From 892774eb2780794e0cf7522d16a27f3dd621f0a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patryk=20Ma=C5=82ek?=
Date: Tue, 31 Jan 2023 15:54:14 +0100
Subject: [PATCH 1/7] feat(ci): add matrix testing for different kubernetes versions
---
 .github/workflows/main-pr.yaml | 13 +++++++++++++
 scripts/test-env.sh | 5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main-pr.yaml b/.github/workflows/main-pr.yaml
index eea0812c5..4c4acc580 100644
--- a/.github/workflows/main-pr.yaml
+++ b/.github/workflows/main-pr.yaml
@@ -58,6 +58,17 @@ jobs:
 integration-test:
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ kubernetes-version:
+ - "1.19.16"
+ - "1.20.15"
+ - "1.21.14"
+ - "1.22.15"
+ - "1.23.13"
+ - "1.24.7"
+ - "1.25.3"
+ - "1.26.0"
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -70,6 +81,8 @@ jobs:
 version: v3.11.0
 - name: setup testing environment (kind-cluster)
+ env:
+ KUBERNETES_VERSION: ${{ matrix.kubernetes-version }}
 run: ./scripts/test-env.sh
 - name: run integration tests (integration)
diff --git a/scripts/test-env.sh b/scripts/test-env.sh
index 11aafb790..32c651a78 100755
--- a/scripts/test-env.sh
+++ b/scripts/test-env.sh
@@ -31,6 +31,7 @@ set -euo pipefail
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 cd "${SCRIPT_DIR}/.."
 KIND_VERSION="${KIND_VERSION:-v0.17.0}"
+KUBERNETES_VERSION="${KUBERNETES_VERSION:-1.26.0}"
 # ------------------------------------------------------------------------------
 # Setup Tools - Docker
@@ -67,7 +68,7 @@ kind version 1>/dev/null
 if ! command -v ktf 1>/dev/null
 then
 mkdir -p "${HOME}"/.local/bin
- curl --proto '=https' -sSf https://kong.github.io/kubernetes-testing-framework/install.sh | bash
+ GOBIN="${HOME}"/.local/bin go install github.com/kong/kubernetes-testing-framework/cmd/ktf@latest
 export PATH="${HOME}/.local/bin:$PATH"
 fi
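Review bot: The new `strategy.matrix` keeps GitHub's default `fail-fast: true`, so the first Kubernetes version whose integration run fails cancels the other seven jobs and a regression that only affects one release hides the results for the rest. Add `fail-fast: false` under `strategy:` next to `matrix:` so every version reports independently. A short comment above the version list saying what constrains it (presumably the node images available for the kind release pinned in `scripts/test-env.sh`) would also help whoever bumps these next.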
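Review bot: The replacement `go install ... /cmd/ktf@latest` is unpinned, so every CI run pulls whatever tag the upstream module has most recently published, while `KIND_VERSION` two hunks above is pinned and overridable. Dropping the piped `curl | bash` installer is the right move (with a fixed version, `go install` verifies the module against the checksum database by default), but that guarantee only means something once the version is fixed. Suggest adding `KTF_VERSION="${KTF_VERSION:-<tagged release>}"` beside `KIND_VERSION` and installing with `go install github.com/kong/kubernetes-testing-framework/cmd/ktf@"${KTF_VERSION}"`; the same should be pinned in the install-path comment so the two versions are bumped together.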
@@ -78,7 +79,7 @@ ktf 1>/dev/null
 # Create Testing Environment
 # ------------------------------------------------------------------------------
-ktf environments create --name "${TEST_ENV_NAME}" --addon metallb --addon kuma --kubernetes-version 1.25.3
+ktf environments create --name "${TEST_ENV_NAME}" --addon metallb --addon kuma --kubernetes-version ${KUBERNETES_VERSION}
 kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v0.5.1" | kubectl apply -f -
From ea2a0639dcac2814da2ffb431d27c0fa0fec5a55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20Charri=C3=A8re?=
Date: Wed, 1 Feb 2023 10:55:35 +0100
Subject: [PATCH 2/7] feat(deployment) replace static secret with projected volume (#722)
* feat(deployment) replace static secret with projected volume
The static service account secret has been superseeded by a projected volume becoming the standar way to authenticate against the K8s API since v1.21. With this change we keep the token mounted only on the ingress controller container and gain the security improvements that the TokenRequests API brings.
Signed-off-by: Matias Charriere
---
 charts/kong/CHANGELOG.md | 2 ++
 charts/kong/templates/deployment.yaml | 19 +++++++++++++++++++
 charts/kong/templates/secret-sa-token.yaml | 2 +-
 charts/kong/values.yaml | 1 +
 4 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
index f7daba778..6615510b5 100644
--- a/charts/kong/CHANGELOG.md
+++ b/charts/kong/CHANGELOG.md
@@ -6,6 +6,8 @@
 * Enable users to specify their own labels and annotations to generated PodSecurityPolicy [#721](https://github.com/Kong/charts/pull/721)
+* Replaced static secret with projected volume in deployment.
+ [#722](https://github.com/Kong/charts/pull/722)
 ## 2.15.3
diff --git a/charts/kong/templates/deployment.yaml b/charts/kong/templates/deployment.yaml
index e162da18d..35dd16bac 100644
--- a/charts/kong/templates/deployment.yaml
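Review bot: `--kubernetes-version ${KUBERNETES_VERSION}` is the only unquoted expansion on the line; `"${TEST_ENV_NAME}"` beside it is quoted, and `set -u` at the top of the script only catches an unset variable, not one that contains whitespace. Quote it for consistency: `--kubernetes-version "${KUBERNETES_VERSION}"`. The value comes from the workflow matrix today, so this is defensive rather than a live bug.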
+++ b/charts/kong/templates/deployment.yaml
@@ -298,6 +298,24 @@ spec:
 {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
 {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
 - name: {{ template "kong.serviceAccountTokenName" . }}
+ {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+ projected:
+ sources:
+ - serviceAccountToken:
+ expirationSeconds: 3607
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
+ {{- else }}
 secret:
 secretName: {{ template "kong.serviceAccountTokenName" . }}
 items:
@@ -307,5 +325,6 @@ spec:
 path: ca.crt
 - key: namespace
 path: namespace
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/kong/templates/secret-sa-token.yaml b/charts/kong/templates/secret-sa-token.yaml
index be968f1ab..6781e5878 100644
--- a/charts/kong/templates/secret-sa-token.yaml
+++ b/charts/kong/templates/secret-sa-token.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
+{{- if and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) (semverCompare "<1.20" .Capabilities.KubeVersion.Version) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
index 38a441951..21af570ed 100644
--- a/charts/kong/values.yaml
+++ b/charts/kong/values.yaml
@@ -819,6 +819,7 @@ podSecurityPolicy:
 - 'configMap'
 - 'secret'
 - 'emptyDir'
+ - 'projected'
 allowPrivilegeEscalation: false
 hostNetwork: false
 hostIPC: false
From 2edf22d989508dc53ffbcb144879b9262a96538d Mon Sep 17 00:00:00 2001
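Review bot: `semverCompare ">=1.20" .Capabilities.KubeVersion.Version` will, if I remember the Masterminds semver constraint rules Helm uses correctly, not match server versions that carry a pre-release suffix (`v1.25.3-gke.100`, `v1.24.9-eks-…`), because a constraint with no pre-release component rejects pre-release versions; such clusters would silently take the `{{- else }}` branch and keep mounting the static Secret, defeating the point of the change. The usual Helm idiom is `{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}`. `expirationSeconds: 3607` also deserves a why-comment, since it looks like a typo for 3600: something like `# 1h + 7s, the TTL the kubelet uses for its own automounted token; the kubelet rotates the projected token before it expires` (hedged as "I believe" if the maintainers want to confirm the exact figure). The `volumes:` list this entry belongs to starts above the hunk, and the matching `{{- end }}` is only in the second hunk.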
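Review bot: The `(semverCompare "<1.20" …)` guard here must stay the exact complement of the `>=1.20` guard in deployment.yaml, and with a pre-release-suffixed server version both constraints can evaluate false at once: this Secret is then not rendered while the Deployment's else-branch still references `secretName: {{ template "kong.serviceAccountTokenName" . }}`, so the pod never gets past volume setup. Suggest `(semverCompare "<1.20.0-0" .Capabilities.KubeVersion.Version)` here and `">=1.20.0-0"` in the deployment, or better a single named helper (for example `kong.useProjectedSAToken`) that both templates call so the two checks cannot drift. A one-line comment above the `if` stating that this Secret exists only for clusters without the projected token branch would make the coupling visible to the next editor.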
From: Tao Yi
Date: Wed, 1 Feb 2023 19:12:29 +0800
Subject: [PATCH 3/7] feat(template) only allow strings in environment variables (#728)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* feat: only allow strings in env
* add quotes to PG_PORT in test values
* update test scripts to use --set-string
* Update charts/kong/CHANGELOG.md
--------
Co-authored-by: Patryk Małek
---
 charts/kong/CHANGELOG.md | 11 +++++++++++
 charts/kong/ci/test5-values.yaml | 2 +-
 .../quickstart-enterprise-licensed-aio.yaml | 2 +-
 charts/kong/templates/_helpers.tpl | 5 ++---
 charts/kong/values.yaml | 2 +-
 scripts/test-run.sh | 4 ++--
 scripts/test-upgrade.sh | 4 ++--
 7 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
index 6615510b5..fdd377fdd 100644
--- a/charts/kong/CHANGELOG.md
+++ b/charts/kong/CHANGELOG.md
@@ -2,6 +2,17 @@
 ## Unreleased
+### Breaking Changes
+
+* `.Values.env.*` (to set environment variables of Kong proxy container) and
+ `.Values.ingressController.env.*` (to set environment variables of ingress
+ controller container) only allow strings. Specifying values with other types
+ (bool, int) will raise error in rendering the template.
+ If you want to set an environment variable to a numerical value or keywords
+ for boolean values (like `true`,`yes`,`off`) via helm command, please use
+ `--set-string` flag.
+ [#728](https://github.com/Kong/charts/pull/728)
+
 ### Improvements
 * Enable users to specify their own labels and annotations to generated PodSecurityPolicy
diff --git a/charts/kong/ci/test5-values.yaml b/charts/kong/ci/test5-values.yaml
index 6366433cd..f5ea409b2 100644
--- a/charts/kong/ci/test5-values.yaml
+++ b/charts/kong/ci/test5-values.yaml
@@ -17,7 +17,7 @@ postgresql:
 password: kong
 service:
 ports:
- postgresql: 5432
+ postgresql: "5432"
 env:
 anonymous_reports: "off"
 database: "postgres"
diff --git a/charts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/charts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
index 6496eb659..324a29416 100644
--- a/charts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
+++ b/charts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
@@ -151,7 +151,7 @@ ingressController:
 enabled: true
 env:
 kong_admin_filter_tag: ingress_controller_default
- kong_admin_tls_skip_verify: true
+ kong_admin_tls_skip_verify: "true"
 kong_admin_token:
 valueFrom:
 secretKeyRef:
diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl
index 14bc1a524..f482c7057 100644
--- a/charts/kong/templates/_helpers.tpl
+++ b/charts/kong/templates/_helpers.tpl
@@ -370,7 +370,7 @@ The name of the service used for the ingress controller's validation webhook
 */}}
 {{- $autoEnv := dict -}}
-{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
+{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" "true" -}}
 {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s-proxy" ( include "kong.namespace" . ) (include "kong.fullname" .)) -}}
 {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
 {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
@@ -974,8 +974,7 @@ Environment variables are sorted alphabetically
 value: {{ $val | quote }}
 {{- end }}
 {{- else }}
-- name: {{ . }}
- value: {{ $val | quote }}
+{{ fail (printf "Invalid type: required string or map[string]interface {}, actual %s" $valueType)}}
 {{- end }}
 {{- end -}}
diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
index 21af570ed..2c1dd6296 100644
--- a/charts/kong/values.yaml
+++ b/charts/kong/values.yaml
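Review bot: The `fail` message in the `@@ -974` hunk names the offending type but not the offending variable, so someone with a few dozen `env` keys has to bisect their values file to find the one bool or int; the name appears to still be in scope as `.` (it is what the removed `- name: {{ . }}` line printed). Suggest `{{ fail (printf "Invalid type for environment variable %s: required string or map[string]interface {}, actual %s" . $valueType) }}`. The `range` that this `else` branch belongs to starts outside the hunk, so please confirm `.` is the key there and not something rebound by an inner scope.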
@@ -493,7 +493,7 @@ ingressController:
 # The controller disables TLS verification by default because Kong
 # generates self-signed certificates by default. Set this to false once you
 # have installed CA-signed certificates.
- kong_admin_tls_skip_verify: true
+ kong_admin_tls_skip_verify: "true"
 # If using Kong Enterprise with RBAC enabled, uncomment the section below
 # and specify the secret/key containing your admin token.
 # kong_admin_token:
diff --git a/scripts/test-run.sh b/scripts/test-run.sh
index 7092787c9..d64ffcfed 100755
--- a/scripts/test-run.sh
+++ b/scripts/test-run.sh
@@ -68,14 +68,14 @@
 then
 helm install --namespace "${RELEASE_NAMESPACE}" "${RELEASE_NAME}" \
 --set deployment.test.enabled=true \
 --set ingressController.env.feature_gates="GatewayAlpha=true" \
- --set ingressController.env.anonymous_reports="false" \
+ --set-string ingressController.env.anonymous_reports="false" \
 charts/kong/
 else
 echo "INFO: installing chart as release ${RELEASE_NAME} with controller tag ${TAG} to namespace ${RELEASE_NAMESPACE}"
 helm install --namespace "${RELEASE_NAMESPACE}" "${RELEASE_NAME}" \
 --set ingressController.image.tag="${TAG}" \
 --set ingressController.env.feature_gates="GatewayAlpha=true" \
- --set ingressController.env.anonymous_reports="false" \
+ --set-string ingressController.env.anonymous_reports="false" \
 --set deployment.test.enabled=true \
 charts/kong/
 fi
diff --git a/scripts/test-upgrade.sh b/scripts/test-upgrade.sh
index 52f3e97b5..313479004 100755
--- a/scripts/test-upgrade.sh
+++ b/scripts/test-upgrade.sh
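Review bot: The context comment two lines above the change still says `Set this to false once you have installed CA-signed certificates`, but after this patch a bare `false` is a YAML boolean and rendering now fails with the new type check, so the one place that tells operators how to turn admin-API TLS verification back on points them at a value that errors out. Update the comment to match the quoted default, e.g. `# have installed CA-signed certificates (use the quoted string "false";` / `# a bare YAML boolean is rejected when the chart renders).`. The insecure-by-default value itself predates this commit and is out of scope here, but the comment is the only mitigation guidance in the file, so it should stay actionable.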
@@ -33,7 +33,7 @@ KUBERNETES_VERSION="$($KUBECTL version -o json | jq -r '.serverVersion.gitVersio
 echo "INFO: installing chart as release ${RELEASE_NAME} to namespace ${RELEASE_NAMESPACE}"
 helm install --create-namespace --namespace "${RELEASE_NAMESPACE}" "${RELEASE_NAME}" \
- --set ingressController.env.anonymous_reports="false" \
+ --set-string ingressController.env.anonymous_reports="false" \
 --set deployment.test.enabled=true \
 charts/kong/
@@ -52,7 +52,7 @@ echo "INFO: upgrading the helm chart to image tag ${TAG}"
 helm upgrade --namespace "${RELEASE_NAMESPACE}" "${RELEASE_NAME}" \
 --set ingressController.image.tag="${TAG}" \
 --set deployment.test.enabled=true \
- --set ingressController.env.anonymous_reports="false" \
+ --set-string ingressController.env.anonymous_reports="false" \
 --set ingressController.image.effectiveSemver="${EFFECTIVE_TAG}" \
 charts/kong/
From 08a15e867c0ec61c8424a8edec2d416a73733929 Mon Sep 17 00:00:00 2001
From: Gerald Pape
Date: Wed, 1 Feb 2023 17:30:38 +0100
Subject: [PATCH 4/7] chore(crds) Update CRDs to v2.8.1
Signed-off-by: Gerald Pape
---
 charts/kong/CHANGELOG.md | 12 +-
 .../crds/custom-resource-definitions.yaml | 209 +++++++++++-------
 2 files changed, 144 insertions(+), 77 deletions(-)
diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
index fdd377fdd..e86501932 100644
--- a/charts/kong/CHANGELOG.md
+++ b/charts/kong/CHANGELOG.md
@@ -4,12 +4,12 @@ ### Breaking Changes -* `.Values.env.*` (to set environment variables of Kong proxy container) and +* `.Values.env.*` (to set environment variables of Kong proxy container) and `.Values.ingressController.env.*` (to set environment variables of ingress controller container) only allow strings. Specifying values with other types (bool, int) will raise error in rendering the template. If you want to set an environment variable to a numerical value or keywords - for boolean values (like `true`,`yes`,`off`) via helm command, please use + for boolean values (like `true`,`yes`,`off`) via helm command, please use `--set-string` flag. [#728](https://github.com/Kong/charts/pull/728) @@ -20,6 +20,12 @@ * Replaced static secret with projected volume in deployment. [#722](https://github.com/Kong/charts/pull/722) +### Updates + +* Update custom resource definitions to latest v2.8.1 from + kong/kubernetes-ingress-controller + [#730](https://github.com/Kong/charts/pull/730) + ## 2.15.3 ### Fixed @@ -68,7 +74,7 @@ but doing so is not required. ### Improvements * Default Kong and KIC versions bumped to 3.1 and 2.8. -* UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream). +* UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream). This can be still overridden to TCP by specifying the protocol explicitly, but it is not recommended to do so. [#682](https://github.com/Kong/charts/pull/682) * Supported `autoscaling/v2` API diff --git a/charts/kong/crds/custom-resource-definitions.yaml b/charts/kong/crds/custom-resource-definitions.yaml index 09debc72a..869c82096 100644 --- a/charts/kong/crds/custom-resource-definitions.yaml +++ b/charts/kong/crds/custom-resource-definitions.yaml 
@@ -1,9 +1,9 @@ -# generated using: kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/crd?ref=main +# generated using: kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/crd?ref=v2.8.1 apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: ingressclassparameterses.configuration.konghq.com spec: @@ -19,7 +19,7 @@ spec: schema: openAPIV3Schema: description: IngressClassParameters is the Schema for the IngressClassParameters - API + API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -34,6 +34,7 @@ spec: metadata: type: object spec: + description: Spec is the IngressClassParameters specification. properties: enableLegacyRegexDetection: default: false @@ -44,7 +45,7 @@ spec: type: boolean serviceUpstream: default: false - description: Offload load-balancing to kube-proxy or sidecar + description: Offload load-balancing to kube-proxy or sidecar. type: boolean type: object type: object @@ -55,7 +56,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: kongclusterplugins.configuration.konghq.com spec: @@ -93,7 +94,7 @@ spec: name: v1 schema: openAPIV3Schema: - description: KongClusterPlugin is the Schema for the kongclusterplugins API + description: KongClusterPlugin is the Schema for the kongclusterplugins API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -101,24 +102,33 @@ spec: internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string config: - description: Config contains the plugin configuration. + description: Config contains the plugin configuration. It's a list of + keys and values required to configure the plugin. Please read the documentation + of the plugin being configured to set values in here. For any plugin + in Kong, anything that goes in the `config` JSON key in the Admin API + request, goes into this property. Only one of `config` or `configFrom` + may be used in a KongClusterPlugin, not both at once. type: object x-kubernetes-preserve-unknown-fields: true configFrom: description: ConfigFrom references a secret containing the plugin configuration. + This should be used when the plugin configuration contains sensitive + information, such as AWS credentials in the Lambda plugin or the client + secret in the OIDC plugin. Only one of `config` or `configFrom` may + be used in a KongClusterPlugin, not both at once. properties: secretKeyRef: - description: NamespacedSecretValueFromSource represents the source - of a secret value specifying the secret namespace + description: Specifies a name, a namespace, and a key of a secret + to refer to. properties: key: - description: the key containing the value + description: The key containing the value. type: string name: - description: the secret containing the key + description: The secret containing the key. type: string namespace: - description: The namespace containing the secret + description: The namespace containing the secret. type: string required: - key 
@@ -127,10 +137,10 @@ spec: type: object type: object consumerRef: - description: ConsumerRef is a reference to a particular consumer + description: ConsumerRef is a reference to a particular consumer. type: string disabled: - description: Disabled set if the plugin is disabled or not + description: Disabled set if the plugin is disabled or not. type: boolean kind: description: 'Kind is a string value representing the REST resource this @@ -140,7 +150,13 @@ spec: metadata: type: object ordering: - description: Ordering overrides the normal plugin execution order + description: 'Ordering overrides the normal plugin execution order. It''s + only available on Kong Enterprise. `` is a request processing + phase (for example, `access` or `body_filter`) and `` is the + name of the plugin that will run before or after the KongPlugin. For + example, a KongPlugin with `plugin: rate-limiting` and `before.access: + ["key-auth"]` will create a rate limiting plugin that limits requests + _before_ they are authenticated.' properties: after: additionalProperties: @@ -161,7 +177,7 @@ spec: type: object plugin: description: PluginName is the name of the plugin to which to apply the - config + config. type: string protocols: description: Protocols configures plugin to run on requests received on @@ -197,7 +213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: kongconsumers.configuration.konghq.com spec: @@ -225,7 +241,7 @@ spec: name: v1 schema: openAPIV3Schema: - description: KongConsumer is the Schema for the kongconsumers API + description: KongConsumer is the Schema for the kongconsumers API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -239,8 +255,8 @@ spec: type: string type: array custom_id: - description: CustomID existing unique ID for the consumer - useful for - mapping Kong with users in your existing database + description: CustomID is a Kong cluster-unique existing ID for the consumer + - useful for mapping Kong with users in your existing database. type: string kind: description: 'Kind is a string value representing the REST resource this @@ -250,7 +266,7 @@ spec: metadata: type: object username: - description: Username unique username of the consumer. + description: Username is a Kong cluster-unique username of the consumer. type: string type: object served: true @@ -262,7 +278,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: kongingresses.configuration.konghq.com spec: @@ -281,7 +297,7 @@ spec: - name: v1 schema: openAPIV3Schema: - description: KongIngress is the Schema for the kongingresses API + description: KongIngress is the Schema for the kongingresses API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -298,19 +314,23 @@ spec: proxy: description: Proxy defines additional connection options for the routes to be configured in the Kong Gateway, e.g. `connection_timeout`, `retries`, - e.t.c. + etc. properties: connect_timeout: - description: The timeout in milliseconds for establishing a connection - to the upstream server. + description: "The timeout in milliseconds for\testablishing a connection + to the upstream server. Deprecated: use Service's \"konghq.com/connect-timeout\" + annotation instead." minimum: 0 type: integer path: - description: The path to be used in requests to the upstream server.(optional) + description: '(optional) The path to be used in requests to the upstream + server. Deprecated: use Service''s "konghq.com/path" annotation + instead.' pattern: ^/.*$ type: string protocol: - description: The protocol used to communicate with the upstream. + description: 'The protocol used to communicate with the upstream. + Deprecated: use Service''s "konghq.com/protocol" annotation instead.' enum: - http - https 
@@ -321,17 +341,20 @@ spec: - udp type: string read_timeout: - description: The timeout in milliseconds between two successive read - operations for transmitting a request to the upstream server. + description: 'The timeout in milliseconds between two successive read + operations for transmitting a request to the upstream server. Deprecated: + use Service''s "konghq.com/read-timeout" annotation instead.' minimum: 0 type: integer retries: - description: The number of retries to execute upon failure to proxy. + description: 'The number of retries to execute upon failure to proxy. + Deprecated: use Service''s "konghq.com/retries" annotation instead.' minimum: 0 type: integer write_timeout: - description: The timeout in milliseconds between two successive write - operations for transmitting a request to the upstream server. + description: 'The timeout in milliseconds between two successive write + operations for transmitting a request to the upstream server. Deprecated: + use Service''s "konghq.com/write-timeout" annotation instead.' minimum: 0 type: integer type: object 
@@ -345,35 +368,44 @@ spec: items: type: string type: array - description: Headers contains one or more lists of values indexed + description: 'Headers contains one or more lists of values indexed by header name that will cause this Route to match if present in the request. The Host header cannot be used with this attribute. + Deprecated: use Ingress'' "konghq.com/headers" annotation instead.' type: object https_redirect_status_code: - description: HTTPSRedirectStatusCode is the status code Kong responds - with when all properties of a Route match except the protocol. + description: 'HTTPSRedirectStatusCode is the status code Kong responds + with when all properties of a Route match except the protocol. Deprecated: + use Ingress'' "ingress.kubernetes.io/force-ssl-redirect" or "konghq.com/https-redirect-status-code" + annotations instead.' type: integer methods: - description: Methods is a list of HTTP methods that match this Route. + description: 'Methods is a list of HTTP methods that match this Route. + Deprecated: use Ingress'' "konghq.com/override-protocols" annotation + instead.' items: type: string type: array path_handling: - description: PathHandling controls how the Service path, Route path + description: 'PathHandling controls how the Service path, Route path and requested path are combined when sending a request to the upstream. + Deprecated: use Ingress'' "konghq.com/path-handling" annotation + instead.' enum: - v0 - v1 type: string preserve_host: - description: PreserveHost sets When matching a Route via one of the + description: 'PreserveHost sets When matching a Route via one of the hosts domain names, use the request Host header in the upstream request headers. If set to false, the upstream Host header will - be that of the Service’s host. + be that of the Service’s host. Deprecated: use Ingress'' "konghq.com/preserve-host" + annotation instead.' 
type: boolean protocols: - description: Protocols is an array of the protocols this Route should - allow. + description: 'Protocols is an array of the protocols this Route should + allow. Deprecated: use Ingress'' "konghq.com/protocols" annotation + instead.' items: enum: - http @@ -386,27 +418,32 @@ spec: type: string type: array regex_priority: - description: RegexPriority is a number used to choose which route + description: 'RegexPriority is a number used to choose which route resolves a given request when several routes match it using regexes - simultaneously. + simultaneously. Deprecated: use Ingress'' "konghq.com/regex-priority" + annotation instead.' type: integer request_buffering: - description: RequestBuffering sets whether to enable request body - buffering or not. + description: 'RequestBuffering sets whether to enable request body + buffering or not. Deprecated: use Ingress'' "konghq.com/request-buffering" + annotation instead.' type: boolean response_buffering: - description: ResponseBuffering sets whether to enable response body - buffering or not. + description: 'ResponseBuffering sets whether to enable response body + buffering or not. Deprecated: use Ingress'' "konghq.com/response-buffering" + annotation instead.' type: boolean snis: - description: SNIs is a list of SNIs that match this Route when using - stream routing. + description: 'SNIs is a list of SNIs that match this Route when using + stream routing. Deprecated: use Ingress'' "konghq.com/snis" annotation + instead.' items: type: string type: array strip_path: - description: StripPath sets When matching a Route via one of the paths - strip the matching prefix from the upstream request URL. + description: 'StripPath sets When matching a Route via one of the + paths strip the matching prefix from the upstream request URL. Deprecated: + use Ingress'' "konghq.com/strip-path" annotation instead.' type: boolean type: object upstream: 
@@ -589,7 +626,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: kongplugins.configuration.konghq.com spec: @@ -627,7 +664,7 @@ spec: name: v1 schema: openAPIV3Schema: - description: KongPlugin is the Schema for the kongplugins API + description: KongPlugin is the Schema for the kongplugins API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -635,21 +672,30 @@ spec: internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string config: - description: Config contains the plugin configuration. + description: Config contains the plugin configuration. It's a list of + keys and values required to configure the plugin. Please read the documentation + of the plugin being configured to set values in here. For any plugin + in Kong, anything that goes in the `config` JSON key in the Admin API + request, goes into this property. Only one of `config` or `configFrom` + may be used in a KongPlugin, not both at once. type: object x-kubernetes-preserve-unknown-fields: true configFrom: description: ConfigFrom references a secret containing the plugin configuration. + This should be used when the plugin configuration contains sensitive + information, such as AWS credentials in the Lambda plugin or the client + secret in the OIDC plugin. Only one of `config` or `configFrom` may + be used in a KongPlugin, not both at once. properties: secretKeyRef: - description: SecretValueFromSource represents the source of a secret - value + description: Specifies a name and a key of a secret to refer to. The + namespace is implicitly set to the one of referring object. properties: key: - description: the key containing the value + description: The key containing the value. type: string name: - description: the secret containing the key + description: The secret containing the key. type: string required: - key 
@@ -657,10 +703,10 @@ spec: type: object type: object consumerRef: - description: ConsumerRef is a reference to a particular consumer + description: ConsumerRef is a reference to a particular consumer. type: string disabled: - description: Disabled set if the plugin is disabled or not + description: Disabled set if the plugin is disabled or not. type: boolean kind: description: 'Kind is a string value representing the REST resource this @@ -670,7 +716,13 @@ spec: metadata: type: object ordering: - description: Ordering overrides the normal plugin execution order + description: 'Ordering overrides the normal plugin execution order. It''s + only available on Kong Enterprise. `` is a request processing + phase (for example, `access` or `body_filter`) and `` is the + name of the plugin that will run before or after the KongPlugin. For + example, a KongPlugin with `plugin: rate-limiting` and `before.access: + ["key-auth"]` will create a rate limiting plugin that limits requests + _before_ they are authenticated.' properties: after: additionalProperties: @@ -691,7 +743,7 @@ spec: type: object plugin: description: PluginName is the name of the plugin to which to apply the - config + config. type: string protocols: description: Protocols configures plugin to run on requests received on @@ -727,7 +779,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: tcpingresses.configuration.konghq.com spec: @@ -753,7 +805,7 @@ spec: name: v1beta1 schema: openAPIV3Schema: - description: TCPIngress is the Schema for the tcpingresses API + description: TCPIngress is the Schema for the tcpingresses API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -768,7 +820,7 @@ spec: metadata: type: object spec: - description: TCPIngressSpec defines the desired state of TCPIngress + description: Spec is the TCPIngress specification. properties: rules: description: A list of rules used to configure the Ingress. @@ -783,6 +835,7 @@ spec: properties: serviceName: description: Specifies the name of the referenced service. + minLength: 1 type: string servicePort: description: Specifies the port of the referenced service. @@ -796,9 +849,12 @@ spec: type: object host: description: Host is the fully qualified domain name of a network - host, as defined by RFC 3986. If a Host is specified, the - protocol must be TLS over TCP. A plain-text TCP request cannot - be routed based on Host. It can only be routed based on Port. + host, as defined by RFC 3986. If a Host is not specified, + then port-based TCP routing is performed. Kong doesn't care + about the content of the TCP stream in this case. If a Host + is specified, the protocol must be TLS over TCP. A plain-text + TCP request cannot be routed based on Host. It can only be + routed based on Port. type: string port: description: Port is the port on which to accept TCP or TLS @@ -811,6 +867,7 @@ spec: type: integer required: - backend + - port type: object type: array tls: @@ -838,7 +895,7 @@ spec: type: array type: object status: - description: TCPIngressStatus defines the observed state of TCPIngress + description: TCPIngressStatus defines the observed state of TCPIngress. properties: loadBalancer: description: LoadBalancer contains the current status of the load-balancer. @@ -909,7 +966,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: udpingresses.configuration.konghq.com spec: 
@@ -935,7 +992,7 @@ spec: name: v1beta1 schema: openAPIV3Schema: - description: UDPIngress is the Schema for the udpingresses API + description: UDPIngress is the Schema for the udpingresses API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -950,7 +1007,7 @@ spec: metadata: type: object spec: - description: UDPIngressSpec defines the desired state of UDPIngress + description: Spec is the UDPIngress specification. properties: rules: description: A list of rules used to configure the Ingress. @@ -965,6 +1022,7 @@ spec: properties: serviceName: description: Specifies the name of the referenced service. + minLength: 1 type: string servicePort: description: Specifies the port of the referenced service. @@ -980,6 +1038,9 @@ spec: description: Port indicates the port for the Kong proxy to accept incoming traffic on, which will then be routed to the service Backend. + format: int32 + maximum: 65535 + minimum: 1 type: integer required: - backend @@ -988,7 +1049,7 @@ spec: type: array type: object status: - description: UDPIngressStatus defines the observed state of UDPIngress + description: UDPIngressStatus defines the observed state of UDPIngress. properties: loadBalancer: description: LoadBalancer contains the current status of the load-balancer. From b3f3b21f0c053809bce64fc48c2fffabccc3b9ff Mon Sep 17 00:00:00 2001 From: Shantanu Matharoo Date: Thu, 2 Feb 2023 04:47:49 +0530 Subject: [PATCH 5/7] chore(doc) fix typo in README.md (#732) --- charts/kong/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kong/README.md b/charts/kong/README.md index e7b00dd6e..4ab7512fc 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md 
@@ -565,7 +565,7 @@ namespaces. Limiting access requires several changes to configuration: - Set `ingressController.watchNamespaces` to a list of namespaces you want to watch. The chart will automatically generate roles for each namespace and assign them to the controller's service account. -- Optionally set `ingressContrller.installCRDs=false` if your user role (the +- Optionally set `ingressController.installCRDs=false` if your user role (the role you use when running `helm install`, not the controller service account's role) does not have access to get CRDs. By default, the chart attempts to look up the controller CRDs for [a legacy behavior From c528d424a2aae809a2b2291409aab2c4837613c7 Mon Sep 17 00:00:00 2001 From: Travis Raines <571832+rainest@users.noreply.github.com> Date: Wed, 1 Feb 2023 18:12:44 -0800 Subject: [PATCH 6/7] Reject boolean log envvars (#733) * Revert "feat(template) only allow strings in environment variables (#728)" This reverts commit 2edf22d989508dc53ffbcb144879b9262a96538d. * feat(env) handle log edge case Emit a template failure if a log environment variable is set to a raw 'off' value without quotes, which YAML coerces to a boolean 'false'. This avoids an edge case where attempting to disable a log without a string '"off"' instructs Kong to instead attempt to log to a file named 'false', which causes a failure. --- charts/kong/CHANGELOG.md | 16 ++-------------- charts/kong/ci/test5-values.yaml | 2 +- .../quickstart-enterprise-licensed-aio.yaml | 2 +- charts/kong/templates/_helpers.tpl | 10 ++++++++-- charts/kong/values.yaml | 2 +- scripts/test-run.sh | 4 ++-- scripts/test-upgrade.sh | 4 ++-- 7 files changed, 17 insertions(+), 23 deletions(-) diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index e86501932..7ecdadba5 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md 
@@ -2,26 +2,14 @@ ## Unreleased -### Breaking Changes - -* `.Values.env.*` (to set environment variables of Kong proxy container) and - `.Values.ingressController.env.*` (to set environment variables of ingress - controller container) only allow strings. Specifying values with other types - (bool, int) will raise error in rendering the template. - If you want to set an environment variable to a numerical value or keywords - for boolean values (like `true`,`yes`,`off`) via helm command, please use - `--set-string` flag. - [#728](https://github.com/Kong/charts/pull/728) - ### Improvements * Enable users to specify their own labels and annotations to generated PodSecurityPolicy [#721](https://github.com/Kong/charts/pull/721) * Replaced static secret with projected volume in deployment. [#722](https://github.com/Kong/charts/pull/722) - -### Updates - +* Reject invalid log config values. + [#733](https://github.com/Kong/charts/pull/733) * Update custom resource definitions to latest v2.8.1 from kong/kubernetes-ingress-controller [#730](https://github.com/Kong/charts/pull/730) diff --git a/charts/kong/ci/test5-values.yaml b/charts/kong/ci/test5-values.yaml index f5ea409b2..6366433cd 100644 --- a/charts/kong/ci/test5-values.yaml +++ b/charts/kong/ci/test5-values.yaml @@ -17,7 +17,7 @@ postgresql: password: kong service: ports: - postgresql: "5432" + postgresql: 5432 env: anonymous_reports: "off" database: "postgres" diff --git a/charts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/charts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml index 324a29416..6496eb659 100644 --- a/charts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml +++ b/charts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml 
@@ -151,7 +151,7 @@ ingressController: enabled: true env: kong_admin_filter_tag: ingress_controller_default - kong_admin_tls_skip_verify: "true" + kong_admin_tls_skip_verify: true kong_admin_token: valueFrom: secretKeyRef: diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl index f482c7057..d15bb1d0a 100644 --- a/charts/kong/templates/_helpers.tpl +++ b/charts/kong/templates/_helpers.tpl @@ -370,7 +370,7 @@ The name of the service used for the ingress controller's validation webhook */}} {{- $autoEnv := dict -}} -{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" "true" -}} +{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}} {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s-proxy" ( include "kong.namespace" . ) (include "kong.fullname" .)) -}} {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}} {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}} @@ -927,6 +927,11 @@ the template that it itself is using form the above sections. {{- $userEnv := dict -}} {{- range $key, $val := .Values.env }} + {{- if (contains "_log" $key) -}} + {{- if (eq (typeOf $val) "bool") -}} + {{- fail (printf "env.%s must use string 'off' to disable. Without quotes, YAML will coerce the value to a boolean and Kong will reject it" $key) -}} + {{- end -}} + {{- end -}} {{- $upper := upper $key -}} {{- $var := printf "KONG_%s" $upper -}} {{- $_ := set $userEnv $var $val -}} @@ -974,7 +979,8 @@ Environment variables are sorted alphabetically value: {{ $val | quote }} {{- end }} {{- else }} -{{ fail (printf "Invalid type: required string or map[string]interface {}, actual %s" $valueType)}} +- name: {{ . }} + value: {{ $val | quote }} {{- end }} {{- end -}} diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index 2c1dd6296..21af570ed 100644 --- a/charts/kong/values.yaml 
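Review bot: The `_log` guard added in the `_helpers.tpl` hunk at -927,6 is case-sensitive (`contains "_log" $key`) while the key is only normalised two lines later by `upper $key`, so a key spelled `PROXY_ACCESS_LOG: off` (or any non-lowercase variant) bypasses the check and the coerced boolean still reaches Kong; matching on the lowered key, `{{- if (contains "_log" (lower $key)) -}}`, closes that gap. The guard also only covers `.Values.env`, so any other env map the chart renders is presumably still unchecked. In the hunk at -974,7 the new fallback `value: {{ $val | quote }}` replaces a hard failure for every remaining value type, so a nil value would presumably render as an empty `value:` rather than an error; if that is not intended, keep a `fail` for nil there. The enclosing `define` blocks of both hunks start and end outside the hunks.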
+++ b/charts/kong/values.yaml
@@ -493,7 +493,7 @@ ingressController:
 # The controller disables TLS verification by default because Kong
 # generates self-signed certificates by default. Set this to false once you
 # have installed CA-signed certificates.
- kong_admin_tls_skip_verify: "true"
+ kong_admin_tls_skip_verify: true
 # If using Kong Enterprise with RBAC enabled, uncomment the section below
 # and specify the secret/key containing your admin token.
 # kong_admin_token:
diff --git a/scripts/test-run.sh b/scripts/test-run.sh
index d64ffcfed..7092787c9 100755
--- a/scripts/test-run.sh
+++ b/scripts/test-run.sh
@@ -68,14 +68,14 @@ then
 helm install --namespace "${RELEASE_NAMESPACE}" "${RELEASE_NAME}" \
 --set deployment.test.enabled=true \
 --set ingressController.env.feature_gates="GatewayAlpha=true" \
- --set-string ingressController.env.anonymous_reports="false" \
+ --set ingressController.env.anonymous_reports="false" \
 charts/kong/
 else
 echo "INFO: installing chart as release ${RELEASE_NAME} with controller tag ${TAG} to namespace ${RELEASE_NAMESPACE}"
 helm install --namespace "${RELEASE_NAMESPACE}" "${RELEASE_NAME}" \
 --set ingressController.image.tag="${TAG}" \
 --set ingressController.env.feature_gates="GatewayAlpha=true" \
- --set-string ingressController.env.anonymous_reports="false" \
+ --set ingressController.env.anonymous_reports="false" \
 --set deployment.test.enabled=true \
 charts/kong/
 fi
diff --git a/scripts/test-upgrade.sh b/scripts/test-upgrade.sh
index 313479004..52f3e97b5 100755
--- a/scripts/test-upgrade.sh
+++ b/scripts/test-upgrade.sh
@@ -33,7 +33,7 @@ KUBERNETES_VERSION="$($KUBECTL version -o json | jq -r '.serverVersion.gitVersio echo "INFO: installing chart as release ${RELEASE_NAME} to namespace ${RELEASE_NAMESPACE}" helm install --create-namespace --namespace "${RELEASE_NAMESPACE}" "${RELEASE_NAME}" \ - --set-string ingressController.env.anonymous_reports="false" \ + --set ingressController.env.anonymous_reports="false" \ --set deployment.test.enabled=true \ charts/kong/ @@ -52,7 +52,7 @@ echo "INFO: upgrading the helm chart to image tag ${TAG}" helm upgrade --namespace "${RELEASE_NAMESPACE}" "${RELEASE_NAME}" \ --set ingressController.image.tag="${TAG}" \ --set deployment.test.enabled=true \ - --set-string ingressController.env.anonymous_reports="false" \ + --set ingressController.env.anonymous_reports="false" \ --set ingressController.image.effectiveSemver="${EFFECTIVE_TAG}" \ charts/kong/ From 69f95341baa0be1f013a4a88611648d7f696cdd2 Mon Sep 17 00:00:00 2001 From: Gerald Pape Date: Thu, 2 Feb 2023 20:16:51 +0100 Subject: [PATCH 7/7] fix(migration) respect SAT mount setting (#729) Correctly set the value of .Values.deployment.serviceAccount.automountServiceAccountToken in migrations Jobs. This was already the case for the Deployment from which the template code has been copied. Signed-off-by: Gerald Pape --- charts/kong/CHANGELOG.md | 3 +++ charts/kong/templates/migrations-post-upgrade.yaml | 4 +++- charts/kong/templates/migrations-pre-upgrade.yaml | 4 +++- charts/kong/templates/migrations.yaml | 4 +++- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index 7ecdadba5..15ef94d25 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md 
@@ -13,6 +13,9 @@ * Update custom resource definitions to latest v2.8.1 from kong/kubernetes-ingress-controller [#730](https://github.com/Kong/charts/pull/730) +* Respect setting `.Values.deployment.serviceAccount.automountServiceAccountToken` in + migrations Jobs. This was already the case for the Deployment. + [#729](https://github.com/Kong/charts/pull/729) ## 2.15.3 diff --git a/charts/kong/templates/migrations-post-upgrade.yaml b/charts/kong/templates/migrations-post-upgrade.yaml index 8dd2b9057..04fd569ae 100644 --- a/charts/kong/templates/migrations-post-upgrade.yaml +++ b/charts/kong/templates/migrations-post-upgrade.yaml @@ -33,10 +33,12 @@ spec: spec: {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} serviceAccountName: {{ template "kong.serviceAccountName" . }} + {{- end }} + {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} automountServiceAccountToken: true {{- else }} automountServiceAccountToken: false - {{- end }} + {{ end }} {{- if .Values.image.pullSecrets }} imagePullSecrets: {{- range .Values.image.pullSecrets }} diff --git a/charts/kong/templates/migrations-pre-upgrade.yaml b/charts/kong/templates/migrations-pre-upgrade.yaml index 485a9706a..f8fe4a1ff 100644 --- a/charts/kong/templates/migrations-pre-upgrade.yaml +++ b/charts/kong/templates/migrations-pre-upgrade.yaml 
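Review bot: In the `migrations-post-upgrade.yaml` hunk the closing `{{- end }}` of the new `automountServiceAccountToken` block was changed to `{{ end }}`, which drops the left-trim and leaves a whitespace-only line in the rendered Job manifest, unlike every other `{{- end }}` in the same hunk; keeping `{{- end }}` preserves the fix without the stray line. The same change appears in the `migrations-pre-upgrade.yaml` and `migrations.yaml` hunks that follow. The new condition itself reads correctly: the token is mounted only when a service account is configured and `automountServiceAccountToken` is set, so a migrations Job no longer receives an API token the values file did not ask for. The enclosing pod `spec:` mapping continues outside the hunk.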
@@ -33,10 +33,12 @@ spec:
 spec:
 {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
 serviceAccountName: {{ template "kong.serviceAccountName" . }}
+ {{- end }}
+ {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
 automountServiceAccountToken: true
 {{- else }}
 automountServiceAccountToken: false
- {{- end }}
+ {{ end }}
 {{- if .Values.image.pullSecrets }}
 imagePullSecrets:
 {{- range .Values.image.pullSecrets }}
diff --git a/charts/kong/templates/migrations.yaml b/charts/kong/templates/migrations.yaml
index 2c93196fe..5b918abc8 100644
--- a/charts/kong/templates/migrations.yaml
+++ b/charts/kong/templates/migrations.yaml
@@ -41,10 +41,12 @@ spec:
 spec:
 {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
 serviceAccountName: {{ template "kong.serviceAccountName" . }}
+ {{- end }}
+ {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
 automountServiceAccountToken: true
 {{- else }}
 automountServiceAccountToken: false
- {{- end }}
+ {{ end }}
 {{- if .Values.image.pullSecrets }}
 imagePullSecrets:
 {{- range .Values.image.pullSecrets }}