test-env.sh b/scripts/test-env.sh
@@ -31,6 +31,7 @@ set -euo pipefail
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 cd "${SCRIPT_DIR}/.."
 KIND_VERSION="${KIND_VERSION:-v0.17.0}"
+KUBERNETES_VERSION="${KUBERNETES_VERSION:-1.26.0}"
 
 # ------------------------------------------------------------------------------
 # Setup Tools - Docker
@@ -67,7 +68,7 @@ kind version 1>/dev/null
 if ! command -v ktf 1>/dev/null
 then
     mkdir -p "${HOME}"/.local/bin
-    curl --proto '=https' -sSf https://kong.github.io/kubernetes-testing-framework/install.sh | bash
+    GOBIN="${HOME}"/.local/bin go install github.com/kong/kubernetes-testing-framework/cmd/ktf@latest
     export PATH="${HOME}/.local/bin:$PATH"
 fi
 
@@ -78,7 +79,7 @@ ktf 1>/dev/null
 # Create Testing Environment
 # ------------------------------------------------------------------------------
 
-ktf environments create --name "${TEST_ENV_NAME}" --addon metallb --addon kuma --kubernetes-version 1.25.3
+ktf environments create --name "${TEST_ENV_NAME}" --addon metallb --addon kuma --kubernetes-version ${KUBERNETES_VERSION}
 
 kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v0.5.1" | kubectl apply -f -