From 7294d3c4b6da5277ca9ed8e3d1c11285e4efd569 Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 00:02:25 -0600 Subject: [PATCH 01/12] Update status when running in daemonset mode Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- internal/gatewayapi/status/gateway.go | 26 ++++-- internal/provider/kubernetes/controller.go | 28 +++++- internal/provider/kubernetes/predicates.go | 88 ++++++++++++++----- .../provider/kubernetes/predicates_test.go | 4 +- internal/provider/kubernetes/status.go | 4 +- 5 files changed, 112 insertions(+), 38 deletions(-) diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index f891f8c40af..2beb6bc3dc3 100644 --- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go @@ -7,6 +7,7 @@ package status import ( "fmt" + "sigs.k8s.io/controller-runtime/pkg/client" "time" appsv1 "k8s.io/api/apps/v1" @@ -31,7 +32,7 @@ func UpdateGatewayStatusAcceptedCondition(gw *gwapiv1.Gateway, accepted bool) *g // UpdateGatewayStatusProgrammedCondition updates the status addresses for the provided gateway // based on the status IP/Hostname of svc and updates the Programmed condition based on the // service and deployment state. -func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Service, deployment *appsv1.Deployment, nodeAddresses ...string) { +func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Service, envoyObj client.Object, nodeAddresses ...string) { var addresses, hostnames []string // Update the status addresses field. if svc != nil { @@ -98,7 +99,7 @@ func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Ser } // Update the programmed condition. - updateGatewayProgrammedCondition(gw, deployment) + updateGatewayProgrammedCondition(gw, envoyObj) } func SetGatewayListenerStatusCondition(gateway *gwapiv1.Gateway, listenerStatusIdx int, 
@@ -138,7 +139,7 @@ const (
 
 // updateGatewayProgrammedCondition computes the Gateway Programmed status condition.
 // Programmed condition surfaces true when the Envoy Deployment status is ready.
-func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, deployment *appsv1.Deployment) {
+func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Object) {
 if len(gw.Status.Addresses) == 0 {
 gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
 newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonAddressNotAssigned),
@@ -159,15 +160,22 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, deployment *appsv1.De
 
 // If there are no available replicas for the Envoy Deployment, don't
 // mark the Gateway as ready yet.
-
- if deployment == nil || deployment.Status.AvailableReplicas == 0 {
+ dep, okDep := envoyObj.(*appsv1.Deployment)
+ if okDep && dep.Status.AvailableReplicas > 0 {
+ gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
+ fmt.Sprintf(messageFmtProgrammed, dep.Status.AvailableReplicas, dep.Status.Replicas), time.Now(), gw.Generation))
+ return
+ }
+ daemon, okDaemon := envoyObj.(*appsv1.DaemonSet)
+ if okDaemon && daemon.Status.NumberAvailable > 0 {
 gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
- newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources),
- messageNoResources, time.Now(), gw.Generation))
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
+ fmt.Sprintf(messageFmtProgrammed, daemon.Status.NumberAvailable, daemon.Status.CurrentNumberScheduled), time.Now(), gw.Generation))
 return
 }
 
 gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
- newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
- fmt.Sprintf(messageFmtProgrammed, deployment.Status.AvailableReplicas, deployment.Status.Replicas), time.Now(), gw.Generation))
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources),
+ messageNoResources, time.Now(), gw.Generation))
 }
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index dac8f1780a8..e19f63c119f 100644
--- a/internal/provider/kubernetes/controller.go
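Review bot: The DaemonSet branch formats messageFmtProgrammed with `daemon.Status.CurrentNumberScheduled` as the denominator, but the DaemonSet counterpart of a Deployment's `Replicas` (the desired count) is `DesiredNumberScheduled`; `CurrentNumberScheduled` only counts pods already placed, so while the DaemonSet is still rolling out the "n/m available" message under-reports the target. The same field is carried into the switch rewrite of this block in PATCH 02/12. Suggest `fmt.Sprintf(messageFmtProgrammed, daemon.Status.NumberAvailable, daemon.Status.DesiredNumberScheduled)`. Note that Programmed flips to True on the first available pod of either kind, mirroring the existing Deployment behaviour; if a stricter readiness bar is wanted for DaemonSets, compare against the desired count instead of `> 0`. updateGatewayProgrammedCondition begins outside this hunk.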
+++ b/internal/provider/kubernetes/controller.go @@ -1386,13 +1386,13 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } // Watch Deployment CRUDs and process affected Gateways. - dPredicates := []predicate.TypedPredicate[*appsv1.Deployment]{ + deploymentPredicates := []predicate.TypedPredicate[*appsv1.Deployment]{ predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool { - return r.validateDeploymentForReconcile(deploy) + return r.validateObjecttForReconcile(deploy) }), } if r.namespaceLabel != nil { - dPredicates = append(dPredicates, predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool { + deploymentPredicates = append(deploymentPredicates, predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool { return r.hasMatchingNamespaceLabels(deploy) })) } 
@@ -1401,7 +1401,27 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, deploy *appsv1.Deployment) []reconcile.Request { return r.enqueueClass(ctx, deploy) }), - dPredicates...)); err != nil { + deploymentPredicates...)); err != nil { + return err + } + + // Watch Daemonset CRUDs and process affected Gateways. + daemonsetPredicates := []predicate.TypedPredicate[*appsv1.DaemonSet]{ + predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool { + return r.validateObjecttForReconcile(daemonset) + }), + } + if r.namespaceLabel != nil { + daemonsetPredicates = append(daemonsetPredicates, predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool { + return r.hasMatchingNamespaceLabels(daemonset) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &appsv1.DaemonSet{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, daemonset *appsv1.DaemonSet) []reconcile.Request { + return r.enqueueClass(ctx, daemonset) + }), + daemonsetPredicates...)); err != nil { return err } diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index 9fb3fe86fd1..bef7a6cb589 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -8,6 +8,7 @@ package kubernetes import ( "context" "fmt" + "k8s.io/apimachinery/pkg/api/meta" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" 
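Review bot: The new `c.Watch(source.Kind(mgr.GetCache(), &appsv1.DaemonSet{}, ...))` registers a DaemonSet informer, yet the diffstat lists no RBAC or chart change; if the controller's ClusterRole does not already grant list/watch on `daemonsets` in `apps`, the informer cannot sync and manager start-up will fail or block (not verifiable from the patch, but worth confirming). The namespace restriction is applied only inside the predicate through validateObjecttForReconcile, so unless the manager's cache already scopes DaemonSets per object as it presumably does for Deployments, every DaemonSet in the cluster is cached. The block is a verbatim copy of the Deployment watch above it with the type swapped; a small generic helper parameterized on the workload type would keep the two predicate sets from drifting. watchResources starts and ends outside this hunk.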
@@ -439,21 +440,16 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) } -// validateDeploymentForReconcile tries finding the owning Gateway of the Deployment +// validateObjecttForReconcile tries finding the owning Gateway of the Deployment or Daemonset // if it exists, finds the Gateway's Service, and further updates the Gateway -// status Ready condition. No Deployments are pushed for reconciliation. -func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object) bool { +// status Ready condition. No Deployments or Daemonsets are pushed for reconciliation. +func (r *gatewayAPIReconciler) validateObjecttForReconcile(obj client.Object) bool { ctx := context.Background() - deployment, ok := obj.(*appsv1.Deployment) - if !ok { - r.log.Info("unexpected object type, bypassing reconciliation", "object", obj) - return false - } - labels := deployment.GetLabels() + labels := obj.GetLabels() - // Only deployments in the configured namespace should be reconciled. - if deployment.Namespace == r.namespace { - // Check if the deployment belongs to a Gateway, if so, update the Gateway status. + // Only objects in the configured namespace should be reconciled. + if obj.GetNamespace() == r.namespace { + // Check if the obj belongs to a Gateway, if so, update the Gateway status. gtw := r.findOwningGateway(ctx, labels) if gtw != nil { r.updateStatusForGateway(ctx, gtw) 
@@ -471,27 +467,77 @@ func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object) return false } - // There is no need to reconcile the Deployment any further. + // There is no need to reconcile the object any further. return false } -// envoyDeploymentForGateway returns the Envoy Deployment, returning nil if the Deployment doesn't exist. -func (r *gatewayAPIReconciler) envoyDeploymentForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (*appsv1.Deployment, error) { +// envoyObjectForGateway returns the Envoy Deployment, returning nil if the Deployment doesn't exist. +func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) { + labelSelector := labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName)))) + + // Check for deployment var deployments appsv1.DeploymentList - labelSelector := labels.SelectorFromSet(labels.Set(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))))) if err := r.client.List(ctx, &deployments, &client.ListOptions{ LabelSelector: labelSelector, Namespace: r.namespace, }); err != nil { - if kerrors.IsNotFound(err) { + if !kerrors.IsNotFound(err) { + return nil, err + } + } + if len(deployments.Items) > 0 { + return &deployments.Items[0], nil + } + + // Check for daemonset + var daemonsets appsv1.DaemonSetList + if err := r.client.List(ctx, &daemonsets, &client.ListOptions{ + LabelSelector: labelSelector, + Namespace: r.namespace, + }); err != nil { + if !kerrors.IsNotFound(err) { + return nil, err + } + } + + if len(daemonsets.Items) > 0 { + return &daemonsets.Items[0], nil + } + return nil, nil +} + +func (r *gatewayAPIReconciler) envoyObjectForGateways(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) { + + // Helper func to list and return the first object from results + listResource := func(list client.ObjectList) (client.Object, error) 
{ + if err := r.client.List(ctx, list, &client.ListOptions{ + LabelSelector: labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName)))), + Namespace: r.namespace, + }); err != nil { + if !kerrors.IsNotFound(err) { + return nil, err + } + } + items, err := meta.ExtractList(list) + if err != nil || len(items) == 0 { return nil, nil } - return nil, err + return items[0].(client.Object), nil } - if len(deployments.Items) == 0 { - return nil, nil + + // Check for Deployment + deployments := &appsv1.DeploymentList{} + if obj, err := listResource(deployments); obj != nil || err != nil { + return obj, err } - return &deployments.Items[0], nil + + // Check for DaemonSet + daemonsets := &appsv1.DaemonSetList{} + if obj, err := listResource(daemonsets); obj != nil || err != nil { + return obj, err + } + + return nil, nil } // envoyServiceForGateway returns the Envoy service, returning nil if the service doesn't exist. diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 61a09ffb8ae..cbf183caab3 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -859,7 +859,7 @@ func TestValidateServiceForReconcile(t *testing.T) { } } -// TestValidateDeploymentForReconcile tests the validateDeploymentForReconcile +// TestValidateDeploymentForReconcile tests the validateObjecttForReconcile // predicate function. func TestValidateDeploymentForReconcile(t *testing.T) { sampleGateway := test.GetGateway(types.NamespacedName{Namespace: "default", Name: "scheduled-status-test"}, "test-gc", 8080) 
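Review bot: envoyObjectForGateway returns the first matching Deployment whenever one exists, regardless of its replica count, so during a switch between Deployment and DaemonSet mode a not-yet-deleted Deployment masks a serving DaemonSet and the Gateway stays Programmed=False until the old object is gone; if both kinds can coexist transiently, prefer the one with available pods or document the precedence. The `!kerrors.IsNotFound(err)` guards are vestigial on a List call, which reports an empty result as zero items rather than NotFound. The second function, envoyObjectForGateways, is not referenced anywhere in the series and its `listResource` helper discards the `meta.ExtractList` error (`if err != nil || len(items) == 0 { return nil, nil }`), turning a decode failure into "no Envoy object"; the PATCH 04/12 diffstat suggests it is removed later, but if it stays it should `return nil, err` and carry a doc comment. validateDeploymentForReconcile, whose tail opens this hunk, begins outside it.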
@@ -938,7 +938,7 @@ func TestValidateDeploymentForReconcile(t *testing.T) { for _, tc := range testCases { r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.configs...).Build() t.Run(tc.name, func(t *testing.T) { - res := r.validateDeploymentForReconcile(tc.deployment) + res := r.validateObjecttForReconcile(tc.deployment) require.Equal(t, tc.expect, res) }) } diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index c94ad2bc556..0bfd046cf86 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -476,7 +476,7 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw * } // Get deployment - deploy, err := r.envoyDeploymentForGateway(ctx, gtw) + envoyObj, err := r.envoyObjectForGateway(ctx, gtw) if err != nil { r.log.Info("failed to get Deployment for gateway", "namespace", gtw.Namespace, "name", gtw.Name) @@ -491,7 +491,7 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw * // update accepted condition status.UpdateGatewayStatusAcceptedCondition(gtw, true) // update address field and programmed condition - status.UpdateGatewayStatusProgrammedCondition(gtw, svc, deploy, r.store.listNodeAddresses()...) + status.UpdateGatewayStatusProgrammedCondition(gtw, svc, envoyObj, r.store.listNodeAddresses()...) key := utils.NamespacedName(gtw) From 0264b5fb92b53a397cc2ac217319ba81f46f5867 Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 10:34:30 -0600 Subject: [PATCH 02/12] Use switch Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- internal/gatewayapi/status/gateway.go | 32 ++++++++++++++------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index 2beb6bc3dc3..c442c12766b 100644 --- a/internal/gatewayapi/status/gateway.go 
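Review bot: In the status.go hunk the context line `r.log.Info("failed to get Deployment for gateway", ...)` now also fires when the DaemonSet lookup in envoyObjectForGateway fails, so the message is misleading; suggest `r.log.Info("failed to get Envoy Deployment or DaemonSet for gateway",`. If `err` is not already among the trailing key/value pairs (they continue outside the hunk), include it, since the lookup failure is otherwise invisible in logs. updateStatusForGateway starts and ends outside this hunk.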
+++ b/internal/gatewayapi/status/gateway.go 
@@ -158,23 +158,25 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec
 return
 }
 
- // If there are no available replicas for the Envoy Deployment, don't
- // mark the Gateway as ready yet.
- dep, okDep := envoyObj.(*appsv1.Deployment)
- if okDep && dep.Status.AvailableReplicas > 0 {
- gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
- newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
- fmt.Sprintf(messageFmtProgrammed, dep.Status.AvailableReplicas, dep.Status.Replicas), time.Now(), gw.Generation))
- return
- }
- daemon, okDaemon := envoyObj.(*appsv1.DaemonSet)
- if okDaemon && daemon.Status.NumberAvailable > 0 {
- gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
- newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
- fmt.Sprintf(messageFmtProgrammed, daemon.Status.NumberAvailable, daemon.Status.CurrentNumberScheduled), time.Now(), gw.Generation))
- return
+ // Check for available Envoy replicas and if found mark the gateway as ready.
+ switch obj := envoyObj.(type) {
+ case *appsv1.Deployment:
+ if obj.Status.AvailableReplicas > 0 {
+ gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
+ fmt.Sprintf(messageFmtProgrammed, obj.Status.AvailableReplicas, obj.Status.Replicas), time.Now(), gw.Generation))
+ return
+ }
+ case *appsv1.DaemonSet:
+ if obj.Status.NumberAvailable > 0 {
+ gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
+ fmt.Sprintf(messageFmtProgrammed, obj.Status.NumberAvailable, obj.Status.CurrentNumberScheduled), time.Now(), gw.Generation))
+ return
+ }
 }
 
+ // If there are no available Envoy replicas, don't mark the Gateway as ready yet.
 gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
 newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources),
 messageNoResources, time.Now(), gw.Generation))

From cccbf280e61b9818d791a2516991f9008fb796e8 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 11:12:32 -0600
Subject: [PATCH 03/12] cleanup and tests

Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/gatewayapi/status/gateway.go | 9 ++-
internal/provider/kubernetes/controller.go | 4 +-
internal/provider/kubernetes/kubernetes.go | 2 +-
.../provider/kubernetes/kubernetes_test.go | 2 +-
internal/provider/kubernetes/predicates.go | 8 +-
.../provider/kubernetes/predicates_test.go | 80 +++++++++++++------
internal/provider/kubernetes/status.go | 2 +-
internal/provider/kubernetes/test/utils.go | 31 ++++++-
8 files changed, 100 insertions(+), 38 deletions(-)

diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go
index c442c12766b..c1d30566ba7 100644
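Review bot: Each case of `switch obj := envoyObj.(type)` dereferences `obj.Status` without a nil check, so a typed nil pointer stored in the interface (for example a `(*appsv1.Deployment)(nil)`) would satisfy the case and panic; the visible caller returns an untyped nil, so this is defensive, but `if obj != nil && obj.Status.AvailableReplicas > 0` in each case closes it cheaply. Separately, nothing in the series touches a test under internal/gatewayapi/status, so the DaemonSet branch is only exercised indirectly through the provider tests; a table-driven test feeding updateGatewayProgrammedCondition a `*appsv1.DaemonSet` with `NumberAvailable` 0 and greater than 0 would pin both outcomes. The function begins outside this hunk.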
--- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go @@ -31,7 +31,7 @@ func UpdateGatewayStatusAcceptedCondition(gw *gwapiv1.Gateway, accepted bool) *g // UpdateGatewayStatusProgrammedCondition updates the status addresses for the provided gateway // based on the status IP/Hostname of svc and updates the Programmed condition based on the -// service and deployment state. +// service and deployment or daemonset state. func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Service, envoyObj client.Object, nodeAddresses ...string) { var addresses, hostnames []string // Update the status addresses field. @@ -133,12 +133,12 @@ func computeGatewayAcceptedCondition(gw *gwapiv1.Gateway, accepted bool) metav1. const ( messageAddressNotAssigned = "No addresses have been assigned to the Gateway" messageFmtTooManyAddresses = "Too many addresses (%d) have been assigned to the Gateway, the maximum number of addresses is 16" - messageNoResources = "Deployment replicas unavailable" + messageNoResources = "Envoy replicas unavailable" messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy Deployment replicas available" ) // updateGatewayProgrammedCondition computes the Gateway Programmed status condition. -// Programmed condition surfaces true when the Envoy Deployment status is ready. +// Programmed condition surfaces true when the Envoy Deployment or Daemonset status is ready. func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Object) { if len(gw.Status.Addresses) == 0 { gw.Status.Conditions = MergeConditions(gw.Status.Conditions, 
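Review bot: `messageNoResources` is generalised to "Envoy replicas unavailable", but `messageFmtProgrammed` on the next context line still reads "envoy Deployment replicas available" and updateGatewayProgrammedCondition now formats it with DaemonSet counts as well. Either generalise it the same way, `messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy replicas available"`, or keep one format string per workload kind. Both constants surface in the Gateway's Programmed condition message, so anything that matches on that text (tests, dashboards) sees the change.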
@@ -176,7 +176,8 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec } } - // If there are no available Envoy replicas, don't mark the Gateway as ready yet. + // If there are no available replicas for the Envoy Deployment or + // Envoy Daemonset, don't mark the Gateway as ready yet. gw.Status.Conditions = MergeConditions(gw.Status.Conditions, newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources), messageNoResources, time.Now(), gw.Generation)) diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index e19f63c119f..652003b58ef 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -1388,7 +1388,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // Watch Deployment CRUDs and process affected Gateways. deploymentPredicates := []predicate.TypedPredicate[*appsv1.Deployment]{ predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool { - return r.validateObjecttForReconcile(deploy) + return r.validateObjectForReconcile(deploy) }), } if r.namespaceLabel != nil { @@ -1408,7 +1408,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // Watch Daemonset CRUDs and process affected Gateways. daemonsetPredicates := []predicate.TypedPredicate[*appsv1.DaemonSet]{ predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool { - return r.validateObjecttForReconcile(daemonset) + return r.validateObjectForReconcile(daemonset) }), } if r.namespaceLabel != nil { diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go index b909eced608..ffef819ee07 100644 --- a/internal/provider/kubernetes/kubernetes.go +++ b/internal/provider/kubernetes/kubernetes.go 
@@ -107,7 +107,7 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) return nil, fmt.Errorf("unable to set up ready check: %w", err) } - // Emit elected & continue with deployment of infra resources + // Emit elected & continue with envoyObjects of infra resources go func() { <-mgr.Elected() close(svr.Elected) diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go index 135de799948..7166956ab49 100644 --- a/internal/provider/kubernetes/kubernetes_test.go +++ b/internal/provider/kubernetes/kubernetes_test.go @@ -281,7 +281,7 @@ func testGatewayScheduledStatus(ctx context.Context, t *testing.T, provider *Pro deploy := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Namespace: gw.Namespace, - Name: gw.Name + "-deployment", + Name: gw.Name + "-envoyObjects", Labels: labels, }, Spec: appsv1.DeploymentSpec{ diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index bef7a6cb589..1c1bf2dca6d 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -440,10 +440,10 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) } -// validateObjecttForReconcile tries finding the owning Gateway of the Deployment or Daemonset +// validateObjectForReconcile tries finding the owning Gateway of the Deployment or Daemonset // if it exists, finds the Gateway's Service, and further updates the Gateway // status Ready condition. No Deployments or Daemonsets are pushed for reconciliation. -func (r *gatewayAPIReconciler) validateObjecttForReconcile(obj client.Object) bool { +func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) bool { ctx := context.Background() labels := obj.GetLabels() 
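Review bot: The comment `// Emit elected & continue with envoyObjects of infra resources` looks like a search-and-replace of the word "deployment" with the variable name; the original sentence used the English word, so it should stay `// Emit elected & continue with deployment of infra resources`. The same artefact appears in kubernetes_test.go (`Name: gw.Name + "-envoyObjects"`), in predicates.go `// Check for envoyObjects` (PATCH 03 hunk @@ -471), in predicates_test.go (`a envoyObjects exists`, `Name: "envoyObjects"`) and in status.go `// Get envoyObjects`; each should read "deployment" where the original meant the act of deploying, and "Envoy Deployment or DaemonSet" where it named the object.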
@@ -471,11 +471,11 @@ func (r *gatewayAPIReconciler) validateObjecttForReconcile(obj client.Object) bo return false } -// envoyObjectForGateway returns the Envoy Deployment, returning nil if the Deployment doesn't exist. +// envoyObjectForGateway returns the Envoy Deployment or Daemonset, returning nil if neither exists. func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) { labelSelector := labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName)))) - // Check for deployment + // Check for envoyObjects var deployments appsv1.DeploymentList if err := r.client.List(ctx, &deployments, &client.ListOptions{ LabelSelector: labelSelector, diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index cbf183caab3..5525d212c0d 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -525,7 +525,7 @@ func TestValidateServiceForReconcile(t *testing.T) { expect bool }{ { - name: "gateway service but deployment does not exist", + name: "gateway service but deployment or daemonset does not exist", configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), sampleGateway, 
@@ -547,7 +547,22 @@ func TestValidateServiceForReconcile(t *testing.T) { gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", gatewayapi.OwningGatewayNamespaceLabel: "default", }, nil), - // Note that in case when a deployment exists, the Service is just processed for Gateway status + // Note that in case when a envoyObjects exists, the Service is just processed for Gateway status + // updates and not reconciled further. + expect: false, + }, + { + name: "gateway service daemonset also exist", + configs: []client.Object{ + test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), + sampleGateway, + test.GetGatewayDaemonset(types.NamespacedName{Name: proxy.ExpectedResourceHashedName("default/scheduled-status-test")}, nil), + }, + service: test.GetService(types.NamespacedName{Name: "service"}, map[string]string{ + gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }, nil), + // Note that in case when a envoyObjects exists, the Service is just processed for Gateway status // updates and not reconciled further. expect: false, }, 
@@ -859,34 +874,39 @@ func TestValidateServiceForReconcile(t *testing.T) { } } -// TestValidateDeploymentForReconcile tests the validateObjecttForReconcile +// TestValidateObjectForReconcile tests the validateObjectForReconcile // predicate function. -func TestValidateDeploymentForReconcile(t *testing.T) { +func TestValidateObjectForReconcile(t *testing.T) { sampleGateway := test.GetGateway(types.NamespacedName{Namespace: "default", Name: "scheduled-status-test"}, "test-gc", 8080) mergeGatewaysConfig := test.GetEnvoyProxy(types.NamespacedName{Namespace: "default", Name: "merge-gateways-config"}, true) testCases := []struct { - name string - configs []client.Object - deployment client.Object - expect bool + name string + configs []client.Object + envoyObjects []client.Object + expect bool }{ { - // No config should lead to a reconciliation of a Deployment object. The main - // purpose of the Deployment watcher is just for update Gateway object statuses. - name: "gateway deployment deployment also exist", + // No config should lead to a reconciliation of a Deployment or Daemonset object. The main + // purpose of the watcher is just for updating Gateway object statuses. 
+ name: "gateway deployment or daemonset also exist", configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), sampleGateway, - test.GetService(types.NamespacedName{Name: "deployment"}, map[string]string{ + test.GetService(types.NamespacedName{Name: "envoyObjects"}, map[string]string{ gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", gatewayapi.OwningGatewayNamespaceLabel: "default", }, nil), }, - deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ - gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", - gatewayapi.OwningGatewayNamespaceLabel: "default", - }), + envoyObjects: []client.Object{ + test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ + gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }), test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{ + gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }), + }, expect: false, }, { @@ -900,9 +920,14 @@ func TestValidateDeploymentForReconcile(t *testing.T) { }), mergeGatewaysConfig, }, - deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ - gatewayapi.OwningGatewayClassLabel: "test-mg", - }), + envoyObjects: []client.Object{ + test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ + gatewayapi.OwningGatewayClassLabel: "test-mg", + }), + test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{ + gatewayapi.OwningGatewayClassLabel: "test-mg", + }), + }, expect: false, }, { 
@@ -919,9 +944,14 @@ func TestValidateDeploymentForReconcile(t *testing.T) { test.GetGateway(types.NamespacedName{Name: "merged-gateway-2", Namespace: "default"}, "test-mg", 8082), test.GetGateway(types.NamespacedName{Name: "merged-gateway-3", Namespace: "default"}, "test-mg", 8083), }, - deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ - gatewayapi.OwningGatewayClassLabel: "test-mg", - }), + envoyObjects: []client.Object{ + test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ + gatewayapi.OwningGatewayClassLabel: "test-mg", + }), + test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{ + gatewayapi.OwningGatewayClassLabel: "test-mg", + }), + }, expect: false, }, } @@ -938,8 +968,10 @@ func TestValidateDeploymentForReconcile(t *testing.T) { for _, tc := range testCases { r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.configs...).Build() t.Run(tc.name, func(t *testing.T) { - res := r.validateObjecttForReconcile(tc.deployment) - require.Equal(t, tc.expect, res) + for _, obj := range tc.envoyObjects { + res := r.validateObjectForReconcile(obj) + require.Equal(t, tc.expect, res) + } }) } } diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index 0bfd046cf86..c3d5553b0bf 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -475,7 +475,7 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw * return } - // Get deployment + // Get envoyObjects envoyObj, err := r.envoyObjectForGateway(ctx, gtw) if err != nil { r.log.Info("failed to get Deployment for gateway", diff --git a/internal/provider/kubernetes/test/utils.go b/internal/provider/kubernetes/test/utils.go index 6fe50fa75bd..7275565f638 100644 --- a/internal/provider/kubernetes/test/utils.go +++ b/internal/provider/kubernetes/test/utils.go 
@@ -12,6 +12,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" @@ -271,7 +272,7 @@ func GetUDPRoute(nsName types.NamespacedName, parent string, serviceName types.N } // GetGatewayDeployment returns a sample Deployment for a Gateway object. -func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string) *appsv1.Deployment { +func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string) client.Object { return &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Namespace: nsName.Namespace, @@ -298,6 +299,34 @@ func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string) } } +// GetGatewayDaemonset returns a sample Daemonset for a Gateway object. +func GetGatewayDaemonset(nsName types.NamespacedName, labels map[string]string) client.Object { + return &appsv1.DaemonSet{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: nsName.Namespace, + Name: nsName.Name, + Labels: labels, + }, + Spec: appsv1.DaemonSetSpec{ + Selector: &metav1.LabelSelector{MatchLabels: labels}, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: labels, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{{ + Name: "dummy", + Image: "dummy", + Ports: []corev1.ContainerPort{{ + ContainerPort: 8080, + }}, + }}, + }, + }, + }, + } +} + // GetService returns a sample Service with labels and ports. func GetService(nsName types.NamespacedName, labels map[string]string, ports map[string]int32) *corev1.Service { service := &corev1.Service{ From 144e2183726328af4dd4b58ae47c0159874954fc Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 11:46:29 -0600 Subject: [PATCH 04/12] linting and more cleanup 
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- internal/gatewayapi/status/gateway.go | 2 +- internal/provider/kubernetes/predicates.go | 37 +--------------------- 2 files changed, 2 insertions(+), 37 deletions(-) diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index c1d30566ba7..6610a4acc02 100644 --- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go @@ -7,13 +7,13 @@ package status import ( "fmt" - "sigs.k8s.io/controller-runtime/pkg/client" "time" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index 1c1bf2dca6d..4bcaee97be8 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -8,12 +8,12 @@ package kubernetes import ( "context" "fmt" - "k8s.io/apimachinery/pkg/api/meta" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/labels" 
@@ -473,41 +473,6 @@ func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) boo // envoyObjectForGateway returns the Envoy Deployment or Daemonset, returning nil if neither exists. func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) { - labelSelector := labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName)))) - - // Check for envoyObjects - var deployments appsv1.DeploymentList - if err := r.client.List(ctx, &deployments, &client.ListOptions{ - LabelSelector: labelSelector, - Namespace: r.namespace, - }); err != nil { - if !kerrors.IsNotFound(err) { - return nil, err - } - } - if len(deployments.Items) > 0 { - return &deployments.Items[0], nil - } - - // Check for daemonset - var daemonsets appsv1.DaemonSetList - if err := r.client.List(ctx, &daemonsets, &client.ListOptions{ - LabelSelector: labelSelector, - Namespace: r.namespace, - }); err != nil { - if !kerrors.IsNotFound(err) { - return nil, err - } - } - - if len(daemonsets.Items) > 0 { - return &daemonsets.Items[0], nil - } - return nil, nil -} - -func (r *gatewayAPIReconciler) envoyObjectForGateways(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) { - // Helper func to list and return the first object from results listResource := func(list client.ObjectList) (client.Object, error) { if err := r.client.List(ctx, list, &client.ListOptions{ From bf50b77b95c4c8d79455bf0a0b7a6ddc89f09603 Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 12:20:12 -0600 Subject: [PATCH 05/12] Fix name Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- internal/provider/kubernetes/kubernetes_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go index 7166956ab49..135de799948 100644 --- a/internal/provider/kubernetes/kubernetes_test.go +++ b/internal/provider/kubernetes/kubernetes_test.go @@ -281,7 +281,7 @@ func testGatewayScheduledStatus(ctx context.Context, t *testing.T, provider *Pro deploy := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Namespace: gw.Namespace, - Name: gw.Name + "-envoyObjects", + Name: gw.Name + "-deployment", Labels: labels, }, Spec: appsv1.DeploymentSpec{ From 6bd872c4bf3f1b5bcf105d2f1a2efa48aa214d16 Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 12:38:40 -0600 Subject: [PATCH 06/12] fix nil case Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- internal/gatewayapi/status/gateway.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index 6610a4acc02..8e790ba11b4 100644 --- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go 
@@ -161,14 +161,14 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec // Check for available Envoy replicas and if found mark the gateway as ready. switch obj := envoyObj.(type) { case *appsv1.Deployment: - if obj.Status.AvailableReplicas > 0 { + if obj != nil && obj.Status.AvailableReplicas > 0 { gw.Status.Conditions = MergeConditions(gw.Status.Conditions, newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed), fmt.Sprintf(messageFmtProgrammed, obj.Status.AvailableReplicas, obj.Status.Replicas), time.Now(), gw.Generation)) return } case *appsv1.DaemonSet: - if obj.Status.NumberAvailable > 0 { + if obj != nil && obj.Status.NumberAvailable > 0 { gw.Status.Conditions = MergeConditions(gw.Status.Conditions, newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed), fmt.Sprintf(messageFmtProgrammed, obj.Status.NumberAvailable, obj.Status.CurrentNumberScheduled), time.Now(), gw.Generation)) From efbef07d85085ac4e5034d6521f47a8533dcb9ca Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 19:47:14 -0600 Subject: [PATCH 07/12] Fix helm permissions and fully implement daemonset 
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- charts/gateway-helm/templates/_rbac.tpl | 1 + .../kubernetes/ratelimit/resource.go | 30 ++--- .../kubernetes/ratelimit/resource_provider.go | 106 +++++++++++++++++- .../kubernetes/ratelimit_infra.go | 21 +++- .../kubernetes/ratelimit_infra_test.go | 42 ++++++- .../certjen-custom-scheduling.out.yaml | 1 + .../control-plane-with-pdb.out.yaml | 1 + .../helm/gateway-helm/default-config.out.yaml | 1 + .../deployment-custom-topology.out.yaml | 1 + .../deployment-images-config.out.yaml | 1 + .../deployment-priorityclass.out.yaml | 1 + .../envoy-gateway-config.out.yaml | 1 + .../global-images-config.out.yaml | 1 + .../gateway-helm/service-annotations.out.yaml | 1 + 14 files changed, 185 insertions(+), 24 deletions(-) diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl index 27e90061b0c..52a5648818c 100644 --- a/charts/gateway-helm/templates/_rbac.tpl +++ b/charts/gateway-helm/templates/_rbac.tpl @@ -43,6 +43,7 @@ apiGroups: - apps resources: - deployments +- daemonsets verbs: - get - list diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go index 4785a700d40..669df866285 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource.go @@ -138,7 +138,7 @@ func rateLimitLabels() map[string]string { } // expectedRateLimitContainers returns expected rateLimit containers. -func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec, +func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec, namespace string, ) []corev1.Container { ports := []corev1.ContainerPort{ 
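Review bot: The `_rbac.tpl` change adds `daemonsets` to the rule that grants only `get`/`list` on `deployments`, which is enough for the status code to list the Envoy DaemonSet, but the ratelimit DaemonSet introduced in this same commit has to be created, patched and deleted by the controller and no write grant for `daemonsets` is visible here. Presumably the ratelimit Deployment's write grant lives in another rule outside this hunk; that rule needs `daemonsets` too, or applying the rendered DaemonSet will fail with a forbidden error at runtime. Keeping this rule read-only is the right least-privilege split, so add the write verbs next to the existing Deployment write grant rather than widening this one.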
@@ -152,16 +152,16 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen containers := []corev1.Container{ { Name: InfraName, - Image: *rateLimitDeployment.Container.Image, + Image: *rateLimitContainerSpec.Image, ImagePullPolicy: corev1.PullIfNotPresent, Command: []string{ "/bin/ratelimit", }, - Env: expectedRateLimitContainerEnv(rateLimit, rateLimitDeployment, namespace), + Env: expectedRateLimitContainerEnv(rateLimit, rateLimitContainerSpec, namespace), Ports: ports, - Resources: *rateLimitDeployment.Container.Resources, - SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitDeployment), - VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitDeployment), + Resources: *rateLimitContainerSpec.Resources, + SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitContainerSpec), + VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitContainerSpec), TerminationMessagePolicy: corev1.TerminationMessageReadFile, TerminationMessagePath: "/dev/termination-log", StartupProbe: &corev1.Probe{ @@ -197,7 +197,7 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen } // expectedContainerVolumeMounts returns expected rateLimit container volume mounts. -func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.VolumeMount { +func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec) []corev1.VolumeMount { var volumeMounts []corev1.VolumeMount // mount the cert 
@@ -223,11 +223,11 @@ func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeploym }) } - return resource.ExpectedContainerVolumeMounts(rateLimitDeployment.Container, volumeMounts) + return resource.ExpectedContainerVolumeMounts(rateLimitContainerSpec, volumeMounts) } // expectedDeploymentVolumes returns expected rateLimit deployment volumes. -func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.Volume { +func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitPodSpec *egv1a1.KubernetesPodSpec) []corev1.Volume { var volumes []corev1.Volume if rateLimit.Backend.Redis != nil && @@ -269,11 +269,11 @@ func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitDeployment }) } - return resource.ExpectedVolumes(rateLimitDeployment.Pod, volumes) + return resource.ExpectedVolumes(rateLimitPodSpec, volumes) } // expectedRateLimitContainerEnv returns expected rateLimit container envs. -func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec, +func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec, namespace string, ) []corev1.EnvVar { env := []corev1.EnvVar{ @@ -445,7 +445,7 @@ func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeploym env = append(env, tracingEnvs...) } - return resource.ExpectedContainerEnv(rateLimitDeployment.Container, env) + return resource.ExpectedContainerEnv(rateLimitContainerSpec, env) } // Validate the ratelimit tls secret validating. 
@@ -489,9 +489,9 @@ func checkTraceEndpointScheme(url string) string { return fmt.Sprintf("%s%s", httpScheme, url) } -func expectedRateLimitContainerSecurityContext(rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) *corev1.SecurityContext { - if rateLimitDeployment.Container.SecurityContext != nil { - return rateLimitDeployment.Container.SecurityContext +func expectedRateLimitContainerSecurityContext(rateLimitContainerSpec *egv1a1.KubernetesContainerSpec) *corev1.SecurityContext { + if rateLimitContainerSpec.SecurityContext != nil { + return rateLimitContainerSpec.SecurityContext } return defaultSecurityContext() } diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index 50c5c8bf7f2..01b2ea09b6c 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -27,6 +27,7 @@ import ( // but also the key for the uid of their ownerReference. const ( ResourceKindService = "Service" + ResourceKindDaemonset = "Daemonset" ResourceKindDeployment = "Deployment" ResourceKindServiceAccount = "ServiceAccount" appsAPIVersion = "apps/v1" @@ -41,6 +42,7 @@ type ResourceRender struct { rateLimit *egv1a1.RateLimit rateLimitDeployment *egv1a1.KubernetesDeploymentSpec + rateLimitDaemonset *egv1a1.KubernetesDaemonSetSpec // ownerReferenceUID store the uid of its owner reference. ownerReferenceUID map[string]types.UID @@ -196,7 +198,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { return nil, er } - containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment, r.Namespace) + containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment.Container, r.Namespace) selector := resource.GetSelector(rateLimitLabels()) podLabels := rateLimitLabels() 
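Review bot: `ResourceKindDaemonset = "Daemonset"` does not match the kind registered for `appsv1.DaemonSet` (`DaemonSet`), and in `DaemonSet()` it is written into both `TypeMeta.Kind` and the `OwnerReference.Kind` of the rendered ratelimit workload. TypeMeta is ignored by typed clients, but an ownerReference whose kind the API server's REST mapper cannot resolve makes the garbage-collection link unreliable (exact handling varies by cluster version), so the ratelimit DaemonSet may not be cleaned up with its owner. Suggest `ResourceKindDaemonset = "DaemonSet"`, and for consistency with `ResourceKindDeployment` and the Go type name, naming the constant `ResourceKindDaemonSet`; the test helper `createEnvoyGatewayDaemonset` in ratelimit_infra_test.go hardcodes `Kind: "Daemonset"` and should follow.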
@@ -250,7 +252,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { RestartPolicy: corev1.RestartPolicyAlways, SchedulerName: "default-scheduler", SecurityContext: r.rateLimitDeployment.Pod.SecurityContext, - Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment), + Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment.Pod), Affinity: r.rateLimitDeployment.Pod.Affinity, Tolerations: r.rateLimitDeployment.Pod.Tolerations, ImagePullSecrets: r.rateLimitDeployment.Pod.ImagePullSecrets, 
@@ -294,12 +296,106 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { // DaemonSetSpec returns the `DaemonSet` sets spec. func (r *ResourceRender) DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) { - return nil, nil + return r.rateLimitDaemonset, nil } -// TODO: implement this method func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { - return nil, nil + // If daemonset config is nil,ignore Daemonset. + if daemonsetConfig, er := r.DaemonSetSpec(); daemonsetConfig == nil { + return nil, er + } + + containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDaemonset.Container, r.Namespace) + selector := resource.GetSelector(rateLimitLabels()) + + podLabels := rateLimitLabels() + if r.rateLimitDaemonset.Pod.Labels != nil { + maps.Copy(podLabels, r.rateLimitDaemonset.Pod.Labels) + // Copy overwrites values in the dest map if they exist in the src map https://pkg.go.dev/maps#Copy + // It's applied again with the rateLimitLabels that are used as deployment selector to ensure those are not overwritten by user input + maps.Copy(podLabels, rateLimitLabels()) + } + + var podAnnotations map[string]string + if enablePrometheus(r.rateLimit) { + podAnnotations = map[string]string{ + "prometheus.io/path": "/metrics", + "prometheus.io/port": strconv.Itoa(PrometheusPort), + "prometheus.io/scrape": "true", + } + } + if r.rateLimitDaemonset.Pod.Annotations != nil { + if podAnnotations != nil { + maps.Copy(podAnnotations, r.rateLimitDaemonset.Pod.Annotations) + } else { + podAnnotations = r.rateLimitDaemonset.Pod.Annotations + } + } + + daemonset := &appsv1.DaemonSet{ + TypeMeta: metav1.TypeMeta{ + Kind: ResourceKindDaemonset, + APIVersion: appsAPIVersion, + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: r.Namespace, + Labels: rateLimitLabels(), + }, + Spec: appsv1.DaemonSetSpec{ + UpdateStrategy: *r.rateLimitDaemonset.Strategy, + Selector: selector, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: 
podLabels, + Annotations: podAnnotations, + }, + Spec: corev1.PodSpec{ + Containers: containers, + ServiceAccountName: InfraName, + AutomountServiceAccountToken: ptr.To(false), + TerminationGracePeriodSeconds: ptr.To[int64](300), + DNSPolicy: corev1.DNSClusterFirst, + RestartPolicy: corev1.RestartPolicyAlways, + SchedulerName: "default-scheduler", + SecurityContext: r.rateLimitDaemonset.Pod.SecurityContext, + Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDaemonset.Pod), + Affinity: r.rateLimitDaemonset.Pod.Affinity, + Tolerations: r.rateLimitDaemonset.Pod.Tolerations, + ImagePullSecrets: r.rateLimitDaemonset.Pod.ImagePullSecrets, + NodeSelector: r.rateLimitDaemonset.Pod.NodeSelector, + }, + }, + RevisionHistoryLimit: ptr.To[int32](10), + }, + } + + // set name + if r.rateLimitDaemonset.Name != nil { + daemonset.ObjectMeta.Name = *r.rateLimitDaemonset.Name + } else { + daemonset.ObjectMeta.Name = r.Name() + } + + if r.ownerReferenceUID != nil { + if uid, ok := r.ownerReferenceUID[ResourceKindDaemonset]; ok { + daemonset.OwnerReferences = []metav1.OwnerReference{ + { + Kind: ResourceKindDaemonset, + APIVersion: appsAPIVersion, + Name: "envoy-gateway", + UID: uid, + }, + } + } + } + + // apply merge patch to deployment + var err error + if daemonset, err = r.rateLimitDaemonset.ApplyMergePatch(daemonset); err != nil { + return nil, err + } + + return daemonset, nil } // HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec. diff --git a/internal/infrastructure/kubernetes/ratelimit_infra.go b/internal/infrastructure/kubernetes/ratelimit_infra.go index 514f86a1d9d..1b5bfd4ccb7 100644 --- a/internal/infrastructure/kubernetes/ratelimit_infra.go +++ b/internal/infrastructure/kubernetes/ratelimit_infra.go 
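Review bot: The ownerReference in `DaemonSet()` is only set when `r.ownerReferenceUID[ResourceKindDaemonset]` is present, and `CreateOrUpdateRateLimitInfra` fills that key only when the envoy-gateway controller itself runs as a DaemonSet; with the controller deployed as a Deployment, a ratelimit DaemonSet is rendered with no owner and is orphaned when the controller is uninstalled, and the opposite configuration presumably strands a ratelimit Deployment the same way. The kind of the ratelimit workload and the kind of the controller are independent settings, so the renderer should use whichever controller workload was found instead of the key that matches its own kind. Smaller points in the same function: `*r.rateLimitDaemonset.Strategy` and `r.rateLimitDaemonset.Pod.Labels` are dereferenced without nil checks and rely on `defaultKubernetesDaemonSetSpec` having run on every path that reaches here, and the `// apply merge patch to deployment` comment should say daemonset.
```go
	// The ratelimit workload is owned by whichever workload the controller itself
	// runs as (Deployment or DaemonSet); that kind is independent of ours.
	for _, ownerKind := range []string{ResourceKindDeployment, ResourceKindDaemonset} {
		if uid, ok := r.ownerReferenceUID[ownerKind]; ok {
			daemonset.OwnerReferences = []metav1.OwnerReference{{
				Kind:       ownerKind,
				APIVersion: appsAPIVersion,
				Name:       "envoy-gateway",
				UID:        uid,
			}}
			break
		}
	}
	// … unchanged: merge patch and return …
```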
@@ -10,7 +10,9 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit" ) @@ -34,11 +36,26 @@ func (i *Infra) CreateOrUpdateRateLimitInfra(ctx context.Context) error { } ownerReferenceUID[ratelimit.ResourceKindService] = serviceUID - deploymentUID, err := i.Client.GetUID(ctx, key, &appsv1.Deployment{}) + var uid types.UID + for _, obj := range []client.Object{&appsv1.Deployment{}, &appsv1.DaemonSet{}} { + uid, err = i.Client.GetUID(ctx, key, obj) + if err != nil { + if errors.IsNotFound(err) { + continue + } + return err + } + switch obj.(type) { + case *appsv1.Deployment: + ownerReferenceUID[ratelimit.ResourceKindDeployment] = uid + case *appsv1.DaemonSet: + ownerReferenceUID[ratelimit.ResourceKindDaemonset] = uid + } + break + } if err != nil { return err } - ownerReferenceUID[ratelimit.ResourceKindDeployment] = deploymentUID serviceAccountUID, err := i.Client.GetUID(ctx, key, &corev1.ServiceAccount{}) if err != nil { diff --git a/internal/infrastructure/kubernetes/ratelimit_infra_test.go b/internal/infrastructure/kubernetes/ratelimit_infra_test.go index 1b4976ac361..e49992194d4 100644 --- a/internal/infrastructure/kubernetes/ratelimit_infra_test.go +++ b/internal/infrastructure/kubernetes/ratelimit_infra_test.go @@ -12,6 +12,7 @@ import ( "github.com/stretchr/testify/require" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + kerrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" 
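Review bot: ratelimit_infra.go imports `k8s.io/apimachinery/pkg/api/errors` under its default name `errors`, which shadows the standard-library package name, while the sibling files touched by this same patch (predicates.go, ratelimit_infra_test.go) alias it as `kerrors`. Suggest `kerrors "k8s.io/apimachinery/pkg/api/errors"` and `if kerrors.IsNotFound(err) {` in the lookup loop. The loop does keep the original contract, since the last candidate's NotFound is what the post-loop `if err != nil` returns when neither workload exists, but that reads as dead code at first glance and deserves a line such as `// err still holds the last NotFound when neither workload exists; keep failing loudly.`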
@@ -67,6 +68,20 @@ func createEnvoyGatewayDeployment(t *testing.T, client client.Client, ns string) require.NoError(t, err) } +func createEnvoyGatewayDaemonset(t *testing.T, client client.Client, ns string) { + err := client.Create(context.Background(), &appsv1.DaemonSet{ + TypeMeta: metav1.TypeMeta{ + Kind: "Daemonset", + APIVersion: "apps/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "envoy-gateway", + Namespace: ns, + }, + }) + require.NoError(t, err) +} + func createEnvoyGatewayServiceAccount(t *testing.T, client client.Client, ns string) { err := client.Create(context.Background(), &corev1.ServiceAccount{ TypeMeta: metav1.TypeMeta{ @@ -96,6 +111,15 @@ func TestCreateRateLimitInfra(t *testing.T) { }, expect: true, }, + { + name: "daemonset", + ownerReferences: []string{ + ratelimit.ResourceKindService, + ratelimit.ResourceKindDaemonset, + ratelimit.ResourceKindServiceAccount, + }, + expect: true, + }, { name: "default infra but missing service owner reference", ownerReferences: []string{ @@ -138,6 +162,8 @@ func TestCreateRateLimitInfra(t *testing.T) { createEnvoyGatewayService(t, kube.Client.Client, kube.Namespace) case ratelimit.ResourceKindDeployment: createEnvoyGatewayDeployment(t, kube.Client.Client, kube.Namespace) + case ratelimit.ResourceKindDaemonset: + createEnvoyGatewayDaemonset(t, kube.Client.Client, kube.Namespace) case ratelimit.ResourceKindServiceAccount: createEnvoyGatewayServiceAccount(t, kube.Client.Client, kube.Namespace) } 
@@ -160,14 +186,26 @@ func TestCreateRateLimitInfra(t *testing.T) { } require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(sa), sa)) + // Check for either a Deployment or DaemonSet deploy := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Namespace: kube.Namespace, Name: ratelimit.InfraName, }, } - require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(deploy), deploy)) - + daemonset := &appsv1.DaemonSet{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: kube.Namespace, + Name: ratelimit.InfraName, + }, + } + err = kube.Client.Get(context.Background(), client.ObjectKeyFromObject(deploy), deploy) + if kerrors.IsNotFound(err) { + err = kube.Client.Get(context.Background(), client.ObjectKeyFromObject(daemonset), daemonset) + require.NoError(t, err) + } else { + require.NoError(t, err) + } svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Namespace: kube.Namespace, diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 096e1eb5561..8a1513469de 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 4c9a3d6cfdf..a71e46fe7bd 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -120,6 +120,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index c830348f012..140d271c6e7 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml 
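Review bot: The rewritten check in TestCreateRateLimitInfra accepts either a Deployment or a DaemonSet for every case, so the new `daemonset` case no longer proves that DaemonSet mode produced a DaemonSet (a Deployment would satisfy it) and a regression that renders both would pass as well. Each case should name the kind it expects, `Get` that one and assert NotFound on the other, e.g. add `expectKind string` to the case struct and branch on it instead of falling through on NotFound. The `else { require.NoError(t, err) }` branch also hides which kind was actually found, which makes a failure hard to read.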
@@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index fd468b505f0..586b64b5584 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index aa5a36ff23d..10f849e1d77 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index d3648d443d9..4f735c42095 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index aa91dacecc8..04159958265 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -107,6 +107,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index e18eecd7bc7..f280fc9f218 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml 
@@ -109,6 +109,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 97f39cd0bea..ec50a16e30d 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml +++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list From 290a551023980beb1cc3f785a1209cdadd72bb2a Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 21:56:16 -0600 Subject: [PATCH 08/12] testdata and more fixes 
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- api/v1alpha1/envoygateway_helpers.go | 13 +- api/v1alpha1/envoygateway_types.go | 7 + api/v1alpha1/zz_generated.deepcopy.go | 5 + .../kubernetes/ratelimit/resource_provider.go | 2 +- .../ratelimit/resource_provider_test.go | 520 ++++++++++++++++++ .../ratelimit/testdata/daemonsets/custom.yaml | 151 +++++ .../testdata/daemonsets/default-env.yaml | 151 +++++ .../testdata/daemonsets/default.yaml | 156 ++++++ .../daemonsets/disable-prometheus.yaml | 138 +++++ .../daemonsets/enable-tracing-custom.yaml | 171 ++++++ .../testdata/daemonsets/enable-tracing.yaml | 171 ++++++ .../testdata/daemonsets/extension-env.yaml | 155 ++++++ .../daemonsets/merge-annotations.yaml | 158 ++++++ .../testdata/daemonsets/merge-labels.yaml | 158 ++++++ .../testdata/daemonsets/override-env.yaml | 151 +++++ .../testdata/daemonsets/patch-daemonset.yaml | 157 ++++++ .../daemonsets/redis-tls-settings.yaml | 166 ++++++ .../testdata/daemonsets/tolerations.yaml | 171 ++++++ .../testdata/daemonsets/volumes.yaml | 171 ++++++ .../daemonsets/with-node-selector.yaml | 159 ++++++ site/content/en/latest/api/extension_types.md | 2 + site/content/zh/latest/api/extension_types.md | 2 + 22 files changed, 2932 insertions(+), 3 deletions(-) create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml 
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go index fed2f6fa075..2650ccaa78e 100644 --- a/api/v1alpha1/envoygateway_helpers.go +++ b/api/v1alpha1/envoygateway_helpers.go 
@@ -228,11 +228,20 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern r.Kubernetes.LeaderElection = DefaultLeaderElection() } - if r.Kubernetes.RateLimitDeployment == nil { + // if RateLimitDeployment and RateLimitDaemonset are both nil, use RateLimitDeployment + if r.Kubernetes.RateLimitDeployment == nil && r.Kubernetes.RateLimitDaemonset == nil { r.Kubernetes.RateLimitDeployment = DefaultKubernetesDeployment(DefaultRateLimitImage) } - r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage) + // if use RateLimitDeployment, set default values + if r.Kubernetes.RateLimitDeployment != nil { + r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage) + } + + // if use RateLimitDaemonset, set default values + if r.Kubernetes.RateLimitDaemonset != nil { + r.Kubernetes.RateLimitDaemonset.defaultKubernetesDaemonSetSpec(DefaultRateLimitImage) + } if r.Kubernetes.ShutdownManager == nil { r.Kubernetes.ShutdownManager = &ShutdownManager{Image: ptr.To(DefaultShutdownManagerImage)} diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go index 6cf8e334182..ab76c9c443e 100644 --- a/api/v1alpha1/envoygateway_types.go +++ b/api/v1alpha1/envoygateway_types.go @@ -202,6 +202,13 @@ type EnvoyGatewayKubernetesProvider struct { // +optional RateLimitDeployment *KubernetesDeploymentSpec `json:"rateLimitDeployment,omitempty"` + // RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource. + // If unspecified, default settings for the managed Envoy ratelimit daemonset resource + // are applied. + // + // +optional + RateLimitDaemonset *KubernetesDaemonSetSpec `json:"rateLimitDaemonset,omitempty"` + // Watch holds configuration of which input resources should be watched and reconciled. // +optional Watch *KubernetesWatchMode `json:"watch,omitempty"` 
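Review bot: Nothing in `GetEnvoyGatewayKubeProvider` rejects a config that sets both `RateLimitDeployment` and `RateLimitDaemonset`: both are defaulted, `NewResourceRender` receives both, and `Deployment()`/`DaemonSet()` each return an object whenever their spec is non-nil, so the controller would create two ratelimit workloads under the same name, labels and Service selector. Either validate mutual exclusivity where the EnvoyGateway config is validated (outside this hunk) or make the precedence explicit here, e.g. `if r.Kubernetes.RateLimitDaemonset != nil { r.Kubernetes.RateLimitDeployment = nil }` with a comment, and state the rule on the API field. The comment `// if use RateLimitDeployment, set default values` reads better as `// Apply defaults to whichever ratelimit workload spec is set.`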
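Review bot: The doc comment on the new `RateLimitDaemonset` field says `If unspecified, default settings for the managed Envoy ratelimit daemonset resource are applied`, but the defaulting in `GetEnvoyGatewayKubeProvider` creates a Deployment when neither field is set, so leaving this unspecified means no DaemonSet at all. Suggest `// RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.` / `// When set, the ratelimit service runs as a DaemonSet instead of the default Deployment;` / `// only one of RateLimitDeployment and RateLimitDaemonset should be specified.`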
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index a72706c33bb..c6dd99f41d4 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -1516,6 +1516,11 @@ func (in *EnvoyGatewayKubernetesProvider) DeepCopyInto(out *EnvoyGatewayKubernet *out = new(KubernetesDeploymentSpec) (*in).DeepCopyInto(*out) } + if in.RateLimitDaemonset != nil { + in, out := &in.RateLimitDaemonset, &out.RateLimitDaemonset + *out = new(KubernetesDaemonSetSpec) + (*in).DeepCopyInto(*out) + } if in.Watch != nil { in, out := &in.Watch, &out.Watch *out = new(KubernetesWatchMode) diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index 01b2ea09b6c..ea0da488db8 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -53,6 +53,7 @@ func NewResourceRender(ns string, gateway *egv1a1.EnvoyGateway, ownerReferenceUI return &ResourceRender{ Namespace: ns, rateLimit: gateway.RateLimit, + rateLimitDaemonset: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, rateLimitDeployment: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDeployment, ownerReferenceUID: ownerReferenceUID, } @@ -365,7 +366,6 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { NodeSelector: r.rateLimitDaemonset.Pod.NodeSelector, }, }, - RevisionHistoryLimit: ptr.To[int32](10), }, } diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go index c7aa23f7943..71d1cfc2f81 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go 
@@ -37,6 +37,7 @@ const ( var ownerReferenceUID = map[string]types.UID{ ResourceKindService: "test-owner-reference-uid-for-service", + ResourceKindDaemonset: "test-owner-reference-uid-for-deployment", ResourceKindDeployment: "test-owner-reference-uid-for-deployment", ResourceKindServiceAccount: "test-owner-reference-uid-for-service-account", } 
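Review bot: `ResourceKindDaemonset` is mapped to `"test-owner-reference-uid-for-deployment"`, the same value as `ResourceKindDeployment`, so the DaemonSet fixtures (whose ownerReferences carry that UID) would still pass if the renderer looked up the Deployment kind by mistake; use `ResourceKindDaemonset: "test-owner-reference-uid-for-daemonset",` and regenerate `testdata/daemonsets`. The constant is also spelled `Daemonset` rather than the API kind `DaemonSet`, and the fixtures serialize `kind: Daemonset` in both the object and its `ownerReferences`; if the constant's value really is `"Daemonset"`, an ownerReference with that kind would not resolve for garbage collection, so check the definition of `ResourceKindDaemonset`, which is not in this diff.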
@@ -765,6 +766,525 @@ func loadDeployment(caseName string) (*appsv1.Deployment, error) { return deployment, nil } +func TestDaemonset(t *testing.T) { + cfg, err := config.New() + // Set default DaemonsetSpec or else daemonset will be used + cfg.EnvoyGateway.Provider.Kubernetes.RateLimitDaemonset = egv1a1.DefaultKubernetesDaemonSet(egv1a1.DefaultRateLimitImage) + require.NoError(t, err) + rateLimit := &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + } + cases := []struct { + caseName string + rateLimit *egv1a1.RateLimit + daemonSetSpec *egv1a1.KubernetesDaemonSetSpec + }{ + { + caseName: "default", + rateLimit: rateLimit, + daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, + }, + { + caseName: "disable-prometheus", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + Telemetry: &egv1a1.RateLimitTelemetry{ + Metrics: &egv1a1.RateLimitMetrics{ + Prometheus: &egv1a1.RateLimitMetricsPrometheusProvider{ + Disable: true, + }, + }, + }, + }, + daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, + }, + { + caseName: "patch-daemonset", + rateLimit: rateLimit, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{\"spec\":{\"template\":{\"spec\":{\"hostNetwork\":true,\"dnsPolicy\":\"ClusterFirstWithHostNet\"}}}}"), + }, + }, + }, + }, + { + caseName: "custom", + rateLimit: rateLimit, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/scrape": 
"true", + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsUser: ptr.To[int64](1000), + }, + }, + Container: &egv1a1.KubernetesContainerSpec{ + Image: ptr.To("custom-image"), + Resources: &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("400m"), + corev1.ResourceMemory: resource.MustParse("2Gi"), + }, + Requests: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("200m"), + corev1.ResourceMemory: resource.MustParse("1Gi"), + }, + }, + SecurityContext: &corev1.SecurityContext{ + Privileged: ptr.To(true), + }, + }, + }, + }, + { + caseName: "extension-env", + rateLimit: rateLimit, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/scrape": "true", + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsUser: ptr.To[int64](1000), + }, + }, + Container: &egv1a1.KubernetesContainerSpec{ + Env: []corev1.EnvVar{ + { + Name: "env_a", + Value: "env_a_value", + }, + { + Name: "env_b", + Value: "env_b_value", + }, + }, + Image: ptr.To("custom-image"), + Resources: &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("400m"), + corev1.ResourceMemory: resource.MustParse("2Gi"), + }, + Requests: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("200m"), + corev1.ResourceMemory: resource.MustParse("1Gi"), + }, + }, + SecurityContext: &corev1.SecurityContext{ + Privileged: ptr.To(true), + }, + }, + }, + }, + { + caseName: "default-env", + rateLimit: rateLimit, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/scrape": "true", + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsUser: ptr.To[int64](1000), + }, + }, + Container: &egv1a1.KubernetesContainerSpec{ + 
Env: nil, + Image: ptr.To("custom-image"), + Resources: &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("400m"), + corev1.ResourceMemory: resource.MustParse("2Gi"), + }, + Requests: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("200m"), + corev1.ResourceMemory: resource.MustParse("1Gi"), + }, + }, + SecurityContext: &corev1.SecurityContext{ + Privileged: ptr.To(true), + }, + }, + }, + }, + { + caseName: "override-env", + rateLimit: rateLimit, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/scrape": "true", + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsUser: ptr.To[int64](1000), + }, + }, + Container: &egv1a1.KubernetesContainerSpec{ + Env: []corev1.EnvVar{ + { + Name: UseStatsdEnvVar, + Value: "true", + }, + }, + Image: ptr.To("custom-image"), + Resources: &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("400m"), + corev1.ResourceMemory: resource.MustParse("2Gi"), + }, + Requests: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("200m"), + corev1.ResourceMemory: resource.MustParse("1Gi"), + }, + }, + SecurityContext: &corev1.SecurityContext{ + Privileged: ptr.To(true), + }, + }, + }, + }, + { + caseName: "redis-tls-settings", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + TLS: &egv1a1.RedisTLSSettings{ + CertificateRef: &gwapiv1.SecretObjectReference{ + Name: "ratelimit-cert", + }, + }, + }, + }, + }, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/scrape": "true", + }, + SecurityContext: 
&corev1.PodSecurityContext{ + RunAsUser: ptr.To[int64](1000), + }, + }, + Container: &egv1a1.KubernetesContainerSpec{ + Env: []corev1.EnvVar{ + { + Name: RedisAuthEnvVar, + Value: "redis_auth_password", + }, + { + Name: UseStatsdEnvVar, + Value: "true", + }, + }, + Image: ptr.To("custom-image"), + Resources: &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("400m"), + corev1.ResourceMemory: resource.MustParse("2Gi"), + }, + Requests: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("200m"), + corev1.ResourceMemory: resource.MustParse("1Gi"), + }, + }, + SecurityContext: &corev1.SecurityContext{ + Privileged: ptr.To(true), + }, + }, + }, + }, + { + caseName: "tolerations", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + TLS: &egv1a1.RedisTLSSettings{ + CertificateRef: &gwapiv1.SecretObjectReference{ + Name: "ratelimit-cert", + }, + }, + }, + }, + }, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/scrape": "true", + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsUser: ptr.To[int64](1000), + }, + Tolerations: []corev1.Toleration{ + { + Key: "node-type", + Operator: corev1.TolerationOpExists, + Effect: corev1.TaintEffectNoSchedule, + Value: "router", + }, + }, + }, + Container: &egv1a1.KubernetesContainerSpec{ + Env: []corev1.EnvVar{ + { + Name: RedisAuthEnvVar, + Value: "redis_auth_password", + }, + { + Name: UseStatsdEnvVar, + Value: "true", + }, + }, + Image: ptr.To("custom-image"), + Resources: &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("400m"), + corev1.ResourceMemory: resource.MustParse("2Gi"), + }, + Requests: corev1.ResourceList{ + corev1.ResourceCPU: 
resource.MustParse("200m"), + corev1.ResourceMemory: resource.MustParse("1Gi"), + }, + }, + SecurityContext: &corev1.SecurityContext{ + Privileged: ptr.To(true), + }, + }, + }, + }, + { + caseName: "volumes", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + TLS: &egv1a1.RedisTLSSettings{ + CertificateRef: &gwapiv1.SecretObjectReference{ + Name: "ratelimit-cert-origin", + }, + }, + }, + }, + }, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/scrape": "true", + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsUser: ptr.To[int64](1000), + }, + Tolerations: []corev1.Toleration{ + { + Key: "node-type", + Operator: corev1.TolerationOpExists, + Effect: corev1.TaintEffectNoSchedule, + Value: "router", + }, + }, + Volumes: []corev1.Volume{ + { + Name: "certs", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "custom-cert", + DefaultMode: ptr.To[int32](420), + }, + }, + }, + }, + }, + Container: &egv1a1.KubernetesContainerSpec{ + Env: []corev1.EnvVar{ + { + Name: RedisAuthEnvVar, + Value: "redis_auth_password", + }, + { + Name: UseStatsdEnvVar, + Value: "true", + }, + }, + Image: ptr.To("custom-image"), + Resources: &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("400m"), + corev1.ResourceMemory: resource.MustParse("2Gi"), + }, + Requests: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("200m"), + corev1.ResourceMemory: resource.MustParse("1Gi"), + }, + }, + SecurityContext: &corev1.SecurityContext{ + Privileged: ptr.To(true), + }, + VolumeMounts: []corev1.VolumeMount{}, + }, + }, + }, + { + caseName: "with-node-selector", + rateLimit: rateLimit, + daemonSetSpec: 
&egv1a1.KubernetesDaemonSetSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + NodeSelector: map[string]string{ + "key1": "value1", + "key2": "value2", + }, + }, + }, + }, + { + caseName: "enable-tracing", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + Telemetry: &egv1a1.RateLimitTelemetry{ + Tracing: &egv1a1.RateLimitTracing{ + Provider: &egv1a1.RateLimitTracingProvider{ + URL: "http://trace-collector.envoy-gateway-system.svc.cluster.local:4318", + }, + }, + }, + }, + daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, + }, + { + caseName: "enable-tracing-custom", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + Telemetry: &egv1a1.RateLimitTelemetry{ + Tracing: &egv1a1.RateLimitTracing{ + SamplingRate: ptr.To[uint32](55), + Provider: &egv1a1.RateLimitTracingProvider{ + URL: "trace-collector.envoy-gateway-system.svc.cluster.local:4317", + }, + }, + }, + }, + daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, + }, + { + caseName: "merge-labels", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + }, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Labels: map[string]string{ + "app.kubernetes.io/name": InfraName, + "app.kubernetes.io/component": "ratelimit", + "app.kubernetes.io/managed-by": "envoy-gateway", + "key1": "value1", + "key2": "value2", + }, + }, + }, + }, + { + caseName: "merge-annotations", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: 
egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + }, + daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/path": "/metrics", + "prometheus.io/port": strconv.Itoa(PrometheusPort), + "prometheus.io/scrape": "true", + "key1": "value1", + "key2": "value2", + }, + }, + }, + }, + } + for _, tc := range cases { + t.Run(tc.caseName, func(t *testing.T) { + cfg.EnvoyGateway.RateLimit = tc.rateLimit + + cfg.EnvoyGateway.Provider = &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyGatewayKubernetesProvider{ + RateLimitDaemonset: tc.daemonSetSpec, + }, + } + r := NewResourceRender(cfg.Namespace, cfg.EnvoyGateway, ownerReferenceUID) + dp, err := r.DaemonSet() + require.NoError(t, err) + + if *overrideTestData { + daemonsetYAML, err := yaml.Marshal(dp) + require.NoError(t, err) + // nolint:gosec + err = os.WriteFile(fmt.Sprintf("testdata/daemonsets/%s.yaml", tc.caseName), daemonsetYAML, 0o644) + require.NoError(t, err) + return + } + + expected, err := loadDaemonset(tc.caseName) + require.NoError(t, err) + + assert.Equal(t, expected, dp) + }) + } +} + +func loadDaemonset(caseName string) (*appsv1.DaemonSet, error) { + daemonsetYaml, err := os.ReadFile(fmt.Sprintf("testdata/daemonsets/%s.yaml", caseName)) + if err != nil { + return nil, err + } + daemonset := &appsv1.DaemonSet{} + _ = yaml.Unmarshal(daemonsetYaml, daemonset) + return daemonset, nil +} + func TestGetServiceURL(t *testing.T) { got := GetServiceURL("envoy-gateway-system", "example-cluster.local") assert.Equal(t, "grpc://envoy-ratelimit.envoy-gateway-system.svc.example-cluster.local:8081", got) diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml new file mode 100644 index 00000000000..eb3d1dc13d8 --- /dev/null 
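Review bot: `cfg` is dereferenced to set `RateLimitDaemonset` before `require.NoError(t, err)` checks the result of `config.New()`, so a failing constructor surfaces as a nil-pointer panic instead of a test failure; move the check directly under the call: `cfg, err := config.New()` / `require.NoError(t, err)` / `cfg.EnvoyGateway.Provider.Kubernetes.RateLimitDaemonset = egv1a1.DefaultKubernetesDaemonSet(egv1a1.DefaultRateLimitImage)`. The comment on that line, `or else daemonset will be used`, contradicts the defaulting in `GetEnvoyGatewayKubeProvider`, which falls back to a Deployment when neither spec is set; `// Set a DaemonSet spec explicitly, otherwise defaulting produces a Deployment spec`. `loadDaemonset` discards the `yaml.Unmarshal` error, so a malformed fixture shows up as a confusing `assert.Equal` diff against an empty DaemonSet rather than a parse error; return it with `if err := yaml.Unmarshal(daemonsetYaml, daemonset); err != nil { return nil, err }`. Both `TestDaemonset` and `loadDaemonset` are fully inside the hunk.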
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml 
@@ -0,0 +1,151 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + 
value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: custom-image + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 400m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + securityContext: + privileged: true + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + runAsUser: 1000 + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml new file mode 100644 index 00000000000..eb3d1dc13d8 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml 
@@ -0,0 +1,151 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + 
value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: custom-image + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 400m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + securityContext: + privileged: true + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + runAsUser: 1000 + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml new file mode 100644 index 00000000000..d3182b68dd5 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml 
@@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + 
value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml new file mode 100644 index 00000000000..e902600edbe --- /dev/null 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml 
@@ -0,0 +1,138 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: redis.redis.svc:6379 + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: 
envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml new file mode 100644 index 00000000000..78242fdc716 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml 
@@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + 
value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + - name: TRACING_ENABLED + value: "true" + - name: TRACING_SERVICE_NAME + value: envoy-ratelimit + - name: TRACING_SERVICE_NAMESPACE + value: envoy-gateway-system + - name: TRACING_SERVICE_INSTANCE_ID + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: TRACING_SAMPLING_RATE + value: "0.6" + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4317 + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + 
type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml new file mode 100644 index 00000000000..31a4ecfdad9 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml 
@@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + 
value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + - name: TRACING_ENABLED + value: "true" + - name: TRACING_SERVICE_NAME + value: envoy-ratelimit + - name: TRACING_SERVICE_NAMESPACE + value: envoy-gateway-system + - name: TRACING_SERVICE_INSTANCE_ID + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: TRACING_SAMPLING_RATE + value: "1.0" + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4318 + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + 
type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml new file mode 100644 index 00000000000..9ec98bc74f3 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml 
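Review bot: Every fixture in this series writes `kind: Daemonset` both for the object itself and inside its ownerReference, but the apps/v1 kind is spelled `DaemonSet`; since these are golden files the spelling presumably comes from the generator's TypeMeta, so it should be corrected there and the fixtures regenerated rather than edited by hand. The ownerReference deserves a second look as well: it keeps `name: envoy-gateway` and `uid: test-owner-reference-uid-for-deployment` but switches the kind to `Daemonset`, and if the owner is still the envoy-gateway controller Deployment the kind should remain `Deployment`, because an ownerReference that resolves to no live object lets the garbage collector remove the rate limit workload. The same applies to the extension-env, merge-annotations, merge-labels, override-env, patch-daemonset, redis-tls-settings, tolerations and volumes fixtures.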
@@ -0,0 +1,155 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + 
value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + - name: env_a + value: env_a_value + - name: env_b + value: env_b_value + image: custom-image + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 400m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + securityContext: + privileged: true + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + runAsUser: 1000 + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml new file mode 100644 index 00000000000..2f34b46f27e --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml 
@@ -0,0 +1,158 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + key1: value1 + key2: value2 + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: 
tcp + - name: REDIS_URL + value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml new file mode 100644 index 00000000000..efd6a1382c1 --- /dev/null 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml 
@@ -0,0 +1,158 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + key1: value1 + key2: value2 + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: 
tcp + - name: REDIS_URL + value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml new file mode 100644 index 00000000000..1de6f2237f9 --- /dev/null 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml 
@@ -0,0 +1,151 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "true" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: 
redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: custom-image + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 400m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + securityContext: + privileged: true + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + runAsUser: 1000 + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml new file mode 100644 index 00000000000..8527fb93226 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml 
@@ -0,0 +1,157 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + 
value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml new file mode 100644 index 00000000000..a16c8a713a7 --- /dev/null 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml 
@@ -0,0 +1,166 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "true" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: 
redis.redis.svc:6379 + - name: REDIS_TLS + value: "true" + - name: REDIS_TLS_CLIENT_CERT + value: /redis-certs/tls.crt + - name: REDIS_TLS_CLIENT_KEY + value: /redis-certs/tls.key + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + - name: REDIS_AUTH + value: redis_auth_password + image: custom-image + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 400m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + securityContext: + privileged: true + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + - mountPath: /redis-certs + name: redis-certs + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + runAsUser: 1000 + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: redis-certs + secret: + defaultMode: 420 + secretName: ratelimit-cert + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 
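Review bot: `REDIS_AUTH` is materialized as a literal `value: redis_auth_password` in the container env, so whatever the generator derives the credential from ends up readable by anyone who can get or describe the DaemonSet and its pods. If the deployment fixtures have the same shape this is inherited rather than introduced here, but a `valueFrom.secretKeyRef` would keep the credential out of the pod spec; the tolerations fixture carries the same literal.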
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml new file mode 100644 index 00000000000..21d5051e084 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml 
@@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: Daemonset +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Daemonset + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "true" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: 
redis.redis.svc:6379 + - name: REDIS_TLS + value: "true" + - name: REDIS_TLS_CLIENT_CERT + value: /redis-certs/tls.crt + - name: REDIS_TLS_CLIENT_KEY + value: /redis-certs/tls.key + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + - name: REDIS_AUTH + value: redis_auth_password + image: custom-image + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 400m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + securityContext: + privileged: true + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + - mountPath: /redis-certs + name: redis-certs + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + runAsUser: 1000 + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: router + volumes: + - name: redis-certs + secret: + defaultMode: 420 + secretName: ratelimit-cert + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config + updateStrategy: + type: RollingUpdate +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml new file mode 100644 index 00000000000..93f8d545754 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml 
@@ -0,0 +1,171 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "true"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: 
redis.redis.svc:6379
+ - name: REDIS_TLS
+ value: "true"
+ - name: REDIS_TLS_CLIENT_CERT
+ value: /redis-certs/tls.crt
+ - name: REDIS_TLS_CLIENT_KEY
+ value: /redis-certs/tls.key
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ - name: REDIS_AUTH
+ value: redis_auth_password
+ image: custom-image
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ - mountPath: /redis-certs
+ name: redis-certs
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ tolerations:
+ - effect: NoSchedule
+ key: node-type
+ operator: Exists
+ value: router
+ volumes:
+ - name: redis-certs
+ secret:
+ defaultMode: 420
+ secretName: ratelimit-cert-origin
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: custom-cert
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml
new file mode 100644
index 00000000000..89d061b8da4
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml
@@ -0,0 +1,159 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ 
value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ nodeSelector:
+ key1: value1
+ key2: value2
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 76adfb15735..640feb97101 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1147,6 +1147,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | +| `rateLimitDaemonset` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
If unspecified, default settings for the managed Envoy ratelimit daemonset resource
are applied. | | `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. | | `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | | `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | @@ -2432,6 +2433,7 @@ _Appears in:_ KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource. _Appears in:_ +- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) | Field | Type | Required | Description | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 76adfb15735..640feb97101 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -1147,6 +1147,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | +| `rateLimitDaemonset` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
If unspecified, default settings for the managed Envoy ratelimit daemonset resource
are applied. | | `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. | | `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | | `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | @@ -2432,6 +2433,7 @@ _Appears in:_ KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource. _Appears in:_ +- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) | Field | Type | Required | Description | From 69150309aac98dd69d76dcc20ffcd84f7a249ea8 Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 22:21:36 -0600 Subject: [PATCH 09/12] comments Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- internal/gatewayapi/status/gateway.go | 2 +- .../infrastructure/kubernetes/ratelimit/resource_provider.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index 8e790ba11b4..740e3089178 100644 --- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go @@ -134,7 +134,7 @@ const ( messageAddressNotAssigned = "No addresses have been assigned to the Gateway" messageFmtTooManyAddresses = "Too many addresses (%d) have been assigned to the Gateway, the maximum number of addresses is 16" messageNoResources = "Envoy replicas unavailable" - messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy Deployment replicas available" + messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy replicas available" ) // updateGatewayProgrammedCondition computes the Gateway Programmed status condition. diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index ea0da488db8..77f66893604 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go 
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -313,7 +313,7 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { if r.rateLimitDaemonset.Pod.Labels != nil { maps.Copy(podLabels, r.rateLimitDaemonset.Pod.Labels) // Copy overwrites values in the dest map if they exist in the src map https://pkg.go.dev/maps#Copy - // It's applied again with the rateLimitLabels that are used as deployment selector to ensure those are not overwritten by user input + // It's applied again with the rateLimitLabels that are used as daemonset selector to ensure those are not overwritten by user input maps.Copy(podLabels, rateLimitLabels()) } @@ -389,7 +389,7 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { } } - // apply merge patch to deployment + // apply merge patch to daemonset var err error if daemonset, err = r.rateLimitDaemonset.ApplyMergePatch(daemonset); err != nil { return nil, err From 2c8c8c421be0905492bf08c42cacb4018d0c3937 Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sun, 13 Oct 2024 00:09:27 -0600 Subject: [PATCH 10/12] Remove ratelimit daemonset 
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- .../kubernetes/ratelimit/resource_provider.go | 102 +--- .../ratelimit/resource_provider_test.go | 520 ------------------ .../ratelimit/testdata/daemonsets/custom.yaml | 151 ----- .../testdata/daemonsets/default-env.yaml | 151 ----- .../testdata/daemonsets/default.yaml | 156 ------ .../daemonsets/disable-prometheus.yaml | 138 ----- .../daemonsets/enable-tracing-custom.yaml | 171 ------ .../testdata/daemonsets/enable-tracing.yaml | 171 ------ .../testdata/daemonsets/extension-env.yaml | 155 ------ .../daemonsets/merge-annotations.yaml | 158 ------ .../testdata/daemonsets/merge-labels.yaml | 158 ------ .../testdata/daemonsets/override-env.yaml | 151 ----- .../testdata/daemonsets/patch-daemonset.yaml | 157 ------ .../daemonsets/redis-tls-settings.yaml | 166 ------ .../testdata/daemonsets/tolerations.yaml | 171 ------ .../testdata/daemonsets/volumes.yaml | 171 ------ .../daemonsets/with-node-selector.yaml | 159 ------ .../kubernetes/ratelimit_infra.go | 21 +- .../kubernetes/ratelimit_infra_test.go | 42 +- 19 files changed, 7 insertions(+), 3062 deletions(-) delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml delete mode 100644 
internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index 77f66893604..bcc9d580cfc 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -27,7 +27,6 @@ import ( // but also the key for the uid of their ownerReference. const ( ResourceKindService = "Service" - ResourceKindDaemonset = "Daemonset" ResourceKindDeployment = "Deployment" ResourceKindServiceAccount = "ServiceAccount" appsAPIVersion = "apps/v1" @@ -42,7 +41,6 @@ type ResourceRender struct { rateLimit *egv1a1.RateLimit rateLimitDeployment *egv1a1.KubernetesDeploymentSpec - rateLimitDaemonset *egv1a1.KubernetesDaemonSetSpec // ownerReferenceUID store the uid of its owner reference. ownerReferenceUID map[string]types.UID 
@@ -53,7 +51,6 @@ func NewResourceRender(ns string, gateway *egv1a1.EnvoyGateway, ownerReferenceUI return &ResourceRender{ Namespace: ns, rateLimit: gateway.RateLimit, - rateLimitDaemonset: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, rateLimitDeployment: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDeployment, ownerReferenceUID: ownerReferenceUID, } 
@@ -297,105 +294,12 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { // DaemonSetSpec returns the `DaemonSet` sets spec. func (r *ResourceRender) DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) { - return r.rateLimitDaemonset, nil + return nil, nil } +// TODO: implement this method func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { - // If daemonset config is nil,ignore Daemonset. - if daemonsetConfig, er := r.DaemonSetSpec(); daemonsetConfig == nil { - return nil, er - } - - containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDaemonset.Container, r.Namespace) - selector := resource.GetSelector(rateLimitLabels()) - - podLabels := rateLimitLabels() - if r.rateLimitDaemonset.Pod.Labels != nil { - maps.Copy(podLabels, r.rateLimitDaemonset.Pod.Labels) - // Copy overwrites values in the dest map if they exist in the src map https://pkg.go.dev/maps#Copy - // It's applied again with the rateLimitLabels that are used as daemonset selector to ensure those are not overwritten by user input - maps.Copy(podLabels, rateLimitLabels()) - } - - var podAnnotations map[string]string - if enablePrometheus(r.rateLimit) { - podAnnotations = map[string]string{ - "prometheus.io/path": "/metrics", - "prometheus.io/port": strconv.Itoa(PrometheusPort), - "prometheus.io/scrape": "true", - } - } - if r.rateLimitDaemonset.Pod.Annotations != nil { - if podAnnotations != nil { - maps.Copy(podAnnotations, r.rateLimitDaemonset.Pod.Annotations) - } else { - podAnnotations = r.rateLimitDaemonset.Pod.Annotations - } - } - - daemonset := &appsv1.DaemonSet{ - TypeMeta: metav1.TypeMeta{ - Kind: ResourceKindDaemonset, - APIVersion: appsAPIVersion, - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: r.Namespace, - Labels: rateLimitLabels(), - }, - Spec: appsv1.DaemonSetSpec{ - UpdateStrategy: *r.rateLimitDaemonset.Strategy, - Selector: selector, - Template: corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: podLabels, - 
Annotations: podAnnotations, - }, - Spec: corev1.PodSpec{ - Containers: containers, - ServiceAccountName: InfraName, - AutomountServiceAccountToken: ptr.To(false), - TerminationGracePeriodSeconds: ptr.To[int64](300), - DNSPolicy: corev1.DNSClusterFirst, - RestartPolicy: corev1.RestartPolicyAlways, - SchedulerName: "default-scheduler", - SecurityContext: r.rateLimitDaemonset.Pod.SecurityContext, - Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDaemonset.Pod), - Affinity: r.rateLimitDaemonset.Pod.Affinity, - Tolerations: r.rateLimitDaemonset.Pod.Tolerations, - ImagePullSecrets: r.rateLimitDaemonset.Pod.ImagePullSecrets, - NodeSelector: r.rateLimitDaemonset.Pod.NodeSelector, - }, - }, - }, - } - - // set name - if r.rateLimitDaemonset.Name != nil { - daemonset.ObjectMeta.Name = *r.rateLimitDaemonset.Name - } else { - daemonset.ObjectMeta.Name = r.Name() - } - - if r.ownerReferenceUID != nil { - if uid, ok := r.ownerReferenceUID[ResourceKindDaemonset]; ok { - daemonset.OwnerReferences = []metav1.OwnerReference{ - { - Kind: ResourceKindDaemonset, - APIVersion: appsAPIVersion, - Name: "envoy-gateway", - UID: uid, - }, - } - } - } - - // apply merge patch to daemonset - var err error - if daemonset, err = r.rateLimitDaemonset.ApplyMergePatch(daemonset); err != nil { - return nil, err - } - - return daemonset, nil + return nil, nil } // HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec. diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go index 71d1cfc2f81..c7aa23f7943 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go 
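Review bot: `DaemonSetSpec` and `DaemonSet` are both reduced to `return nil, nil` stubs, but the comment above `DaemonSetSpec` still promises the DaemonSet spec and the new `// TODO: implement this method` covers only `DaemonSet`; a caller that checks the error alone and then dereferences the result will nil-panic, which the removed `daemonsetConfig == nil` guard at least made an explicit early return. If the two methods have to stay to satisfy an interface (inferred from the TODO, not visible in this hunk), say so and make the contract explicit, e.g. replace the stale comment with `// DaemonSetSpec is not supported for the rate limit service; it always returns nil, nil and callers must treat the result as absent.` and give `DaemonSet` the same wording, or return an explicit error so misuse fails loudly rather than silently. The `TestDaemonset` cases removed in the resource_provider_test.go hunk below leave these stubs with no coverage, so whichever contract is chosen deserves a one-case test pinning it. Both functions are fully contained in this hunk.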
@@ -37,7 +37,6 @@ const ( var ownerReferenceUID = map[string]types.UID{ ResourceKindService: "test-owner-reference-uid-for-service", - ResourceKindDaemonset: "test-owner-reference-uid-for-deployment", ResourceKindDeployment: "test-owner-reference-uid-for-deployment", ResourceKindServiceAccount: "test-owner-reference-uid-for-service-account", } 
@@ -766,525 +765,6 @@ func loadDeployment(caseName string) (*appsv1.Deployment, error) { return deployment, nil } -func TestDaemonset(t *testing.T) { - cfg, err := config.New() - // Set default DaemonsetSpec or else daemonset will be used - cfg.EnvoyGateway.Provider.Kubernetes.RateLimitDaemonset = egv1a1.DefaultKubernetesDaemonSet(egv1a1.DefaultRateLimitImage) - require.NoError(t, err) - rateLimit := &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - }, - }, - } - cases := []struct { - caseName string - rateLimit *egv1a1.RateLimit - daemonSetSpec *egv1a1.KubernetesDaemonSetSpec - }{ - { - caseName: "default", - rateLimit: rateLimit, - daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, - }, - { - caseName: "disable-prometheus", - rateLimit: &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - }, - }, - Telemetry: &egv1a1.RateLimitTelemetry{ - Metrics: &egv1a1.RateLimitMetrics{ - Prometheus: &egv1a1.RateLimitMetricsPrometheusProvider{ - Disable: true, - }, - }, - }, - }, - daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, - }, - { - caseName: "patch-daemonset", - rateLimit: rateLimit, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Patch: &egv1a1.KubernetesPatchSpec{ - Type: ptr.To(egv1a1.StrategicMerge), - Value: apiextensionsv1.JSON{ - Raw: []byte("{\"spec\":{\"template\":{\"spec\":{\"hostNetwork\":true,\"dnsPolicy\":\"ClusterFirstWithHostNet\"}}}}"), - }, - }, - }, - }, - { - caseName: "custom", - rateLimit: rateLimit, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), - Pod: &egv1a1.KubernetesPodSpec{ - Annotations: map[string]string{ - "prometheus.io/scrape": 
"true", - }, - SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: ptr.To[int64](1000), - }, - }, - Container: &egv1a1.KubernetesContainerSpec{ - Image: ptr.To("custom-image"), - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("400m"), - corev1.ResourceMemory: resource.MustParse("2Gi"), - }, - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("200m"), - corev1.ResourceMemory: resource.MustParse("1Gi"), - }, - }, - SecurityContext: &corev1.SecurityContext{ - Privileged: ptr.To(true), - }, - }, - }, - }, - { - caseName: "extension-env", - rateLimit: rateLimit, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), - Pod: &egv1a1.KubernetesPodSpec{ - Annotations: map[string]string{ - "prometheus.io/scrape": "true", - }, - SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: ptr.To[int64](1000), - }, - }, - Container: &egv1a1.KubernetesContainerSpec{ - Env: []corev1.EnvVar{ - { - Name: "env_a", - Value: "env_a_value", - }, - { - Name: "env_b", - Value: "env_b_value", - }, - }, - Image: ptr.To("custom-image"), - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("400m"), - corev1.ResourceMemory: resource.MustParse("2Gi"), - }, - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("200m"), - corev1.ResourceMemory: resource.MustParse("1Gi"), - }, - }, - SecurityContext: &corev1.SecurityContext{ - Privileged: ptr.To(true), - }, - }, - }, - }, - { - caseName: "default-env", - rateLimit: rateLimit, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), - Pod: &egv1a1.KubernetesPodSpec{ - Annotations: map[string]string{ - "prometheus.io/scrape": "true", - }, - SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: ptr.To[int64](1000), - }, - }, - Container: &egv1a1.KubernetesContainerSpec{ - 
Env: nil, - Image: ptr.To("custom-image"), - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("400m"), - corev1.ResourceMemory: resource.MustParse("2Gi"), - }, - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("200m"), - corev1.ResourceMemory: resource.MustParse("1Gi"), - }, - }, - SecurityContext: &corev1.SecurityContext{ - Privileged: ptr.To(true), - }, - }, - }, - }, - { - caseName: "override-env", - rateLimit: rateLimit, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), - Pod: &egv1a1.KubernetesPodSpec{ - Annotations: map[string]string{ - "prometheus.io/scrape": "true", - }, - SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: ptr.To[int64](1000), - }, - }, - Container: &egv1a1.KubernetesContainerSpec{ - Env: []corev1.EnvVar{ - { - Name: UseStatsdEnvVar, - Value: "true", - }, - }, - Image: ptr.To("custom-image"), - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("400m"), - corev1.ResourceMemory: resource.MustParse("2Gi"), - }, - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("200m"), - corev1.ResourceMemory: resource.MustParse("1Gi"), - }, - }, - SecurityContext: &corev1.SecurityContext{ - Privileged: ptr.To(true), - }, - }, - }, - }, - { - caseName: "redis-tls-settings", - rateLimit: &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - TLS: &egv1a1.RedisTLSSettings{ - CertificateRef: &gwapiv1.SecretObjectReference{ - Name: "ratelimit-cert", - }, - }, - }, - }, - }, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), - Pod: &egv1a1.KubernetesPodSpec{ - Annotations: map[string]string{ - "prometheus.io/scrape": "true", - }, - SecurityContext: 
&corev1.PodSecurityContext{ - RunAsUser: ptr.To[int64](1000), - }, - }, - Container: &egv1a1.KubernetesContainerSpec{ - Env: []corev1.EnvVar{ - { - Name: RedisAuthEnvVar, - Value: "redis_auth_password", - }, - { - Name: UseStatsdEnvVar, - Value: "true", - }, - }, - Image: ptr.To("custom-image"), - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("400m"), - corev1.ResourceMemory: resource.MustParse("2Gi"), - }, - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("200m"), - corev1.ResourceMemory: resource.MustParse("1Gi"), - }, - }, - SecurityContext: &corev1.SecurityContext{ - Privileged: ptr.To(true), - }, - }, - }, - }, - { - caseName: "tolerations", - rateLimit: &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - TLS: &egv1a1.RedisTLSSettings{ - CertificateRef: &gwapiv1.SecretObjectReference{ - Name: "ratelimit-cert", - }, - }, - }, - }, - }, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), - Pod: &egv1a1.KubernetesPodSpec{ - Annotations: map[string]string{ - "prometheus.io/scrape": "true", - }, - SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: ptr.To[int64](1000), - }, - Tolerations: []corev1.Toleration{ - { - Key: "node-type", - Operator: corev1.TolerationOpExists, - Effect: corev1.TaintEffectNoSchedule, - Value: "router", - }, - }, - }, - Container: &egv1a1.KubernetesContainerSpec{ - Env: []corev1.EnvVar{ - { - Name: RedisAuthEnvVar, - Value: "redis_auth_password", - }, - { - Name: UseStatsdEnvVar, - Value: "true", - }, - }, - Image: ptr.To("custom-image"), - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("400m"), - corev1.ResourceMemory: resource.MustParse("2Gi"), - }, - Requests: corev1.ResourceList{ - corev1.ResourceCPU: 
resource.MustParse("200m"), - corev1.ResourceMemory: resource.MustParse("1Gi"), - }, - }, - SecurityContext: &corev1.SecurityContext{ - Privileged: ptr.To(true), - }, - }, - }, - }, - { - caseName: "volumes", - rateLimit: &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - TLS: &egv1a1.RedisTLSSettings{ - CertificateRef: &gwapiv1.SecretObjectReference{ - Name: "ratelimit-cert-origin", - }, - }, - }, - }, - }, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(), - Pod: &egv1a1.KubernetesPodSpec{ - Annotations: map[string]string{ - "prometheus.io/scrape": "true", - }, - SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: ptr.To[int64](1000), - }, - Tolerations: []corev1.Toleration{ - { - Key: "node-type", - Operator: corev1.TolerationOpExists, - Effect: corev1.TaintEffectNoSchedule, - Value: "router", - }, - }, - Volumes: []corev1.Volume{ - { - Name: "certs", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: "custom-cert", - DefaultMode: ptr.To[int32](420), - }, - }, - }, - }, - }, - Container: &egv1a1.KubernetesContainerSpec{ - Env: []corev1.EnvVar{ - { - Name: RedisAuthEnvVar, - Value: "redis_auth_password", - }, - { - Name: UseStatsdEnvVar, - Value: "true", - }, - }, - Image: ptr.To("custom-image"), - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("400m"), - corev1.ResourceMemory: resource.MustParse("2Gi"), - }, - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("200m"), - corev1.ResourceMemory: resource.MustParse("1Gi"), - }, - }, - SecurityContext: &corev1.SecurityContext{ - Privileged: ptr.To(true), - }, - VolumeMounts: []corev1.VolumeMount{}, - }, - }, - }, - { - caseName: "with-node-selector", - rateLimit: rateLimit, - daemonSetSpec: 
&egv1a1.KubernetesDaemonSetSpec{ - Pod: &egv1a1.KubernetesPodSpec{ - NodeSelector: map[string]string{ - "key1": "value1", - "key2": "value2", - }, - }, - }, - }, - { - caseName: "enable-tracing", - rateLimit: &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - }, - }, - Telemetry: &egv1a1.RateLimitTelemetry{ - Tracing: &egv1a1.RateLimitTracing{ - Provider: &egv1a1.RateLimitTracingProvider{ - URL: "http://trace-collector.envoy-gateway-system.svc.cluster.local:4318", - }, - }, - }, - }, - daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, - }, - { - caseName: "enable-tracing-custom", - rateLimit: &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - }, - }, - Telemetry: &egv1a1.RateLimitTelemetry{ - Tracing: &egv1a1.RateLimitTracing{ - SamplingRate: ptr.To[uint32](55), - Provider: &egv1a1.RateLimitTracingProvider{ - URL: "trace-collector.envoy-gateway-system.svc.cluster.local:4317", - }, - }, - }, - }, - daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset, - }, - { - caseName: "merge-labels", - rateLimit: &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - }, - }, - }, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Pod: &egv1a1.KubernetesPodSpec{ - Labels: map[string]string{ - "app.kubernetes.io/name": InfraName, - "app.kubernetes.io/component": "ratelimit", - "app.kubernetes.io/managed-by": "envoy-gateway", - "key1": "value1", - "key2": "value2", - }, - }, - }, - }, - { - caseName: "merge-annotations", - rateLimit: &egv1a1.RateLimit{ - Backend: egv1a1.RateLimitDatabaseBackend{ - Type: 
egv1a1.RedisBackendType, - Redis: &egv1a1.RateLimitRedisSettings{ - URL: "redis.redis.svc:6379", - }, - }, - }, - daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{ - Pod: &egv1a1.KubernetesPodSpec{ - Annotations: map[string]string{ - "prometheus.io/path": "/metrics", - "prometheus.io/port": strconv.Itoa(PrometheusPort), - "prometheus.io/scrape": "true", - "key1": "value1", - "key2": "value2", - }, - }, - }, - }, - } - for _, tc := range cases { - t.Run(tc.caseName, func(t *testing.T) { - cfg.EnvoyGateway.RateLimit = tc.rateLimit - - cfg.EnvoyGateway.Provider = &egv1a1.EnvoyGatewayProvider{ - Type: egv1a1.ProviderTypeKubernetes, - Kubernetes: &egv1a1.EnvoyGatewayKubernetesProvider{ - RateLimitDaemonset: tc.daemonSetSpec, - }, - } - r := NewResourceRender(cfg.Namespace, cfg.EnvoyGateway, ownerReferenceUID) - dp, err := r.DaemonSet() - require.NoError(t, err) - - if *overrideTestData { - daemonsetYAML, err := yaml.Marshal(dp) - require.NoError(t, err) - // nolint:gosec - err = os.WriteFile(fmt.Sprintf("testdata/daemonsets/%s.yaml", tc.caseName), daemonsetYAML, 0o644) - require.NoError(t, err) - return - } - - expected, err := loadDaemonset(tc.caseName) - require.NoError(t, err) - - assert.Equal(t, expected, dp) - }) - } -} - -func loadDaemonset(caseName string) (*appsv1.DaemonSet, error) { - daemonsetYaml, err := os.ReadFile(fmt.Sprintf("testdata/daemonsets/%s.yaml", caseName)) - if err != nil { - return nil, err - } - daemonset := &appsv1.DaemonSet{} - _ = yaml.Unmarshal(daemonsetYaml, daemonset) - return daemonset, nil -} - func TestGetServiceURL(t *testing.T) { got := GetServiceURL("envoy-gateway-system", "example-cluster.local") assert.Equal(t, "grpc://envoy-ratelimit.envoy-gateway-system.svc.example-cluster.local:8081", got) diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml deleted file mode 100644 index eb3d1dc13d8..00000000000 
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - 
value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - image: custom-image - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 400m - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi - securityContext: - privileged: true - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsUser: 1000 - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml deleted file mode 100644 index eb3d1dc13d8..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - 
value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - image: custom-image - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 400m - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi - securityContext: - privileged: true - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsUser: 1000 - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml deleted file mode 100644 index d3182b68dd5..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml +++ /dev/null 
@@ -1,156 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - 
value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml deleted file mode 100644 index e902600edbe..00000000000 
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml +++ /dev/null 
@@ -1,138 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - value: redis.redis.svc:6379 - image: envoyproxy/ratelimit:master - imagePullPolicy: IfNotPresent - name: 
envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml deleted file mode 100644 index 78242fdc716..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - 
value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - - name: TRACING_ENABLED - value: "true" - - name: TRACING_SERVICE_NAME - value: envoy-ratelimit - - name: TRACING_SERVICE_NAMESPACE - value: envoy-gateway-system - - name: TRACING_SERVICE_INSTANCE_ID - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: TRACING_SAMPLING_RATE - value: "0.6" - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4317 - image: envoyproxy/ratelimit:master - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - 
type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml deleted file mode 100644 index 31a4ecfdad9..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - 
value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - - name: TRACING_ENABLED - value: "true" - - name: TRACING_SERVICE_NAME - value: envoy-ratelimit - - name: TRACING_SERVICE_NAMESPACE - value: envoy-gateway-system - - name: TRACING_SERVICE_INSTANCE_ID - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: TRACING_SAMPLING_RATE - value: "1.0" - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4318 - image: envoyproxy/ratelimit:master - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - 
type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml deleted file mode 100644 index 9ec98bc74f3..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml +++ /dev/null 
@@ -1,155 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - 
value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - - name: env_a - value: env_a_value - - name: env_b - value: env_b_value - image: custom-image - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 400m - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi - securityContext: - privileged: true - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsUser: 1000 - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml deleted file mode 100644 index 2f34b46f27e..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - key1: value1 - key2: value2 - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: 
tcp - - name: REDIS_URL - value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml deleted file mode 100644 index efd6a1382c1..00000000000 
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - key1: value1 - key2: value2 - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: 
tcp - - name: REDIS_URL - value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml deleted file mode 100644 index 1de6f2237f9..00000000000 
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "true" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - value: 
redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - image: custom-image - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 400m - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi - securityContext: - privileged: true - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsUser: 1000 - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml deleted file mode 100644 index 8527fb93226..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - 
value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml deleted file mode 100644 index a16c8a713a7..00000000000 
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml +++ /dev/null 
@@ -1,166 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "true" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - value: 
redis.redis.svc:6379 - - name: REDIS_TLS - value: "true" - - name: REDIS_TLS_CLIENT_CERT - value: /redis-certs/tls.crt - - name: REDIS_TLS_CLIENT_KEY - value: /redis-certs/tls.key - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - - name: REDIS_AUTH - value: redis_auth_password - image: custom-image - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 400m - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi - securityContext: - privileged: true - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - - mountPath: /redis-certs - name: redis-certs - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsUser: 1000 - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: redis-certs - secret: - defaultMode: 420 - secretName: ratelimit-cert - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml deleted file mode 100644 index 21d5051e084..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "true" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - value: 
redis.redis.svc:6379 - - name: REDIS_TLS - value: "true" - - name: REDIS_TLS_CLIENT_CERT - value: /redis-certs/tls.crt - - name: REDIS_TLS_CLIENT_KEY - value: /redis-certs/tls.key - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - - name: REDIS_AUTH - value: redis_auth_password - image: custom-image - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 400m - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi - securityContext: - privileged: true - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - - mountPath: /redis-certs - name: redis-certs - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsUser: 1000 - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - tolerations: - - effect: NoSchedule - key: node-type - operator: Exists - value: router - volumes: - - name: redis-certs - secret: - defaultMode: 420 - secretName: ratelimit-cert - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml deleted file mode 100644 index 93f8d545754..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "true" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - value: 
redis.redis.svc:6379 - - name: REDIS_TLS - value: "true" - - name: REDIS_TLS_CLIENT_CERT - value: /redis-certs/tls.crt - - name: REDIS_TLS_CLIENT_KEY - value: /redis-certs/tls.key - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - - name: REDIS_AUTH - value: redis_auth_password - image: custom-image - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 400m - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi - securityContext: - privileged: true - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - - mountPath: /redis-certs - name: redis-certs - readOnly: true - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsUser: 1000 - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - tolerations: - - effect: NoSchedule - key: node-type - operator: Exists - value: router - volumes: - - name: redis-certs - secret: - defaultMode: 420 - secretName: ratelimit-cert-origin - - name: certs - secret: - defaultMode: 420 - secretName: custom-cert - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml deleted file mode 100644 index 89d061b8da4..00000000000 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -apiVersion: apps/v1 -kind: Daemonset -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - name: envoy-ratelimit - namespace: envoy-gateway-system - ownerReferences: - - apiVersion: apps/v1 - kind: Daemonset - name: envoy-gateway - uid: test-owner-reference-uid-for-deployment -spec: - selector: - matchLabels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "19001" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - app.kubernetes.io/component: ratelimit - app.kubernetes.io/managed-by: envoy-gateway - app.kubernetes.io/name: envoy-ratelimit - spec: - automountServiceAccountToken: false - containers: - - command: - - /bin/ratelimit - env: - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: LOG_LEVEL - value: info - - name: USE_STATSD - value: "false" - - name: CONFIG_TYPE - value: GRPC_XDS_SOTW - - name: CONFIG_GRPC_XDS_SERVER_URL - value: envoy-gateway:18001 - - name: CONFIG_GRPC_XDS_NODE_ID - value: envoy-ratelimit - - name: GRPC_SERVER_USE_TLS - value: "true" - - name: GRPC_SERVER_TLS_CERT - value: /certs/tls.crt - - name: GRPC_SERVER_TLS_KEY - value: /certs/tls.key - - name: GRPC_SERVER_TLS_CA_CERT - value: /certs/ca.crt - - name: CONFIG_GRPC_XDS_SERVER_USE_TLS - value: "true" - - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: /certs/tls.crt - - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: /certs/tls.key - - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: /certs/ca.crt - - name: FORCE_START_WITHOUT_INITIAL_CONFIG - value: "true" - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - 
value: redis.redis.svc:6379 - - name: USE_PROMETHEUS - value: "true" - - name: PROMETHEUS_ADDR - value: :19001 - - name: PROMETHEUS_MAPPER_YAML - value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master - imagePullPolicy: IfNotPresent - name: envoy-ratelimit - ports: - - containerPort: 8081 - name: grpc - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true - - mountPath: /etc/statsd-exporter - name: statsd-exporter-config - readOnly: true - dnsPolicy: ClusterFirst - nodeSelector: - key1: value1 - key2: value2 - restartPolicy: Always - schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit - terminationGracePeriodSeconds: 300 - volumes: - - name: certs - secret: - defaultMode: 420 - secretName: envoy-rate-limit - - configMap: - defaultMode: 420 - name: statsd-exporter-config - optional: true - name: statsd-exporter-config - updateStrategy: - type: RollingUpdate -status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 diff --git a/internal/infrastructure/kubernetes/ratelimit_infra.go b/internal/infrastructure/kubernetes/ratelimit_infra.go index 1b5bfd4ccb7..514f86a1d9d 100644 --- a/internal/infrastructure/kubernetes/ratelimit_infra.go 
+++ b/internal/infrastructure/kubernetes/ratelimit_infra.go @@ -10,9 +10,7 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/types" - "sigs.k8s.io/controller-runtime/pkg/client" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit" ) @@ -36,26 +34,11 @@ func (i *Infra) CreateOrUpdateRateLimitInfra(ctx context.Context) error { } ownerReferenceUID[ratelimit.ResourceKindService] = serviceUID - var uid types.UID - for _, obj := range []client.Object{&appsv1.Deployment{}, &appsv1.DaemonSet{}} { - uid, err = i.Client.GetUID(ctx, key, obj) - if err != nil { - if errors.IsNotFound(err) { - continue - } - return err - } - switch obj.(type) { - case *appsv1.Deployment: - ownerReferenceUID[ratelimit.ResourceKindDeployment] = uid - case *appsv1.DaemonSet: - ownerReferenceUID[ratelimit.ResourceKindDaemonset] = uid - } - break - } + deploymentUID, err := i.Client.GetUID(ctx, key, &appsv1.Deployment{}) if err != nil { return err } + ownerReferenceUID[ratelimit.ResourceKindDeployment] = deploymentUID serviceAccountUID, err := i.Client.GetUID(ctx, key, &corev1.ServiceAccount{}) if err != nil { diff --git a/internal/infrastructure/kubernetes/ratelimit_infra_test.go b/internal/infrastructure/kubernetes/ratelimit_infra_test.go index e49992194d4..1b4976ac361 100644 --- a/internal/infrastructure/kubernetes/ratelimit_infra_test.go +++ b/internal/infrastructure/kubernetes/ratelimit_infra_test.go @@ -12,7 +12,6 @@ import ( "github.com/stretchr/testify/require" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - kerrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" 
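Review bot: The new `deploymentUID` lookup in the second hunk hands the raw client error back on `return err`, so if the `envoy-gateway` Deployment is absent the caller gets an unqualified NotFound with no indication which owner object was missing; the removed loop at least tolerated a NotFound for one of the two kinds before failing, and that fallback is gone now. I would wrap it with the object it was looking up, e.g. `return fmt.Errorf("getting uid of envoy-gateway deployment %s: %w", key, err)` (assuming `fmt` is imported and `key` is a `types.NamespacedName`, which the surviving `types` import suggests), and do the same for the adjacent `serviceAccountUID` check. A one-line comment above the lookup such as `// Rate-limit infra is owned by the envoy-gateway Deployment; running the controller as a DaemonSet is not supported here.` would record the assumption this revert reintroduces. `CreateOrUpdateRateLimitInfra` starts and ends outside this hunk.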
@@ -68,20 +67,6 @@ func createEnvoyGatewayDeployment(t *testing.T, client client.Client, ns string)
 require.NoError(t, err)
 }
-func createEnvoyGatewayDaemonset(t *testing.T, client client.Client, ns string) {
- err := client.Create(context.Background(), &appsv1.DaemonSet{
- TypeMeta: metav1.TypeMeta{
- Kind: "Daemonset",
- APIVersion: "apps/v1",
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "envoy-gateway",
- Namespace: ns,
- },
- })
- require.NoError(t, err)
-}
-
 func createEnvoyGatewayServiceAccount(t *testing.T, client client.Client, ns string) {
 err := client.Create(context.Background(), &corev1.ServiceAccount{
 TypeMeta: metav1.TypeMeta{
@@ -111,15 +96,6 @@ func TestCreateRateLimitInfra(t *testing.T) {
 },
 expect: true,
 },
- {
- name: "daemonset",
- ownerReferences: []string{
- ratelimit.ResourceKindService,
- ratelimit.ResourceKindDaemonset,
- ratelimit.ResourceKindServiceAccount,
- },
- expect: true,
- },
 {
 name: "default infra but missing service owner reference",
 ownerReferences: []string{
@@ -162,8 +138,6 @@ func TestCreateRateLimitInfra(t *testing.T) {
 createEnvoyGatewayService(t, kube.Client.Client, kube.Namespace)
 case ratelimit.ResourceKindDeployment:
 createEnvoyGatewayDeployment(t, kube.Client.Client, kube.Namespace)
- case ratelimit.ResourceKindDaemonset:
- createEnvoyGatewayDaemonset(t, kube.Client.Client, kube.Namespace)
 case ratelimit.ResourceKindServiceAccount:
 createEnvoyGatewayServiceAccount(t, kube.Client.Client, kube.Namespace)
 }
@@ -186,26 +160,14 @@ func TestCreateRateLimitInfra(t *testing.T) {
 }
 require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(sa), sa))
- // Check for either a Deployment or DaemonSet
 deploy := &appsv1.Deployment{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: kube.Namespace,
 Name: ratelimit.InfraName,
 },
 }
- daemonset := &appsv1.DaemonSet{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: kube.Namespace,
- Name: ratelimit.InfraName,
- },
- }
- err = kube.Client.Get(context.Background(), client.ObjectKeyFromObject(deploy), deploy)
- if kerrors.IsNotFound(err) {
- err = kube.Client.Get(context.Background(), client.ObjectKeyFromObject(daemonset), daemonset)
- require.NoError(t, err)
- } else {
- require.NoError(t, err)
- }
+ require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(deploy), deploy))
+
 svc := &corev1.Service{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: kube.Namespace,
From 36100da48d1011c947733b27af7671c68b55b0d7 Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sun, 13 Oct 2024 00:18:31 -0600 Subject: [PATCH 11/12] remove ratelimit changes Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- api/v1alpha1/envoygateway_helpers.go | 13 ++------ api/v1alpha1/envoygateway_types.go | 7 ----- api/v1alpha1/zz_generated.deepcopy.go | 5 ---- .../kubernetes/ratelimit/resource.go | 30 +++++++++---------- .../kubernetes/ratelimit/resource_provider.go | 4 +-- site/content/en/latest/api/extension_types.md | 2 -- site/content/zh/latest/api/extension_types.md | 2 -- 7 files changed, 19 insertions(+), 44 deletions(-)
diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go
index 2650ccaa78e..fed2f6fa075 100644
--- a/api/v1alpha1/envoygateway_helpers.go
+++ b/api/v1alpha1/envoygateway_helpers.go
@@ -228,20 +228,11 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern
 r.Kubernetes.LeaderElection = DefaultLeaderElection()
 }
- // if RateLimitDeployment and RateLimitDaemonset are both nil, use RateLimitDeployment
- if r.Kubernetes.RateLimitDeployment == nil && r.Kubernetes.RateLimitDaemonset == nil {
+ if r.Kubernetes.RateLimitDeployment == nil {
 r.Kubernetes.RateLimitDeployment = DefaultKubernetesDeployment(DefaultRateLimitImage)
 }
- // if use RateLimitDeployment, set default values
- if r.Kubernetes.RateLimitDeployment != nil {
- r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage)
- }
-
- // if use RateLimitDaemonset, set default values
- if r.Kubernetes.RateLimitDaemonset != nil {
- r.Kubernetes.RateLimitDaemonset.defaultKubernetesDaemonSetSpec(DefaultRateLimitImage)
- }
+ r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage)
 if r.Kubernetes.ShutdownManager == nil {
 r.Kubernetes.ShutdownManager = &ShutdownManager{Image: ptr.To(DefaultShutdownManagerImage)}
diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
index ab76c9c443e..6cf8e334182 100644
--- a/api/v1alpha1/envoygateway_types.go
+++ b/api/v1alpha1/envoygateway_types.go
@@ -202,13 +202,6 @@ type EnvoyGatewayKubernetesProvider struct {
 // +optional
 RateLimitDeployment *KubernetesDeploymentSpec `json:"rateLimitDeployment,omitempty"`
- // RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
- // If unspecified, default settings for the managed Envoy ratelimit daemonset resource
- // are applied.
- // - +optional
- RateLimitDaemonset *KubernetesDaemonSetSpec `json:"rateLimitDaemonset,omitempty"`
-
 // Watch holds configuration of which input resources should be watched and reconciled.
 // +optional
 Watch *KubernetesWatchMode `json:"watch,omitempty"`
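Review bot: The defaulting in GetEnvoyGatewayKubeProvider lost its explanatory comments with the revert, and the new unconditional `r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage)` now also runs on the spec that `DefaultKubernetesDeployment(DefaultRateLimitImage)` just built, which is only harmless if the defaulter fills unset fields and leaves set ones alone — the hunk does not show that. A comment such as `// Build the rate limit Deployment spec when unset, then fill in any defaults the user left out.` would carry that assumption for the next reader; restoring the removed `// if use RateLimitDeployment, set default values` line would do as well. GetEnvoyGatewayKubeProvider continues outside the hunk.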
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index c6dd99f41d4..a72706c33bb 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -1516,11 +1516,6 @@ func (in *EnvoyGatewayKubernetesProvider) DeepCopyInto(out *EnvoyGatewayKubernet *out = new(KubernetesDeploymentSpec) (*in).DeepCopyInto(*out) } - if in.RateLimitDaemonset != nil { - in, out := &in.RateLimitDaemonset, &out.RateLimitDaemonset - *out = new(KubernetesDaemonSetSpec) - (*in).DeepCopyInto(*out) - } if in.Watch != nil { in, out := &in.Watch, &out.Watch *out = new(KubernetesWatchMode)
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go
index 669df866285..4785a700d40 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource.go
@@ -138,7 +138,7 @@ func rateLimitLabels() map[string]string {
 }
 // expectedRateLimitContainers returns expected rateLimit containers.
-func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec,
+func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec,
 namespace string,
 ) []corev1.Container {
 ports := []corev1.ContainerPort{
@@ -152,16 +152,16 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitContainer
 containers := []corev1.Container{
 {
 Name: InfraName,
- Image: *rateLimitContainerSpec.Image,
+ Image: *rateLimitDeployment.Container.Image,
 ImagePullPolicy: corev1.PullIfNotPresent,
 Command: []string{
 "/bin/ratelimit",
 },
- Env: expectedRateLimitContainerEnv(rateLimit, rateLimitContainerSpec, namespace),
+ Env: expectedRateLimitContainerEnv(rateLimit, rateLimitDeployment, namespace),
 Ports: ports,
- Resources: *rateLimitContainerSpec.Resources,
- SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitContainerSpec),
- VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitContainerSpec),
+ Resources: *rateLimitDeployment.Container.Resources,
+ SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitDeployment),
+ VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitDeployment),
 TerminationMessagePolicy: corev1.TerminationMessageReadFile,
 TerminationMessagePath: "/dev/termination-log",
 StartupProbe: &corev1.Probe{
@@ -197,7 +197,7 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitContainer
 }
 // expectedContainerVolumeMounts returns expected rateLimit container volume mounts.
-func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec) []corev1.VolumeMount {
+func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.VolumeMount {
 var volumeMounts []corev1.VolumeMount
 // mount the cert
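Review bot: The parameter widening in expectedRateLimitContainers and expectedContainerVolumeMounts goes further than dropping DaemonSet support requires: both helpers read only `rateLimitDeployment.Container`, so keeping the `*egv1a1.KubernetesContainerSpec` parameter and passing `r.rateLimitDeployment.Container` from the caller would leave them usable with any pod template and keep the nil-able field dereference at one call site instead of inside each helper. The same applies to expectedRateLimitContainerEnv and expectedRateLimitContainerSecurityContext in the later hunks of this file, and to expectedDeploymentVolumes, which reads only `.Pod`. If the intent is a byte-for-byte revert of the earlier patches, saying so in the commit message would settle the question. expectedRateLimitContainers continues outside the hunk.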
@@ -223,11 +223,11 @@ func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitContain
 })
 }
- return resource.ExpectedContainerVolumeMounts(rateLimitContainerSpec, volumeMounts)
+ return resource.ExpectedContainerVolumeMounts(rateLimitDeployment.Container, volumeMounts)
 }
 // expectedDeploymentVolumes returns expected rateLimit deployment volumes.
-func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitPodSpec *egv1a1.KubernetesPodSpec) []corev1.Volume {
+func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.Volume {
 var volumes []corev1.Volume
 if rateLimit.Backend.Redis != nil &&
@@ -269,11 +269,11 @@ func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitPodSpec *eg
 })
 }
- return resource.ExpectedVolumes(rateLimitPodSpec, volumes)
+ return resource.ExpectedVolumes(rateLimitDeployment.Pod, volumes)
 }
 // expectedRateLimitContainerEnv returns expected rateLimit container envs.
-func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec,
+func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec,
 namespace string,
 ) []corev1.EnvVar {
 env := []corev1.EnvVar{
@@ -445,7 +445,7 @@ func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitContain
 env = append(env, tracingEnvs...)
 }
- return resource.ExpectedContainerEnv(rateLimitContainerSpec, env)
+ return resource.ExpectedContainerEnv(rateLimitDeployment.Container, env)
 }
 // Validate the ratelimit tls secret validating.
@@ -489,9 +489,9 @@ func checkTraceEndpointScheme(url string) string {
 return fmt.Sprintf("%s%s", httpScheme, url)
 }
-func expectedRateLimitContainerSecurityContext(rateLimitContainerSpec *egv1a1.KubernetesContainerSpec) *corev1.SecurityContext {
- if rateLimitContainerSpec.SecurityContext != nil {
- return rateLimitContainerSpec.SecurityContext
+func expectedRateLimitContainerSecurityContext(rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) *corev1.SecurityContext {
+ if rateLimitDeployment.Container.SecurityContext != nil {
+ return rateLimitDeployment.Container.SecurityContext
 }
 return defaultSecurityContext()
 }
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
index bcc9d580cfc..50c5c8bf7f2 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
@@ -196,7 +196,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 return nil, er
 }
- containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment.Container, r.Namespace)
+ containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment, r.Namespace)
 selector := resource.GetSelector(rateLimitLabels())
 podLabels := rateLimitLabels()
@@ -250,7 +250,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 RestartPolicy: corev1.RestartPolicyAlways,
 SchedulerName: "default-scheduler",
 SecurityContext: r.rateLimitDeployment.Pod.SecurityContext,
- Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment.Pod),
+ Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment),
 Affinity: r.rateLimitDeployment.Pod.Affinity,
 Tolerations: r.rateLimitDeployment.Pod.Tolerations,
 ImagePullSecrets: r.rateLimitDeployment.Pod.ImagePullSecrets,
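Review bot: expectedRateLimitContainerSecurityContext returns the user-supplied `rateLimitDeployment.Container.SecurityContext` verbatim, so an override that sets a single field such as the user ID discards the whole hardened default that `defaultSecurityContext()` would otherwise provide (the DaemonSet testdata removed earlier in this series suggests that default drops all capabilities, denies privilege escalation and uses a read-only root filesystem, though this hunk does not show the function body). The behaviour is unchanged from the pre-revert lines, but a reader of this function will likely assume a merge; a doc comment like `// expectedRateLimitContainerSecurityContext returns the container SecurityContext from the spec unchanged when set, otherwise defaultSecurityContext(); the two are never merged, so an override must restate every hardening field it wants to keep.` makes the contract explicit. Whether a merge is actually wanted is a separate change.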
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 640feb97101..76adfb15735 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1147,7 +1147,6 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | -| `rateLimitDaemonset` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
If unspecified, default settings for the managed Envoy ratelimit daemonset resource
are applied. | | `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. | | `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | | `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | @@ -2433,7 +2432,6 @@ _Appears in:_ KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource. _Appears in:_ -- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) | Field | Type | Required | Description | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 640feb97101..76adfb15735 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -1147,7 +1147,6 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | -| `rateLimitDaemonset` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
If unspecified, default settings for the managed Envoy ratelimit daemonset resource
are applied. | | `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. | | `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | | `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | @@ -2433,7 +2432,6 @@ _Appears in:_ KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource. _Appears in:_ -- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) | Field | Type | Required | Description | From 29425bcf8d6dc43060fe3e40cb219af8ea7a2e4b Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Sun, 13 Oct 2024 15:28:31 -0600 Subject: [PATCH 12/12] DaemonSet naming syntax Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- internal/gatewayapi/status/gateway.go | 4 ++-- internal/provider/kubernetes/controller.go | 2 +- internal/provider/kubernetes/predicates.go | 6 +++--- internal/provider/kubernetes/predicates_test.go | 10 +++++----- internal/provider/kubernetes/test/utils.go | 4 ++-- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index 740e3089178..8bf822479d0 100644 --- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go @@ -138,7 +138,7 @@ const ( ) // updateGatewayProgrammedCondition computes the Gateway Programmed status condition. -// Programmed condition surfaces true when the Envoy Deployment or Daemonset status is ready. +// Programmed condition surfaces true when the Envoy Deployment or DaemonSet status is ready. func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Object) { if len(gw.Status.Addresses) == 0 { gw.Status.Conditions = MergeConditions(gw.Status.Conditions, 
@@ -177,7 +177,7 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec
 }
 // If there are no available replicas for the Envoy Deployment or
- // Envoy Daemonset, don't mark the Gateway as ready yet.
+ // Envoy DaemonSet, don't mark the Gateway as ready yet.
 gw.Status.Conditions = MergeConditions(gw.Status.Conditions, newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources), messageNoResources, time.Now(), gw.Generation))
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index 652003b58ef..915e6e5acd8 100644
--- a/internal/provider/kubernetes/controller.go
+++ b/internal/provider/kubernetes/controller.go
@@ -1405,7 +1405,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
 return err
 }
- // Watch Daemonset CRUDs and process affected Gateways.
+ // Watch DaemonSet CRUDs and process affected Gateways.
 daemonsetPredicates := []predicate.TypedPredicate[*appsv1.DaemonSet]{
 predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool {
 return r.validateObjectForReconcile(daemonset)
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
index 4bcaee97be8..9c4d582b58b 100644
--- a/internal/provider/kubernetes/predicates.go
+++ b/internal/provider/kubernetes/predicates.go
@@ -440,9 +440,9 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje
 return r.isEnvoyExtensionPolicyReferencingBackend(&nsName)
 }
-// validateObjectForReconcile tries finding the owning Gateway of the Deployment or Daemonset
+// validateObjectForReconcile tries finding the owning Gateway of the Deployment or DaemonSet
 // if it exists, finds the Gateway's Service, and further updates the Gateway
-// status Ready condition. No Deployments or Daemonsets are pushed for reconciliation.
+// status Ready condition. No Deployments or DaemonSets are pushed for reconciliation.
 func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) bool {
 ctx := context.Background()
 labels := obj.GetLabels()
@@ -471,7 +471,7 @@ func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) boo
 return false
 }
-// envoyObjectForGateway returns the Envoy Deployment or Daemonset, returning nil if neither exists.
+// envoyObjectForGateway returns the Envoy Deployment or DaemonSet, returning nil if neither exists.
 func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) {
 // Helper func to list and return the first object from results
 listResource := func(list client.ObjectList) (client.Object, error) {
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go
index 5525d212c0d..ef8182ffdb9 100644
--- a/internal/provider/kubernetes/predicates_test.go
+++ b/internal/provider/kubernetes/predicates_test.go
@@ -556,7 +556,7 @@ func TestValidateServiceForReconcile(t *testing.T) {
 configs: []client.Object{
 test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil),
 sampleGateway,
- test.GetGatewayDaemonset(types.NamespacedName{Name: proxy.ExpectedResourceHashedName("default/scheduled-status-test")}, nil),
+ test.GetGatewayDaemonSet(types.NamespacedName{Name: proxy.ExpectedResourceHashedName("default/scheduled-status-test")}, nil),
 },
 service: test.GetService(types.NamespacedName{Name: "service"}, map[string]string{
 gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
@@ -887,7 +887,7 @@ func TestValidateObjectForReconcile(t *testing.T) {
 expect bool
 }{
 {
- // No config should lead to a reconciliation of a Deployment or Daemonset object. The main
+ // No config should lead to a reconciliation of a Deployment or DaemonSet object. The main
 // purpose of the watcher is just for updating Gateway object statuses.
 name: "gateway deployment or daemonset also exist",
 configs: []client.Object{
@@ -902,7 +902,7 @@ func TestValidateObjectForReconcile(t *testing.T) {
 test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
 gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
 gatewayapi.OwningGatewayNamespaceLabel: "default",
- }), test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ }), test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{
 gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
 gatewayapi.OwningGatewayNamespaceLabel: "default",
 }),
@@ -924,7 +924,7 @@ func TestValidateObjectForReconcile(t *testing.T) {
 test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
 gatewayapi.OwningGatewayClassLabel: "test-mg",
 }),
- test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{
 gatewayapi.OwningGatewayClassLabel: "test-mg",
 }),
 },
@@ -948,7 +948,7 @@ func TestValidateObjectForReconcile(t *testing.T) {
 test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
 gatewayapi.OwningGatewayClassLabel: "test-mg",
 }),
- test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{
 gatewayapi.OwningGatewayClassLabel: "test-mg",
 }),
 },
diff --git a/internal/provider/kubernetes/test/utils.go b/internal/provider/kubernetes/test/utils.go
index 7275565f638..77bc50c5e6f 100644
--- a/internal/provider/kubernetes/test/utils.go
+++ b/internal/provider/kubernetes/test/utils.go
@@ -299,8 +299,8 @@ func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string)
 }
 }
-// GetGatewayDaemonset returns a sample Daemonset for a Gateway object.
-func GetGatewayDaemonset(nsName types.NamespacedName, labels map[string]string) client.Object {
+// GetGatewayDaemonSet returns a sample DaemonSet for a Gateway object.
+func GetGatewayDaemonSet(nsName types.NamespacedName, labels map[string]string) client.Object {
 return &appsv1.DaemonSet{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: nsName.Namespace,