From 7294d3c4b6da5277ca9ed8e3d1c11285e4efd569 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 00:02:25 -0600
Subject: [PATCH 01/12] Update status when running in daemonset mode
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/gatewayapi/status/gateway.go | 26 ++++--
internal/provider/kubernetes/controller.go | 28 +++++-
internal/provider/kubernetes/predicates.go | 88 ++++++++++++++-----
.../provider/kubernetes/predicates_test.go | 4 +-
internal/provider/kubernetes/status.go | 4 +-
5 files changed, 112 insertions(+), 38 deletions(-)
diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go
index f891f8c40af..2beb6bc3dc3 100644
--- a/internal/gatewayapi/status/gateway.go
+++ b/internal/gatewayapi/status/gateway.go
@@ -7,6 +7,7 @@ package status
import (
"fmt"
+ "sigs.k8s.io/controller-runtime/pkg/client"
"time"
appsv1 "k8s.io/api/apps/v1"
@@ -31,7 +32,7 @@ func UpdateGatewayStatusAcceptedCondition(gw *gwapiv1.Gateway, accepted bool) *g
// UpdateGatewayStatusProgrammedCondition updates the status addresses for the provided gateway
// based on the status IP/Hostname of svc and updates the Programmed condition based on the
// service and deployment state.
-func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Service, deployment *appsv1.Deployment, nodeAddresses ...string) {
+func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Service, envoyObj client.Object, nodeAddresses ...string) {
var addresses, hostnames []string
// Update the status addresses field.
if svc != nil {
@@ -98,7 +99,7 @@ func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Ser
}
// Update the programmed condition.
- updateGatewayProgrammedCondition(gw, deployment)
+ updateGatewayProgrammedCondition(gw, envoyObj)
}
func SetGatewayListenerStatusCondition(gateway *gwapiv1.Gateway, listenerStatusIdx int,
@@ -138,7 +139,7 @@ const (
// updateGatewayProgrammedCondition computes the Gateway Programmed status condition.
// Programmed condition surfaces true when the Envoy Deployment status is ready.
-func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, deployment *appsv1.Deployment) {
+func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Object) {
if len(gw.Status.Addresses) == 0 {
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonAddressNotAssigned),
@@ -159,15 +160,22 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, deployment *appsv1.De
// If there are no available replicas for the Envoy Deployment, don't
// mark the Gateway as ready yet.
-
- if deployment == nil || deployment.Status.AvailableReplicas == 0 {
+ dep, okDep := envoyObj.(*appsv1.Deployment)
+ if okDep && dep.Status.AvailableReplicas > 0 {
+ gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
+ fmt.Sprintf(messageFmtProgrammed, dep.Status.AvailableReplicas, dep.Status.Replicas), time.Now(), gw.Generation))
+ return
+ }
+ daemon, okDaemon := envoyObj.(*appsv1.DaemonSet)
+ if okDaemon && daemon.Status.NumberAvailable > 0 {
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
- newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources),
- messageNoResources, time.Now(), gw.Generation))
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
+ fmt.Sprintf(messageFmtProgrammed, daemon.Status.NumberAvailable, daemon.Status.CurrentNumberScheduled), time.Now(), gw.Generation))
return
}
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
- newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
- fmt.Sprintf(messageFmtProgrammed, deployment.Status.AvailableReplicas, deployment.Status.Replicas), time.Now(), gw.Generation))
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources),
+ messageNoResources, time.Now(), gw.Generation))
}
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index dac8f1780a8..e19f63c119f 100644
--- a/internal/provider/kubernetes/controller.go
+++ b/internal/provider/kubernetes/controller.go
@@ -1386,13 +1386,13 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
}
// Watch Deployment CRUDs and process affected Gateways.
- dPredicates := []predicate.TypedPredicate[*appsv1.Deployment]{
+ deploymentPredicates := []predicate.TypedPredicate[*appsv1.Deployment]{
predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool {
- return r.validateDeploymentForReconcile(deploy)
+ return r.validateObjecttForReconcile(deploy)
}),
}
if r.namespaceLabel != nil {
- dPredicates = append(dPredicates, predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool {
+ deploymentPredicates = append(deploymentPredicates, predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool {
return r.hasMatchingNamespaceLabels(deploy)
}))
}
@@ -1401,7 +1401,27 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, deploy *appsv1.Deployment) []reconcile.Request {
return r.enqueueClass(ctx, deploy)
}),
- dPredicates...)); err != nil {
+ deploymentPredicates...)); err != nil {
+ return err
+ }
+
+ // Watch Daemonset CRUDs and process affected Gateways.
+ daemonsetPredicates := []predicate.TypedPredicate[*appsv1.DaemonSet]{
+ predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool {
+ return r.validateObjecttForReconcile(daemonset)
+ }),
+ }
+ if r.namespaceLabel != nil {
+ daemonsetPredicates = append(daemonsetPredicates, predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool {
+ return r.hasMatchingNamespaceLabels(daemonset)
+ }))
+ }
+ if err := c.Watch(
+ source.Kind(mgr.GetCache(), &appsv1.DaemonSet{},
+ handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, daemonset *appsv1.DaemonSet) []reconcile.Request {
+ return r.enqueueClass(ctx, daemonset)
+ }),
+ daemonsetPredicates...)); err != nil {
return err
}
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
index 9fb3fe86fd1..bef7a6cb589 100644
--- a/internal/provider/kubernetes/predicates.go
+++ b/internal/provider/kubernetes/predicates.go
@@ -8,6 +8,7 @@ package kubernetes
import (
"context"
"fmt"
+ "k8s.io/apimachinery/pkg/api/meta"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
@@ -439,21 +440,16 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje
return r.isEnvoyExtensionPolicyReferencingBackend(&nsName)
}
-// validateDeploymentForReconcile tries finding the owning Gateway of the Deployment
+// validateObjecttForReconcile tries finding the owning Gateway of the Deployment or Daemonset
// if it exists, finds the Gateway's Service, and further updates the Gateway
-// status Ready condition. No Deployments are pushed for reconciliation.
-func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object) bool {
+// status Ready condition. No Deployments or Daemonsets are pushed for reconciliation.
+func (r *gatewayAPIReconciler) validateObjecttForReconcile(obj client.Object) bool {
ctx := context.Background()
- deployment, ok := obj.(*appsv1.Deployment)
- if !ok {
- r.log.Info("unexpected object type, bypassing reconciliation", "object", obj)
- return false
- }
- labels := deployment.GetLabels()
+ labels := obj.GetLabels()
- // Only deployments in the configured namespace should be reconciled.
- if deployment.Namespace == r.namespace {
- // Check if the deployment belongs to a Gateway, if so, update the Gateway status.
+ // Only objects in the configured namespace should be reconciled.
+ if obj.GetNamespace() == r.namespace {
+ // Check if the obj belongs to a Gateway, if so, update the Gateway status.
gtw := r.findOwningGateway(ctx, labels)
if gtw != nil {
r.updateStatusForGateway(ctx, gtw)
@@ -471,27 +467,77 @@ func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object)
return false
}
- // There is no need to reconcile the Deployment any further.
+ // There is no need to reconcile the object any further.
return false
}
-// envoyDeploymentForGateway returns the Envoy Deployment, returning nil if the Deployment doesn't exist.
-func (r *gatewayAPIReconciler) envoyDeploymentForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (*appsv1.Deployment, error) {
+// envoyObjectForGateway returns the Envoy Deployment, returning nil if the Deployment doesn't exist.
+func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) {
+ labelSelector := labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))))
+
+ // Check for deployment
var deployments appsv1.DeploymentList
- labelSelector := labels.SelectorFromSet(labels.Set(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName)))))
if err := r.client.List(ctx, &deployments, &client.ListOptions{
LabelSelector: labelSelector,
Namespace: r.namespace,
}); err != nil {
- if kerrors.IsNotFound(err) {
+ if !kerrors.IsNotFound(err) {
+ return nil, err
+ }
+ }
+ if len(deployments.Items) > 0 {
+ return &deployments.Items[0], nil
+ }
+
+ // Check for daemonset
+ var daemonsets appsv1.DaemonSetList
+ if err := r.client.List(ctx, &daemonsets, &client.ListOptions{
+ LabelSelector: labelSelector,
+ Namespace: r.namespace,
+ }); err != nil {
+ if !kerrors.IsNotFound(err) {
+ return nil, err
+ }
+ }
+
+ if len(daemonsets.Items) > 0 {
+ return &daemonsets.Items[0], nil
+ }
+ return nil, nil
+}
+
+func (r *gatewayAPIReconciler) envoyObjectForGateways(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) {
+
+ // Helper func to list and return the first object from results
+ listResource := func(list client.ObjectList) (client.Object, error) {
+ if err := r.client.List(ctx, list, &client.ListOptions{
+ LabelSelector: labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName)))),
+ Namespace: r.namespace,
+ }); err != nil {
+ if !kerrors.IsNotFound(err) {
+ return nil, err
+ }
+ }
+ items, err := meta.ExtractList(list)
+ if err != nil || len(items) == 0 {
return nil, nil
}
- return nil, err
+ return items[0].(client.Object), nil
}
- if len(deployments.Items) == 0 {
- return nil, nil
+
+ // Check for Deployment
+ deployments := &appsv1.DeploymentList{}
+ if obj, err := listResource(deployments); obj != nil || err != nil {
+ return obj, err
}
- return &deployments.Items[0], nil
+
+ // Check for DaemonSet
+ daemonsets := &appsv1.DaemonSetList{}
+ if obj, err := listResource(daemonsets); obj != nil || err != nil {
+ return obj, err
+ }
+
+ return nil, nil
}
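Review bot: `envoyObjectForGateway` returns the first Deployment carrying the owner labels and never consults DaemonSets when one exists, so if both kinds coexist in `r.namespace` with the same labels (which the TestValidateObjectForReconcile case in this series that creates both a deployment and a daemonset sets up, and which can plausibly happen while an EnvoyProxy is switched between Deployment and DaemonSet modes) the Programmed condition reflects the leftover Deployment rather than the DaemonSet that serves traffic. Document the precedence in the doc comment, e.g. `// Deployments take precedence over DaemonSets when both carry the Gateway's owner labels.`, or log when both lists are non-empty so the mismatch is visible. The `kerrors.IsNotFound` branches look like carry-over: a List of a registered kind does not return NotFound, so `return nil, err` on any error is equivalent and simpler. `envoyObjectForGateways` below duplicates the lookup, discards the `meta.ExtractList` error, and uses an unchecked `items[0].(client.Object)` assertion; if it survives the rest of the series it should be removed or the assertion made a checked one.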
// envoyServiceForGateway returns the Envoy service, returning nil if the service doesn't exist.
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go
index 61a09ffb8ae..cbf183caab3 100644
--- a/internal/provider/kubernetes/predicates_test.go
+++ b/internal/provider/kubernetes/predicates_test.go
@@ -859,7 +859,7 @@ func TestValidateServiceForReconcile(t *testing.T) {
}
}
-// TestValidateDeploymentForReconcile tests the validateDeploymentForReconcile
+// TestValidateDeploymentForReconcile tests the validateObjecttForReconcile
// predicate function.
func TestValidateDeploymentForReconcile(t *testing.T) {
sampleGateway := test.GetGateway(types.NamespacedName{Namespace: "default", Name: "scheduled-status-test"}, "test-gc", 8080)
@@ -938,7 +938,7 @@ func TestValidateDeploymentForReconcile(t *testing.T) {
for _, tc := range testCases {
r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.configs...).Build()
t.Run(tc.name, func(t *testing.T) {
- res := r.validateDeploymentForReconcile(tc.deployment)
+ res := r.validateObjecttForReconcile(tc.deployment)
require.Equal(t, tc.expect, res)
})
}
diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go
index c94ad2bc556..0bfd046cf86 100644
--- a/internal/provider/kubernetes/status.go
+++ b/internal/provider/kubernetes/status.go
@@ -476,7 +476,7 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw *
}
// Get deployment
- deploy, err := r.envoyDeploymentForGateway(ctx, gtw)
+ envoyObj, err := r.envoyObjectForGateway(ctx, gtw)
if err != nil {
r.log.Info("failed to get Deployment for gateway",
"namespace", gtw.Namespace, "name", gtw.Name)
@@ -491,7 +491,7 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw *
// update accepted condition
status.UpdateGatewayStatusAcceptedCondition(gtw, true)
// update address field and programmed condition
- status.UpdateGatewayStatusProgrammedCondition(gtw, svc, deploy, r.store.listNodeAddresses()...)
+ status.UpdateGatewayStatusProgrammedCondition(gtw, svc, envoyObj, r.store.listNodeAddresses()...)
key := utils.NamespacedName(gtw)
From 0264b5fb92b53a397cc2ac217319ba81f46f5867 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 10:34:30 -0600
Subject: [PATCH 02/12] Use switch
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/gatewayapi/status/gateway.go | 32 ++++++++++++++-------------
1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go
index 2beb6bc3dc3..c442c12766b 100644
--- a/internal/gatewayapi/status/gateway.go
+++ b/internal/gatewayapi/status/gateway.go
@@ -158,23 +158,25 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec
return
}
- // If there are no available replicas for the Envoy Deployment, don't
- // mark the Gateway as ready yet.
- dep, okDep := envoyObj.(*appsv1.Deployment)
- if okDep && dep.Status.AvailableReplicas > 0 {
- gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
- newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
- fmt.Sprintf(messageFmtProgrammed, dep.Status.AvailableReplicas, dep.Status.Replicas), time.Now(), gw.Generation))
- return
- }
- daemon, okDaemon := envoyObj.(*appsv1.DaemonSet)
- if okDaemon && daemon.Status.NumberAvailable > 0 {
- gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
- newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
- fmt.Sprintf(messageFmtProgrammed, daemon.Status.NumberAvailable, daemon.Status.CurrentNumberScheduled), time.Now(), gw.Generation))
- return
+ // Check for available Envoy replicas and if found mark the gateway as ready.
+ switch obj := envoyObj.(type) {
+ case *appsv1.Deployment:
+ if obj.Status.AvailableReplicas > 0 {
+ gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
+ fmt.Sprintf(messageFmtProgrammed, obj.Status.AvailableReplicas, obj.Status.Replicas), time.Now(), gw.Generation))
+ return
+ }
+ case *appsv1.DaemonSet:
+ if obj.Status.NumberAvailable > 0 {
+ gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
+ newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
+ fmt.Sprintf(messageFmtProgrammed, obj.Status.NumberAvailable, obj.Status.CurrentNumberScheduled), time.Now(), gw.Generation))
+ return
+ }
}
+ // If there are no available Envoy replicas, don't mark the Gateway as ready yet.
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources),
messageNoResources, time.Now(), gw.Generation))
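Review bot: Each `case` dereferences `obj.Status` without a nil check, so a typed-nil `*appsv1.Deployment` or `*appsv1.DaemonSet` stored in the `client.Object` interface would still match its case and panic; today's caller returns an untyped `nil, nil` so this is safe, but a `case nil:` arm falling through to the NoResources condition, or `if obj != nil && obj.Status.AvailableReplicas > 0`, removes the dependency on that caller detail at no cost. For the DaemonSet message, `CurrentNumberScheduled` counts nodes currently running a daemon pod rather than the number that should run one; if the `%d/%d` is meant to read as available/desired, `obj.Status.DesiredNumberScheduled` is the closer denominator. `updateGatewayProgrammedCondition` begins outside this hunk.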
From cccbf280e61b9818d791a2516991f9008fb796e8 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 11:12:32 -0600
Subject: [PATCH 03/12] cleanup and tests
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/gatewayapi/status/gateway.go | 9 ++-
internal/provider/kubernetes/controller.go | 4 +-
internal/provider/kubernetes/kubernetes.go | 2 +-
.../provider/kubernetes/kubernetes_test.go | 2 +-
internal/provider/kubernetes/predicates.go | 8 +-
.../provider/kubernetes/predicates_test.go | 80 +++++++++++++------
internal/provider/kubernetes/status.go | 2 +-
internal/provider/kubernetes/test/utils.go | 31 ++++++-
8 files changed, 100 insertions(+), 38 deletions(-)
diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go
index c442c12766b..c1d30566ba7 100644
--- a/internal/gatewayapi/status/gateway.go
+++ b/internal/gatewayapi/status/gateway.go
@@ -31,7 +31,7 @@ func UpdateGatewayStatusAcceptedCondition(gw *gwapiv1.Gateway, accepted bool) *g
// UpdateGatewayStatusProgrammedCondition updates the status addresses for the provided gateway
// based on the status IP/Hostname of svc and updates the Programmed condition based on the
-// service and deployment state.
+// service and deployment or daemonset state.
func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Service, envoyObj client.Object, nodeAddresses ...string) {
var addresses, hostnames []string
// Update the status addresses field.
@@ -133,12 +133,12 @@ func computeGatewayAcceptedCondition(gw *gwapiv1.Gateway, accepted bool) metav1.
const (
messageAddressNotAssigned = "No addresses have been assigned to the Gateway"
messageFmtTooManyAddresses = "Too many addresses (%d) have been assigned to the Gateway, the maximum number of addresses is 16"
- messageNoResources = "Deployment replicas unavailable"
+ messageNoResources = "Envoy replicas unavailable"
messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy Deployment replicas available"
)
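Review bot: `messageNoResources` was generalized here but `messageFmtProgrammed` still reads `%d/%d envoy Deployment replicas available`, and the type switch in `updateGatewayProgrammedCondition` now emits it for the DaemonSet branch as well, so a DaemonSet-mode Gateway reports "Deployment replicas" in its Programmed condition. Either change it to `messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy replicas available"` or split it into a Deployment and a DaemonSet variant, and check any test or e2e assertion that matches on the old text.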
// updateGatewayProgrammedCondition computes the Gateway Programmed status condition.
-// Programmed condition surfaces true when the Envoy Deployment status is ready.
+// Programmed condition surfaces true when the Envoy Deployment or Daemonset status is ready.
func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Object) {
if len(gw.Status.Addresses) == 0 {
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
@@ -176,7 +176,8 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec
}
}
- // If there are no available Envoy replicas, don't mark the Gateway as ready yet.
+ // If there are no available replicas for the Envoy Deployment or
+ // Envoy Daemonset, don't mark the Gateway as ready yet.
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources),
messageNoResources, time.Now(), gw.Generation))
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index e19f63c119f..652003b58ef 100644
--- a/internal/provider/kubernetes/controller.go
+++ b/internal/provider/kubernetes/controller.go
@@ -1388,7 +1388,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
// Watch Deployment CRUDs and process affected Gateways.
deploymentPredicates := []predicate.TypedPredicate[*appsv1.Deployment]{
predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool {
- return r.validateObjecttForReconcile(deploy)
+ return r.validateObjectForReconcile(deploy)
}),
}
if r.namespaceLabel != nil {
@@ -1408,7 +1408,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
// Watch Daemonset CRUDs and process affected Gateways.
daemonsetPredicates := []predicate.TypedPredicate[*appsv1.DaemonSet]{
predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool {
- return r.validateObjecttForReconcile(daemonset)
+ return r.validateObjectForReconcile(daemonset)
}),
}
if r.namespaceLabel != nil {
diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go
index b909eced608..ffef819ee07 100644
--- a/internal/provider/kubernetes/kubernetes.go
+++ b/internal/provider/kubernetes/kubernetes.go
@@ -107,7 +107,7 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources)
return nil, fmt.Errorf("unable to set up ready check: %w", err)
}
- // Emit elected & continue with deployment of infra resources
+ // Emit elected & continue with envoyObjects of infra resources
go func() {
<-mgr.Elected()
close(svr.Elected)
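Review bot: The comment now reads `// Emit elected & continue with envoyObjects of infra resources`, which looks like an accidental hit from a global deployment→envoyObjects replacement; the original sentence was about the act of deploying, not about Envoy workload objects. Restore `// Emit elected & continue with deployment of infra resources`. The same artifact appears to have reached a test fixture name (`-envoyObjects`) and several comments elsewhere in this commit ("a envoyObjects exists", "// Get envoyObjects"); a grep for `envoyObjects` before merge would catch them.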
diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go
index 135de799948..7166956ab49 100644
--- a/internal/provider/kubernetes/kubernetes_test.go
+++ b/internal/provider/kubernetes/kubernetes_test.go
@@ -281,7 +281,7 @@ func testGatewayScheduledStatus(ctx context.Context, t *testing.T, provider *Pro
deploy := &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Namespace: gw.Namespace,
- Name: gw.Name + "-deployment",
+ Name: gw.Name + "-envoyObjects",
Labels: labels,
},
Spec: appsv1.DeploymentSpec{
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
index bef7a6cb589..1c1bf2dca6d 100644
--- a/internal/provider/kubernetes/predicates.go
+++ b/internal/provider/kubernetes/predicates.go
@@ -440,10 +440,10 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje
return r.isEnvoyExtensionPolicyReferencingBackend(&nsName)
}
-// validateObjecttForReconcile tries finding the owning Gateway of the Deployment or Daemonset
+// validateObjectForReconcile tries finding the owning Gateway of the Deployment or Daemonset
// if it exists, finds the Gateway's Service, and further updates the Gateway
// status Ready condition. No Deployments or Daemonsets are pushed for reconciliation.
-func (r *gatewayAPIReconciler) validateObjecttForReconcile(obj client.Object) bool {
+func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) bool {
ctx := context.Background()
labels := obj.GetLabels()
@@ -471,11 +471,11 @@ func (r *gatewayAPIReconciler) validateObjecttForReconcile(obj client.Object) bo
return false
}
-// envoyObjectForGateway returns the Envoy Deployment, returning nil if the Deployment doesn't exist.
+// envoyObjectForGateway returns the Envoy Deployment or Daemonset, returning nil if neither exists.
func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) {
labelSelector := labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))))
- // Check for deployment
+ // Check for envoyObjects
var deployments appsv1.DeploymentList
if err := r.client.List(ctx, &deployments, &client.ListOptions{
LabelSelector: labelSelector,
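Review bot: `// Check for envoyObjects` above the `DeploymentList` lookup is less accurate than the comment it replaced; this block lists Deployments and the following one lists DaemonSets. Keep `// Check for deployment`, or better `// Look for an Envoy Deployment first; it takes precedence over a DaemonSet with the same owner labels.` so the ordering below is documented where it is decided. `envoyObjectForGateway` continues past this hunk.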
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go
index cbf183caab3..5525d212c0d 100644
--- a/internal/provider/kubernetes/predicates_test.go
+++ b/internal/provider/kubernetes/predicates_test.go
@@ -525,7 +525,7 @@ func TestValidateServiceForReconcile(t *testing.T) {
expect bool
}{
{
- name: "gateway service but deployment does not exist",
+ name: "gateway service but deployment or daemonset does not exist",
configs: []client.Object{
test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil),
sampleGateway,
@@ -547,7 +547,22 @@ func TestValidateServiceForReconcile(t *testing.T) {
gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
gatewayapi.OwningGatewayNamespaceLabel: "default",
}, nil),
- // Note that in case when a deployment exists, the Service is just processed for Gateway status
+ // Note that in case when a envoyObjects exists, the Service is just processed for Gateway status
+ // updates and not reconciled further.
+ expect: false,
+ },
+ {
+ name: "gateway service daemonset also exist",
+ configs: []client.Object{
+ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil),
+ sampleGateway,
+ test.GetGatewayDaemonset(types.NamespacedName{Name: proxy.ExpectedResourceHashedName("default/scheduled-status-test")}, nil),
+ },
+ service: test.GetService(types.NamespacedName{Name: "service"}, map[string]string{
+ gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
+ gatewayapi.OwningGatewayNamespaceLabel: "default",
+ }, nil),
+ // Note that in case when a envoyObjects exists, the Service is just processed for Gateway status
// updates and not reconciled further.
expect: false,
},
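Review bot: The new "gateway service daemonset also exist" case passes `nil` labels to `test.GetGatewayDaemonset`, so the DaemonSet carries none of the Gateway owner labels; if the Service predicate ends up in `envoyObjectForGateway`, which selects by `gatewayapi.OwnerLabels`, this DaemonSet is never found and the case is indistinguishable from "deployment or daemonset does not exist" — `expect: false` holds either way. If the intended lookup is by the hashed name instead, that is fine, but then pass the same `OwningGatewayNameLabel`/`OwningGatewayNamespaceLabel` map as the Service anyway so the label-selected path is also exercised. I cannot see the labels the preceding Deployment case passes, so check whether it has the same gap.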
@@ -859,34 +874,39 @@ func TestValidateServiceForReconcile(t *testing.T) {
}
}
-// TestValidateDeploymentForReconcile tests the validateObjecttForReconcile
+// TestValidateObjectForReconcile tests the validateObjectForReconcile
// predicate function.
-func TestValidateDeploymentForReconcile(t *testing.T) {
+func TestValidateObjectForReconcile(t *testing.T) {
sampleGateway := test.GetGateway(types.NamespacedName{Namespace: "default", Name: "scheduled-status-test"}, "test-gc", 8080)
mergeGatewaysConfig := test.GetEnvoyProxy(types.NamespacedName{Namespace: "default", Name: "merge-gateways-config"}, true)
testCases := []struct {
- name string
- configs []client.Object
- deployment client.Object
- expect bool
+ name string
+ configs []client.Object
+ envoyObjects []client.Object
+ expect bool
}{
{
- // No config should lead to a reconciliation of a Deployment object. The main
- // purpose of the Deployment watcher is just for update Gateway object statuses.
- name: "gateway deployment deployment also exist",
+ // No config should lead to a reconciliation of a Deployment or Daemonset object. The main
+ // purpose of the watcher is just for updating Gateway object statuses.
+ name: "gateway deployment or daemonset also exist",
configs: []client.Object{
test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil),
sampleGateway,
- test.GetService(types.NamespacedName{Name: "deployment"}, map[string]string{
+ test.GetService(types.NamespacedName{Name: "envoyObjects"}, map[string]string{
gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
gatewayapi.OwningGatewayNamespaceLabel: "default",
}, nil),
},
- deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
- gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
- gatewayapi.OwningGatewayNamespaceLabel: "default",
- }),
+ envoyObjects: []client.Object{
+ test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
+ gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
+ gatewayapi.OwningGatewayNamespaceLabel: "default",
+ }), test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
+ gatewayapi.OwningGatewayNamespaceLabel: "default",
+ }),
+ },
expect: false,
},
{
@@ -900,9 +920,14 @@ func TestValidateDeploymentForReconcile(t *testing.T) {
}),
mergeGatewaysConfig,
},
- deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
- gatewayapi.OwningGatewayClassLabel: "test-mg",
- }),
+ envoyObjects: []client.Object{
+ test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
+ gatewayapi.OwningGatewayClassLabel: "test-mg",
+ }),
+ test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ gatewayapi.OwningGatewayClassLabel: "test-mg",
+ }),
+ },
expect: false,
},
{
@@ -919,9 +944,14 @@ func TestValidateDeploymentForReconcile(t *testing.T) {
test.GetGateway(types.NamespacedName{Name: "merged-gateway-2", Namespace: "default"}, "test-mg", 8082),
test.GetGateway(types.NamespacedName{Name: "merged-gateway-3", Namespace: "default"}, "test-mg", 8083),
},
- deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
- gatewayapi.OwningGatewayClassLabel: "test-mg",
- }),
+ envoyObjects: []client.Object{
+ test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
+ gatewayapi.OwningGatewayClassLabel: "test-mg",
+ }),
+ test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ gatewayapi.OwningGatewayClassLabel: "test-mg",
+ }),
+ },
expect: false,
},
}
@@ -938,8 +968,10 @@ func TestValidateDeploymentForReconcile(t *testing.T) {
for _, tc := range testCases {
r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.configs...).Build()
t.Run(tc.name, func(t *testing.T) {
- res := r.validateObjecttForReconcile(tc.deployment)
- require.Equal(t, tc.expect, res)
+ for _, obj := range tc.envoyObjects {
+ res := r.validateObjectForReconcile(obj)
+ require.Equal(t, tc.expect, res)
+ }
})
}
}
diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go
index 0bfd046cf86..c3d5553b0bf 100644
--- a/internal/provider/kubernetes/status.go
+++ b/internal/provider/kubernetes/status.go
@@ -475,7 +475,7 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw *
return
}
- // Get deployment
+ // Get envoyObjects
envoyObj, err := r.envoyObjectForGateway(ctx, gtw)
if err != nil {
r.log.Info("failed to get Deployment for gateway",
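Review bot: The log line after the `envoyObjectForGateway` call still says `failed to get Deployment for gateway` and, as the earlier hunk of this file shows, does not include `err`, so a DaemonSet-mode lookup failure is logged under the wrong kind and without its cause. Change it to `r.log.Error(err, "failed to get Envoy Deployment or DaemonSet for gateway", "namespace", gtw.Namespace, "name", gtw.Name)`, or keep `Info` with an added `"error", err` pair if the existing level is deliberate. The rest of `updateStatusForGateway` is outside this hunk.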
diff --git a/internal/provider/kubernetes/test/utils.go b/internal/provider/kubernetes/test/utils.go
index 6fe50fa75bd..7275565f638 100644
--- a/internal/provider/kubernetes/test/utils.go
+++ b/internal/provider/kubernetes/test/utils.go
@@ -12,6 +12,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/utils/ptr"
+ "sigs.k8s.io/controller-runtime/pkg/client"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
@@ -271,7 +272,7 @@ func GetUDPRoute(nsName types.NamespacedName, parent string, serviceName types.N
}
// GetGatewayDeployment returns a sample Deployment for a Gateway object.
-func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string) *appsv1.Deployment {
+func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string) client.Object {
return &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Namespace: nsName.Namespace,
@@ -298,6 +299,34 @@ func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string)
}
}
+// GetGatewayDaemonset returns a sample Daemonset for a Gateway object.
+func GetGatewayDaemonset(nsName types.NamespacedName, labels map[string]string) client.Object {
+ return &appsv1.DaemonSet{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: nsName.Namespace,
+ Name: nsName.Name,
+ Labels: labels,
+ },
+ Spec: appsv1.DaemonSetSpec{
+ Selector: &metav1.LabelSelector{MatchLabels: labels},
+ Template: corev1.PodTemplateSpec{
+ ObjectMeta: metav1.ObjectMeta{
+ Labels: labels,
+ },
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{{
+ Name: "dummy",
+ Image: "dummy",
+ Ports: []corev1.ContainerPort{{
+ ContainerPort: 8080,
+ }},
+ }},
+ },
+ },
+ },
+ }
+}
+
// GetService returns a sample Service with labels and ports.
func GetService(nsName types.NamespacedName, labels map[string]string, ports map[string]int32) *corev1.Service {
service := &corev1.Service{
From 144e2183726328af4dd4b58ae47c0159874954fc Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 11:46:29 -0600
Subject: [PATCH 04/12] linting and more cleanup
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/gatewayapi/status/gateway.go | 2 +-
internal/provider/kubernetes/predicates.go | 37 +---------------------
2 files changed, 2 insertions(+), 37 deletions(-)
diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go
index c1d30566ba7..6610a4acc02 100644
--- a/internal/gatewayapi/status/gateway.go
+++ b/internal/gatewayapi/status/gateway.go
@@ -7,13 +7,13 @@ package status
import (
"fmt"
- "sigs.k8s.io/controller-runtime/pkg/client"
"time"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/ptr"
+ "sigs.k8s.io/controller-runtime/pkg/client"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
)
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
index 1c1bf2dca6d..4bcaee97be8 100644
--- a/internal/provider/kubernetes/predicates.go
+++ b/internal/provider/kubernetes/predicates.go
@@ -8,12 +8,12 @@ package kubernetes
import (
"context"
"fmt"
- "k8s.io/apimachinery/pkg/api/meta"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
discoveryv1 "k8s.io/api/discovery/v1"
kerrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/api/meta"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/labels"
@@ -473,41 +473,6 @@ func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) boo
// envoyObjectForGateway returns the Envoy Deployment or Daemonset, returning nil if neither exists.
func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) {
- labelSelector := labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))))
-
- // Check for envoyObjects
- var deployments appsv1.DeploymentList
- if err := r.client.List(ctx, &deployments, &client.ListOptions{
- LabelSelector: labelSelector,
- Namespace: r.namespace,
- }); err != nil {
- if !kerrors.IsNotFound(err) {
- return nil, err
- }
- }
- if len(deployments.Items) > 0 {
- return &deployments.Items[0], nil
- }
-
- // Check for daemonset
- var daemonsets appsv1.DaemonSetList
- if err := r.client.List(ctx, &daemonsets, &client.ListOptions{
- LabelSelector: labelSelector,
- Namespace: r.namespace,
- }); err != nil {
- if !kerrors.IsNotFound(err) {
- return nil, err
- }
- }
-
- if len(daemonsets.Items) > 0 {
- return &daemonsets.Items[0], nil
- }
- return nil, nil
-}
-
-func (r *gatewayAPIReconciler) envoyObjectForGateways(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) {
-
// Helper func to list and return the first object from results
listResource := func(list client.ObjectList) (client.Object, error) {
if err := r.client.List(ctx, list, &client.ListOptions{
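Review bot: `listResource` hands back `Items[0]` of whatever the API server lists first, and the Deployment lookup presumably still runs before the DaemonSet one as it did in the removed code, so if both kinds carry the Gateway's owner labels — for example mid-switch from Deployment to DaemonSet mode — the Programmed condition is computed from the stale Deployment. If that precedence is intentional, document it where the helper is declared: `// Deployment is preferred when both exist; a Gateway is expected to own exactly one Envoy workload kind.` Otherwise choose the kind from the configured provider mode before listing. The helper body and the calls that use it continue past the hunk.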
From bf50b77b95c4c8d79455bf0a0b7a6ddc89f09603 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 12:20:12 -0600
Subject: [PATCH 05/12] Fix name
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/provider/kubernetes/kubernetes_test.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go
index 7166956ab49..135de799948 100644
--- a/internal/provider/kubernetes/kubernetes_test.go
+++ b/internal/provider/kubernetes/kubernetes_test.go
@@ -281,7 +281,7 @@ func testGatewayScheduledStatus(ctx context.Context, t *testing.T, provider *Pro
deploy := &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Namespace: gw.Namespace,
- Name: gw.Name + "-envoyObjects",
+ Name: gw.Name + "-deployment",
Labels: labels,
},
Spec: appsv1.DeploymentSpec{
From 6bd872c4bf3f1b5bcf105d2f1a2efa48aa214d16 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 12:38:40 -0600
Subject: [PATCH 06/12] fix nil case
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/gatewayapi/status/gateway.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go
index 6610a4acc02..8e790ba11b4 100644
--- a/internal/gatewayapi/status/gateway.go
+++ b/internal/gatewayapi/status/gateway.go
@@ -161,14 +161,14 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec
// Check for available Envoy replicas and if found mark the gateway as ready.
switch obj := envoyObj.(type) {
case *appsv1.Deployment:
- if obj.Status.AvailableReplicas > 0 {
+ if obj != nil && obj.Status.AvailableReplicas > 0 {
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
fmt.Sprintf(messageFmtProgrammed, obj.Status.AvailableReplicas, obj.Status.Replicas), time.Now(), gw.Generation))
return
}
case *appsv1.DaemonSet:
- if obj.Status.NumberAvailable > 0 {
+ if obj != nil && obj.Status.NumberAvailable > 0 {
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed),
fmt.Sprintf(messageFmtProgrammed, obj.Status.NumberAvailable, obj.Status.CurrentNumberScheduled), time.Now(), gw.Generation))
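Review bot: The added `obj != nil` guards only matter for a typed-nil pointer stored in `envoyObj`; a nil interface matches neither case and falls through to the code after the switch (outside the hunk), which is easy to misread, so note it above the switch: `// A typed-nil *Deployment/*DaemonSet still selects its case (hence the nil checks); a nil interface skips the switch entirely.` For the DaemonSet message, `CurrentNumberScheduled` counts nodes that already run a pod, so `x/y` can read as fully rolled out while nodes are still missing pods; `obj.Status.DesiredNumberScheduled` is the closer analogue to the Deployment's available/total wording. `updateGatewayProgrammedCondition` starts and ends outside the hunk.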
From efbef07d85085ac4e5034d6521f47a8533dcb9ca Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 19:47:14 -0600
Subject: [PATCH 07/12] Fix helm permissions and fully implement daemonset
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
charts/gateway-helm/templates/_rbac.tpl | 1 +
.../kubernetes/ratelimit/resource.go | 30 ++---
.../kubernetes/ratelimit/resource_provider.go | 106 +++++++++++++++++-
.../kubernetes/ratelimit_infra.go | 21 +++-
.../kubernetes/ratelimit_infra_test.go | 42 ++++++-
.../certjen-custom-scheduling.out.yaml | 1 +
.../control-plane-with-pdb.out.yaml | 1 +
.../helm/gateway-helm/default-config.out.yaml | 1 +
.../deployment-custom-topology.out.yaml | 1 +
.../deployment-images-config.out.yaml | 1 +
.../deployment-priorityclass.out.yaml | 1 +
.../envoy-gateway-config.out.yaml | 1 +
.../global-images-config.out.yaml | 1 +
.../gateway-helm/service-annotations.out.yaml | 1 +
14 files changed, 185 insertions(+), 24 deletions(-)
diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl
index 27e90061b0c..52a5648818c 100644
--- a/charts/gateway-helm/templates/_rbac.tpl
+++ b/charts/gateway-helm/templates/_rbac.tpl
@@ -43,6 +43,7 @@ apiGroups:
- apps
resources:
- deployments
+- daemonsets
verbs:
- get
- list
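Review bot: Appending `daemonsets` to the existing deployments rule grants it every verb that rule carries, and only `get` and `list` are visible here — the rest of the verb list is outside the hunk. The Go changes in this series read DaemonSets for status and owner-UID lookups and write one only when `rateLimitDaemonset` is configured, so confirm that any write verbs in this rule are actually needed for DaemonSets; a DaemonSet grant lets the controller identity place a pod on every node, a broader blast radius than the Deployment grant it is being added to. If this template renders a ClusterRole rather than a namespaced Role, consider putting the DaemonSet write verbs in a separate rule scoped to the controller namespace.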
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go
index 4785a700d40..669df866285 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource.go
@@ -138,7 +138,7 @@ func rateLimitLabels() map[string]string {
}
// expectedRateLimitContainers returns expected rateLimit containers.
-func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec,
+func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec,
namespace string,
) []corev1.Container {
ports := []corev1.ContainerPort{
@@ -152,16 +152,16 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen
containers := []corev1.Container{
{
Name: InfraName,
- Image: *rateLimitDeployment.Container.Image,
+ Image: *rateLimitContainerSpec.Image,
ImagePullPolicy: corev1.PullIfNotPresent,
Command: []string{
"/bin/ratelimit",
},
- Env: expectedRateLimitContainerEnv(rateLimit, rateLimitDeployment, namespace),
+ Env: expectedRateLimitContainerEnv(rateLimit, rateLimitContainerSpec, namespace),
Ports: ports,
- Resources: *rateLimitDeployment.Container.Resources,
- SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitDeployment),
- VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitDeployment),
+ Resources: *rateLimitContainerSpec.Resources,
+ SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitContainerSpec),
+ VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitContainerSpec),
TerminationMessagePolicy: corev1.TerminationMessageReadFile,
TerminationMessagePath: "/dev/termination-log",
StartupProbe: &corev1.Probe{
@@ -197,7 +197,7 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen
}
// expectedContainerVolumeMounts returns expected rateLimit container volume mounts.
-func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.VolumeMount {
+func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec) []corev1.VolumeMount {
var volumeMounts []corev1.VolumeMount
// mount the cert
@@ -223,11 +223,11 @@ func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeploym
})
}
- return resource.ExpectedContainerVolumeMounts(rateLimitDeployment.Container, volumeMounts)
+ return resource.ExpectedContainerVolumeMounts(rateLimitContainerSpec, volumeMounts)
}
// expectedDeploymentVolumes returns expected rateLimit deployment volumes.
-func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.Volume {
+func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitPodSpec *egv1a1.KubernetesPodSpec) []corev1.Volume {
var volumes []corev1.Volume
if rateLimit.Backend.Redis != nil &&
@@ -269,11 +269,11 @@ func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitDeployment
})
}
- return resource.ExpectedVolumes(rateLimitDeployment.Pod, volumes)
+ return resource.ExpectedVolumes(rateLimitPodSpec, volumes)
}
// expectedRateLimitContainerEnv returns expected rateLimit container envs.
-func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec,
+func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec,
namespace string,
) []corev1.EnvVar {
env := []corev1.EnvVar{
@@ -445,7 +445,7 @@ func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeploym
env = append(env, tracingEnvs...)
}
- return resource.ExpectedContainerEnv(rateLimitDeployment.Container, env)
+ return resource.ExpectedContainerEnv(rateLimitContainerSpec, env)
}
// Validate the ratelimit tls secret validating.
@@ -489,9 +489,9 @@ func checkTraceEndpointScheme(url string) string {
return fmt.Sprintf("%s%s", httpScheme, url)
}
-func expectedRateLimitContainerSecurityContext(rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) *corev1.SecurityContext {
- if rateLimitDeployment.Container.SecurityContext != nil {
- return rateLimitDeployment.Container.SecurityContext
+func expectedRateLimitContainerSecurityContext(rateLimitContainerSpec *egv1a1.KubernetesContainerSpec) *corev1.SecurityContext {
+ if rateLimitContainerSpec.SecurityContext != nil {
+ return rateLimitContainerSpec.SecurityContext
}
return defaultSecurityContext()
}
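Review bot: A user-supplied `SecurityContext` replaces `defaultSecurityContext()` wholesale rather than being merged with it, so a `rateLimitDaemonset.container.securityContext` that sets only, say, `runAsUser` silently drops whatever hardening the default provides (its contents are outside the hunk). This behavior predates the series but is now reachable from the new DaemonSet config surface; either merge field-by-field with the default, or state the trade-off on the function: `// A user-provided SecurityContext is used verbatim and is NOT merged with defaultSecurityContext(); callers must supply the full hardened context.`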
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
index 50c5c8bf7f2..01b2ea09b6c 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
@@ -27,6 +27,7 @@ import (
// but also the key for the uid of their ownerReference.
const (
ResourceKindService = "Service"
+ ResourceKindDaemonset = "Daemonset"
ResourceKindDeployment = "Deployment"
ResourceKindServiceAccount = "ServiceAccount"
appsAPIVersion = "apps/v1"
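Review bot: `ResourceKindDaemonset = "Daemonset"` does not match the Kubernetes kind `DaemonSet`, and later in this patch the constant is written into `TypeMeta.Kind` and into `OwnerReferences[].Kind` of the rendered rate limit DaemonSet. The typed client rewrites TypeMeta from the scheme on encode, but an owner reference with kind `Daemonset` is stored as-is and the garbage collector has no resource mapping for it, so the dependent would most likely never be cleaned up when its owner goes away — an `apps/v1` owner reference should carry `Kind: "DaemonSet"`. Change it to `ResourceKindDaemonset = "DaemonSet"` (the Go identifier can stay for callers) and keep the `Kind: "Daemonset"` fixture in ratelimit_infra_test.go in step.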
@@ -41,6 +42,7 @@ type ResourceRender struct {
rateLimit *egv1a1.RateLimit
rateLimitDeployment *egv1a1.KubernetesDeploymentSpec
+ rateLimitDaemonset *egv1a1.KubernetesDaemonSetSpec
// ownerReferenceUID store the uid of its owner reference.
ownerReferenceUID map[string]types.UID
@@ -196,7 +198,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
return nil, er
}
- containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment, r.Namespace)
+ containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment.Container, r.Namespace)
selector := resource.GetSelector(rateLimitLabels())
podLabels := rateLimitLabels()
@@ -250,7 +252,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
RestartPolicy: corev1.RestartPolicyAlways,
SchedulerName: "default-scheduler",
SecurityContext: r.rateLimitDeployment.Pod.SecurityContext,
- Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment),
+ Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment.Pod),
Affinity: r.rateLimitDeployment.Pod.Affinity,
Tolerations: r.rateLimitDeployment.Pod.Tolerations,
ImagePullSecrets: r.rateLimitDeployment.Pod.ImagePullSecrets,
@@ -294,12 +296,106 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
// DaemonSetSpec returns the `DaemonSet` sets spec.
func (r *ResourceRender) DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) {
- return nil, nil
+ return r.rateLimitDaemonset, nil
}
-// TODO: implement this method
func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) {
- return nil, nil
+ // If daemonset config is nil,ignore Daemonset.
+ if daemonsetConfig, er := r.DaemonSetSpec(); daemonsetConfig == nil {
+ return nil, er
+ }
+
+ containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDaemonset.Container, r.Namespace)
+ selector := resource.GetSelector(rateLimitLabels())
+
+ podLabels := rateLimitLabels()
+ if r.rateLimitDaemonset.Pod.Labels != nil {
+ maps.Copy(podLabels, r.rateLimitDaemonset.Pod.Labels)
+ // Copy overwrites values in the dest map if they exist in the src map https://pkg.go.dev/maps#Copy
+ // It's applied again with the rateLimitLabels that are used as deployment selector to ensure those are not overwritten by user input
+ maps.Copy(podLabels, rateLimitLabels())
+ }
+
+ var podAnnotations map[string]string
+ if enablePrometheus(r.rateLimit) {
+ podAnnotations = map[string]string{
+ "prometheus.io/path": "/metrics",
+ "prometheus.io/port": strconv.Itoa(PrometheusPort),
+ "prometheus.io/scrape": "true",
+ }
+ }
+ if r.rateLimitDaemonset.Pod.Annotations != nil {
+ if podAnnotations != nil {
+ maps.Copy(podAnnotations, r.rateLimitDaemonset.Pod.Annotations)
+ } else {
+ podAnnotations = r.rateLimitDaemonset.Pod.Annotations
+ }
+ }
+
+ daemonset := &appsv1.DaemonSet{
+ TypeMeta: metav1.TypeMeta{
+ Kind: ResourceKindDaemonset,
+ APIVersion: appsAPIVersion,
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: r.Namespace,
+ Labels: rateLimitLabels(),
+ },
+ Spec: appsv1.DaemonSetSpec{
+ UpdateStrategy: *r.rateLimitDaemonset.Strategy,
+ Selector: selector,
+ Template: corev1.PodTemplateSpec{
+ ObjectMeta: metav1.ObjectMeta{
+ Labels: podLabels,
+ Annotations: podAnnotations,
+ },
+ Spec: corev1.PodSpec{
+ Containers: containers,
+ ServiceAccountName: InfraName,
+ AutomountServiceAccountToken: ptr.To(false),
+ TerminationGracePeriodSeconds: ptr.To[int64](300),
+ DNSPolicy: corev1.DNSClusterFirst,
+ RestartPolicy: corev1.RestartPolicyAlways,
+ SchedulerName: "default-scheduler",
+ SecurityContext: r.rateLimitDaemonset.Pod.SecurityContext,
+ Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDaemonset.Pod),
+ Affinity: r.rateLimitDaemonset.Pod.Affinity,
+ Tolerations: r.rateLimitDaemonset.Pod.Tolerations,
+ ImagePullSecrets: r.rateLimitDaemonset.Pod.ImagePullSecrets,
+ NodeSelector: r.rateLimitDaemonset.Pod.NodeSelector,
+ },
+ },
+ RevisionHistoryLimit: ptr.To[int32](10),
+ },
+ }
+
+ // set name
+ if r.rateLimitDaemonset.Name != nil {
+ daemonset.ObjectMeta.Name = *r.rateLimitDaemonset.Name
+ } else {
+ daemonset.ObjectMeta.Name = r.Name()
+ }
+
+ if r.ownerReferenceUID != nil {
+ if uid, ok := r.ownerReferenceUID[ResourceKindDaemonset]; ok {
+ daemonset.OwnerReferences = []metav1.OwnerReference{
+ {
+ Kind: ResourceKindDaemonset,
+ APIVersion: appsAPIVersion,
+ Name: "envoy-gateway",
+ UID: uid,
+ },
+ }
+ }
+ }
+
+ // apply merge patch to deployment
+ var err error
+ if daemonset, err = r.rateLimitDaemonset.ApplyMergePatch(daemonset); err != nil {
+ return nil, err
+ }
+
+ return daemonset, nil
}
// HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec.
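Review bot: The owner reference block looks up `ownerReferenceUID[ResourceKindDaemonset]`, but that map is keyed by the kind of the envoy-gateway controller workload (whichever of Deployment or DaemonSet exists, per the ratelimit_infra.go change in this patch), not by the kind of the rate limit workload being rendered, so a rate limit DaemonSet under a Deployment-based envoy-gateway gets no owner reference and is orphaned on uninstall (the mirror case in `Deployment()` is outside the hunk). Resolve the owner from whichever key is present instead of from the rendered kind. Two smaller points: `*r.rateLimitDaemonset.Strategy` on the `UpdateStrategy` line dereferences unconditionally and so relies on `defaultKubernetesDaemonSetSpec` always populating `Strategy` — worth a comment or a nil guard — and the comment `// apply merge patch to deployment` should say daemonset.
```go
	if r.ownerReferenceUID != nil {
		// envoy-gateway itself may run as a Deployment or a DaemonSet; own the
		// rate limit DaemonSet from whichever one exists, independent of the
		// kind being rendered here.
		for _, kind := range []string{ResourceKindDeployment, ResourceKindDaemonset} {
			if uid, ok := r.ownerReferenceUID[kind]; ok {
				daemonset.OwnerReferences = []metav1.OwnerReference{
					{
						Kind:       kind,
						APIVersion: appsAPIVersion,
						Name:       "envoy-gateway",
						UID:        uid,
					},
				}
				break
			}
		}
	}
	// … unchanged: merge patch and return …
```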
diff --git a/internal/infrastructure/kubernetes/ratelimit_infra.go b/internal/infrastructure/kubernetes/ratelimit_infra.go
index 514f86a1d9d..1b5bfd4ccb7 100644
--- a/internal/infrastructure/kubernetes/ratelimit_infra.go
+++ b/internal/infrastructure/kubernetes/ratelimit_infra.go
@@ -10,7 +10,9 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/controller-runtime/pkg/client"
"github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit"
)
@@ -34,11 +36,26 @@ func (i *Infra) CreateOrUpdateRateLimitInfra(ctx context.Context) error {
}
ownerReferenceUID[ratelimit.ResourceKindService] = serviceUID
- deploymentUID, err := i.Client.GetUID(ctx, key, &appsv1.Deployment{})
+ var uid types.UID
+ for _, obj := range []client.Object{&appsv1.Deployment{}, &appsv1.DaemonSet{}} {
+ uid, err = i.Client.GetUID(ctx, key, obj)
+ if err != nil {
+ if errors.IsNotFound(err) {
+ continue
+ }
+ return err
+ }
+ switch obj.(type) {
+ case *appsv1.Deployment:
+ ownerReferenceUID[ratelimit.ResourceKindDeployment] = uid
+ case *appsv1.DaemonSet:
+ ownerReferenceUID[ratelimit.ResourceKindDaemonset] = uid
+ }
+ break
+ }
if err != nil {
return err
}
- ownerReferenceUID[ratelimit.ResourceKindDeployment] = deploymentUID
serviceAccountUID, err := i.Client.GetUID(ctx, key, &corev1.ServiceAccount{})
if err != nil {
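Review bot: When neither workload exists the loop leaves `err` holding the DaemonSet NotFound error, so the message an operator sees names only `daemonsets.apps "envoy-gateway"` even though a Deployment was looked for first; wrap the fallthrough so it names both, e.g. `return fmt.Errorf("envoy-gateway Deployment or DaemonSet %s not found: %w", key, err)` (needs `fmt`). If both kinds exist the Deployment silently wins because of the `break`, which deserves a one-line comment on the loop. Stylistically, this file now imports `k8s.io/apimachinery/pkg/api/errors` unaliased, shadowing the stdlib package, while ratelimit_infra_test.go and predicates.go alias it as `kerrors`.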
diff --git a/internal/infrastructure/kubernetes/ratelimit_infra_test.go b/internal/infrastructure/kubernetes/ratelimit_infra_test.go
index 1b4976ac361..e49992194d4 100644
--- a/internal/infrastructure/kubernetes/ratelimit_infra_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit_infra_test.go
@@ -12,6 +12,7 @@ import (
"github.com/stretchr/testify/require"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
@@ -67,6 +68,20 @@ func createEnvoyGatewayDeployment(t *testing.T, client client.Client, ns string)
require.NoError(t, err)
}
+func createEnvoyGatewayDaemonset(t *testing.T, client client.Client, ns string) {
+ err := client.Create(context.Background(), &appsv1.DaemonSet{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "Daemonset",
+ APIVersion: "apps/v1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "envoy-gateway",
+ Namespace: ns,
+ },
+ })
+ require.NoError(t, err)
+}
+
func createEnvoyGatewayServiceAccount(t *testing.T, client client.Client, ns string) {
err := client.Create(context.Background(), &corev1.ServiceAccount{
TypeMeta: metav1.TypeMeta{
@@ -96,6 +111,15 @@ func TestCreateRateLimitInfra(t *testing.T) {
},
expect: true,
},
+ {
+ name: "daemonset",
+ ownerReferences: []string{
+ ratelimit.ResourceKindService,
+ ratelimit.ResourceKindDaemonset,
+ ratelimit.ResourceKindServiceAccount,
+ },
+ expect: true,
+ },
{
name: "default infra but missing service owner reference",
ownerReferences: []string{
@@ -138,6 +162,8 @@ func TestCreateRateLimitInfra(t *testing.T) {
createEnvoyGatewayService(t, kube.Client.Client, kube.Namespace)
case ratelimit.ResourceKindDeployment:
createEnvoyGatewayDeployment(t, kube.Client.Client, kube.Namespace)
+ case ratelimit.ResourceKindDaemonset:
+ createEnvoyGatewayDaemonset(t, kube.Client.Client, kube.Namespace)
case ratelimit.ResourceKindServiceAccount:
createEnvoyGatewayServiceAccount(t, kube.Client.Client, kube.Namespace)
}
@@ -160,14 +186,26 @@ func TestCreateRateLimitInfra(t *testing.T) {
}
require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(sa), sa))
+ // Check for either a Deployment or DaemonSet
deploy := &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Namespace: kube.Namespace,
Name: ratelimit.InfraName,
},
}
- require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(deploy), deploy))
-
+ daemonset := &appsv1.DaemonSet{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: kube.Namespace,
+ Name: ratelimit.InfraName,
+ },
+ }
+ err = kube.Client.Get(context.Background(), client.ObjectKeyFromObject(deploy), deploy)
+ if kerrors.IsNotFound(err) {
+ err = kube.Client.Get(context.Background(), client.ObjectKeyFromObject(daemonset), daemonset)
+ require.NoError(t, err)
+ } else {
+ require.NoError(t, err)
+ }
svc := &corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Namespace: kube.Namespace,
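Review bot: The either/or lookup at the end of the hunk means a case that sets up a DaemonSet owner still passes when the infra renders a Deployment (the visible `daemonset` case configures only owner references, not `rateLimitDaemonset`), and a regression that rendered both kinds would pass too. Record the expected rate limit workload kind on each case and assert that exactly that object exists, e.g. `require.NoError(t, kube.Client.Get(ctx, key, want))` followed by `require.True(t, kerrors.IsNotFound(kube.Client.Get(ctx, key, other)))`. The case struct and the loop head are outside the hunk.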
diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
index 096e1eb5561..8a1513469de 100644
--- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
+++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
@@ -105,6 +105,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
index 4c9a3d6cfdf..a71e46fe7bd 100644
--- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
+++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
@@ -120,6 +120,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml
index c830348f012..140d271c6e7 100644
--- a/test/helm/gateway-helm/default-config.out.yaml
+++ b/test/helm/gateway-helm/default-config.out.yaml
@@ -105,6 +105,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml
index fd468b505f0..586b64b5584 100644
--- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml
+++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml
@@ -105,6 +105,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml
index aa5a36ff23d..10f849e1d77 100644
--- a/test/helm/gateway-helm/deployment-images-config.out.yaml
+++ b/test/helm/gateway-helm/deployment-images-config.out.yaml
@@ -105,6 +105,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml
index d3648d443d9..4f735c42095 100644
--- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml
+++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml
@@ -105,6 +105,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml
index aa91dacecc8..04159958265 100644
--- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml
+++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml
@@ -107,6 +107,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml
index e18eecd7bc7..f280fc9f218 100644
--- a/test/helm/gateway-helm/global-images-config.out.yaml
+++ b/test/helm/gateway-helm/global-images-config.out.yaml
@@ -109,6 +109,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml
index 97f39cd0bea..ec50a16e30d 100644
--- a/test/helm/gateway-helm/service-annotations.out.yaml
+++ b/test/helm/gateway-helm/service-annotations.out.yaml
@@ -105,6 +105,7 @@ rules:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- get
- list
From 290a551023980beb1cc3f785a1209cdadd72bb2a Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 21:56:16 -0600
Subject: [PATCH 08/12] testdata and more fixes
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
api/v1alpha1/envoygateway_helpers.go | 13 +-
api/v1alpha1/envoygateway_types.go | 7 +
api/v1alpha1/zz_generated.deepcopy.go | 5 +
.../kubernetes/ratelimit/resource_provider.go | 2 +-
.../ratelimit/resource_provider_test.go | 520 ++++++++++++++++++
.../ratelimit/testdata/daemonsets/custom.yaml | 151 +++++
.../testdata/daemonsets/default-env.yaml | 151 +++++
.../testdata/daemonsets/default.yaml | 156 ++++++
.../daemonsets/disable-prometheus.yaml | 138 +++++
.../daemonsets/enable-tracing-custom.yaml | 171 ++++++
.../testdata/daemonsets/enable-tracing.yaml | 171 ++++++
.../testdata/daemonsets/extension-env.yaml | 155 ++++++
.../daemonsets/merge-annotations.yaml | 158 ++++++
.../testdata/daemonsets/merge-labels.yaml | 158 ++++++
.../testdata/daemonsets/override-env.yaml | 151 +++++
.../testdata/daemonsets/patch-daemonset.yaml | 157 ++++++
.../daemonsets/redis-tls-settings.yaml | 166 ++++++
.../testdata/daemonsets/tolerations.yaml | 171 ++++++
.../testdata/daemonsets/volumes.yaml | 171 ++++++
.../daemonsets/with-node-selector.yaml | 159 ++++++
site/content/en/latest/api/extension_types.md | 2 +
site/content/zh/latest/api/extension_types.md | 2 +
22 files changed, 2932 insertions(+), 3 deletions(-)
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml
create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml
diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go
index fed2f6fa075..2650ccaa78e 100644
--- a/api/v1alpha1/envoygateway_helpers.go
+++ b/api/v1alpha1/envoygateway_helpers.go
@@ -228,11 +228,20 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern
r.Kubernetes.LeaderElection = DefaultLeaderElection()
}
- if r.Kubernetes.RateLimitDeployment == nil {
+ // if RateLimitDeployment and RateLimitDaemonset are both nil, use RateLimitDeployment
+ if r.Kubernetes.RateLimitDeployment == nil && r.Kubernetes.RateLimitDaemonset == nil {
r.Kubernetes.RateLimitDeployment = DefaultKubernetesDeployment(DefaultRateLimitImage)
}
- r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage)
+ // if use RateLimitDeployment, set default values
+ if r.Kubernetes.RateLimitDeployment != nil {
+ r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage)
+ }
+
+ // if use RateLimitDaemonset, set default values
+ if r.Kubernetes.RateLimitDaemonset != nil {
+ r.Kubernetes.RateLimitDaemonset.defaultKubernetesDaemonSetSpec(DefaultRateLimitImage)
+ }
if r.Kubernetes.ShutdownManager == nil {
r.Kubernetes.ShutdownManager = &ShutdownManager{Image: ptr.To(DefaultShutdownManagerImage)}
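Review bot: Nothing here rejects a config that sets both `RateLimitDeployment` and `RateLimitDaemonset`; both get defaulted, and the render code in this series builds the Deployment and the DaemonSet from the same `rateLimitLabels()` selector, giving two workload controllers overlapping selectors over the same pods, which Kubernetes explicitly warns against. Validate mutual exclusion where the provider config is loaded, or at least make the defaulting pick one, and say so in the comment: `// RateLimitDeployment and RateLimitDaemonset are mutually exclusive; only one may be set.` If such validation already lives elsewhere it is outside this patch.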
diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
index 6cf8e334182..ab76c9c443e 100644
--- a/api/v1alpha1/envoygateway_types.go
+++ b/api/v1alpha1/envoygateway_types.go
@@ -202,6 +202,13 @@ type EnvoyGatewayKubernetesProvider struct {
// +optional
RateLimitDeployment *KubernetesDeploymentSpec `json:"rateLimitDeployment,omitempty"`
+ // RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
+ // If unspecified, default settings for the managed Envoy ratelimit daemonset resource
+ // are applied.
+ //
+ // +optional
+ RateLimitDaemonset *KubernetesDaemonSetSpec `json:"rateLimitDaemonset,omitempty"`
+
// Watch holds configuration of which input resources should be watched and reconciled.
// +optional
Watch *KubernetesWatchMode `json:"watch,omitempty"`
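Review bot: The field doc says that when `rateLimitDaemonset` is unspecified default settings for the managed DaemonSet are applied, but the helper change in this same patch only falls back to a Deployment when both fields are nil and never creates a DaemonSet by default, so the sentence misleads anyone reading the generated API docs. Suggested text: `// RateLimitDaemonset defines the desired state of the Envoy ratelimit DaemonSet resource.` / `// If unspecified, the ratelimit service is managed as a Deployment (see RateLimitDeployment);` / `// set this to run it as a DaemonSet instead. Only one of the two should be set.`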
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index a72706c33bb..c6dd99f41d4 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -1516,6 +1516,11 @@ func (in *EnvoyGatewayKubernetesProvider) DeepCopyInto(out *EnvoyGatewayKubernet
*out = new(KubernetesDeploymentSpec)
(*in).DeepCopyInto(*out)
}
+ if in.RateLimitDaemonset != nil {
+ in, out := &in.RateLimitDaemonset, &out.RateLimitDaemonset
+ *out = new(KubernetesDaemonSetSpec)
+ (*in).DeepCopyInto(*out)
+ }
if in.Watch != nil {
in, out := &in.Watch, &out.Watch
*out = new(KubernetesWatchMode)
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
index 01b2ea09b6c..ea0da488db8 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
@@ -53,6 +53,7 @@ func NewResourceRender(ns string, gateway *egv1a1.EnvoyGateway, ownerReferenceUI
return &ResourceRender{
Namespace: ns,
rateLimit: gateway.RateLimit,
+ rateLimitDaemonset: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
rateLimitDeployment: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDeployment,
ownerReferenceUID: ownerReferenceUID,
}
@@ -365,7 +366,6 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) {
NodeSelector: r.rateLimitDaemonset.Pod.NodeSelector,
},
},
- RevisionHistoryLimit: ptr.To[int32](10),
},
}
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
index c7aa23f7943..71d1cfc2f81 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
@@ -37,6 +37,7 @@ const (
var ownerReferenceUID = map[string]types.UID{
ResourceKindService: "test-owner-reference-uid-for-service",
+ ResourceKindDaemonset: "test-owner-reference-uid-for-deployment",
ResourceKindDeployment: "test-owner-reference-uid-for-deployment",
ResourceKindServiceAccount: "test-owner-reference-uid-for-service-account",
}
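Review bot: The new `ResourceKindDaemonset` entry reuses the value `"test-owner-reference-uid-for-deployment"`, so the deployment and daemonset kinds now map to the same UID. Because the generated fixtures assert this exact string, the test can no longer detect whether the renderer looked up the owner reference under the right kind; give it a distinct value, `ResourceKindDaemonset: "test-owner-reference-uid-for-daemonset",` and regenerate the daemonset fixtures with the override flag.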
@@ -765,6 +766,525 @@ func loadDeployment(caseName string) (*appsv1.Deployment, error) {
return deployment, nil
}
+func TestDaemonset(t *testing.T) {
+ cfg, err := config.New()
+ // Set default DaemonsetSpec or else daemonset will be used
+ cfg.EnvoyGateway.Provider.Kubernetes.RateLimitDaemonset = egv1a1.DefaultKubernetesDaemonSet(egv1a1.DefaultRateLimitImage)
+ require.NoError(t, err)
+ rateLimit := &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ }
+ cases := []struct {
+ caseName string
+ rateLimit *egv1a1.RateLimit
+ daemonSetSpec *egv1a1.KubernetesDaemonSetSpec
+ }{
+ {
+ caseName: "default",
+ rateLimit: rateLimit,
+ daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
+ },
+ {
+ caseName: "disable-prometheus",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ Telemetry: &egv1a1.RateLimitTelemetry{
+ Metrics: &egv1a1.RateLimitMetrics{
+ Prometheus: &egv1a1.RateLimitMetricsPrometheusProvider{
+ Disable: true,
+ },
+ },
+ },
+ },
+ daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
+ },
+ {
+ caseName: "patch-daemonset",
+ rateLimit: rateLimit,
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Patch: &egv1a1.KubernetesPatchSpec{
+ Type: ptr.To(egv1a1.StrategicMerge),
+ Value: apiextensionsv1.JSON{
+ Raw: []byte("{\"spec\":{\"template\":{\"spec\":{\"hostNetwork\":true,\"dnsPolicy\":\"ClusterFirstWithHostNet\"}}}}"),
+ },
+ },
+ },
+ },
+ {
+ caseName: "custom",
+ rateLimit: rateLimit,
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/scrape": "true",
+ },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ Container: &egv1a1.KubernetesContainerSpec{
+ Image: ptr.To("custom-image"),
+ Resources: &corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("400m"),
+ corev1.ResourceMemory: resource.MustParse("2Gi"),
+ },
+ Requests: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("200m"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
+ },
+ },
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ },
+ },
+ },
+ },
+ {
+ caseName: "extension-env",
+ rateLimit: rateLimit,
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/scrape": "true",
+ },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ Container: &egv1a1.KubernetesContainerSpec{
+ Env: []corev1.EnvVar{
+ {
+ Name: "env_a",
+ Value: "env_a_value",
+ },
+ {
+ Name: "env_b",
+ Value: "env_b_value",
+ },
+ },
+ Image: ptr.To("custom-image"),
+ Resources: &corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("400m"),
+ corev1.ResourceMemory: resource.MustParse("2Gi"),
+ },
+ Requests: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("200m"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
+ },
+ },
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ },
+ },
+ },
+ },
+ {
+ caseName: "default-env",
+ rateLimit: rateLimit,
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/scrape": "true",
+ },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ Container: &egv1a1.KubernetesContainerSpec{
+ Env: nil,
+ Image: ptr.To("custom-image"),
+ Resources: &corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("400m"),
+ corev1.ResourceMemory: resource.MustParse("2Gi"),
+ },
+ Requests: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("200m"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
+ },
+ },
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ },
+ },
+ },
+ },
+ {
+ caseName: "override-env",
+ rateLimit: rateLimit,
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/scrape": "true",
+ },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ Container: &egv1a1.KubernetesContainerSpec{
+ Env: []corev1.EnvVar{
+ {
+ Name: UseStatsdEnvVar,
+ Value: "true",
+ },
+ },
+ Image: ptr.To("custom-image"),
+ Resources: &corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("400m"),
+ corev1.ResourceMemory: resource.MustParse("2Gi"),
+ },
+ Requests: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("200m"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
+ },
+ },
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ },
+ },
+ },
+ },
+ {
+ caseName: "redis-tls-settings",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ TLS: &egv1a1.RedisTLSSettings{
+ CertificateRef: &gwapiv1.SecretObjectReference{
+ Name: "ratelimit-cert",
+ },
+ },
+ },
+ },
+ },
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/scrape": "true",
+ },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ Container: &egv1a1.KubernetesContainerSpec{
+ Env: []corev1.EnvVar{
+ {
+ Name: RedisAuthEnvVar,
+ Value: "redis_auth_password",
+ },
+ {
+ Name: UseStatsdEnvVar,
+ Value: "true",
+ },
+ },
+ Image: ptr.To("custom-image"),
+ Resources: &corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("400m"),
+ corev1.ResourceMemory: resource.MustParse("2Gi"),
+ },
+ Requests: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("200m"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
+ },
+ },
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ },
+ },
+ },
+ },
+ {
+ caseName: "tolerations",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ TLS: &egv1a1.RedisTLSSettings{
+ CertificateRef: &gwapiv1.SecretObjectReference{
+ Name: "ratelimit-cert",
+ },
+ },
+ },
+ },
+ },
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/scrape": "true",
+ },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ Tolerations: []corev1.Toleration{
+ {
+ Key: "node-type",
+ Operator: corev1.TolerationOpExists,
+ Effect: corev1.TaintEffectNoSchedule,
+ Value: "router",
+ },
+ },
+ },
+ Container: &egv1a1.KubernetesContainerSpec{
+ Env: []corev1.EnvVar{
+ {
+ Name: RedisAuthEnvVar,
+ Value: "redis_auth_password",
+ },
+ {
+ Name: UseStatsdEnvVar,
+ Value: "true",
+ },
+ },
+ Image: ptr.To("custom-image"),
+ Resources: &corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("400m"),
+ corev1.ResourceMemory: resource.MustParse("2Gi"),
+ },
+ Requests: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("200m"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
+ },
+ },
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ },
+ },
+ },
+ },
+ {
+ caseName: "volumes",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ TLS: &egv1a1.RedisTLSSettings{
+ CertificateRef: &gwapiv1.SecretObjectReference{
+ Name: "ratelimit-cert-origin",
+ },
+ },
+ },
+ },
+ },
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/scrape": "true",
+ },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ Tolerations: []corev1.Toleration{
+ {
+ Key: "node-type",
+ Operator: corev1.TolerationOpExists,
+ Effect: corev1.TaintEffectNoSchedule,
+ Value: "router",
+ },
+ },
+ Volumes: []corev1.Volume{
+ {
+ Name: "certs",
+ VolumeSource: corev1.VolumeSource{
+ Secret: &corev1.SecretVolumeSource{
+ SecretName: "custom-cert",
+ DefaultMode: ptr.To[int32](420),
+ },
+ },
+ },
+ },
+ },
+ Container: &egv1a1.KubernetesContainerSpec{
+ Env: []corev1.EnvVar{
+ {
+ Name: RedisAuthEnvVar,
+ Value: "redis_auth_password",
+ },
+ {
+ Name: UseStatsdEnvVar,
+ Value: "true",
+ },
+ },
+ Image: ptr.To("custom-image"),
+ Resources: &corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("400m"),
+ corev1.ResourceMemory: resource.MustParse("2Gi"),
+ },
+ Requests: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("200m"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
+ },
+ },
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ },
+ VolumeMounts: []corev1.VolumeMount{},
+ },
+ },
+ },
+ {
+ caseName: "with-node-selector",
+ rateLimit: rateLimit,
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Pod: &egv1a1.KubernetesPodSpec{
+ NodeSelector: map[string]string{
+ "key1": "value1",
+ "key2": "value2",
+ },
+ },
+ },
+ },
+ {
+ caseName: "enable-tracing",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ Telemetry: &egv1a1.RateLimitTelemetry{
+ Tracing: &egv1a1.RateLimitTracing{
+ Provider: &egv1a1.RateLimitTracingProvider{
+ URL: "http://trace-collector.envoy-gateway-system.svc.cluster.local:4318",
+ },
+ },
+ },
+ },
+ daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
+ },
+ {
+ caseName: "enable-tracing-custom",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ Telemetry: &egv1a1.RateLimitTelemetry{
+ Tracing: &egv1a1.RateLimitTracing{
+ SamplingRate: ptr.To[uint32](55),
+ Provider: &egv1a1.RateLimitTracingProvider{
+ URL: "trace-collector.envoy-gateway-system.svc.cluster.local:4317",
+ },
+ },
+ },
+ },
+ daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
+ },
+ {
+ caseName: "merge-labels",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ },
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Pod: &egv1a1.KubernetesPodSpec{
+ Labels: map[string]string{
+ "app.kubernetes.io/name": InfraName,
+ "app.kubernetes.io/component": "ratelimit",
+ "app.kubernetes.io/managed-by": "envoy-gateway",
+ "key1": "value1",
+ "key2": "value2",
+ },
+ },
+ },
+ },
+ {
+ caseName: "merge-annotations",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ },
+ daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/path": "/metrics",
+ "prometheus.io/port": strconv.Itoa(PrometheusPort),
+ "prometheus.io/scrape": "true",
+ "key1": "value1",
+ "key2": "value2",
+ },
+ },
+ },
+ },
+ }
+ for _, tc := range cases {
+ t.Run(tc.caseName, func(t *testing.T) {
+ cfg.EnvoyGateway.RateLimit = tc.rateLimit
+
+ cfg.EnvoyGateway.Provider = &egv1a1.EnvoyGatewayProvider{
+ Type: egv1a1.ProviderTypeKubernetes,
+ Kubernetes: &egv1a1.EnvoyGatewayKubernetesProvider{
+ RateLimitDaemonset: tc.daemonSetSpec,
+ },
+ }
+ r := NewResourceRender(cfg.Namespace, cfg.EnvoyGateway, ownerReferenceUID)
+ dp, err := r.DaemonSet()
+ require.NoError(t, err)
+
+ if *overrideTestData {
+ daemonsetYAML, err := yaml.Marshal(dp)
+ require.NoError(t, err)
+ // nolint:gosec
+ err = os.WriteFile(fmt.Sprintf("testdata/daemonsets/%s.yaml", tc.caseName), daemonsetYAML, 0o644)
+ require.NoError(t, err)
+ return
+ }
+
+ expected, err := loadDaemonset(tc.caseName)
+ require.NoError(t, err)
+
+ assert.Equal(t, expected, dp)
+ })
+ }
+}
+
+func loadDaemonset(caseName string) (*appsv1.DaemonSet, error) {
+ daemonsetYaml, err := os.ReadFile(fmt.Sprintf("testdata/daemonsets/%s.yaml", caseName))
+ if err != nil {
+ return nil, err
+ }
+ daemonset := &appsv1.DaemonSet{}
+ _ = yaml.Unmarshal(daemonsetYaml, daemonset)
+ return daemonset, nil
+}
+
func TestGetServiceURL(t *testing.T) {
got := GetServiceURL("envoy-gateway-system", "example-cluster.local")
assert.Equal(t, "grpc://envoy-ratelimit.envoy-gateway-system.svc.example-cluster.local:8081", got)
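Review bot: In `TestDaemonset`, `cfg` is dereferenced on the line that assigns `RateLimitDaemonset` before `require.NoError(t, err)` has checked the result of `config.New()`, so a config error would surface as a nil-pointer panic rather than a test failure; move the check directly under `cfg, err := config.New()`. In `loadDaemonset`, the `yaml.Unmarshal` error is discarded with `_ =`, so a malformed fixture decodes to an empty `DaemonSet` and the test fails with an unhelpful whole-object diff instead of a parse error; return it, `if err := yaml.Unmarshal(daemonsetYaml, daemonset); err != nil { return nil, err }`. The comment `// Set default DaemonsetSpec or else daemonset will be used` does not describe what the line beneath it does; something like `// Populate the default DaemonSet spec so the "default" case has a non-nil spec to render` reads closer to the code, though the intent is inferred.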
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml
new file mode 100644
index 00000000000..eb3d1dc13d8
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml
@@ -0,0 +1,151 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: custom-image
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
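Review bot: The fixture records `kind: Daemonset` both as the object's own kind and inside `ownerReferences`, whereas the apps/v1 kind is spelled `DaemonSet`; since these files are produced from the renderer's output, the casing presumably originates in the `ResourceKindDaemonset` constant rather than in the fixture, and an owner reference whose kind does not match a real API kind may not be resolvable by the garbage collector. The owner reference also names `envoy-gateway`, which elsewhere in this fixture is the xDS server address of the controller, so if that owner is the controller Deployment its kind should presumably stay `Deployment` regardless of how the rate-limit workload itself is deployed — worth confirming against the renderer. The same content appears in default-env.yaml, default.yaml, disable-prometheus.yaml, enable-tracing-custom.yaml and enable-tracing.yaml.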
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml
new file mode 100644
index 00000000000..eb3d1dc13d8
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml
@@ -0,0 +1,151 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: custom-image
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml
new file mode 100644
index 00000000000..d3182b68dd5
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml
@@ -0,0 +1,156 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml
new file mode 100644
index 00000000000..e902600edbe
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml
@@ -0,0 +1,138 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml
new file mode 100644
index 00000000000..78242fdc716
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml
@@ -0,0 +1,171 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ - name: TRACING_ENABLED
+ value: "true"
+ - name: TRACING_SERVICE_NAME
+ value: envoy-ratelimit
+ - name: TRACING_SERVICE_NAMESPACE
+ value: envoy-gateway-system
+ - name: TRACING_SERVICE_INSTANCE_ID
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: TRACING_SAMPLING_RATE
+ value: "0.6"
+ - name: OTEL_EXPORTER_OTLP_ENDPOINT
+ value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4317
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml
new file mode 100644
index 00000000000..31a4ecfdad9
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml
@@ -0,0 +1,171 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ - name: TRACING_ENABLED
+ value: "true"
+ - name: TRACING_SERVICE_NAME
+ value: envoy-ratelimit
+ - name: TRACING_SERVICE_NAMESPACE
+ value: envoy-gateway-system
+ - name: TRACING_SERVICE_INSTANCE_ID
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: TRACING_SAMPLING_RATE
+ value: "1.0"
+ - name: OTEL_EXPORTER_OTLP_ENDPOINT
+ value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4318
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
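Review bot: `kind: Daemonset` at the top of this fixture and again under `ownerReferences` does not match the Kubernetes kind name `DaemonSet`, and the same string appears in every other new daemonsets/*.yaml fixture in this commit (extension-env, merge-annotations, merge-labels, override-env, patch-daemonset, redis-tls-settings, tolerations, volumes). If these goldens are rendered by the Go code rather than hand-written, the casing presumably comes from the TypeMeta or owner-reference kind set in the renderer, which is where it should be corrected before the fixtures are regenerated. The owner reference here also keeps `name: envoy-gateway` and `uid: test-owner-reference-uid-for-deployment` under `kind: Daemonset`, which looks carried over from the deployment fixtures; since the garbage collector resolves owners by apiVersion/kind, it is worth confirming this is the kind the test intends. I would expect the corrected lines to read `kind: DaemonSet` in both places.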
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml
new file mode 100644
index 00000000000..9ec98bc74f3
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml
@@ -0,0 +1,155 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ - name: env_a
+ value: env_a_value
+ - name: env_b
+ value: env_b_value
+ image: custom-image
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml
new file mode 100644
index 00000000000..2f34b46f27e
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml
@@ -0,0 +1,158 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ key1: value1
+ key2: value2
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml
new file mode 100644
index 00000000000..efd6a1382c1
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml
@@ -0,0 +1,158 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ key1: value1
+ key2: value2
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml
new file mode 100644
index 00000000000..1de6f2237f9
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml
@@ -0,0 +1,151 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "true"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: custom-image
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml
new file mode 100644
index 00000000000..8527fb93226
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml
@@ -0,0 +1,157 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml
new file mode 100644
index 00000000000..a16c8a713a7
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml
@@ -0,0 +1,166 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "true"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: REDIS_TLS
+ value: "true"
+ - name: REDIS_TLS_CLIENT_CERT
+ value: /redis-certs/tls.crt
+ - name: REDIS_TLS_CLIENT_KEY
+ value: /redis-certs/tls.key
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ - name: REDIS_AUTH
+ value: redis_auth_password
+ image: custom-image
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ - mountPath: /redis-certs
+ name: redis-certs
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: redis-certs
+ secret:
+ defaultMode: 420
+ secretName: ratelimit-cert
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
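Review bot: `REDIS_AUTH` is emitted as a literal `value: redis_auth_password` in the container env of this fixture, and the tolerations fixture in this commit shows the same. If the renderer really inlines the Redis password this way rather than the test stubbing it, the credential is readable by anyone who can get the DaemonSet or its Pods, and sourcing it through `valueFrom.secretKeyRef` would keep it in the Secret; the deployment path presumably behaves the same, so this may be pre-existing rather than introduced here. Either way a one-line comment in the test documenting where this value comes from would save the next reader the same question.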
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml
new file mode 100644
index 00000000000..21d5051e084
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml
@@ -0,0 +1,171 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "true"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: REDIS_TLS
+ value: "true"
+ - name: REDIS_TLS_CLIENT_CERT
+ value: /redis-certs/tls.crt
+ - name: REDIS_TLS_CLIENT_KEY
+ value: /redis-certs/tls.key
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ - name: REDIS_AUTH
+ value: redis_auth_password
+ image: custom-image
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ - mountPath: /redis-certs
+ name: redis-certs
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ tolerations:
+ - effect: NoSchedule
+ key: node-type
+ operator: Exists
+ value: router
+ volumes:
+ - name: redis-certs
+ secret:
+ defaultMode: 420
+ secretName: ratelimit-cert
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml
new file mode 100644
index 00000000000..93f8d545754
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml
@@ -0,0 +1,171 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "true"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: REDIS_TLS
+ value: "true"
+ - name: REDIS_TLS_CLIENT_CERT
+ value: /redis-certs/tls.crt
+ - name: REDIS_TLS_CLIENT_KEY
+ value: /redis-certs/tls.key
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ - name: REDIS_AUTH
+ value: redis_auth_password
+ image: custom-image
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ - mountPath: /redis-certs
+ name: redis-certs
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ tolerations:
+ - effect: NoSchedule
+ key: node-type
+ operator: Exists
+ value: router
+ volumes:
+ - name: redis-certs
+ secret:
+ defaultMode: 420
+ secretName: ratelimit-cert-origin
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: custom-cert
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
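Review bot: The fixture records `kind: Daemonset` both for the object itself (second line of the file) and in its `ownerReferences` entry, whereas the apps/v1 kind is spelled `DaemonSet`; since these golden files are written by the renderer under `overrideTestData`, this appears to capture the `ResourceKindDaemonset = "Daemonset"` constant rather than a hand-typed value, and the same spelling is in with-node-selector.yaml below. The owner reference is also questionable: its `kind` is the kind of the object being created, while its `name: envoy-gateway` and `uid: test-owner-reference-uid-for-deployment` presumably describe the owning Deployment, so I'd expect `kind: Deployment` there. A later commit in this series deletes these fixtures again, so this matters only if the daemonset support is reintroduced, in which case the constant should be `"DaemonSet"` and the owner kind keyed on the owner's resource, e.g. `kind: DaemonSet` / `ownerReferences: - kind: Deployment`.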
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml
new file mode 100644
index 00000000000..89d061b8da4
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml
@@ -0,0 +1,159 @@
+apiVersion: apps/v1
+kind: Daemonset
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: envoy-ratelimit
+ namespace: envoy-gateway-system
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Daemonset
+ name: envoy-gateway
+ uid: test-owner-reference-uid-for-deployment
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - command:
+ - /bin/ratelimit
+ env:
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: LOG_LEVEL
+ value: info
+ - name: USE_STATSD
+ value: "false"
+ - name: CONFIG_TYPE
+ value: GRPC_XDS_SOTW
+ - name: CONFIG_GRPC_XDS_SERVER_URL
+ value: envoy-gateway:18001
+ - name: CONFIG_GRPC_XDS_NODE_ID
+ value: envoy-ratelimit
+ - name: GRPC_SERVER_USE_TLS
+ value: "true"
+ - name: GRPC_SERVER_TLS_CERT
+ value: /certs/tls.crt
+ - name: GRPC_SERVER_TLS_KEY
+ value: /certs/tls.key
+ - name: GRPC_SERVER_TLS_CA_CERT
+ value: /certs/ca.crt
+ - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
+ value: "true"
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
+ value: /certs/tls.crt
+ - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
+ value: /certs/tls.key
+ - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
+ value: /certs/ca.crt
+ - name: FORCE_START_WITHOUT_INITIAL_CONFIG
+ value: "true"
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis.redis.svc:6379
+ - name: USE_PROMETHEUS
+ value: "true"
+ - name: PROMETHEUS_ADDR
+ value: :19001
+ - name: PROMETHEUS_MAPPER_YAML
+ value: /etc/statsd-exporter/conf.yaml
+ image: envoyproxy/ratelimit:master
+ imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ ports:
+ - containerPort: 8081
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ nodeSelector:
+ key1: value1
+ key2: value2
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy-rate-limit
+ - configMap:
+ defaultMode: 420
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+ updateStrategy:
+ type: RollingUpdate
+status:
+ currentNumberScheduled: 0
+ desiredNumberScheduled: 0
+ numberMisscheduled: 0
+ numberReady: 0
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 76adfb15735..640feb97101 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1147,6 +1147,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. |
+| `rateLimitDaemonset` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
If unspecified, default settings for the managed Envoy ratelimit daemonset resource
are applied. |
| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. |
| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed |
| `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
@@ -2432,6 +2433,7 @@ _Appears in:_
KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource.
_Appears in:_
+- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)
- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)
| Field | Type | Required | Description |
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md
index 76adfb15735..640feb97101 100644
--- a/site/content/zh/latest/api/extension_types.md
+++ b/site/content/zh/latest/api/extension_types.md
@@ -1147,6 +1147,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. |
+| `rateLimitDaemonset` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
If unspecified, default settings for the managed Envoy ratelimit daemonset resource
are applied. |
| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. |
| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed |
| `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
@@ -2432,6 +2433,7 @@ _Appears in:_
KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource.
_Appears in:_
+- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)
- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)
| Field | Type | Required | Description |
From 69150309aac98dd69d76dcc20ffcd84f7a249ea8 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sat, 12 Oct 2024 22:21:36 -0600
Subject: [PATCH 09/12] comments
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/gatewayapi/status/gateway.go | 2 +-
.../infrastructure/kubernetes/ratelimit/resource_provider.go | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go
index 8e790ba11b4..740e3089178 100644
--- a/internal/gatewayapi/status/gateway.go
+++ b/internal/gatewayapi/status/gateway.go
@@ -134,7 +134,7 @@ const (
messageAddressNotAssigned = "No addresses have been assigned to the Gateway"
messageFmtTooManyAddresses = "Too many addresses (%d) have been assigned to the Gateway, the maximum number of addresses is 16"
messageNoResources = "Envoy replicas unavailable"
- messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy Deployment replicas available"
+ messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy replicas available"
)
// updateGatewayProgrammedCondition computes the Gateway Programmed status condition.
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
index ea0da488db8..77f66893604 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
@@ -313,7 +313,7 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) {
if r.rateLimitDaemonset.Pod.Labels != nil {
maps.Copy(podLabels, r.rateLimitDaemonset.Pod.Labels)
// Copy overwrites values in the dest map if they exist in the src map https://pkg.go.dev/maps#Copy
- // It's applied again with the rateLimitLabels that are used as deployment selector to ensure those are not overwritten by user input
+ // It's applied again with the rateLimitLabels that are used as daemonset selector to ensure those are not overwritten by user input
maps.Copy(podLabels, rateLimitLabels())
}
@@ -389,7 +389,7 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) {
}
}
- // apply merge patch to deployment
+ // apply merge patch to daemonset
var err error
if daemonset, err = r.rateLimitDaemonset.ApplyMergePatch(daemonset); err != nil {
return nil, err
From 2c8c8c421be0905492bf08c42cacb4018d0c3937 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sun, 13 Oct 2024 00:09:27 -0600
Subject: [PATCH 10/12] Remove ratelimit daemonset
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
.../kubernetes/ratelimit/resource_provider.go | 102 +---
.../ratelimit/resource_provider_test.go | 520 ------------------
.../ratelimit/testdata/daemonsets/custom.yaml | 151 -----
.../testdata/daemonsets/default-env.yaml | 151 -----
.../testdata/daemonsets/default.yaml | 156 ------
.../daemonsets/disable-prometheus.yaml | 138 -----
.../daemonsets/enable-tracing-custom.yaml | 171 ------
.../testdata/daemonsets/enable-tracing.yaml | 171 ------
.../testdata/daemonsets/extension-env.yaml | 155 ------
.../daemonsets/merge-annotations.yaml | 158 ------
.../testdata/daemonsets/merge-labels.yaml | 158 ------
.../testdata/daemonsets/override-env.yaml | 151 -----
.../testdata/daemonsets/patch-daemonset.yaml | 157 ------
.../daemonsets/redis-tls-settings.yaml | 166 ------
.../testdata/daemonsets/tolerations.yaml | 171 ------
.../testdata/daemonsets/volumes.yaml | 171 ------
.../daemonsets/with-node-selector.yaml | 159 ------
.../kubernetes/ratelimit_infra.go | 21 +-
.../kubernetes/ratelimit_infra_test.go | 42 +-
19 files changed, 7 insertions(+), 3062 deletions(-)
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml
delete mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
index 77f66893604..bcc9d580cfc 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
@@ -27,7 +27,6 @@ import (
// but also the key for the uid of their ownerReference.
const (
ResourceKindService = "Service"
- ResourceKindDaemonset = "Daemonset"
ResourceKindDeployment = "Deployment"
ResourceKindServiceAccount = "ServiceAccount"
appsAPIVersion = "apps/v1"
@@ -42,7 +41,6 @@ type ResourceRender struct {
rateLimit *egv1a1.RateLimit
rateLimitDeployment *egv1a1.KubernetesDeploymentSpec
- rateLimitDaemonset *egv1a1.KubernetesDaemonSetSpec
// ownerReferenceUID store the uid of its owner reference.
ownerReferenceUID map[string]types.UID
@@ -53,7 +51,6 @@ func NewResourceRender(ns string, gateway *egv1a1.EnvoyGateway, ownerReferenceUI
return &ResourceRender{
Namespace: ns,
rateLimit: gateway.RateLimit,
- rateLimitDaemonset: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
rateLimitDeployment: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDeployment,
ownerReferenceUID: ownerReferenceUID,
}
@@ -297,105 +294,12 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
// DaemonSetSpec returns the `DaemonSet` sets spec.
func (r *ResourceRender) DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) {
- return r.rateLimitDaemonset, nil
+ return nil, nil
}
+// TODO: implement this method
func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) {
- // If daemonset config is nil,ignore Daemonset.
- if daemonsetConfig, er := r.DaemonSetSpec(); daemonsetConfig == nil {
- return nil, er
- }
-
- containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDaemonset.Container, r.Namespace)
- selector := resource.GetSelector(rateLimitLabels())
-
- podLabels := rateLimitLabels()
- if r.rateLimitDaemonset.Pod.Labels != nil {
- maps.Copy(podLabels, r.rateLimitDaemonset.Pod.Labels)
- // Copy overwrites values in the dest map if they exist in the src map https://pkg.go.dev/maps#Copy
- // It's applied again with the rateLimitLabels that are used as daemonset selector to ensure those are not overwritten by user input
- maps.Copy(podLabels, rateLimitLabels())
- }
-
- var podAnnotations map[string]string
- if enablePrometheus(r.rateLimit) {
- podAnnotations = map[string]string{
- "prometheus.io/path": "/metrics",
- "prometheus.io/port": strconv.Itoa(PrometheusPort),
- "prometheus.io/scrape": "true",
- }
- }
- if r.rateLimitDaemonset.Pod.Annotations != nil {
- if podAnnotations != nil {
- maps.Copy(podAnnotations, r.rateLimitDaemonset.Pod.Annotations)
- } else {
- podAnnotations = r.rateLimitDaemonset.Pod.Annotations
- }
- }
-
- daemonset := &appsv1.DaemonSet{
- TypeMeta: metav1.TypeMeta{
- Kind: ResourceKindDaemonset,
- APIVersion: appsAPIVersion,
- },
- ObjectMeta: metav1.ObjectMeta{
- Namespace: r.Namespace,
- Labels: rateLimitLabels(),
- },
- Spec: appsv1.DaemonSetSpec{
- UpdateStrategy: *r.rateLimitDaemonset.Strategy,
- Selector: selector,
- Template: corev1.PodTemplateSpec{
- ObjectMeta: metav1.ObjectMeta{
- Labels: podLabels,
- Annotations: podAnnotations,
- },
- Spec: corev1.PodSpec{
- Containers: containers,
- ServiceAccountName: InfraName,
- AutomountServiceAccountToken: ptr.To(false),
- TerminationGracePeriodSeconds: ptr.To[int64](300),
- DNSPolicy: corev1.DNSClusterFirst,
- RestartPolicy: corev1.RestartPolicyAlways,
- SchedulerName: "default-scheduler",
- SecurityContext: r.rateLimitDaemonset.Pod.SecurityContext,
- Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDaemonset.Pod),
- Affinity: r.rateLimitDaemonset.Pod.Affinity,
- Tolerations: r.rateLimitDaemonset.Pod.Tolerations,
- ImagePullSecrets: r.rateLimitDaemonset.Pod.ImagePullSecrets,
- NodeSelector: r.rateLimitDaemonset.Pod.NodeSelector,
- },
- },
- },
- }
-
- // set name
- if r.rateLimitDaemonset.Name != nil {
- daemonset.ObjectMeta.Name = *r.rateLimitDaemonset.Name
- } else {
- daemonset.ObjectMeta.Name = r.Name()
- }
-
- if r.ownerReferenceUID != nil {
- if uid, ok := r.ownerReferenceUID[ResourceKindDaemonset]; ok {
- daemonset.OwnerReferences = []metav1.OwnerReference{
- {
- Kind: ResourceKindDaemonset,
- APIVersion: appsAPIVersion,
- Name: "envoy-gateway",
- UID: uid,
- },
- }
- }
- }
-
- // apply merge patch to daemonset
- var err error
- if daemonset, err = r.rateLimitDaemonset.ApplyMergePatch(daemonset); err != nil {
- return nil, err
- }
-
- return daemonset, nil
+ return nil, nil
}
// HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec.
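Review bot: The stubbed `DaemonSet()` now returns a typed nil `*appsv1.DaemonSet` with a nil error, and the `DaemonSetSpec` comment directly above it still says it "returns the `DaemonSet` sets spec" although it too returns `nil, nil`; nothing tells a caller that both are intentionally unimplemented. The `// TODO: implement this method` line is placed where the doc comment belongs, with no blank line separating it from `DaemonSetSpec`, so it reads as a trailing note on the wrong function. If ratelimit_infra.go (changed in this commit per the diffstat, but not shown here) converts the result to a `client.Object` before checking for nil, a typed nil pointer would read as a non-nil interface, so the contract should be explicit. I'd replace the TODO with a doc comment such as `// DaemonSet is not implemented for the rate limit infra and always returns (nil, nil); callers must check the returned pointer for nil before using it.` and reword the `DaemonSetSpec` comment to say it returns nil for the same reason.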
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
index 71d1cfc2f81..c7aa23f7943 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
@@ -37,7 +37,6 @@ const (
var ownerReferenceUID = map[string]types.UID{
ResourceKindService: "test-owner-reference-uid-for-service",
- ResourceKindDaemonset: "test-owner-reference-uid-for-deployment",
ResourceKindDeployment: "test-owner-reference-uid-for-deployment",
ResourceKindServiceAccount: "test-owner-reference-uid-for-service-account",
}
@@ -766,525 +765,6 @@ func loadDeployment(caseName string) (*appsv1.Deployment, error) {
return deployment, nil
}
-func TestDaemonset(t *testing.T) {
- cfg, err := config.New()
- // Set default DaemonsetSpec or else daemonset will be used
- cfg.EnvoyGateway.Provider.Kubernetes.RateLimitDaemonset = egv1a1.DefaultKubernetesDaemonSet(egv1a1.DefaultRateLimitImage)
- require.NoError(t, err)
- rateLimit := &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- },
- },
- }
- cases := []struct {
- caseName string
- rateLimit *egv1a1.RateLimit
- daemonSetSpec *egv1a1.KubernetesDaemonSetSpec
- }{
- {
- caseName: "default",
- rateLimit: rateLimit,
- daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
- },
- {
- caseName: "disable-prometheus",
- rateLimit: &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- },
- },
- Telemetry: &egv1a1.RateLimitTelemetry{
- Metrics: &egv1a1.RateLimitMetrics{
- Prometheus: &egv1a1.RateLimitMetricsPrometheusProvider{
- Disable: true,
- },
- },
- },
- },
- daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
- },
- {
- caseName: "patch-daemonset",
- rateLimit: rateLimit,
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Patch: &egv1a1.KubernetesPatchSpec{
- Type: ptr.To(egv1a1.StrategicMerge),
- Value: apiextensionsv1.JSON{
- Raw: []byte("{\"spec\":{\"template\":{\"spec\":{\"hostNetwork\":true,\"dnsPolicy\":\"ClusterFirstWithHostNet\"}}}}"),
- },
- },
- },
- },
- {
- caseName: "custom",
- rateLimit: rateLimit,
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
- Pod: &egv1a1.KubernetesPodSpec{
- Annotations: map[string]string{
- "prometheus.io/scrape": "true",
- },
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: ptr.To[int64](1000),
- },
- },
- Container: &egv1a1.KubernetesContainerSpec{
- Image: ptr.To("custom-image"),
- Resources: &corev1.ResourceRequirements{
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("400m"),
- corev1.ResourceMemory: resource.MustParse("2Gi"),
- },
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("200m"),
- corev1.ResourceMemory: resource.MustParse("1Gi"),
- },
- },
- SecurityContext: &corev1.SecurityContext{
- Privileged: ptr.To(true),
- },
- },
- },
- },
- {
- caseName: "extension-env",
- rateLimit: rateLimit,
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
- Pod: &egv1a1.KubernetesPodSpec{
- Annotations: map[string]string{
- "prometheus.io/scrape": "true",
- },
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: ptr.To[int64](1000),
- },
- },
- Container: &egv1a1.KubernetesContainerSpec{
- Env: []corev1.EnvVar{
- {
- Name: "env_a",
- Value: "env_a_value",
- },
- {
- Name: "env_b",
- Value: "env_b_value",
- },
- },
- Image: ptr.To("custom-image"),
- Resources: &corev1.ResourceRequirements{
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("400m"),
- corev1.ResourceMemory: resource.MustParse("2Gi"),
- },
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("200m"),
- corev1.ResourceMemory: resource.MustParse("1Gi"),
- },
- },
- SecurityContext: &corev1.SecurityContext{
- Privileged: ptr.To(true),
- },
- },
- },
- },
- {
- caseName: "default-env",
- rateLimit: rateLimit,
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
- Pod: &egv1a1.KubernetesPodSpec{
- Annotations: map[string]string{
- "prometheus.io/scrape": "true",
- },
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: ptr.To[int64](1000),
- },
- },
- Container: &egv1a1.KubernetesContainerSpec{
- Env: nil,
- Image: ptr.To("custom-image"),
- Resources: &corev1.ResourceRequirements{
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("400m"),
- corev1.ResourceMemory: resource.MustParse("2Gi"),
- },
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("200m"),
- corev1.ResourceMemory: resource.MustParse("1Gi"),
- },
- },
- SecurityContext: &corev1.SecurityContext{
- Privileged: ptr.To(true),
- },
- },
- },
- },
- {
- caseName: "override-env",
- rateLimit: rateLimit,
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
- Pod: &egv1a1.KubernetesPodSpec{
- Annotations: map[string]string{
- "prometheus.io/scrape": "true",
- },
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: ptr.To[int64](1000),
- },
- },
- Container: &egv1a1.KubernetesContainerSpec{
- Env: []corev1.EnvVar{
- {
- Name: UseStatsdEnvVar,
- Value: "true",
- },
- },
- Image: ptr.To("custom-image"),
- Resources: &corev1.ResourceRequirements{
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("400m"),
- corev1.ResourceMemory: resource.MustParse("2Gi"),
- },
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("200m"),
- corev1.ResourceMemory: resource.MustParse("1Gi"),
- },
- },
- SecurityContext: &corev1.SecurityContext{
- Privileged: ptr.To(true),
- },
- },
- },
- },
- {
- caseName: "redis-tls-settings",
- rateLimit: &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- TLS: &egv1a1.RedisTLSSettings{
- CertificateRef: &gwapiv1.SecretObjectReference{
- Name: "ratelimit-cert",
- },
- },
- },
- },
- },
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
- Pod: &egv1a1.KubernetesPodSpec{
- Annotations: map[string]string{
- "prometheus.io/scrape": "true",
- },
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: ptr.To[int64](1000),
- },
- },
- Container: &egv1a1.KubernetesContainerSpec{
- Env: []corev1.EnvVar{
- {
- Name: RedisAuthEnvVar,
- Value: "redis_auth_password",
- },
- {
- Name: UseStatsdEnvVar,
- Value: "true",
- },
- },
- Image: ptr.To("custom-image"),
- Resources: &corev1.ResourceRequirements{
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("400m"),
- corev1.ResourceMemory: resource.MustParse("2Gi"),
- },
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("200m"),
- corev1.ResourceMemory: resource.MustParse("1Gi"),
- },
- },
- SecurityContext: &corev1.SecurityContext{
- Privileged: ptr.To(true),
- },
- },
- },
- },
- {
- caseName: "tolerations",
- rateLimit: &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- TLS: &egv1a1.RedisTLSSettings{
- CertificateRef: &gwapiv1.SecretObjectReference{
- Name: "ratelimit-cert",
- },
- },
- },
- },
- },
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
- Pod: &egv1a1.KubernetesPodSpec{
- Annotations: map[string]string{
- "prometheus.io/scrape": "true",
- },
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: ptr.To[int64](1000),
- },
- Tolerations: []corev1.Toleration{
- {
- Key: "node-type",
- Operator: corev1.TolerationOpExists,
- Effect: corev1.TaintEffectNoSchedule,
- Value: "router",
- },
- },
- },
- Container: &egv1a1.KubernetesContainerSpec{
- Env: []corev1.EnvVar{
- {
- Name: RedisAuthEnvVar,
- Value: "redis_auth_password",
- },
- {
- Name: UseStatsdEnvVar,
- Value: "true",
- },
- },
- Image: ptr.To("custom-image"),
- Resources: &corev1.ResourceRequirements{
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("400m"),
- corev1.ResourceMemory: resource.MustParse("2Gi"),
- },
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("200m"),
- corev1.ResourceMemory: resource.MustParse("1Gi"),
- },
- },
- SecurityContext: &corev1.SecurityContext{
- Privileged: ptr.To(true),
- },
- },
- },
- },
- {
- caseName: "volumes",
- rateLimit: &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- TLS: &egv1a1.RedisTLSSettings{
- CertificateRef: &gwapiv1.SecretObjectReference{
- Name: "ratelimit-cert-origin",
- },
- },
- },
- },
- },
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Strategy: egv1a1.DefaultKubernetesDaemonSetStrategy(),
- Pod: &egv1a1.KubernetesPodSpec{
- Annotations: map[string]string{
- "prometheus.io/scrape": "true",
- },
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: ptr.To[int64](1000),
- },
- Tolerations: []corev1.Toleration{
- {
- Key: "node-type",
- Operator: corev1.TolerationOpExists,
- Effect: corev1.TaintEffectNoSchedule,
- Value: "router",
- },
- },
- Volumes: []corev1.Volume{
- {
- Name: "certs",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: "custom-cert",
- DefaultMode: ptr.To[int32](420),
- },
- },
- },
- },
- },
- Container: &egv1a1.KubernetesContainerSpec{
- Env: []corev1.EnvVar{
- {
- Name: RedisAuthEnvVar,
- Value: "redis_auth_password",
- },
- {
- Name: UseStatsdEnvVar,
- Value: "true",
- },
- },
- Image: ptr.To("custom-image"),
- Resources: &corev1.ResourceRequirements{
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("400m"),
- corev1.ResourceMemory: resource.MustParse("2Gi"),
- },
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("200m"),
- corev1.ResourceMemory: resource.MustParse("1Gi"),
- },
- },
- SecurityContext: &corev1.SecurityContext{
- Privileged: ptr.To(true),
- },
- VolumeMounts: []corev1.VolumeMount{},
- },
- },
- },
- {
- caseName: "with-node-selector",
- rateLimit: rateLimit,
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Pod: &egv1a1.KubernetesPodSpec{
- NodeSelector: map[string]string{
- "key1": "value1",
- "key2": "value2",
- },
- },
- },
- },
- {
- caseName: "enable-tracing",
- rateLimit: &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- },
- },
- Telemetry: &egv1a1.RateLimitTelemetry{
- Tracing: &egv1a1.RateLimitTracing{
- Provider: &egv1a1.RateLimitTracingProvider{
- URL: "http://trace-collector.envoy-gateway-system.svc.cluster.local:4318",
- },
- },
- },
- },
- daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
- },
- {
- caseName: "enable-tracing-custom",
- rateLimit: &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- },
- },
- Telemetry: &egv1a1.RateLimitTelemetry{
- Tracing: &egv1a1.RateLimitTracing{
- SamplingRate: ptr.To[uint32](55),
- Provider: &egv1a1.RateLimitTracingProvider{
- URL: "trace-collector.envoy-gateway-system.svc.cluster.local:4317",
- },
- },
- },
- },
- daemonSetSpec: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDaemonset,
- },
- {
- caseName: "merge-labels",
- rateLimit: &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- },
- },
- },
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Pod: &egv1a1.KubernetesPodSpec{
- Labels: map[string]string{
- "app.kubernetes.io/name": InfraName,
- "app.kubernetes.io/component": "ratelimit",
- "app.kubernetes.io/managed-by": "envoy-gateway",
- "key1": "value1",
- "key2": "value2",
- },
- },
- },
- },
- {
- caseName: "merge-annotations",
- rateLimit: &egv1a1.RateLimit{
- Backend: egv1a1.RateLimitDatabaseBackend{
- Type: egv1a1.RedisBackendType,
- Redis: &egv1a1.RateLimitRedisSettings{
- URL: "redis.redis.svc:6379",
- },
- },
- },
- daemonSetSpec: &egv1a1.KubernetesDaemonSetSpec{
- Pod: &egv1a1.KubernetesPodSpec{
- Annotations: map[string]string{
- "prometheus.io/path": "/metrics",
- "prometheus.io/port": strconv.Itoa(PrometheusPort),
- "prometheus.io/scrape": "true",
- "key1": "value1",
- "key2": "value2",
- },
- },
- },
- },
- }
- for _, tc := range cases {
- t.Run(tc.caseName, func(t *testing.T) {
- cfg.EnvoyGateway.RateLimit = tc.rateLimit
-
- cfg.EnvoyGateway.Provider = &egv1a1.EnvoyGatewayProvider{
- Type: egv1a1.ProviderTypeKubernetes,
- Kubernetes: &egv1a1.EnvoyGatewayKubernetesProvider{
- RateLimitDaemonset: tc.daemonSetSpec,
- },
- }
- r := NewResourceRender(cfg.Namespace, cfg.EnvoyGateway, ownerReferenceUID)
- dp, err := r.DaemonSet()
- require.NoError(t, err)
-
- if *overrideTestData {
- daemonsetYAML, err := yaml.Marshal(dp)
- require.NoError(t, err)
- // nolint:gosec
- err = os.WriteFile(fmt.Sprintf("testdata/daemonsets/%s.yaml", tc.caseName), daemonsetYAML, 0o644)
- require.NoError(t, err)
- return
- }
-
- expected, err := loadDaemonset(tc.caseName)
- require.NoError(t, err)
-
- assert.Equal(t, expected, dp)
- })
- }
-}
-
-func loadDaemonset(caseName string) (*appsv1.DaemonSet, error) {
- daemonsetYaml, err := os.ReadFile(fmt.Sprintf("testdata/daemonsets/%s.yaml", caseName))
- if err != nil {
- return nil, err
- }
- daemonset := &appsv1.DaemonSet{}
- _ = yaml.Unmarshal(daemonsetYaml, daemonset)
- return daemonset, nil
-}
-
func TestGetServiceURL(t *testing.T) {
got := GetServiceURL("envoy-gateway-system", "example-cluster.local")
assert.Equal(t, "grpc://envoy-ratelimit.envoy-gateway-system.svc.example-cluster.local:8081", got)
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml
deleted file mode 100644
index eb3d1dc13d8..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/custom.yaml
+++ /dev/null
@@ -1,151 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- image: custom-image
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- securityContext:
- privileged: true
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext:
- runAsUser: 1000
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml
deleted file mode 100644
index eb3d1dc13d8..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default-env.yaml
+++ /dev/null
@@ -1,151 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- image: custom-image
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- securityContext:
- privileged: true
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext:
- runAsUser: 1000
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml
deleted file mode 100644
index d3182b68dd5..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/default.yaml
+++ /dev/null
@@ -1,156 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- image: envoyproxy/ratelimit:master
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml
deleted file mode 100644
index e902600edbe..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/disable-prometheus.yaml
+++ /dev/null
@@ -1,138 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- image: envoyproxy/ratelimit:master
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml
deleted file mode 100644
index 78242fdc716..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing-custom.yaml
+++ /dev/null
@@ -1,171 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- - name: TRACING_ENABLED
- value: "true"
- - name: TRACING_SERVICE_NAME
- value: envoy-ratelimit
- - name: TRACING_SERVICE_NAMESPACE
- value: envoy-gateway-system
- - name: TRACING_SERVICE_INSTANCE_ID
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: TRACING_SAMPLING_RATE
- value: "0.6"
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4317
- image: envoyproxy/ratelimit:master
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml
deleted file mode 100644
index 31a4ecfdad9..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/enable-tracing.yaml
+++ /dev/null
@@ -1,171 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- - name: TRACING_ENABLED
- value: "true"
- - name: TRACING_SERVICE_NAME
- value: envoy-ratelimit
- - name: TRACING_SERVICE_NAMESPACE
- value: envoy-gateway-system
- - name: TRACING_SERVICE_INSTANCE_ID
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: TRACING_SAMPLING_RATE
- value: "1.0"
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4318
- image: envoyproxy/ratelimit:master
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml
deleted file mode 100644
index 9ec98bc74f3..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/extension-env.yaml
+++ /dev/null
@@ -1,155 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- - name: env_a
- value: env_a_value
- - name: env_b
- value: env_b_value
- image: custom-image
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- securityContext:
- privileged: true
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext:
- runAsUser: 1000
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml
deleted file mode 100644
index 2f34b46f27e..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-annotations.yaml
+++ /dev/null
@@ -1,158 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- key1: value1
- key2: value2
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- image: envoyproxy/ratelimit:master
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml
deleted file mode 100644
index efd6a1382c1..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/merge-labels.yaml
+++ /dev/null
@@ -1,158 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- key1: value1
- key2: value2
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- image: envoyproxy/ratelimit:master
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml
deleted file mode 100644
index 1de6f2237f9..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/override-env.yaml
+++ /dev/null
@@ -1,151 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "true"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- image: custom-image
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- securityContext:
- privileged: true
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext:
- runAsUser: 1000
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml
deleted file mode 100644
index 8527fb93226..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/patch-daemonset.yaml
+++ /dev/null
@@ -1,157 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- image: envoyproxy/ratelimit:master
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirstWithHostNet
- hostNetwork: true
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml
deleted file mode 100644
index a16c8a713a7..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/redis-tls-settings.yaml
+++ /dev/null
@@ -1,166 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "true"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: REDIS_TLS
- value: "true"
- - name: REDIS_TLS_CLIENT_CERT
- value: /redis-certs/tls.crt
- - name: REDIS_TLS_CLIENT_KEY
- value: /redis-certs/tls.key
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- - name: REDIS_AUTH
- value: redis_auth_password
- image: custom-image
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- securityContext:
- privileged: true
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- - mountPath: /redis-certs
- name: redis-certs
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext:
- runAsUser: 1000
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: redis-certs
- secret:
- defaultMode: 420
- secretName: ratelimit-cert
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml
deleted file mode 100644
index 21d5051e084..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/tolerations.yaml
+++ /dev/null
@@ -1,171 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "true"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: REDIS_TLS
- value: "true"
- - name: REDIS_TLS_CLIENT_CERT
- value: /redis-certs/tls.crt
- - name: REDIS_TLS_CLIENT_KEY
- value: /redis-certs/tls.key
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- - name: REDIS_AUTH
- value: redis_auth_password
- image: custom-image
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- securityContext:
- privileged: true
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- - mountPath: /redis-certs
- name: redis-certs
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext:
- runAsUser: 1000
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- tolerations:
- - effect: NoSchedule
- key: node-type
- operator: Exists
- value: router
- volumes:
- - name: redis-certs
- secret:
- defaultMode: 420
- secretName: ratelimit-cert
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml
deleted file mode 100644
index 93f8d545754..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/volumes.yaml
+++ /dev/null
@@ -1,171 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "true"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: REDIS_TLS
- value: "true"
- - name: REDIS_TLS_CLIENT_CERT
- value: /redis-certs/tls.crt
- - name: REDIS_TLS_CLIENT_KEY
- value: /redis-certs/tls.key
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- - name: REDIS_AUTH
- value: redis_auth_password
- image: custom-image
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- securityContext:
- privileged: true
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- - mountPath: /redis-certs
- name: redis-certs
- readOnly: true
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext:
- runAsUser: 1000
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- tolerations:
- - effect: NoSchedule
- key: node-type
- operator: Exists
- value: router
- volumes:
- - name: redis-certs
- secret:
- defaultMode: 420
- secretName: ratelimit-cert-origin
- - name: certs
- secret:
- defaultMode: 420
- secretName: custom-cert
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml
deleted file mode 100644
index 89d061b8da4..00000000000
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/daemonsets/with-node-selector.yaml
+++ /dev/null
@@ -1,159 +0,0 @@
-apiVersion: apps/v1
-kind: Daemonset
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- name: envoy-ratelimit
- namespace: envoy-gateway-system
- ownerReferences:
- - apiVersion: apps/v1
- kind: Daemonset
- name: envoy-gateway
- uid: test-owner-reference-uid-for-deployment
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- template:
- metadata:
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: ratelimit
- app.kubernetes.io/managed-by: envoy-gateway
- app.kubernetes.io/name: envoy-ratelimit
- spec:
- automountServiceAccountToken: false
- containers:
- - command:
- - /bin/ratelimit
- env:
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: LOG_LEVEL
- value: info
- - name: USE_STATSD
- value: "false"
- - name: CONFIG_TYPE
- value: GRPC_XDS_SOTW
- - name: CONFIG_GRPC_XDS_SERVER_URL
- value: envoy-gateway:18001
- - name: CONFIG_GRPC_XDS_NODE_ID
- value: envoy-ratelimit
- - name: GRPC_SERVER_USE_TLS
- value: "true"
- - name: GRPC_SERVER_TLS_CERT
- value: /certs/tls.crt
- - name: GRPC_SERVER_TLS_KEY
- value: /certs/tls.key
- - name: GRPC_SERVER_TLS_CA_CERT
- value: /certs/ca.crt
- - name: CONFIG_GRPC_XDS_SERVER_USE_TLS
- value: "true"
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: /certs/tls.crt
- - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: /certs/tls.key
- - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: /certs/ca.crt
- - name: FORCE_START_WITHOUT_INITIAL_CONFIG
- value: "true"
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis.redis.svc:6379
- - name: USE_PROMETHEUS
- value: "true"
- - name: PROMETHEUS_ADDR
- value: :19001
- - name: PROMETHEUS_MAPPER_YAML
- value: /etc/statsd-exporter/conf.yaml
- image: envoyproxy/ratelimit:master
- imagePullPolicy: IfNotPresent
- name: envoy-ratelimit
- ports:
- - containerPort: 8081
- name: grpc
- protocol: TCP
- readinessProbe:
- failureThreshold: 1
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /etc/statsd-exporter
- name: statsd-exporter-config
- readOnly: true
- dnsPolicy: ClusterFirst
- nodeSelector:
- key1: value1
- key2: value2
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
- terminationGracePeriodSeconds: 300
- volumes:
- - name: certs
- secret:
- defaultMode: 420
- secretName: envoy-rate-limit
- - configMap:
- defaultMode: 420
- name: statsd-exporter-config
- optional: true
- name: statsd-exporter-config
- updateStrategy:
- type: RollingUpdate
-status:
- currentNumberScheduled: 0
- desiredNumberScheduled: 0
- numberMisscheduled: 0
- numberReady: 0
diff --git a/internal/infrastructure/kubernetes/ratelimit_infra.go b/internal/infrastructure/kubernetes/ratelimit_infra.go
index 1b5bfd4ccb7..514f86a1d9d 100644
--- a/internal/infrastructure/kubernetes/ratelimit_infra.go
+++ b/internal/infrastructure/kubernetes/ratelimit_infra.go
@@ -10,9 +10,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
- "sigs.k8s.io/controller-runtime/pkg/client"
"github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit"
)
@@ -36,26 +34,11 @@ func (i *Infra) CreateOrUpdateRateLimitInfra(ctx context.Context) error {
}
ownerReferenceUID[ratelimit.ResourceKindService] = serviceUID
- var uid types.UID
- for _, obj := range []client.Object{&appsv1.Deployment{}, &appsv1.DaemonSet{}} {
- uid, err = i.Client.GetUID(ctx, key, obj)
- if err != nil {
- if errors.IsNotFound(err) {
- continue
- }
- return err
- }
- switch obj.(type) {
- case *appsv1.Deployment:
- ownerReferenceUID[ratelimit.ResourceKindDeployment] = uid
- case *appsv1.DaemonSet:
- ownerReferenceUID[ratelimit.ResourceKindDaemonset] = uid
- }
- break
- }
+ deploymentUID, err := i.Client.GetUID(ctx, key, &appsv1.Deployment{})
if err != nil {
return err
}
+ ownerReferenceUID[ratelimit.ResourceKindDeployment] = deploymentUID
serviceAccountUID, err := i.Client.GetUID(ctx, key, &corev1.ServiceAccount{})
if err != nil {
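Review bot: The replacement `deploymentUID, err := i.Client.GetUID(ctx, key, &appsv1.Deployment{})` drops the NotFound tolerance the removed loop had, so when no envoy-gateway Deployment exists (for instance when the controller itself runs as a DaemonSet) CreateOrUpdateRateLimitInfra now fails before any rate limit resources are created, and the owner reference that drives garbage collection of that infra is never set. If that is intended now that DaemonSet support for ratelimit is being removed, a comment stating the hard requirement would make it visible, e.g. `// The rate limit infra is owned by the envoy-gateway Deployment; a missing Deployment is an error, not a fallback case.` Returning the bare `err` also loses which lookup failed; `return fmt.Errorf("getting envoy gateway deployment uid: %w", err)` would help, assuming `fmt` is already imported in this file. The `k8s.io/apimachinery/pkg/types` import is kept in the import hunk above although its only visible use (`var uid types.UID`) is removed, so it becomes unused unless `key` or something else in this function still refers to the package. CreateOrUpdateRateLimitInfra starts and ends outside the hunk.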
diff --git a/internal/infrastructure/kubernetes/ratelimit_infra_test.go b/internal/infrastructure/kubernetes/ratelimit_infra_test.go
index e49992194d4..1b4976ac361 100644
--- a/internal/infrastructure/kubernetes/ratelimit_infra_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit_infra_test.go
@@ -12,7 +12,6 @@ import (
"github.com/stretchr/testify/require"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
- kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
@@ -68,20 +67,6 @@ func createEnvoyGatewayDeployment(t *testing.T, client client.Client, ns string)
require.NoError(t, err)
}
-func createEnvoyGatewayDaemonset(t *testing.T, client client.Client, ns string) {
- err := client.Create(context.Background(), &appsv1.DaemonSet{
- TypeMeta: metav1.TypeMeta{
- Kind: "Daemonset",
- APIVersion: "apps/v1",
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "envoy-gateway",
- Namespace: ns,
- },
- })
- require.NoError(t, err)
-}
-
func createEnvoyGatewayServiceAccount(t *testing.T, client client.Client, ns string) {
err := client.Create(context.Background(), &corev1.ServiceAccount{
TypeMeta: metav1.TypeMeta{
@@ -111,15 +96,6 @@ func TestCreateRateLimitInfra(t *testing.T) {
},
expect: true,
},
- {
- name: "daemonset",
- ownerReferences: []string{
- ratelimit.ResourceKindService,
- ratelimit.ResourceKindDaemonset,
- ratelimit.ResourceKindServiceAccount,
- },
- expect: true,
- },
{
name: "default infra but missing service owner reference",
ownerReferences: []string{
@@ -162,8 +138,6 @@ func TestCreateRateLimitInfra(t *testing.T) {
createEnvoyGatewayService(t, kube.Client.Client, kube.Namespace)
case ratelimit.ResourceKindDeployment:
createEnvoyGatewayDeployment(t, kube.Client.Client, kube.Namespace)
- case ratelimit.ResourceKindDaemonset:
- createEnvoyGatewayDaemonset(t, kube.Client.Client, kube.Namespace)
case ratelimit.ResourceKindServiceAccount:
createEnvoyGatewayServiceAccount(t, kube.Client.Client, kube.Namespace)
}
@@ -186,26 +160,14 @@ func TestCreateRateLimitInfra(t *testing.T) {
}
require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(sa), sa))
- // Check for either a Deployment or DaemonSet
deploy := &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Namespace: kube.Namespace,
Name: ratelimit.InfraName,
},
}
- daemonset := &appsv1.DaemonSet{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: kube.Namespace,
- Name: ratelimit.InfraName,
- },
- }
- err = kube.Client.Get(context.Background(), client.ObjectKeyFromObject(deploy), deploy)
- if kerrors.IsNotFound(err) {
- err = kube.Client.Get(context.Background(), client.ObjectKeyFromObject(daemonset), daemonset)
- require.NoError(t, err)
- } else {
- require.NoError(t, err)
- }
+ require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(deploy), deploy))
+
svc := &corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Namespace: kube.Namespace,
From 36100da48d1011c947733b27af7671c68b55b0d7 Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sun, 13 Oct 2024 00:18:31 -0600
Subject: [PATCH 11/12] remove ratelimit changes
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
api/v1alpha1/envoygateway_helpers.go | 13 ++------
api/v1alpha1/envoygateway_types.go | 7 -----
api/v1alpha1/zz_generated.deepcopy.go | 5 ----
.../kubernetes/ratelimit/resource.go | 30 +++++++++----------
.../kubernetes/ratelimit/resource_provider.go | 4 +--
site/content/en/latest/api/extension_types.md | 2 --
site/content/zh/latest/api/extension_types.md | 2 --
7 files changed, 19 insertions(+), 44 deletions(-)
diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go
index 2650ccaa78e..fed2f6fa075 100644
--- a/api/v1alpha1/envoygateway_helpers.go
+++ b/api/v1alpha1/envoygateway_helpers.go
@@ -228,20 +228,11 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern
r.Kubernetes.LeaderElection = DefaultLeaderElection()
}
- // if RateLimitDeployment and RateLimitDaemonset are both nil, use RateLimitDeployment
- if r.Kubernetes.RateLimitDeployment == nil && r.Kubernetes.RateLimitDaemonset == nil {
+ if r.Kubernetes.RateLimitDeployment == nil {
r.Kubernetes.RateLimitDeployment = DefaultKubernetesDeployment(DefaultRateLimitImage)
}
- // if use RateLimitDeployment, set default values
- if r.Kubernetes.RateLimitDeployment != nil {
- r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage)
- }
-
- // if use RateLimitDaemonset, set default values
- if r.Kubernetes.RateLimitDaemonset != nil {
- r.Kubernetes.RateLimitDaemonset.defaultKubernetesDaemonSetSpec(DefaultRateLimitImage)
- }
+ r.Kubernetes.RateLimitDeployment.defaultKubernetesDeploymentSpec(DefaultRateLimitImage)
if r.Kubernetes.ShutdownManager == nil {
r.Kubernetes.ShutdownManager = &ShutdownManager{Image: ptr.To(DefaultShutdownManagerImage)}
diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
index ab76c9c443e..6cf8e334182 100644
--- a/api/v1alpha1/envoygateway_types.go
+++ b/api/v1alpha1/envoygateway_types.go
@@ -202,13 +202,6 @@ type EnvoyGatewayKubernetesProvider struct {
// +optional
RateLimitDeployment *KubernetesDeploymentSpec `json:"rateLimitDeployment,omitempty"`
- // RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
- // If unspecified, default settings for the managed Envoy ratelimit daemonset resource
- // are applied.
- //
- // +optional
- RateLimitDaemonset *KubernetesDaemonSetSpec `json:"rateLimitDaemonset,omitempty"`
-
// Watch holds configuration of which input resources should be watched and reconciled.
// +optional
Watch *KubernetesWatchMode `json:"watch,omitempty"`
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index c6dd99f41d4..a72706c33bb 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -1516,11 +1516,6 @@ func (in *EnvoyGatewayKubernetesProvider) DeepCopyInto(out *EnvoyGatewayKubernet
*out = new(KubernetesDeploymentSpec)
(*in).DeepCopyInto(*out)
}
- if in.RateLimitDaemonset != nil {
- in, out := &in.RateLimitDaemonset, &out.RateLimitDaemonset
- *out = new(KubernetesDaemonSetSpec)
- (*in).DeepCopyInto(*out)
- }
if in.Watch != nil {
in, out := &in.Watch, &out.Watch
*out = new(KubernetesWatchMode)
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go
index 669df866285..4785a700d40 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource.go
@@ -138,7 +138,7 @@ func rateLimitLabels() map[string]string {
}
// expectedRateLimitContainers returns expected rateLimit containers.
-func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec,
+func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec,
namespace string,
) []corev1.Container {
ports := []corev1.ContainerPort{
@@ -152,16 +152,16 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitContainer
containers := []corev1.Container{
{
Name: InfraName,
- Image: *rateLimitContainerSpec.Image,
+ Image: *rateLimitDeployment.Container.Image,
ImagePullPolicy: corev1.PullIfNotPresent,
Command: []string{
"/bin/ratelimit",
},
- Env: expectedRateLimitContainerEnv(rateLimit, rateLimitContainerSpec, namespace),
+ Env: expectedRateLimitContainerEnv(rateLimit, rateLimitDeployment, namespace),
Ports: ports,
- Resources: *rateLimitContainerSpec.Resources,
- SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitContainerSpec),
- VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitContainerSpec),
+ Resources: *rateLimitDeployment.Container.Resources,
+ SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitDeployment),
+ VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitDeployment),
TerminationMessagePolicy: corev1.TerminationMessageReadFile,
TerminationMessagePath: "/dev/termination-log",
StartupProbe: &corev1.Probe{
@@ -197,7 +197,7 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitContainer
}
// expectedContainerVolumeMounts returns expected rateLimit container volume mounts.
-func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec) []corev1.VolumeMount {
+func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.VolumeMount {
var volumeMounts []corev1.VolumeMount
// mount the cert
@@ -223,11 +223,11 @@ func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitContain
})
}
- return resource.ExpectedContainerVolumeMounts(rateLimitContainerSpec, volumeMounts)
+ return resource.ExpectedContainerVolumeMounts(rateLimitDeployment.Container, volumeMounts)
}
// expectedDeploymentVolumes returns expected rateLimit deployment volumes.
-func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitPodSpec *egv1a1.KubernetesPodSpec) []corev1.Volume {
+func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.Volume {
var volumes []corev1.Volume
if rateLimit.Backend.Redis != nil &&
@@ -269,11 +269,11 @@ func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitPodSpec *eg
})
}
- return resource.ExpectedVolumes(rateLimitPodSpec, volumes)
+ return resource.ExpectedVolumes(rateLimitDeployment.Pod, volumes)
}
// expectedRateLimitContainerEnv returns expected rateLimit container envs.
-func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitContainerSpec *egv1a1.KubernetesContainerSpec,
+func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec,
namespace string,
) []corev1.EnvVar {
env := []corev1.EnvVar{
@@ -445,7 +445,7 @@ func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitContain
env = append(env, tracingEnvs...)
}
- return resource.ExpectedContainerEnv(rateLimitContainerSpec, env)
+ return resource.ExpectedContainerEnv(rateLimitDeployment.Container, env)
}
// Validate the ratelimit tls secret validating.
@@ -489,9 +489,9 @@ func checkTraceEndpointScheme(url string) string {
return fmt.Sprintf("%s%s", httpScheme, url)
}
-func expectedRateLimitContainerSecurityContext(rateLimitContainerSpec *egv1a1.KubernetesContainerSpec) *corev1.SecurityContext {
- if rateLimitContainerSpec.SecurityContext != nil {
- return rateLimitContainerSpec.SecurityContext
+func expectedRateLimitContainerSecurityContext(rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) *corev1.SecurityContext {
+ if rateLimitDeployment.Container.SecurityContext != nil {
+ return rateLimitDeployment.Container.SecurityContext
}
return defaultSecurityContext()
}
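Review bot: `expectedRateLimitContainerSecurityContext` has no doc comment, and its contract is worth spelling out: a user-supplied `Container.SecurityContext` replaces `defaultSecurityContext()` wholesale rather than being merged with it, so any hardening the default carries is dropped as soon as an operator sets a single field. Suggest `// expectedRateLimitContainerSecurityContext returns the container SecurityContext from the rate limit deployment spec when one is set, otherwise defaultSecurityContext(). A user-supplied context is used as-is and is not merged with the defaults.` The function also dereferences `rateLimitDeployment.Container` without a nil check, as do the other helpers changed in this file; this presumably relies on the unconditional `defaultKubernetesDeploymentSpec` call in `GetEnvoyGatewayKubeProvider` earlier in this patch, which is worth confirming for every caller.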
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
index bcc9d580cfc..50c5c8bf7f2 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
@@ -196,7 +196,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
return nil, er
}
- containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment.Container, r.Namespace)
+ containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment, r.Namespace)
selector := resource.GetSelector(rateLimitLabels())
podLabels := rateLimitLabels()
@@ -250,7 +250,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
RestartPolicy: corev1.RestartPolicyAlways,
SchedulerName: "default-scheduler",
SecurityContext: r.rateLimitDeployment.Pod.SecurityContext,
- Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment.Pod),
+ Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment),
Affinity: r.rateLimitDeployment.Pod.Affinity,
Tolerations: r.rateLimitDeployment.Pod.Tolerations,
ImagePullSecrets: r.rateLimitDeployment.Pod.ImagePullSecrets,
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 640feb97101..76adfb15735 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1147,7 +1147,6 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. |
-| `rateLimitDaemonset` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
If unspecified, default settings for the managed Envoy ratelimit daemonset resource
are applied. |
| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. |
| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed |
| `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
@@ -2433,7 +2432,6 @@ _Appears in:_
KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource.
_Appears in:_
-- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)
- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)
| Field | Type | Required | Description |
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md
index 640feb97101..76adfb15735 100644
--- a/site/content/zh/latest/api/extension_types.md
+++ b/site/content/zh/latest/api/extension_types.md
@@ -1147,7 +1147,6 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. |
-| `rateLimitDaemonset` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | RateLimitDaemonset defines the desired state of the Envoy ratelimit daemonset resource.
If unspecified, default settings for the managed Envoy ratelimit daemonset resource
are applied. |
| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. |
| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed |
| `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
@@ -2433,7 +2432,6 @@ _Appears in:_
KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource.
_Appears in:_
-- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)
- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)
| Field | Type | Required | Description |
From 29425bcf8d6dc43060fe3e40cb219af8ea7a2e4b Mon Sep 17 00:00:00 2001
From: jukie <10012479+Jukie@users.noreply.github.com>
Date: Sun, 13 Oct 2024 15:28:31 -0600
Subject: [PATCH 12/12] DaemonSet naming syntax
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com>
---
internal/gatewayapi/status/gateway.go | 4 ++--
internal/provider/kubernetes/controller.go | 2 +-
internal/provider/kubernetes/predicates.go | 6 +++---
internal/provider/kubernetes/predicates_test.go | 10 +++++-----
internal/provider/kubernetes/test/utils.go | 4 ++--
5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go
index 740e3089178..8bf822479d0 100644
--- a/internal/gatewayapi/status/gateway.go
+++ b/internal/gatewayapi/status/gateway.go
@@ -138,7 +138,7 @@ const (
)
// updateGatewayProgrammedCondition computes the Gateway Programmed status condition.
-// Programmed condition surfaces true when the Envoy Deployment or Daemonset status is ready.
+// Programmed condition surfaces true when the Envoy Deployment or DaemonSet status is ready.
func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Object) {
if len(gw.Status.Addresses) == 0 {
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
@@ -177,7 +177,7 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec
}
// If there are no available replicas for the Envoy Deployment or
- // Envoy Daemonset, don't mark the Gateway as ready yet.
+ // Envoy DaemonSet, don't mark the Gateway as ready yet.
gw.Status.Conditions = MergeConditions(gw.Status.Conditions,
newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources),
messageNoResources, time.Now(), gw.Generation))
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index 652003b58ef..915e6e5acd8 100644
--- a/internal/provider/kubernetes/controller.go
+++ b/internal/provider/kubernetes/controller.go
@@ -1405,7 +1405,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
return err
}
- // Watch Daemonset CRUDs and process affected Gateways.
+ // Watch DaemonSet CRUDs and process affected Gateways.
daemonsetPredicates := []predicate.TypedPredicate[*appsv1.DaemonSet]{
predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool {
return r.validateObjectForReconcile(daemonset)
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
index 4bcaee97be8..9c4d582b58b 100644
--- a/internal/provider/kubernetes/predicates.go
+++ b/internal/provider/kubernetes/predicates.go
@@ -440,9 +440,9 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje
return r.isEnvoyExtensionPolicyReferencingBackend(&nsName)
}
-// validateObjectForReconcile tries finding the owning Gateway of the Deployment or Daemonset
+// validateObjectForReconcile tries finding the owning Gateway of the Deployment or DaemonSet
// if it exists, finds the Gateway's Service, and further updates the Gateway
-// status Ready condition. No Deployments or Daemonsets are pushed for reconciliation.
+// status Ready condition. No Deployments or DaemonSets are pushed for reconciliation.
func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) bool {
ctx := context.Background()
labels := obj.GetLabels()
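Review bot: The comment rewritten at the top of this hunk still says the function updates the Gateway `status Ready condition`, but the status code this patch also touches computes the Programmed condition (`gwapiv1.GatewayConditionProgrammed` in gateway.go). Since the commit is already editing this comment, fix the wording as well: `// status Programmed condition. No Deployments or DaemonSets are pushed for reconciliation.` The body of validateObjectForReconcile continues outside the hunk.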
@@ -471,7 +471,7 @@ func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) boo
return false
}
-// envoyObjectForGateway returns the Envoy Deployment or Daemonset, returning nil if neither exists.
+// envoyObjectForGateway returns the Envoy Deployment or DaemonSet, returning nil if neither exists.
func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) {
// Helper func to list and return the first object from results
listResource := func(list client.ObjectList) (client.Object, error) {
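Review bot: The doc comment on `envoyObjectForGateway` says it returns the Deployment or DaemonSet but not which one wins when both exist for a Gateway, and the `listResource` helper returns the first object from a list, so the result depends on a lookup order the comment leaves unstated. Since the commit is already rewording this comment, state the precedence explicitly, e.g. `// envoyObjectForGateway returns the Envoy Deployment or DaemonSet owned by the Gateway, checking [KIND CHECKED FIRST] first; it returns nil if neither exists.` with the kind taken from the lookup order in the body, which continues outside the hunk.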
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go
index 5525d212c0d..ef8182ffdb9 100644
--- a/internal/provider/kubernetes/predicates_test.go
+++ b/internal/provider/kubernetes/predicates_test.go
@@ -556,7 +556,7 @@ func TestValidateServiceForReconcile(t *testing.T) {
configs: []client.Object{
test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil),
sampleGateway,
- test.GetGatewayDaemonset(types.NamespacedName{Name: proxy.ExpectedResourceHashedName("default/scheduled-status-test")}, nil),
+ test.GetGatewayDaemonSet(types.NamespacedName{Name: proxy.ExpectedResourceHashedName("default/scheduled-status-test")}, nil),
},
service: test.GetService(types.NamespacedName{Name: "service"}, map[string]string{
gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
@@ -887,7 +887,7 @@ func TestValidateObjectForReconcile(t *testing.T) {
expect bool
}{
{
- // No config should lead to a reconciliation of a Deployment or Daemonset object. The main
+ // No config should lead to a reconciliation of a Deployment or DaemonSet object. The main
// purpose of the watcher is just for updating Gateway object statuses.
name: "gateway deployment or daemonset also exist",
configs: []client.Object{
@@ -902,7 +902,7 @@ func TestValidateObjectForReconcile(t *testing.T) {
test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
gatewayapi.OwningGatewayNamespaceLabel: "default",
- }), test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ }), test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{
gatewayapi.OwningGatewayNameLabel: "scheduled-status-test",
gatewayapi.OwningGatewayNamespaceLabel: "default",
}),
@@ -924,7 +924,7 @@ func TestValidateObjectForReconcile(t *testing.T) {
test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
gatewayapi.OwningGatewayClassLabel: "test-mg",
}),
- test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{
gatewayapi.OwningGatewayClassLabel: "test-mg",
}),
},
@@ -948,7 +948,7 @@ func TestValidateObjectForReconcile(t *testing.T) {
test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{
gatewayapi.OwningGatewayClassLabel: "test-mg",
}),
- test.GetGatewayDaemonset(types.NamespacedName{Name: "daemonset"}, map[string]string{
+ test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{
gatewayapi.OwningGatewayClassLabel: "test-mg",
}),
},
diff --git a/internal/provider/kubernetes/test/utils.go b/internal/provider/kubernetes/test/utils.go
index 7275565f638..77bc50c5e6f 100644
--- a/internal/provider/kubernetes/test/utils.go
+++ b/internal/provider/kubernetes/test/utils.go
@@ -299,8 +299,8 @@ func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string)
}
}
-// GetGatewayDaemonset returns a sample Daemonset for a Gateway object.
-func GetGatewayDaemonset(nsName types.NamespacedName, labels map[string]string) client.Object {
+// GetGatewayDaemonSet returns a sample DaemonSet for a Gateway object.
+func GetGatewayDaemonSet(nsName types.NamespacedName, labels map[string]string) client.Object {
return &appsv1.DaemonSet{
ObjectMeta: metav1.ObjectMeta{
Namespace: nsName.Namespace,