diff --git a/.changelog/4152.txt b/.changelog/4152.txt new file mode 100644 index 0000000000..7dbc369814 --- /dev/null +++ b/.changelog/4152.txt @@ -0,0 +1,7 @@ +```release-note:improvement +control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. +``` + +```release-note:bug +connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar +``` diff --git a/.changelog/4153.txt b/.changelog/4153.txt new file mode 100644 index 0000000000..3a42a23e4b --- /dev/null +++ b/.changelog/4153.txt @@ -0,0 +1,3 @@ +```release-note:bug +terminating-gateway: Fix generated acl policy for external services to include the namespace and partition block if they are enabled. +``` diff --git a/.changelog/4154.txt b/.changelog/4154.txt new file mode 100644 index 0000000000..e06736fdbc --- /dev/null +++ b/.changelog/4154.txt @@ -0,0 +1,3 @@ +```release-note:security +Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) +``` \ No newline at end of file diff --git a/.changelog/4169.txt b/.changelog/4169.txt new file mode 100644 index 0000000000..17b09a331d --- /dev/null +++ b/.changelog/4169.txt @@ -0,0 +1,3 @@ +```release-note:security +Upgrade go-retryablehttp to v0.7.7 to address [GHSA-v6v8-xj6m-xwqh](https://github.com/advisories/GHSA-v6v8-xj6m-xwqh) +``` diff --git a/.changelog/4184.txt b/.changelog/4184.txt new file mode 100644 index 0000000000..2e56047b49 --- /dev/null +++ b/.changelog/4184.txt @@ -0,0 +1,4 @@ +```release-note:improvement +* helm: Adds `webhookCertManager.resources` field which can be configured to override the `resource` settings for the `webhook-cert-manager` deployment. +* helm: Adds `connectInject.apiGateway.managedGatewayClass.resourceJob.resources` field which can be configured to override the `resource` settings for the `gateway-resources-job` job. +``` \ No newline at end of file 
diff --git a/.changelog/4210.txt b/.changelog/4210.txt new file mode 100644 index 0000000000..37ae8a9776 --- /dev/null +++ b/.changelog/4210.txt @@ -0,0 +1,3 @@ +```release-note:bug +helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job, would fail before if the image was in a private registry +``` diff --git a/.changelog/4213.txt b/.changelog/4213.txt new file mode 100644 index 0000000000..4e88032ae6 --- /dev/null +++ b/.changelog/4213.txt @@ -0,0 +1,3 @@ +```release-note:bug +Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. +``` diff --git a/.changelog/4224.txt b/.changelog/4224.txt new file mode 100644 index 0000000000..6fde378368 --- /dev/null +++ b/.changelog/4224.txt @@ -0,0 +1,3 @@ +```release-note:bug +terminating-gateways: Fix bug where namespace field was not correctly set on ACL policies if using the `Registration` CRD with the service's namespace unset. +``` diff --git a/.changelog/4227.txt b/.changelog/4227.txt new file mode 100644 index 0000000000..feb7844aae --- /dev/null +++ b/.changelog/4227.txt @@ -0,0 +1,4 @@ +```release-note:bug +openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. +This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. +``` diff --git a/.changelog/4228.txt b/.changelog/4228.txt new file mode 100644 index 0000000000..465229e7d9 --- /dev/null +++ b/.changelog/4228.txt @@ -0,0 +1,6 @@ +```release-note:security +Upgrade Docker cli to use v.27.1. This addresses CVE +[CVE-2024-41110](https://nvd.nist.gov/vuln/detail/CVE-2024-41110)``` + +```release-note:security +Bump Go to 1.22.5 to address [CVE-2024-24791](https://nvd.nist.gov/vuln/detail/CVE-2024-24791)``` diff --git a/.changelog/4244.txt b/.changelog/4244.txt new file mode 100644 index 0000000000..424ec726e2 --- /dev/null +++ b/.changelog/4244.txt 
@@ -0,0 +1,3 @@ +```release-note:improvement +helm: Kubernetes v1.30 is now supported. Minimum tested version of Kubernetes is now v1.27. +``` diff --git a/.changelog/4247.txt b/.changelog/4247.txt new file mode 100644 index 0000000000..b0b75950a8 --- /dev/null +++ b/.changelog/4247.txt @@ -0,0 +1,3 @@ +```release-note:bug +api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified +``` diff --git a/.changelog/4255.txt b/.changelog/4255.txt new file mode 100644 index 0000000000..1960697afa --- /dev/null +++ b/.changelog/4255.txt @@ -0,0 +1,3 @@ +```release-note:bug +sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. +``` \ No newline at end of file diff --git a/.changelog/4256.txt b/.changelog/4256.txt new file mode 100644 index 0000000000..d2279cfce7 --- /dev/null +++ b/.changelog/4256.txt @@ -0,0 +1,3 @@ +```release-note:improvement +config-entry: add validate_clusters to mesh config entry +``` \ No newline at end of file diff --git a/.changelog/4266.txt b/.changelog/4266.txt new file mode 100644 index 0000000000..44ea4ecf1c --- /dev/null +++ b/.changelog/4266.txt @@ -0,0 +1,3 @@ +```release-note:bug +sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process +``` diff --git a/.changelog/4287.txt b/.changelog/4287.txt new file mode 100644 index 0000000000..68f9f3085c --- /dev/null +++ b/.changelog/4287.txt @@ -0,0 +1,7 @@ +```release-note:enhancement +docker: update go-discover binary +``` + +```release-note:enhancement +docker: update ubi base image to `ubi9-minimal:9.4`. +``` \ No newline at end of file diff --git a/.changelog/4307.txt b/.changelog/4307.txt new file mode 100644 index 0000000000..9de7580e9e --- /dev/null +++ b/.changelog/4307.txt @@ -0,0 +1,3 @@ +```release-note:improvement +connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole +``` 
diff --git a/.changelog/4313.txt b/.changelog/4313.txt new file mode 100644 index 0000000000..e6ab5ba811 --- /dev/null +++ b/.changelog/4313.txt @@ -0,0 +1,4 @@ +```release-note:security +Upgrade Go to use 1.22.7. This addresses CVE +[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) +``` \ No newline at end of file diff --git a/.changelog/4315.txt b/.changelog/4315.txt new file mode 100644 index 0000000000..05b7fb01da --- /dev/null +++ b/.changelog/4315.txt @@ -0,0 +1,3 @@ +```release-note:bug +helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart. +``` diff --git a/.changelog/4316.txt b/.changelog/4316.txt new file mode 100644 index 0000000000..5397ebd093 --- /dev/null +++ b/.changelog/4316.txt @@ -0,0 +1,5 @@ +```release-note:bug +api-gateway: `global.imagePullSecrets` are now configured on the `ServiceAccount` for `Gateways`. + +Note: the referenced image pull Secret(s) must be present in the same namespace the `Gateway` is deployed to. +``` diff --git a/.changelog/4333.txt b/.changelog/4333.txt new file mode 100644 index 0000000000..bf9ff0167a --- /dev/null +++ b/.changelog/4333.txt @@ -0,0 +1,3 @@ +```release-note:improvement +helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. +``` diff --git a/.github/scripts/check_skip_ci.sh b/.github/scripts/check_skip_ci.sh deleted file mode 100755 index 64ef618267..0000000000 --- a/.github/scripts/check_skip_ci.sh +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/bash -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -set -euo pipefail - -# Get the list of changed files -# Using `git merge-base` ensures that we're always comparing against the correct branch point. -#For example, given the commits: -# -# A---B---C---D---W---X---Y---Z # origin/main -# \---E---F # feature/branch -# -# ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D` -# `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD).. -files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD) - -# Define the directories to check -skipped_directories=("assets" ".changelog/") - -# Loop through the changed files and find directories/files outside the skipped ones -files_to_check_array=($files_to_check) -for file_to_check in "${files_to_check_array[@]}"; do - file_is_skipped=false - echo "checking file: $file_to_check" - - # Allow changes to: - # - This script - # - Files in the skipped directories - # - Markdown files - for dir in "${skipped_directories[@]}"; do - if [[ "$file_to_check" == */check_skip_ci.sh ]] || - [[ "$file_to_check" == "$dir"* ]] || - [[ "$file_to_check" == *.md ]]; then - file_is_skipped=true - break - fi - done - - if [ "$file_is_skipped" != "true" ]; then - echo -e "non-skippable file changed: $file_to_check" - SKIP_CI=false - echo "Changes detected in non-documentation files - will not skip tests and build" - echo "skip-ci=false" >> "$GITHUB_OUTPUT" - exit 0 ## if file is outside of the skipped_directory exit script - fi -done - -echo "Changes detected in only documentation files - skipping tests and build" -echo "skip-ci=true" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 736c1ad0f0..eba3e89765 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -27,3 +27,34 @@ jobs: ref: main token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} inputs: '{ "context":"${{ env.CONTEXT }}", "actor":"${{ github.actor }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ env.SHA }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }' + + pass-required-checks-on-skip: + needs: [ conditional-skip ] + if: needs.conditional-skip.outputs.skip-ci == 'true' + runs-on: ubuntu-latest + strategy: + matrix: + include: + # The required checks that should be "passed" when the CI is skipped + - check-name: acceptance + - check-name: acceptance-cni + - check-name: acceptance-tproxy + - check-name: Unit test helm templates + - check-name: Unit test helm gen + - check-name: Unit test enterprise control plane + - check-name: Unit test control plane + - check-name: Unit test cli + - check-name: Unit test acceptance + - check-name: Unit test helm gen + steps: + - name: Update final status + uses: docker://ghcr.io/curtbushko/commit-status-action:e1d661c757934ab35c74210b4b70c44099ec747a + env: + INPUT_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} + INPUT_REPOSITORY: ${{ github.repository }} + INPUT_CONTEXT: ${{ matrix.check-name }} + INPUT_STATE: success + INPUT_DESCRIPTION: "Skipped due to conditional-skip check" + INPUT_SHA: ${{ env.SHA }} + INPUT_DETAILS_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + INPUT_OWNER: "hashicorp" diff --git a/.github/workflows/reusable-conditional-skip.yml b/.github/workflows/reusable-conditional-skip.yml index ef469ee9aa..113649fd6f 100644 --- a/.github/workflows/reusable-conditional-skip.yml +++ b/.github/workflows/reusable-conditional-skip.yml 
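Review bot: `secrets.ELEVATED_GITHUB_TOKEN` is handed to a container image from a personal ghcr.io namespace, `docker://ghcr.io/curtbushko/commit-status-action:e1d661c…`, and that reference is a tag, not an immutable digest; a tag can be re-pushed, so whoever controls that namespace could swap the image and read a token that is allowed to write commit statuses on this repository. Pin it by digest, `uses: docker://ghcr.io/curtbushko/commit-status-action@sha256:<digest>`, or vendor the action under the hashicorp org, and consider a dedicated token scoped to `statuses:write` rather than the elevated one. The `include` list also names `Unit test helm gen` twice, which only produces a duplicate status write. `env.SHA` used in `INPUT_SHA` is defined outside this hunk, so whether it is set for every trigger of this workflow cannot be confirmed from here.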
@@ -12,13 +12,58 @@ jobs: runs-on: ubuntu-latest name: Check whether to skip build and tests outputs: - skip-ci: ${{ steps.check-changed-files.outputs.skip-ci }} - env: - SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }} + skip-ci: ${{ steps.maybe-skip-ci.outputs.skip-ci }} steps: + # We only allow use of conditional skip in two scenarios: + # 1. PRs + # 2. Pushes (merges) to protected branches (`main`, `release/**`) + # + # The second scenario is the only place we can be sure that checking just the + # latest change on the branch is sufficient. In PRs, we need to check _all_ commits. + # The ability to do this is ultimately determined by the triggers of the calling + # workflow, since `base_ref` (the target branch of a PR) is only available in + # `pull_request` events, not `push`. + - name: Error if conditional check is not allowed + if: ${{ !github.base_ref && !github.ref_protected }} + run: | + echo "Conditional skip requires a PR event with 'base_ref' or 'push' to a protected branch." + echo "github.base_ref: ${{ github.base_ref }}" + echo "github.ref_protected: ${{ github.ref_protected }}" + echo "github.ref_name: ${{ github.ref_name }}" + echo "Check the triggers of the calling workflow to ensure that these requirements are met." + exit 1 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: fetch-depth: 0 - - name: Check changed files - id: check-changed-files - run: ./.github/scripts/check_skip_ci.sh \ No newline at end of file + - name: Check for skippable file changes + id: changed-files + uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1 + with: + # This is a multi-line YAML string with one match pattern per line. + # Do not use quotes around values, as it's not supported. + # See https://github.com/tj-actions/changed-files/blob/main/README.md#inputs-%EF%B8%8F + # for usage, options, and more details on match syntax. 
+ files: | + .github/workflows/reusable-conditional-skip.yml + LICENSE + .copywrite.hcl + .gitignore + **.md + assets/** + .changelog/** + - name: Print changed files + env: + SKIPPABLE_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} + NON_SKIPPABLE_FILES: ${{ steps.changed-files.outputs.other_changed_files }} + run: | + echo "Skippable changed files:" + for file in ${SKIPPABLE_CHANGED_FILES}; do echo " $file"; done + echo + echo "Non-skippable files:" + for file in ${NON_SKIPPABLE_FILES}; do echo " $file"; done + - name: Skip tests and build if only skippable files changed + id: maybe-skip-ci + if: ${{ steps.changed-files.outputs.only_changed == 'true' }} + run: | + echo "Skipping tests and build because only skippable files changed" + echo "skip-ci=true" >> $GITHUB_OUTPUT \ No newline at end of file diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 120b564301..d436f33601 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -1,3 +1,5 @@ +# This job runs a non-blocking informational security scan on the repository. +# For release-blocking security scans, see .release/security-scan.hcl. name: Security Scan on: @@ -9,6 +11,11 @@ on: branches: - main - release/** + # paths-ignore only works for non-required checks. + # Jobs that are required for merge must use reusable-conditional-skip.yml. + paths-ignore: + - 'assets/**' + - '.changelog/**' # cancel existing runs of the same workflow on the same ref concurrency: @@ -16,13 +23,8 @@ concurrency: cancel-in-progress: true jobs: - conditional-skip: - uses: ./.github/workflows/reusable-conditional-skip.yml - get-go-version: # Cascades down to test jobs - needs: [ conditional-skip ] - if: needs.conditional-skip.outputs.skip-ci != 'true' uses: ./.github/workflows/reusable-get-go-version.yml scan: 
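Review bot: The skip list in `files:` includes `.github/workflows/reusable-conditional-skip.yml` itself, so a pull request that changes only the skip logic is evaluated by the modified logic and, via `pass-required-checks-on-skip` in pr.yml, gets every required check marked successful without running a single test or build. That makes the gate self-certifying: a mistake (or a deliberate widening of the pattern list) in the workflow is merged untested. Drop that line so that edits to the gate always trigger the full pipeline; the cost is one full CI run per change to this file. The other patterns (`LICENSE`, `.copywrite.hcl`, `.gitignore`, `**.md`, `assets/**`, `.changelog/**`) look safe to skip on, assuming `**.md` does not also match markdown that a build step consumes, which cannot be verified from this hunk.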
@@ -46,7 +48,7 @@ jobs: uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: hashicorp/security-scanner - token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }} + token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }} path: security-scanner ref: main diff --git a/.github/workflows/weekly-acceptance-1-5-x.yml b/.github/workflows/weekly-acceptance-1-4-0-rc1.yml similarity index 93% rename from .github/workflows/weekly-acceptance-1-5-x.yml rename to .github/workflows/weekly-acceptance-1-4-0-rc1.yml index ea245dc1d9..58898baeab 100644 --- a/.github/workflows/weekly-acceptance-1-5-x.yml +++ b/.github/workflows/weekly-acceptance-1-4-0-rc1.yml @@ -1,7 +1,7 @@ # Dispatch to the consul-k8s-workflows with a weekly cron # # A separate file is needed for each release because the cron schedules are different for each release. -name: weekly-acceptance-1-5-x +name: weekly-acceptance-1-4-0-rc1 on: schedule: # * is a special character in YAML so you have to quote this string @@ -10,7 +10,7 @@ on: # these should be the only settings that you will ever need to change env: - BRANCH: "release/1.5.x" + BRANCH: "release/1.4.0-rc1" CONTEXT: "weekly" jobs: diff --git a/.go-version b/.go-version index 2a0ba77cc5..87b26e8b1a 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.22.4 +1.22.7 diff --git a/CHANGELOG.md b/CHANGELOG.md index e25a0002a4..7a422cfe3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,54 @@ +## 1.5.3 (August 30, 2024) + +SECURITY: + +* Bump Go to 1.22.5 to address [CVE-2024-24791](https://nvd.nist.gov/vuln/detail/CVE-2024-24791) [[GH-4228](https://github.com/hashicorp/consul-k8s/issues/4228)] +* Upgrade Docker cli to use v.27.1. This addresses CVE +[CVE-2024-41110](https://nvd.nist.gov/vuln/detail/CVE-2024-41110) [[GH-4228](https://github.com/hashicorp/consul-k8s/issues/4228)] + +IMPROVEMENTS: + +* docker: update go-discover binary [[GH-4287](https://github.com/hashicorp/consul-k8s/issues/4287)] +* docker: update ubi base image to `ubi9-minimal:9.4`. [[GH-4287](https://github.com/hashicorp/consul-k8s/issues/4287)] +* helm: Adds `webhookCertManager.resources` field which can be configured to override the `resource` settings for the `webhook-cert-manager` deployment. [[GH-4184](https://github.com/hashicorp/consul-k8s/issues/4184)] +* helm: Adds `connectInject.apiGateway.managedGatewayClass.resourceJob.resources` field which can be configured to override the `resource` settings for the `gateway-resources-job` job. [[GH-4184](https://github.com/hashicorp/consul-k8s/issues/4184)] +* config-entry: add validate_clusters to mesh config entry [[GH-4256](https://github.com/hashicorp/consul-k8s/issues/4256)] +* helm: Kubernetes v1.30 is now supported. Minimum tested version of Kubernetes is now v1.27. [[GH-4244](https://github.com/hashicorp/consul-k8s/issues/4244)] + +BUG FIXES: + +* Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. 
[[GH-4213](https://github.com/hashicorp/consul-k8s/issues/4213)] +* api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [[GH-4247](https://github.com/hashicorp/consul-k8s/issues/4247)] +* helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job, would fail before if the image was in a private registry [[GH-4210](https://github.com/hashicorp/consul-k8s/issues/4210)] +* openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. +This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [[GH-4227](https://github.com/hashicorp/consul-k8s/issues/4227)] +* sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [[GH-4266](https://github.com/hashicorp/consul-k8s/issues/4266)] +* terminating-gateways: Fix bug where namespace field was not correctly set on ACL policies if using the `Registration` CRD with the service's namespace unset. [[GH-4224](https://github.com/hashicorp/consul-k8s/issues/4224)] + +## 1.5.2 (August 29, 2024) + +Release redacted, use `1.5.3` + +## 1.5.1 (July 16, 2024) + +SECURITY: + +* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-4154](https://github.com/hashicorp/consul-k8s/issues/4154)] +* Upgrade go-retryablehttp to v0.7.7 to address [GHSA-v6v8-xj6m-xwqh](https://github.com/advisories/GHSA-v6v8-xj6m-xwqh) [[GH-4169](https://github.com/hashicorp/consul-k8s/issues/4169)] + +IMPROVEMENTS: + +* api-gateways: Change security settings to make root file system read only and to not allow privilage escalation. [[GH-3959](https://github.com/hashicorp/consul-k8s/issues/3959)] +* control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. 
[[GH-4152](https://github.com/hashicorp/consul-k8s/issues/4152)] +* partition-init: Role no longer includes unnecessary access to Secrets resource. [[GH-4053](https://github.com/hashicorp/consul-k8s/issues/4053)] + +BUG FIXES: + +* api-gateway: fix issue where API Gateway specific acl roles/policy were not being cleaned up on deletion of an api-gateway [[GH-4060](https://github.com/hashicorp/consul-k8s/issues/4060)] +* connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar [[GH-4152](https://github.com/hashicorp/consul-k8s/issues/4152)] +* endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up. [[GH-4059](https://github.com/hashicorp/consul-k8s/issues/4059)] +* terminating-gateway: Fix generated acl policy for external services to include the namespace and partition block if they are enabled. [[GH-4153](https://github.com/hashicorp/consul-k8s/issues/4153)] + ## 1.5.0 (June 13, 2024) > NOTE: Consul K8s 1.5.x is compatible with Consul 1.19.x and Consul Dataplane 1.5.x. Refer to our [compatibility matrix](https://developer.hashicorp.com/consul/docs/k8s/compatibility) for more info. diff --git a/Makefile b/Makefile index d6ed9f815d..793d2d46cd 100644 --- a/Makefile +++ b/Makefile @@ -254,7 +254,7 @@ ifeq (, $(shell which controller-gen)) CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\ cd $$CONTROLLER_GEN_TMP_DIR ;\ go mod init tmp ;\ - go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.12.1 ;\ + go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0 ;\ rm -rf $$CONTROLLER_GEN_TMP_DIR ;\ } CONTROLLER_GEN=$(shell go env GOPATH)/bin/controller-gen 
@@ -263,12 +263,12 @@ CONTROLLER_GEN=$(shell which controller-gen) endif .PHONY: ensure-controller-gen-version -ensure-controller-gen-version: ## Ensure controller-gen version is v0.12.1. +ensure-controller-gen-version: ## Ensure controller-gen version is v0.14.0. ifeq (, $(shell which $(CONTROLLER_GEN))) @echo "You don't have $(CONTROLLER_GEN), please install it first." else -ifeq (, $(shell $(CONTROLLER_GEN) --version | grep v0.12.1)) - @echo "controller-gen version is not v0.12.1, uninstall the binary and install the correct version with 'make get-controller-gen'." +ifeq (, $(shell $(CONTROLLER_GEN) --version | grep v0.14.0)) + @echo "controller-gen version is not v0.14.0, uninstall the binary and install the correct version with 'make get-controller-gen'." @echo "Found version: $(shell $(CONTROLLER_GEN) --version)" @exit 1 else @@ -427,7 +427,7 @@ ifndef CONSUL_K8S_RELEASE_DATE $(error CONSUL_K8S_RELEASE_DATE is required, use format , (ex. October 4, 2022)) endif ifndef CONSUL_K8S_NEXT_RELEASE_VERSION - $(error CONSUL_K8S_NEXT_RELEASE_VERSION is required) + $(error CONSUL_K8S_RELEASE_VERSION is required) endif ifndef CONSUL_K8S_CONSUL_VERSION $(error CONSUL_K8S_CONSUL_VERSION is required) diff --git a/README.md b/README.md index e59e5b8577..ab22cd0f07 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). The following pre-requisites must be met before installing Consul on Kubernetes. - * **Kubernetes 1.26.x - 1.29.x** - This represents the earliest versions of Kubernetes tested. + * **Kubernetes 1.27.x - 1.30.x** - This represents the earliest versions of Kubernetes tested. It is possible that this chart works with earlier versions, but it is untested. * Helm install diff --git a/acceptance/ci-inputs/kind-inputs.yaml b/acceptance/ci-inputs/kind-inputs.yaml index 5271ee68ba..ea49114ee4 100644 --- a/acceptance/ci-inputs/kind-inputs.yaml +++ b/acceptance/ci-inputs/kind-inputs.yaml 
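Review bot: The guard in the last hunk still tests `ifndef CONSUL_K8S_NEXT_RELEASE_VERSION`, but the new message reads `$(error CONSUL_K8S_RELEASE_VERSION is required)`, so a user who forgets the NEXT variable is told to set a different one. Either the message should be restored to `$(error CONSUL_K8S_NEXT_RELEASE_VERSION is required)` or, if the intent was to stop requiring the NEXT variable, the `ifndef` line should change with it. The enclosing target begins outside the hunk, so which of the two was intended is not visible here.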
@@ -1,6 +1,6 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 -kindVersion: v0.22.0 -kindNodeImage: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245 -kubectlVersion: v1.27.1 +kindVersion: v0.23.0 +kindNodeImage: kindest/node:v1.30.2@sha256:ecfe5841b9bee4fe9690f49c118c33629fa345e3350a0c67a5a34482a99d6bba +kubectlVersion: v1.30.2 diff --git a/acceptance/ci-inputs/kind_acceptance_test_packages.yaml b/acceptance/ci-inputs/kind_acceptance_test_packages.yaml index a4e09abd9c..a41acd35bf 100644 --- a/acceptance/ci-inputs/kind_acceptance_test_packages.yaml +++ b/acceptance/ci-inputs/kind_acceptance_test_packages.yaml @@ -9,4 +9,3 @@ - {runner: 4, test-packages: "cli vault metrics server"} - {runner: 5, test-packages: "api-gateway ingress-gateway sync example consul-dns"} - {runner: 6, test-packages: "config-entries terminating-gateway basic"} -- {runner: 7, test-packages: "mesh_v2 tenancy_v2"} diff --git a/acceptance/framework/consul/helm_cluster.go b/acceptance/framework/consul/helm_cluster.go index e12456876e..f23e55a48b 100644 --- a/acceptance/framework/consul/helm_cluster.go +++ b/acceptance/framework/consul/helm_cluster.go @@ -549,7 +549,6 @@ func (h *HelmCluster) SetupConsulClient(t *testing.T, secure bool, release ...st require.NoError(r, err) } }) - } } 
@@ -701,47 +700,40 @@ func configureNamespace(t *testing.T, client kubernetes.Interface, cfg *config.T } // configureSCCs creates RoleBindings that bind the default service account to cluster roles -// allowing access to the anyuid and privileged Security Context Constraints on OpenShift. +// allowing access to the privileged Security Context Constraints on OpenShift. func configureSCCs(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) { - const anyuidClusterRole = "system:openshift:scc:anyuid" const privilegedClusterRole = "system:openshift:scc:privileged" - anyuidRoleBinding := "anyuid-test" privilegedRoleBinding := "privileged-test" // A role binding to allow default service account in the installation namespace access to the SCCs. - { - for clusterRoleName, roleBindingName := range map[string]string{anyuidClusterRole: anyuidRoleBinding, privilegedClusterRole: privilegedRoleBinding} { - // Check if this cluster role binding already exists. - _, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), roleBindingName, metav1.GetOptions{}) - - if errors.IsNotFound(err) { - roleBinding := &rbacv1.RoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: roleBindingName, - }, - Subjects: []rbacv1.Subject{ - { - Kind: rbacv1.ServiceAccountKind, - Name: "default", - Namespace: namespace, - }, - }, - RoleRef: rbacv1.RoleRef{ - Kind: "ClusterRole", - Name: clusterRoleName, - }, - } - - _, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{}) - require.NoError(t, err) - } else { - require.NoError(t, err) - } + // Check if this cluster role binding already exists. 
+ _, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), privilegedRoleBinding, metav1.GetOptions{}) + + if errors.IsNotFound(err) { + roleBinding := &rbacv1.RoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: privilegedRoleBinding, + }, + Subjects: []rbacv1.Subject{ + { + Kind: rbacv1.ServiceAccountKind, + Name: "default", + Namespace: namespace, + }, + }, + RoleRef: rbacv1.RoleRef{ + Kind: "ClusterRole", + Name: privilegedClusterRole, + }, } + + _, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{}) + require.NoError(t, err) + } else { + require.NoError(t, err) } helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() { - _ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), anyuidRoleBinding, metav1.DeleteOptions{}) _ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), privilegedRoleBinding, metav1.DeleteOptions{}) }) } diff --git a/acceptance/framework/helpers/helpers.go b/acceptance/framework/helpers/helpers.go index 0871532426..b4af57bcea 100644 --- a/acceptance/framework/helpers/helpers.go +++ b/acceptance/framework/helpers/helpers.go @@ -6,10 +6,13 @@ package helpers import ( "context" "encoding/json" + "errors" "fmt" + "net/http" "os" "os/exec" "os/signal" + "slices" "strings" "syscall" "testing" @@ -20,10 +23,12 @@ import ( terratestLogger "github.com/gruntwork-io/terratest/modules/logger" "github.com/gruntwork-io/terratest/modules/random" "github.com/hashicorp/consul-k8s/acceptance/framework/logger" + "github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1" "github.com/hashicorp/consul/api" "github.com/hashicorp/consul/sdk/testutil" "github.com/hashicorp/consul/sdk/testutil/retry" "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" ) 
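Review bot: The cleanup closure now deletes only `privilegedRoleBinding`, so a RoleBinding named `anyuid-test` left behind by an earlier run of the previous code on a long-lived OpenShift test cluster keeps granting the `anyuid` SCC to the `default` service account and is never removed; that stale grant could also mask a regression in the very change this release notes as "Remove anyuid SCC requirement". A best-effort removal in the cleanup, `_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), "anyuid-test", metav1.DeleteOptions{})`, keeps old clusters honest at no cost on fresh ones. Separately, when the `Get` succeeds the existing binding is accepted without checking that its `RoleRef` still names `privilegedClusterRole`, so a renamed or edited binding would silently pass the setup step. Whether CI clusters are reused between runs is not visible here.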
@@ -154,39 +159,60 @@ func MergeMaps(a, b map[string]string) { } } -// RegisterExternalService registers an external service to a virtual node in Consul for testing purposes. -// This function takes a testing.T object, a Consul client, service namespace, service name, address, and port as -// parameters. It registers the service with Consul, and if a namespace is provided, it also creates the namespace -// in Consul. It uses the provided testing.T object to log registration details and verify the registration process. -// If the registration fails, the test calling the function will fail. -func RegisterExternalService(t *testing.T, consulClient *api.Client, namespace, name, address string, port int) { - t.Helper() +type K8sOptions struct { + Options *k8s.KubectlOptions + NoCleanupOnFailure bool + NoCleanup bool + KustomizeConfigPath string +} - service := &api.AgentService{ - ID: name, - Service: name, - Port: port, - } +type ConsulOptions struct { + ConsulClient *api.Client + Namespace string + ExternalServiceNameRegistration string +} - if namespace != "" { - address = fmt.Sprintf("%s.%s", name, namespace) - service.Namespace = namespace +func RegisterExternalServiceCRD(t *testing.T, k8sOptions K8sOptions, consulOptions ConsulOptions) { + t.Helper() + t.Logf("Registering external service %s", k8sOptions.KustomizeConfigPath) - logger.Logf(t, "creating the %s namespace in Consul", namespace) - _, _, err := consulClient.Namespaces().Create(&api.Namespace{ - Name: namespace, + if consulOptions.Namespace != "" && consulOptions.Namespace != "default" { + logger.Logf(t, "creating the %s namespace in Consul", consulOptions.Namespace) + _, _, err := consulOptions.ConsulClient.Namespaces().Create(&api.Namespace{ + Name: consulOptions.Namespace, }, nil) require.NoError(t, err) } - logger.Log(t, "registering the external service %s", name) - _, err := consulClient.Catalog().Register(&api.CatalogRegistration{ - Node: "external", - Address: address, - NodeMeta: 
map[string]string{"external-node": "true", "external-probe": "true"}, - Service: service, - }, nil) - require.NoError(t, err) + // Register the external service + k8s.KubectlApplyFromKustomize(t, k8sOptions.Options, k8sOptions.KustomizeConfigPath) + Cleanup(t, k8sOptions.NoCleanupOnFailure, k8sOptions.NoCleanup, func() { + k8s.KubectlDeleteFromKustomize(t, k8sOptions.Options, k8sOptions.KustomizeConfigPath) + }) + + CheckExternalServiceConditions(t, consulOptions.ExternalServiceNameRegistration, k8sOptions.Options) +} + +func CheckExternalServiceConditions(t *testing.T, registrationName string, opts *k8s.KubectlOptions) { + t.Helper() + + ogLogger := opts.Logger + defer func() { + opts.Logger = ogLogger + }() + + opts.Logger = terratestLogger.Discard + retry.RunWith(&retry.Counter{Wait: 2 * time.Second, Count: 15}, t, func(r *retry.R) { + var err error + out, err := k8s.RunKubectlAndGetOutputE(r, opts, "get", "-o=json", "registrations.consul.hashicorp.com", registrationName) + require.NoError(r, err) + reg := v1alpha1.Registration{} + err = json.Unmarshal([]byte(out), ®) + require.NoError(r, err) + require.NotEmpty(r, reg.Status.Conditions, "conditions should not be empty, retrying") + // ensure all statuses are true which means that the registration is successful + require.True(r, !slices.ContainsFunc(reg.Status.Conditions, func(c v1alpha1.Condition) bool { return c.Status == corev1.ConditionFalse }), "registration failed because of %v", reg.Status.Conditions) + }) } type Command struct { 
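Review bot: In `CheckExternalServiceConditions` the comment promises "ensure all statuses are true", but the assertion only rejects conditions whose `Status` is `corev1.ConditionFalse`, so a `Registration` whose conditions are all `Unknown` (the state a controller typically reports before it has reconciled) is accepted as a successful registration and the retry loop stops early. Invert the predicate to `return c.Status != corev1.ConditionTrue` so only fully-true condition sets pass. The `var err error` immediately before `out, err := …` is redundant since `:=` already declares `err` there. In `RegisterExternalServiceCRD`, `Namespaces().Create` is called unconditionally for any non-default namespace; whether the Consul API tolerates an already-existing namespace there is not visible from this hunk, so a pre-existing namespace may need an exists check first.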
@@ -320,3 +346,53 @@ func createCmdArgs(options *k8s.KubectlOptions) []string { } return cmdArgs } + +const DEFAULT_PAUSE_PORT = "38501" + +// WaitForInput starts a http server on a random port (which is output in the logs) and waits until you +// issue a request to that endpoint to continue the tests. This is useful for debugging tests that require +// inspecting the current state of a running cluster and you don't need to use long sleeps. +func WaitForInput(t *testing.T) { + t.Helper() + + listenerPort := os.Getenv("CONSUL_K8S_TEST_PAUSE_PORT") + + if listenerPort == "" { + listenerPort = DEFAULT_PAUSE_PORT + } + + mux := http.NewServeMux() + srv := &http.Server{ + Addr: fmt.Sprintf(":%s", listenerPort), + Handler: mux, + } + + mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + + _, err := w.Write([]byte("input received\n")) + if err != nil { + t.Logf("error writing body: %v", err) + err = nil + } + + err = r.Body.Close() + if err != nil { + t.Logf("error closing request body: %v", err) + err = nil + } + + t.Log("input received, continuing test") + go func() { + err = srv.Shutdown(context.Background()) + if err != nil { + t.Logf("error closing listener: %v", err) + } + }() + }) + + t.Logf("Waiting for input on http://localhost:%s", listenerPort) + if err := srv.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) { + t.Fatal(err) + } +} diff --git a/acceptance/framework/k8s/deploy.go b/acceptance/framework/k8s/deploy.go index e1d9f01a80..2db7224690 100644 --- a/acceptance/framework/k8s/deploy.go +++ b/acceptance/framework/k8s/deploy.go 
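Review bot: `WaitForInput` binds `fmt.Sprintf(":%s", listenerPort)`, i.e. every interface, while the log line advertises `http://localhost:%s`; on a shared CI runner or a developer laptop on an untrusted network any peer that can reach the port can resume a paused test, and the `http.Server` has no timeouts, so a client that opens a connection and never sends headers holds the listener indefinitely. Bind to loopback and add a header timeout: `Addr: fmt.Sprintf("127.0.0.1:%s", listenerPort),` and `ReadHeaderTimeout: 10 * time.Second,` (`time` is already imported in this file). `DEFAULT_PAUSE_PORT` should be `DefaultPausePort` per Go naming, and the doc comment says the server listens on "a random port" although the code uses the fixed `38501` unless `CONSUL_K8S_TEST_PAUSE_PORT` overrides it.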
@@ -165,10 +165,10 @@ func CheckStaticServerConnectionSuccessfulWithMessage(t *testing.T, options *k8s // CheckStaticServerConnectionSuccessful is just like CheckStaticServerConnection // but it always expects a successful connection. -func CheckStaticServerConnectionSuccessful(t *testing.T, options *k8s.KubectlOptions, sourceApp string, curlArgs ...string) { +func CheckStaticServerConnectionSuccessful(t *testing.T, sourceAppOpts *k8s.KubectlOptions, sourceApp string, curlArgs ...string) { t.Helper() start := time.Now() - CheckStaticServerConnection(t, options, sourceApp, true, nil, "", curlArgs...) + CheckStaticServerConnection(t, sourceAppOpts, sourceApp, true, nil, "", curlArgs...) logger.Logf(t, "Took %s to check if static server connection was successful", time.Since(start)) } diff --git a/acceptance/go.mod b/acceptance/go.mod index 1cac90636e..71240d0342 100644 --- a/acceptance/go.mod +++ b/acceptance/go.mod @@ -5,12 +5,12 @@ go 1.21.1 toolchain go1.22.0 require ( - github.com/go-logr/logr v1.2.4 + github.com/go-logr/logr v1.3.0 github.com/google/uuid v1.3.0 github.com/gruntwork-io/terratest v0.46.7 - github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240226161840-f3842c41cb2b - github.com/hashicorp/consul/api v1.29.1 - github.com/hashicorp/consul/proto-public v0.6.1 + github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108 + github.com/hashicorp/consul/api v1.29.4 + github.com/hashicorp/consul/proto-public v0.6.2 github.com/hashicorp/consul/sdk v0.16.1 github.com/hashicorp/go-multierror v1.1.1 github.com/hashicorp/go-uuid v1.0.3 
@@ -26,11 +26,14 @@ require ( k8s.io/api v0.28.9 k8s.io/apimachinery v0.28.9 k8s.io/client-go v0.28.9 - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 + k8s.io/utils v0.0.0-20240821151609-f90d01438635 sigs.k8s.io/controller-runtime v0.16.5 sigs.k8s.io/gateway-api v0.7.1 ) +// replace these so we always use the latest version of the control-plane types +replace github.com/hashicorp/consul-k8s/version => ../version + require ( github.com/armon/go-metrics v0.4.1 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect @@ -45,7 +48,8 @@ require ( github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect - github.com/fatih/color v1.16.0 // indirect + github.com/fatih/color v1.17.0 // indirect + github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/ghodss/yaml v1.0.0 // indirect github.com/go-errors/errors v1.4.2 // indirect github.com/go-jose/go-jose/v3 v3.0.3 // indirect 
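Review bot: The comment on the new `replace` directive says it is there "so we always use the latest version of the control-plane types", but the directive only redirects `github.com/hashicorp/consul-k8s/version` to `../version`; `github.com/hashicorp/consul-k8s/control-plane` stays pinned to the pseudo-version in the `require` block above, so a reader trusting the comment would expect in-repo control-plane types and get the published commit instead. Either reword it to describe what it actually does, e.g. `// use the in-repo version module instead of a published one`, or add a matching `replace` for control-plane if local types are the intent. As far as I can tell a relative-path `replace` also means this module only builds from a checkout that has the sibling `version` directory, which is worth stating next to it.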
@@ -63,24 +67,26 @@ require ( github.com/go-ozzo/ozzo-validation v3.6.0+incompatible // indirect github.com/go-sql-driver/mysql v1.5.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic-models v0.6.8 // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect github.com/gruntwork-io/go-commons v0.8.0 // indirect + github.com/hashicorp/consul-k8s/version v0.0.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-bexpr v0.1.11 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/hashicorp/go-hclog v1.5.0 // indirect + github.com/hashicorp/go-hclog v1.6.3 // indirect github.com/hashicorp/go-immutable-radix v1.3.1 // indirect - github.com/hashicorp/go-retryablehttp v0.6.6 // indirect + github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/go-rootcerts v1.0.2 // indirect github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.2 // indirect - github.com/hashicorp/golang-lru v0.5.4 // indirect + github.com/hashicorp/golang-lru v1.0.2 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/imdario/mergo v0.3.13 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect 
@@ -121,22 +127,25 @@ require ( go.opentelemetry.io/otel/metric v1.19.0 // indirect go.opentelemetry.io/otel/sdk v1.19.0 // indirect go.opentelemetry.io/otel/trace v1.19.0 // indirect - golang.org/x/crypto v0.22.0 // indirect - golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect - golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.24.0 // indirect + golang.org/x/crypto v0.26.0 // indirect + golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 // indirect + golang.org/x/mod v0.20.0 // indirect + golang.org/x/net v0.28.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect - golang.org/x/sys v0.19.0 // indirect - golang.org/x/term v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/term v0.23.0 // indirect + golang.org/x/text v0.17.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.16.1 // indirect + golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/apiextensions-apiserver v0.28.3 // indirect + k8s.io/component-base v0.28.3 // indirect k8s.io/klog/v2 v2.100.1 // indirect k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/acceptance/go.sum b/acceptance/go.sum index e2ebe425ee..ffdce146c1 100644 --- a/acceptance/go.sum +++ b/acceptance/go.sum 
@@ -56,8 +56,8 @@ github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2Vvl github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= -github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= -github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= +github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= @@ -73,8 +73,8 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= 
@@ -169,8 +169,9 @@ github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYu github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -186,14 +187,14 @@ github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRa github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= github.com/gruntwork-io/terratest v0.46.7 h1:oqGPBBO87SEsvBYaA0R5xOq+Lm2Xc5dmFVfxEolfZeU= github.com/gruntwork-io/terratest v0.46.7/go.mod h1:6gI5MlLeyF+SLwqocA5GBzcTix+XiuxCy1BPwKuT+WM= -github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240226161840-f3842c41cb2b h1:AdeWjUb+rxrRryC5ZHaL32oOZuxubOzV2q6oJ97UMT0= -github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240226161840-f3842c41cb2b/go.mod h1:TVaSJM7vYM/mtKGpVc/Lch53lrqLI9XAXJgy/gY8v4A= +github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108 h1:5jSMtMGeY//hvkAefiomxP1Jqb5MtnKgsnlsZpEwiJE= +github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108/go.mod h1:SY22WR9TJmlcK18Et2MAqy+kqAFJzbWFElN89vMTSiM= github.com/hashicorp/consul-server-connection-manager v0.1.6 h1:ktj8Fi+dRXn9hhM+FXsfEJayhzzgTqfH08Ne5M6Fmug= github.com/hashicorp/consul-server-connection-manager v0.1.6/go.mod h1:HngMIv57MT+pqCVeRQMa1eTB5dqnyMm8uxjyv+Hn8cs= -github.com/hashicorp/consul/api v1.29.1 h1:UEwOjYJrd3lG1x5w7HxDRMGiAUPrb3f103EoeKuuEcc= -github.com/hashicorp/consul/api v1.29.1/go.mod h1:lumfRkY/coLuqMICkI7Fh3ylMG31mQSRZyef2c5YvJI= -github.com/hashicorp/consul/proto-public v0.6.1 h1:+uzH3olCrksXYWAYHKqK782CtK9scfqH+Unlw3UHhCg= -github.com/hashicorp/consul/proto-public v0.6.1/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg= +github.com/hashicorp/consul/api v1.29.4 h1:P6slzxDLBOxUSj3fWo2o65VuKtbtOXFi7TSSgtXutuE= +github.com/hashicorp/consul/api v1.29.4/go.mod h1:HUlfw+l2Zy68ceJavv2zAyArl2fqhGWnMycyt56sBgg= +github.com/hashicorp/consul/proto-public v0.6.2 h1:+DA/3g/IiKlJZb88NBn0ZgXrxJp2NlvCZdEyl+qxvL0= +github.com/hashicorp/consul/proto-public v0.6.2/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg= github.com/hashicorp/consul/sdk v0.16.1 
h1:V8TxTnImoPD5cj0U9Spl0TUxcytjcbbJeADFF07KdHg= github.com/hashicorp/consul/sdk v0.16.1/go.mod h1:fSXvwxB2hmh1FMZCNl6PwX0Q/1wdWtHJcZ7Ea5tns0s= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -202,12 +203,10 @@ github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv github.com/hashicorp/go-bexpr v0.1.11 h1:6DqdA/KBjurGby9yTY0bmkathya0lfwF2SeuubCI7dY= github.com/hashicorp/go-bexpr v0.1.11/go.mod h1:f03lAo0duBlDIUMGCuad8oLcgejw4m7U+N8T+6Kz1AE= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= -github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c= -github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= +github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= 
@@ -221,8 +220,8 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9 github.com/hashicorp/go-netaddrs v0.1.0 h1:TnlYvODD4C/wO+j7cX1z69kV5gOzI87u3OcUinANaW8= github.com/hashicorp/go-netaddrs v0.1.0/go.mod h1:33+a/emi5R5dqRspOuZKO0E+Tuz5WV1F84eRWALkedA= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= -github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= -github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= +github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= 
@@ -241,8 +240,8 @@ github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= -github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcp-sdk-go v0.50.0 h1:vOUpVf4MQF/gtoBukuoYKs/i6KinTSpP5jhKCvsZ2bc= @@ -461,6 +460,8 @@ go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1 go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c= 
@@ -475,17 +476,17 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA= +golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -505,8 +506,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= -golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -519,8 +520,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -552,21 +553,22 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/term v0.23.0 
h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= +golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -576,8 +578,9 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -592,8 +595,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= -golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -644,12 +647,14 @@ k8s.io/apimachinery v0.28.9 h1:aXz4Zxsw+Pk4KhBerAtKRxNN1uSMWKfciL/iOdBfXvA= k8s.io/apimachinery v0.28.9/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o= k8s.io/client-go v0.28.9 h1:mmMvejwc/KDjMLmDpyaxkWNzlWRCJ6ht7Qsbsnwn39Y= k8s.io/client-go v0.28.9/go.mod h1:GFDy3rUNId++WGrr0hRaBrs+y1eZz5JtVZODEalhRMo= +k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI= +k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= +k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.16.5 h1:yr1cEJbX08xsTW6XEIzT13KHHmIyX8Umvme2cULvFZw= sigs.k8s.io/controller-runtime v0.16.5/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= sigs.k8s.io/gateway-api v0.7.1 h1:Tts2jeepVkPA5rVG/iO+S43s9n7Vp7jCDhZDQYtPigQ= diff --git a/acceptance/tests/api-gateway/api_gateway_gatewayclassconfig_test.go b/acceptance/tests/api-gateway/api_gateway_gatewayclassconfig_test.go index 14ef0e0035..d43d7779a6 100644 --- a/acceptance/tests/api-gateway/api_gateway_gatewayclassconfig_test.go +++ b/acceptance/tests/api-gateway/api_gateway_gatewayclassconfig_test.go 
@@ -21,7 +21,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" gwv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) @@ -32,9 +32,9 @@ import ( // the child gateways. func TestAPIGateway_GatewayClassConfig(t *testing.T) { var ( - defaultInstances = pointer.Int32(2) - maxInstances = pointer.Int32(3) - minInstances = pointer.Int32(1) + defaultInstances = ptr.To(int32(2)) + maxInstances = ptr.To(int32(3)) + minInstances = ptr.To(int32(1)) namespace = "default" gatewayClassName = "gateway-class" 
@@ -145,16 +145,16 @@ func TestAPIGateway_GatewayClassConfig(t *testing.T) { logger.Log(t, "updating gatewayclassconfig values") err = k8sClient.Get(context.Background(), types.NamespacedName{Name: gatewayClassConfigName, Namespace: namespace}, gatewayClassConfig) require.NoError(t, err) - gatewayClassConfig.Spec.DeploymentSpec.DefaultInstances = pointer.Int32(8) - gatewayClassConfig.Spec.DeploymentSpec.MinInstances = pointer.Int32(5) + gatewayClassConfig.Spec.DeploymentSpec.DefaultInstances = ptr.To(int32(8)) + gatewayClassConfig.Spec.DeploymentSpec.MinInstances = ptr.To(int32(5)) err = k8sClient.Update(context.Background(), gatewayClassConfig) require.NoError(t, err) checkNumberOfInstances(t, k8sClient, consulClient, gateway.Name, gateway.Namespace, defaultInstances, gateway) // Scenario: gateways should be able to scale independently and not get overridden by the controller unless it's above the max - scale(t, k8sClient, gateway.Name, gateway.Namespace, pointer.Int32(*maxInstances+1)) + scale(t, k8sClient, gateway.Name, gateway.Namespace, ptr.To(int32(*maxInstances+1))) checkNumberOfInstances(t, k8sClient, consulClient, gateway.Name, gateway.Namespace, maxInstances, gateway) - scale(t, k8sClient, gateway.Name, gateway.Namespace, pointer.Int32(0)) + scale(t, k8sClient, gateway.Name, gateway.Namespace, ptr.To(int32(0))) checkNumberOfInstances(t, k8sClient, consulClient, gateway.Name, gateway.Namespace, minInstances, gateway) } diff --git a/acceptance/tests/api-gateway/api_gateway_kitchen_sink_test.go b/acceptance/tests/api-gateway/api_gateway_kitchen_sink_test.go index d701220a8c..9880298a2b 100644 --- a/acceptance/tests/api-gateway/api_gateway_kitchen_sink_test.go +++ b/acceptance/tests/api-gateway/api_gateway_kitchen_sink_test.go 
@@ -142,6 +142,10 @@ func TestAPIGateway_KitchenSink(t *testing.T) { checkStatusCondition(r, gateway.Status.Conditions, trueCondition("ConsulAccepted", "Accepted")) require.Len(r, gateway.Status.Listeners, 2) + // http route checks + err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute) + require.NoError(r, err) + require.EqualValues(r, int32(1), gateway.Status.Listeners[0].AttachedRoutes) checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, trueCondition("Accepted", "Accepted")) checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, falseCondition("Conflicted", "NoConflicts")) @@ -152,10 +156,6 @@ func TestAPIGateway_KitchenSink(t *testing.T) { // now we know we have an address, set it so we can use it gatewayAddress = gateway.Status.Addresses[0].Value - // http route checks - err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute) - require.NoError(r, err) - // check our finalizers require.Len(r, httpRoute.Finalizers, 1) require.EqualValues(r, gatewayFinalizer, httpRoute.Finalizers[0]) diff --git a/acceptance/tests/config-entries/config_entries_namespaces_test.go b/acceptance/tests/config-entries/config_entries_namespaces_test.go index aa74bdc2b5..bcc7605b31 100644 --- a/acceptance/tests/config-entries/config_entries_namespaces_test.go +++ b/acceptance/tests/config-entries/config_entries_namespaces_test.go @@ -90,6 +90,10 @@ func TestControllerNamespaces(t *testing.T) { "global.acls.manageSystemACLs": strconv.FormatBool(c.secure), "global.tls.enabled": strconv.FormatBool(c.secure), + + "terminatingGateways.enabled": "true", + "terminatingGateways.gateways[0].name": "terminating-gateway", + "terminatingGateways.gateways[0].replicas": "1", } releaseName := helpers.RandomName() 
diff --git a/acceptance/tests/config-entries/config_entries_test.go b/acceptance/tests/config-entries/config_entries_test.go index 9f2595ed4f..2ee242b866 100644 --- a/acceptance/tests/config-entries/config_entries_test.go +++ b/acceptance/tests/config-entries/config_entries_test.go @@ -59,6 +59,10 @@ func TestController(t *testing.T) { "connectInject.enabled": "true", "global.tls.enabled": strconv.FormatBool(c.secure), "global.acls.manageSystemACLs": strconv.FormatBool(c.secure), + + "terminatingGateways.enabled": "true", + "terminatingGateways.gateways[0].name": "terminating-gateway", + "terminatingGateways.gateways[0].replicas": "1", } releaseName := helpers.RandomName() @@ -238,7 +242,6 @@ func TestController(t *testing.T) { require.Equal(r, 100.0, rateLimitIPConfigEntry.Session.WriteRate) require.Equal(r, 100.0, rateLimitIPConfigEntry.Txn.ReadRate) require.Equal(r, 100.0, rateLimitIPConfigEntry.Txn.WriteRate) - }) } diff --git a/acceptance/tests/fixtures/bases/external-service-registration/external-service.yaml b/acceptance/tests/fixtures/bases/external-service-registration/external-service.yaml new file mode 100644 index 0000000000..bcb4735ebe --- /dev/null +++ b/acceptance/tests/fixtures/bases/external-service-registration/external-service.yaml @@ -0,0 +1,18 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: consul.hashicorp.com/v1alpha1 +kind: Registration +metadata: + name: static-server-registration +spec: + datacenter: dc1 + node: external + nodeMeta: + external-node: "true" + external-probe: "true" + address: static-server + service: + id: static-server + name: static-server + port: 80 diff --git a/acceptance/tests/fixtures/bases/external-service-registration/kustomization.yaml b/acceptance/tests/fixtures/bases/external-service-registration/kustomization.yaml new file mode 100644 index 0000000000..345a681cd9 --- /dev/null +++ b/acceptance/tests/fixtures/bases/external-service-registration/kustomization.yaml 
@@ -0,0 +1,5 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +resources: + - external-service.yaml diff --git a/acceptance/tests/fixtures/bases/multiport-app/anyuid-scc-rolebinding.yaml b/acceptance/tests/fixtures/bases/multiport-app/anyuid-scc-rolebinding.yaml deleted file mode 100644 index 5c2e0dcfa2..0000000000 --- a/acceptance/tests/fixtures/bases/multiport-app/anyuid-scc-rolebinding.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: multiport-openshift-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:anyuid -subjects: - - kind: ServiceAccount - name: multiport ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: multiport-admin-openshift-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:anyuid -subjects: - - kind: ServiceAccount - name: multiport-admin diff --git a/acceptance/tests/fixtures/bases/multiport-app/kustomization.yaml b/acceptance/tests/fixtures/bases/multiport-app/kustomization.yaml index fb792d63a7..ecd2015a34 100644 --- a/acceptance/tests/fixtures/bases/multiport-app/kustomization.yaml +++ b/acceptance/tests/fixtures/bases/multiport-app/kustomization.yaml @@ -7,5 +7,4 @@ resources: - secret.yaml - serviceaccount.yaml - psp-rolebinding.yaml - - anyuid-scc-rolebinding.yaml - - privileged-scc-rolebinding.yaml \ No newline at end of file + - privileged-scc-rolebinding.yaml diff --git a/acceptance/tests/fixtures/bases/static-client/anyuid-scc-rolebinding.yaml b/acceptance/tests/fixtures/bases/static-client/anyuid-scc-rolebinding.yaml deleted file mode 100644 index b80bc5c562..0000000000 --- a/acceptance/tests/fixtures/bases/static-client/anyuid-scc-rolebinding.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: static-client-openshift-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:anyuid -subjects: - - kind: ServiceAccount - name: static-client \ No newline at end of file diff --git a/acceptance/tests/fixtures/bases/static-client/kustomization.yaml b/acceptance/tests/fixtures/bases/static-client/kustomization.yaml index 9aa0009dc4..929d64ac24 100644 --- a/acceptance/tests/fixtures/bases/static-client/kustomization.yaml +++ b/acceptance/tests/fixtures/bases/static-client/kustomization.yaml @@ -6,5 +6,4 @@ resources: - service.yaml - serviceaccount.yaml - psp-rolebinding.yaml - - anyuid-scc-rolebinding.yaml - - privileged-scc-rolebinding.yaml \ No newline at end of file + - privileged-scc-rolebinding.yaml diff --git a/acceptance/tests/fixtures/bases/static-server-https/anyuid-scc-rolebinding.yaml b/acceptance/tests/fixtures/bases/static-server-https/anyuid-scc-rolebinding.yaml deleted file mode 100644 index 2be7cf13db..0000000000 --- a/acceptance/tests/fixtures/bases/static-server-https/anyuid-scc-rolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: static-server-openshift-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:anyuid -subjects: - - kind: ServiceAccount - name: static-server \ No newline at end of file diff --git a/acceptance/tests/fixtures/bases/static-server-https/kustomization.yaml b/acceptance/tests/fixtures/bases/static-server-https/kustomization.yaml index da166af201..6d7daa8f88 100644 --- a/acceptance/tests/fixtures/bases/static-server-https/kustomization.yaml +++ b/acceptance/tests/fixtures/bases/static-server-https/kustomization.yaml 
@@ -7,5 +7,4 @@ resources: - service.yaml - serviceaccount.yaml - psp-rolebinding.yaml - - anyuid-scc-rolebinding.yaml - - privileged-scc-rolebinding.yaml \ No newline at end of file + - privileged-scc-rolebinding.yaml diff --git a/acceptance/tests/fixtures/bases/static-server-tcp/anyuid-scc-rolebinding.yaml b/acceptance/tests/fixtures/bases/static-server-tcp/anyuid-scc-rolebinding.yaml deleted file mode 100644 index eb86dc8bae..0000000000 --- a/acceptance/tests/fixtures/bases/static-server-tcp/anyuid-scc-rolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: static-server-tcp-openshift-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:anyuid -subjects: - - kind: ServiceAccount - name: static-server-tcp \ No newline at end of file diff --git a/acceptance/tests/fixtures/bases/static-server-tcp/kustomization.yaml b/acceptance/tests/fixtures/bases/static-server-tcp/kustomization.yaml index 2180aa94e1..946e8d6b68 100644 --- a/acceptance/tests/fixtures/bases/static-server-tcp/kustomization.yaml +++ b/acceptance/tests/fixtures/bases/static-server-tcp/kustomization.yaml @@ -7,5 +7,4 @@ resources: - serviceaccount.yaml - servicedefaults.yaml - psp-rolebinding.yaml - - anyuid-scc-rolebinding.yaml - - privileged-scc-rolebinding.yaml \ No newline at end of file + - privileged-scc-rolebinding.yaml diff --git a/acceptance/tests/fixtures/bases/static-server/anyuid-scc-rolebinding.yaml b/acceptance/tests/fixtures/bases/static-server/anyuid-scc-rolebinding.yaml deleted file mode 100644 index 2be7cf13db..0000000000 --- a/acceptance/tests/fixtures/bases/static-server/anyuid-scc-rolebinding.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: static-server-openshift-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:anyuid -subjects: - - kind: ServiceAccount - name: static-server \ No newline at end of file diff --git a/acceptance/tests/fixtures/bases/static-server/kustomization.yaml b/acceptance/tests/fixtures/bases/static-server/kustomization.yaml index 9aa0009dc4..929d64ac24 100644 --- a/acceptance/tests/fixtures/bases/static-server/kustomization.yaml +++ b/acceptance/tests/fixtures/bases/static-server/kustomization.yaml @@ -6,5 +6,4 @@ resources: - service.yaml - serviceaccount.yaml - psp-rolebinding.yaml - - anyuid-scc-rolebinding.yaml - - privileged-scc-rolebinding.yaml \ No newline at end of file + - privileged-scc-rolebinding.yaml diff --git a/acceptance/tests/fixtures/bases/terminating-gateway/kustomization.yaml b/acceptance/tests/fixtures/bases/terminating-gateway/kustomization.yaml new file mode 100644 index 0000000000..a5f13bc625 --- /dev/null +++ b/acceptance/tests/fixtures/bases/terminating-gateway/kustomization.yaml @@ -0,0 +1,5 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +resources: + - terminating-gateway.yaml diff --git a/acceptance/tests/fixtures/bases/terminating-gateway/terminating-gateway.yaml b/acceptance/tests/fixtures/bases/terminating-gateway/terminating-gateway.yaml new file mode 100644 index 0000000000..b41c36a50b --- /dev/null +++ b/acceptance/tests/fixtures/bases/terminating-gateway/terminating-gateway.yaml @@ -0,0 +1,10 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: consul.hashicorp.com/v1alpha1 +kind: TerminatingGateway +metadata: + name: terminating-gateway +spec: + services: + - name: static-server 
diff --git a/acceptance/tests/fixtures/bases/v2-multiport-app/anyuid-scc-rolebinding.yaml b/acceptance/tests/fixtures/bases/v2-multiport-app/anyuid-scc-rolebinding.yaml deleted file mode 100644 index 5c2e0dcfa2..0000000000 --- a/acceptance/tests/fixtures/bases/v2-multiport-app/anyuid-scc-rolebinding.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: multiport-openshift-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:anyuid -subjects: - - kind: ServiceAccount - name: multiport ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: multiport-admin-openshift-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:anyuid -subjects: - - kind: ServiceAccount - name: multiport-admin diff --git a/acceptance/tests/fixtures/bases/v2-multiport-app/kustomization.yaml b/acceptance/tests/fixtures/bases/v2-multiport-app/kustomization.yaml index fb792d63a7..ecd2015a34 100644 --- a/acceptance/tests/fixtures/bases/v2-multiport-app/kustomization.yaml +++ b/acceptance/tests/fixtures/bases/v2-multiport-app/kustomization.yaml @@ -7,5 +7,4 @@ resources: - secret.yaml - serviceaccount.yaml - psp-rolebinding.yaml - - anyuid-scc-rolebinding.yaml - - privileged-scc-rolebinding.yaml \ No newline at end of file + - privileged-scc-rolebinding.yaml diff --git a/acceptance/tests/fixtures/cases/crd-peers/default-terminating-gateway/kustomization.yaml b/acceptance/tests/fixtures/cases/crd-peers/default-terminating-gateway/kustomization.yaml new file mode 100644 index 0000000000..f97dc12cb8 --- /dev/null +++ b/acceptance/tests/fixtures/cases/crd-peers/default-terminating-gateway/kustomization.yaml 
@@ -0,0 +1,9 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../../fixtures/bases/terminating-gateway
+patches:
+- path: terminating-gateway.yaml
diff --git a/acceptance/tests/fixtures/cases/crd-peers/default-terminating-gateway/terminating-gateway.yaml b/acceptance/tests/fixtures/cases/crd-peers/default-terminating-gateway/terminating-gateway.yaml
new file mode 100644
index 0000000000..74c1a1974c
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/crd-peers/default-terminating-gateway/terminating-gateway.yaml
@@ -0,0 +1,10 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: TerminatingGateway
+metadata:
+ name: terminating-gateway
+spec:
+ services:
+ - name: static-server-hostname
diff --git a/acceptance/tests/fixtures/cases/crd-peers/external-service-registration/external-service.yaml b/acceptance/tests/fixtures/cases/crd-peers/external-service-registration/external-service.yaml
new file mode 100644
index 0000000000..e55f8dd3a7
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/crd-peers/external-service-registration/external-service.yaml
@@ -0,0 +1,18 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Registration
+metadata:
+ name: static-server-registration
+spec:
+ datacenter: server
+ node: external
+ nodeMeta:
+ external-node: "true"
+ external-probe: "true"
+ address: static-server.external
+ service:
+ id: static-server
+ name: static-server-hostname
+ port: 80
diff --git a/acceptance/tests/fixtures/cases/crd-peers/external-service-registration/kustomization.yaml b/acceptance/tests/fixtures/cases/crd-peers/external-service-registration/kustomization.yaml
new file mode 100644
index 0000000000..db0a3d9e6c
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/crd-peers/external-service-registration/kustomization.yaml
@@ -0,0 +1,9 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../bases/external-service-registration
+patches:
+- path: external-service.yaml
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-destinations/kustomization.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-destinations/kustomization.yaml
new file mode 100644
index 0000000000..4c0f462d1f
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-destinations/kustomization.yaml
@@ -0,0 +1,9 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../fixtures/bases/terminating-gateway
+patches:
+- path: terminating-gateway.yaml
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-destinations/terminating-gateway.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-destinations/terminating-gateway.yaml
new file mode 100644
index 0000000000..2de0225ec2
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-destinations/terminating-gateway.yaml
@@ -0,0 +1,11 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: TerminatingGateway
+metadata:
+ name: terminating-gateway
+spec:
+ services:
+ - name: static-server-hostname
+ - name: static-server-ip
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration/external-service.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration/external-service.yaml
new file mode 100644
index 0000000000..30dc1ffeed
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration/external-service.yaml
@@ -0,0 +1,19 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Registration
+metadata:
+ name: static-server-registration
+spec:
+ datacenter: dc1
+ node: external
+ nodeMeta:
+ external-node: "true"
+ external-probe: "true"
+ address: static-server.ns1
+ service:
+ id: static-server
+ name: static-server
+ namespace: ns1
+ port: 80
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration/kustomization.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration/kustomization.yaml
new file mode 100644
index 0000000000..0db7394100
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration/kustomization.yaml
@@ -0,0 +1,9 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../../bases/external-service-registration/
+patches:
+- path: external-service.yaml
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway/kustomization.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway/kustomization.yaml
new file mode 100644
index 0000000000..793a233b8f
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway/kustomization.yaml
@@ -0,0 +1,9 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../../bases/terminating-gateway
+patches:
+- path: terminating-gateway.yaml
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway/terminating-gateway.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway/terminating-gateway.yaml
new file mode 100644
index 0000000000..6b69cc1fc5
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway/terminating-gateway.yaml
@@ -0,0 +1,11 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: TerminatingGateway
+metadata:
+ name: terminating-gateway
+spec:
+ services:
+ - name: static-server
+ namespace: ns1
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/static-client-inject/kustomization.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/static-client-inject/kustomization.yaml
new file mode 100644
index 0000000000..81535d787f
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/static-client-inject/kustomization.yaml
@@ -0,0 +1,9 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../../bases/static-client/
+patches:
+- path: patch.yaml
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/static-client-inject/patch.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/static-client-inject/patch.yaml
new file mode 100644
index 0000000000..0879b41557
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/static-client-inject/patch.yaml
@@ -0,0 +1,13 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: static-client
+spec:
+ template:
+ metadata:
+ annotations:
+ "consul.hashicorp.com/connect-inject": "true"
+ "consul.hashicorp.com/connect-service-upstreams": "static-server.default:1234"
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/terminating-gateway/kustomization.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/terminating-gateway/kustomization.yaml
new file mode 100644
index 0000000000..793a233b8f
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/terminating-gateway/kustomization.yaml
@@ -0,0 +1,9 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../../bases/terminating-gateway
+patches:
+- path: terminating-gateway.yaml
diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/terminating-gateway/terminating-gateway.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/terminating-gateway/terminating-gateway.yaml
new file mode 100644
index 0000000000..607ed976a7
--- /dev/null
+++ b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/client-non-default/terminating-gateway/terminating-gateway.yaml
@@ -0,0 +1,11 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: TerminatingGateway
+metadata:
+ name: terminating-gateway
+spec:
+ services:
+ - name: static-server
+ namespace: default
diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
index 6bab0aa909..b2ccf89c63 100644
--- a/acceptance/tests/peering/peering_connect_test.go
+++ b/acceptance/tests/peering/peering_connect_test.go 
@@ -344,19 +344,33 @@ func TestPeering_Connect(t *testing.T) {
 terminatinggateway.CreateMeshConfigEntry(t, staticClientPeerClient, "")
 // Create the config entry for the terminating gateway
- terminatinggateway.CreateTerminatingGatewayConfigEntry(t, staticServerPeerClient, "", "", externalServerHostnameID)
- if c.ACLsEnabled {
- // Allow the terminating gateway write access to services prefixed with "static-server".
- terminatinggateway.UpdateTerminatingGatewayRole(t, staticServerPeerClient, terminatingGatewayRules)
- }
+ logger.Log(t, "creating terminating gateway")
+ k8s.KubectlApplyK(t, staticServerPeerClusterContext.KubectlOptions(t), "../fixtures/cases/crd-peers/default-terminating-gateway")
+ helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+ k8s.KubectlDeleteK(t, staticServerPeerClusterContext.KubectlOptions(t), "../fixtures/cases/crd-peers/default-terminating-gateway")
+ })
 // This is the URL that the static-client will use to dial the external static server in the server peer.
 externalServerHostnameURL := fmt.Sprintf("http://%s.virtual.%s.consul", externalServerHostnameID, staticServerPeer)
 // Register the external service.
 terminatinggateway.CreateServiceDefaultDestination(t, staticServerPeerClient, "", externalServerHostnameID, "http", 80, fmt.Sprintf("%s.%s", externalServerServiceName, externalServerK8sNamespace))
+
+ // Register the external service
+ k8sOptions := helpers.K8sOptions{
+ Options: staticServerPeerClusterContext.KubectlOptions(t),
+ NoCleanupOnFailure: cfg.NoCleanupOnFailure,
+ NoCleanup: cfg.NoCleanup,
+ KustomizeConfigPath: "../fixtures/cases/crd-peers/external-service-registration",
+ }
+
+ consulOptions := helpers.ConsulOptions{
+ ConsulClient: staticServerPeerClient,
+ ExternalServiceNameRegistration: "static-server-registration",
+ }
+
+ // (t-eckert) this shouldn't be required but currently is with HTTP services. It works around a bug.
- helpers.RegisterExternalService(t, staticServerPeerClient, "", externalServerHostnameID, fmt.Sprintf("%s.%s", externalServerServiceName, externalServerK8sNamespace), 80)
+ helpers.RegisterExternalServiceCRD(t, k8sOptions, consulOptions)
 // Export the external service to the client peer.
 logger.Log(t, "creating exported external services")
diff --git a/acceptance/tests/terminating-gateway/common.go b/acceptance/tests/terminating-gateway/common.go
index 65dd7545a8..d02bde16a7 100644
--- a/acceptance/tests/terminating-gateway/common.go
+++ b/acceptance/tests/terminating-gateway/common.go
@@ -39,37 +39,6 @@ func AddIntention(t *testing.T, consulClient *api.Client, sourcePeer, sourceNS,
 require.NoError(t, err)
 }
-func CreateTerminatingGatewayConfigEntry(t *testing.T, consulClient *api.Client, gwNamespace, serviceNamespace string, serviceNames ...string) {
- t.Helper()
-
- logger.Log(t, "creating config entry")
-
- if serviceNamespace != "" {
- logger.Logf(t, "creating the %s namespace in Consul", serviceNamespace)
- _, _, err := consulClient.Namespaces().Create(&api.Namespace{
- Name: serviceNamespace,
- }, nil)
- require.NoError(t, err)
- }
-
- var gatewayServices []api.LinkedService
- for _, serviceName := range serviceNames {
- linkedService := api.LinkedService{Name: serviceName, Namespace: serviceNamespace}
- gatewayServices = append(gatewayServices, linkedService)
- }
-
- configEntry := &api.TerminatingGatewayConfigEntry{
- Kind: api.TerminatingGateway,
- Name: "terminating-gateway",
- Namespace: gwNamespace,
- Services: gatewayServices,
- }
-
- created, _, err := consulClient.ConfigEntries().Set(configEntry, nil)
- require.NoError(t, err)
- require.True(t, created, "failed to create config entry")
-}
-
 func UpdateTerminatingGatewayRole(t *testing.T, consulClient *api.Client, rules string) {
 t.Helper()
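Review bot: The removed `if c.ACLsEnabled { terminatinggateway.UpdateTerminatingGatewayRole(...) }` block has no replacement in the new code, so with ACLs enabled the terminating gateway's service:write on the external service must now come from somewhere else — presumably the policy the controller generates for the Registration CRD, which the changelog in this change says was fixed — but nothing in the hunk records that dependency. A comment at `helpers.RegisterExternalServiceCRD(t, k8sOptions, consulOptions)` such as `// With ACLs enabled the controller grants the terminating gateway service:write for this Registration; no manual role update is needed` (if that is indeed the mechanism) would keep a future reader from re-adding the manual grant or, worse, from missing that the test now silently depends on the controller doing it. The comment `// Register the external service.` above `terminatinggateway.CreateServiceDefaultDestination(...)` is now duplicated by the one above `k8sOptions`, and by its name that first call writes a service-defaults destination rather than a registration, so `// Create the service-defaults destination for the external service.` would be the accurate label. The same dropped role update without an explanatory note appears in the TestTerminatingGatewaySingleNamespace hunk of terminating_gateway_namespaces_test.go. TestPeering_Connect starts outside this hunk.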
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
index 67097b7648..3edb4a3b71 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
@@ -78,6 +78,7 @@ func TestTerminatingGatewayDestinations(t *testing.T) {
 // with service:write permissions to the static-server service
 // so that it can request Connect certificates for it.
 if c.secure {
+ logger.Log(t, "updating acl role")
 UpdateTerminatingGatewayRole(t, consulClient, terminatingGatewayRules)
 }
@@ -86,7 +87,11 @@ func TestTerminatingGatewayDestinations(t *testing.T) {
 CreateMeshConfigEntry(t, consulClient, "")
 // Create the config entry for the terminating gateway.
- CreateTerminatingGatewayConfigEntry(t, consulClient, "", "", staticServerHostnameID, staticServerIPID)
+ logger.Log(t, "creating terminating gateway")
+ k8s.KubectlApplyK(t, ctx.KubectlOptions(t), "../fixtures/cases/terminating-gateway-destinations")
+ helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+ k8s.KubectlDeleteK(t, ctx.KubectlOptions(t), "../fixtures/cases/terminating-gateway-destinations")
+ })
 // Deploy the static client
 logger.Log(t, "deploying static client")
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
index ee51a64c0d..2bec2b1698 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
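Review bot: In the second hunk the context comment `// Create the config entry for the terminating gateway.` now sits above a `k8s.KubectlApplyK` of the TerminatingGateway CRD instead of a direct config-entry write, so it describes the old code; `// Apply the TerminatingGateway CRD; the controller is expected to reconcile it into the config entry.` would match what the test does now. The `if c.secure` branch in the first hunk still calls `UpdateTerminatingGatewayRole` while the peering and single-namespace tests in this same change remove that call, so a sentence explaining why this test keeps managing the role itself (presumably because destinations are not backed by a Registration CRD the controller could derive a policy from) would stop someone from deleting it for consistency and breaking the secure case. TestTerminatingGatewayDestinations starts and ends outside both hunks.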
@@ -76,18 +76,27 @@ func TestTerminatingGatewaySingleNamespace(t *testing.T) {
 logger.Log(t, "creating static-server deployment")
 k8s.DeployKustomize(t, nsK8SOptions, cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/bases/static-server")
- // Register the external service.
- helpers.RegisterExternalService(t, consulClient, testNamespace, staticServerName, staticServerName, 80)
+ // Register the external service
+ k8sOptions := helpers.K8sOptions{
+ Options: ctx.KubectlOptions(t),
+ NoCleanupOnFailure: cfg.NoCleanupOnFailure,
+ NoCleanup: cfg.NoCleanup,
+ KustomizeConfigPath: "../fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration/",
+ }
- // If ACLs are enabled we need to update the role of the terminating gateway
- // with service:write permissions to the static-server service
- // so that it can request Connect certificates for it.
- if c.secure {
- UpdateTerminatingGatewayRole(t, consulClient, fmt.Sprintf(staticServerPolicyRulesNamespace, testNamespace))
+ consulOptions := helpers.ConsulOptions{
+ ConsulClient: consulClient,
+ Namespace: testNamespace,
+ ExternalServiceNameRegistration: "static-server-registration",
 }
- // Create the config entry for the terminating gateway.
- CreateTerminatingGatewayConfigEntry(t, consulClient, testNamespace, testNamespace, staticServerName)
+ helpers.RegisterExternalServiceCRD(t, k8sOptions, consulOptions)
+
+ logger.Log(t, "creating terminating gateway")
+ k8s.KubectlApplyK(t, nsK8SOptions, "../fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway")
+ helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+ k8s.KubectlDeleteK(t, nsK8SOptions, "../fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway")
+ })
 // Deploy the static client.
 logger.Log(t, "deploying static client")
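Review bot: The Registration CRD is applied with `Options: ctx.KubectlOptions(t)` while the static-server deployment and the TerminatingGateway CRD in the same hunk use `nsK8SOptions`, so the registration lands in a different Kubernetes namespace from every other fixture in this test; if that is deliberate, the comment should say so, e.g. `// Register the external service; the Registration CRD may live in any k8s namespace since its Consul namespace comes from the CRD spec` (assuming that is how the controller resolves it), otherwise `Options: nsK8SOptions,` keeps the fixtures together. The all-non-default external-service.yaml fixture hard-codes `namespace: ns1` and `address: static-server.ns1`, while `consulOptions` passes `Namespace: testNamespace`; `testNamespace` is declared outside this hunk, so the two only agree if it equals `ns1`, which deserves either a comment at its declaration or an assertion so a later rename of the test namespace fails loudly rather than registering the service into the wrong Consul namespace. TestTerminatingGatewaySingleNamespace starts outside the hunk.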
@@ -113,115 +122,229 @@ func TestTerminatingGatewaySingleNamespace(t *testing.T) {
 }

 // Test we can connect through the terminating gateway when the terminating gateway,
-// the external service, and the connect service are in different namespace.
+// the external service, and the connect service are in different combinations of namespaces.
 func TestTerminatingGatewayNamespaceMirroring(t *testing.T) {
 cfg := suite.Config()
 if !cfg.EnableEnterprise {
 t.Skipf("skipping this test because -enable-enterprise is not set")
 }

- cases := []struct {
- secure bool
+ type config struct {
+ path string
+ namespace string
+ }
+
+ // for simplicity/to keep from an explosion of test cases we're keeping the registration in the same namespace as the
+ // service being registered, this shouldn't matter because external services should be outside of the cluster typically
+ cases := map[string]struct {
+ termGWConfig config
+ externalServiceRegistrationConfig config
+ staticServerConfig config
+ staticClientConfig config
 }{
- {
- secure: false,
+ "all in default namespace": {
+ termGWConfig: config{
+ path: "../fixtures/bases/terminating-gateway",
+ namespace: "default",
+ },
+ externalServiceRegistrationConfig: config{
+ path: "../fixtures/bases/external-service-registration",
+ namespace: "default",
+ },
+ staticServerConfig: config{
+ path: "../fixtures/bases/static-server",
+ namespace: "default",
+ },
+ staticClientConfig: config{
+ path: "../fixtures/cases/static-client-inject",
+ namespace: "default",
+ },
 },
- {
- secure: true,
+ "all in same non-default namespace": {
+ termGWConfig: config{
+ path: "../fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway",
+ namespace: "ns1",
+ },
+ externalServiceRegistrationConfig: config{
+ path: "../fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration",
+ namespace: "ns1",
+ },
+ staticServerConfig: config{
+ path: "../fixtures/bases/static-server",
+ namespace: "ns1",
+ 
},
+ staticClientConfig: config{
+ path: "../fixtures/cases/static-client-namespaces",
+ namespace: "ns1",
+ },
+ },
+ "mesh service in default namespace everything else in non-default namespace": {
+ termGWConfig: config{
+ path: "../fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway",
+ namespace: "ns1",
+ },
+ externalServiceRegistrationConfig: config{
+ path: "../fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration",
+ namespace: "ns1",
+ },
+ staticServerConfig: config{
+ path: "../fixtures/bases/static-server",
+ namespace: "ns1",
+ },
+ staticClientConfig: config{
+ path: "../fixtures/cases/static-client-namespaces",
+ namespace: "default",
+ },
 },
+ "external service in default namespace everything else in non-default namespace": {
+ termGWConfig: config{
+ path: "../fixtures/cases/terminating-gateway-namespaces/client-non-default/terminating-gateway",
+ namespace: "ns1",
+ },
+ externalServiceRegistrationConfig: config{
+ path: "../fixtures/bases/external-service-registration",
+ namespace: "default",
+ },
+ staticServerConfig: config{
+ path: "../fixtures/bases/static-server",
+ namespace: "default",
+ },
+ staticClientConfig: config{
+ path: "../fixtures/cases/terminating-gateway-namespaces/client-non-default/static-client-inject",
+ namespace: "ns1",
+ },
+ },
+ // TODO: (NET-10248) need to dig in more on why this isn't working when acls are enabled.
+ // "terminating gateway in default namespace everything else in non-default namespace": {
+ // termGWConfig: config{
+ // path: "../fixtures/cases/terminating-gateway-namespaces/all-non-default/terminating-gateway",
+ // namespace: "default",
+ // },
+ // externalServiceRegistrationConfig: config{
+ // path: "../fixtures/cases/terminating-gateway-namespaces/all-non-default/external-service-registration",
+ // namespace: "ns1",
+ // },
+ // staticServerConfig: config{
+ // path: "../fixtures/bases/static-server",
+ // namespace: "ns1",
+ // },
+ // staticClientConfig: config{
+ // path: "../fixtures/cases/static-client-namespaces",
+ // namespace: "ns1",
+ // },
+ // },
 }
- for _, c := range cases {
- name := fmt.Sprintf("secure: %t", c.secure)
- t.Run(name, func(t *testing.T) {
- ctx := suite.Environment().DefaultContext(t)
-
- // Install the Helm chart without the terminating gateway first
- // so that we can create the namespace for it.
- helmValues := map[string]string{
- "connectInject.enabled": "true",
- "connectInject.consulNamespaces.mirroringK8S": "true",
-
- "global.enableConsulNamespaces": "true",
- "global.acls.manageSystemACLs": strconv.FormatBool(c.secure),
- "global.tls.enabled": strconv.FormatBool(c.secure),
-
- "terminatingGateways.enabled": "true",
- "terminatingGateways.gateways[0].name": "terminating-gateway",
- "terminatingGateways.gateways[0].replicas": "1",
- }
-
- releaseName := helpers.RandomName()
- consulCluster := consul.NewHelmCluster(t, helmValues, ctx, cfg, releaseName)
-
- consulCluster.Create(t)
-
- consulClient, _ := consulCluster.SetupConsulClient(t, c.secure)
-
- logger.Logf(t, "creating Kubernetes namespace %s", testNamespace)
- k8s.RunKubectl(t, ctx.KubectlOptions(t), "create", "ns", testNamespace)
- helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
- k8s.RunKubectl(t, ctx.KubectlOptions(t), "delete", "ns", testNamespace)
- })
-
- StaticClientNamespace := "ns2"
- logger.Logf(t, "creating Kubernetes namespace 
%s", StaticClientNamespace)
- k8s.RunKubectl(t, ctx.KubectlOptions(t), "create", "ns", StaticClientNamespace)
- helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
- k8s.RunKubectl(t, ctx.KubectlOptions(t), "delete", "ns", StaticClientNamespace)
+ for name, tc := range cases {
+ for _, secure := range []bool{true, false} {
+ name := fmt.Sprintf("%s secure: %t", name, secure)
+ t.Run(name, func(t *testing.T) {
+ ctx := suite.Environment().DefaultContext(t)
+
+ // Install the Helm chart without the terminating gateway first
+ // so that we can create the namespace for it.
+ helmValues := map[string]string{
+ "connectInject.enabled": "true",
+ "connectInject.consulNamespaces.mirroringK8S": "true",
+
+ "global.enableConsulNamespaces": "true",
+ "global.acls.manageSystemACLs": strconv.FormatBool(secure),
+ "global.tls.enabled": strconv.FormatBool(secure),
+
+ "terminatingGateways.enabled": "true",
+ "terminatingGateways.gateways[0].name": "terminating-gateway",
+ "terminatingGateways.gateways[0].replicas": "1",
+ "terminatingGateways.gateways[0].consulNamespace": tc.termGWConfig.namespace,
+ }
+
+ releaseName := helpers.RandomName()
+ consulCluster := consul.NewHelmCluster(t, helmValues, ctx, cfg, releaseName)
+
+ consulCluster.Create(t)
+
+ consulClient, _ := consulCluster.SetupConsulClient(t, secure)
+
+ seen := make(map[string]struct{}, 4)
+ for _, ns := range []string{tc.externalServiceRegistrationConfig.namespace, tc.staticServerConfig.namespace, tc.staticClientConfig.namespace, tc.termGWConfig.namespace} {
+ _, ok := seen[ns]
+ if ns != "default" && !ok {
+ logger.Logf(t, "creating Kubernetes namespace %s", ns)
+ k8s.RunKubectl(t, ctx.KubectlOptions(t), "create", "ns", ns)
+ helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+ k8s.RunKubectl(t, ctx.KubectlOptions(t), "delete", "ns", ns)
+ })
+ seen[ns] = struct{}{}
+ }
+ }
+
+ staticServerNSOpts := &terratestk8s.KubectlOptions{
+ ContextName: ctx.KubectlOptions(t).ContextName,
+ 
ConfigPath: ctx.KubectlOptions(t).ConfigPath,
+ Namespace: tc.staticServerConfig.namespace,
+ }
+
+ staticClientNSOpts := &terratestk8s.KubectlOptions{
+ ContextName: ctx.KubectlOptions(t).ContextName,
+ ConfigPath: ctx.KubectlOptions(t).ConfigPath,
+ Namespace: tc.staticClientConfig.namespace,
+ }
+
+ termGWNSOpts := &terratestk8s.KubectlOptions{
+ ContextName: ctx.KubectlOptions(t).ContextName,
+ ConfigPath: ctx.KubectlOptions(t).ConfigPath,
+ Namespace: tc.termGWConfig.namespace,
+ }
+
+ externalServiceRegistrationNSOpts := &terratestk8s.KubectlOptions{
+ ContextName: ctx.KubectlOptions(t).ContextName,
+ ConfigPath: ctx.KubectlOptions(t).ConfigPath,
+ Namespace: tc.externalServiceRegistrationConfig.namespace,
+ }
+
+ // Deploy a static-server that will play the role of an external service.
+ logger.Log(t, "creating static-server deployment")
+ k8s.DeployKustomize(t, staticServerNSOpts, cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, tc.staticServerConfig.path)
+
+ // Create the config entry for the terminating gateway.
+ logger.Log(t, "creating terminating gateway")
+ k8s.KubectlApplyK(t, termGWNSOpts, tc.termGWConfig.path)
+ helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+ k8s.KubectlDeleteK(t, termGWNSOpts, tc.termGWConfig.path)
+ })
+
+ k8sOpts := helpers.K8sOptions{
+ Options: externalServiceRegistrationNSOpts,
+ NoCleanupOnFailure: cfg.NoCleanupOnFailure,
+ NoCleanup: cfg.NoCleanup,
+ KustomizeConfigPath: tc.externalServiceRegistrationConfig.path,
+ }
+
+ consulOpts := helpers.ConsulOptions{
+ ConsulClient: consulClient,
+ Namespace: tc.externalServiceRegistrationConfig.namespace,
+ ExternalServiceNameRegistration: "static-server-registration",
+ }
+
+ helpers.RegisterExternalServiceCRD(t, k8sOpts, consulOpts)
+
+ // Deploy the static client
+ logger.Log(t, "deploying static client")
+ k8s.DeployKustomize(t, staticClientNSOpts, cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, tc.staticClientConfig.path)
+ // If ACLs are enabled, test that intentions prevent connections.
+ if secure {
+ // With the terminating gateway up, we test that we can make a call to it
+ // via the static-server. It should fail to connect with the
+ // static-server pod because of intentions.
+ logger.Log(t, "testing intentions prevent connections through the terminating gateway")
+ k8s.CheckStaticServerConnectionFailing(t, staticClientNSOpts, staticClientName, staticServerLocalAddress)
+
+ logger.Log(t, "adding intentions to allow traffic from client ==> server")
+ AddIntention(t, consulClient, "", tc.staticClientConfig.namespace, staticClientName, tc.staticServerConfig.namespace, staticServerName)
+ }
+
+ // Test that we can make a call to the terminating gateway
+ logger.Log(t, "trying calls to terminating gateway")
+ k8s.CheckStaticServerConnectionSuccessful(t, staticClientNSOpts, staticClientName, staticServerLocalAddress)
 })
-
- ns1K8SOptions := &terratestk8s.KubectlOptions{
- ContextName: ctx.KubectlOptions(t).ContextName,
- ConfigPath: ctx.KubectlOptions(t).ConfigPath,
- Namespace: testNamespace,
- }
- ns2K8SOptions := &terratestk8s.KubectlOptions{
- ContextName: ctx.KubectlOptions(t).ContextName,
- ConfigPath: ctx.KubectlOptions(t).ConfigPath,
- Namespace: StaticClientNamespace,
- }
-
- // Deploy a static-server that will play the role of an external service.
- logger.Log(t, "creating static-server deployment")
- k8s.DeployKustomize(t, ns1K8SOptions, cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/bases/static-server")
-
- // Register the external service
- helpers.RegisterExternalService(t, consulClient, testNamespace, staticServerName, staticServerName, 80)
-
- // If ACLs are enabled we need to update the role of the terminating gateway
- // with service:write permissions to the static-server service
- // so that it can request Connect certificates for it.
- if c.secure {
- UpdateTerminatingGatewayRole(t, consulClient, fmt.Sprintf(staticServerPolicyRulesNamespace, testNamespace))
- }
-
- // Create the config entry for the terminating gateway
- CreateTerminatingGatewayConfigEntry(t, consulClient, "", testNamespace, staticServerName)
-
- // Deploy the static client
- logger.Log(t, "deploying static client")
- k8s.DeployKustomize(t, ns2K8SOptions, cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/cases/static-client-namespaces")
-
- // If ACLs are enabled, test that intentions prevent connections.
- if c.secure {
- // With the terminating gateway up, we test that we can make a call to it
- // via the static-server. It should fail to connect with the
- // static-server pod because of intentions.
- logger.Log(t, "testing intentions prevent connections through the terminating gateway")
- k8s.CheckStaticServerConnectionFailing(t, ns2K8SOptions, staticClientName, staticServerLocalAddress)
-
- logger.Log(t, "adding intentions to allow traffic from client ==> server")
- AddIntention(t, consulClient, "", StaticClientNamespace, staticClientName, testNamespace, staticServerName)
- }
-
- // Test that we can make a call to the terminating gateway
- logger.Log(t, "trying calls to terminating gateway")
- k8s.CheckStaticServerConnectionSuccessful(t, ns2K8SOptions, staticClientName, staticServerLocalAddress)
- })
+ }
 }
 }
-
-const staticServerPolicyRulesNamespace = `namespace %q {
-service "static-server" {
- policy = "write"
-}}`
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_test.go
index acd0232227..168fa497a0 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_test.go
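Review bot: The namespace cleanup closure registered with `helpers.Cleanup` captures the loop variable `ns` from `for _, ns := range []string{...}`; with Go 1.22 per-iteration loop variables this is fine, but if the acceptance module's `go.mod` directive is older, every deferred `kubectl delete ns` would run against the last value of `ns` and the other namespaces would leak between runs. Shadowing with `ns := ns` as the first statement of that loop body removes the dependency on the language version. The fourth case ("terminating gateway in default namespace ...") is carried as commented-out code under a TODO; a `skip string` field on the case struct honoured by `t.Skip(tc.skip)` at the top of the subtest keeps the case compiled and visible in `go test -v` output instead of silently rotting. The subtest name assignment `name := fmt.Sprintf("%s secure: %t", name, secure)` shadows the outer `name` from `for name, tc := range cases`, which reads confusingly; `subtestName` would be clearer.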
@@ -54,18 +54,27 @@ func TestTerminatingGateway(t *testing.T) {
 // Once the cluster is up, register the external service, then create the config entry.
 consulClient, _ := consulCluster.SetupConsulClient(t, c.secure)

- // Register the external service
- helpers.RegisterExternalService(t, consulClient, "", staticServerName, staticServerName, 80)
+ logger.Log(t, "creating terminating gateway")
+ k8s.KubectlApplyK(t, ctx.KubectlOptions(t), "../fixtures/bases/terminating-gateway")
+ helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+ k8s.KubectlDeleteK(t, ctx.KubectlOptions(t), "../fixtures/bases/terminating-gateway")
+ })
+
+ k8sOpts := helpers.K8sOptions{
+ Options: ctx.KubectlOptions(t),
+ NoCleanupOnFailure: cfg.NoCleanupOnFailure,
+ NoCleanup: cfg.NoCleanup,
+ KustomizeConfigPath: "../fixtures/bases/external-service-registration",
+ }

- // If ACLs are enabled we need to update the role of the terminating gateway
- // with service:write permissions to the static-server service
- // so that it can request Connect certificates for it.
- if c.secure {
- UpdateTerminatingGatewayRole(t, consulClient, staticServerPolicyRules)
+ consulOpts := helpers.ConsulOptions{
+ ConsulClient: consulClient,
+ ExternalServiceNameRegistration: "static-server-registration",
 }

- // Create the config entry for the terminating gateway.
- CreateTerminatingGatewayConfigEntry(t, consulClient, "", "", staticServerName)
+ helpers.RegisterExternalServiceCRD(t, k8sOpts, consulOpts)
+
+ helpers.CheckExternalServiceConditions(t, "static-server-registration", k8sOpts.Options)

 // Deploy the static client
 logger.Log(t, "deploying static client")
@@ -89,7 +98,3 @@ func TestTerminatingGateway(t *testing.T) {
 })
 }
 }
-
-const staticServerPolicyRules = `service "static-server" {
- policy = "write"
-}`
diff --git a/charts/consul/Chart.yaml b/charts/consul/Chart.yaml
index 3dc8d13015..caeccaba35 100644
--- a/charts/consul/Chart.yaml
+++ b/charts/consul/Chart.yaml
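Review bot: The gateway is applied before `helpers.RegisterExternalServiceCRD`, whereas the namespaces test hunk at `@@ -76,18 +76,27 @@` registers the external service first and applies the gateway afterwards; if the ACL policy generated for the Registration depends on the gateway already existing (the removed `UpdateTerminatingGatewayRole` step used to grant `service:write` explicitly), the two tests exercise different orderings and only this one asserts the result with `helpers.CheckExternalServiceConditions`. Picking one order and calling `CheckExternalServiceConditions` in both tests would make the secure case comparable across the suite. The literal `"static-server-registration"` is repeated in `consulOpts` and in the condition check; a `const externalServiceRegistrationName = "static-server-registration"` keeps the two from drifting. `TestTerminatingGateway` begins and ends outside the hunks.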
@@ -3,8 +3,8 @@
 apiVersion: v2
 name: consul
-version: 1.6.0-dev
-appVersion: 1.20-dev
+version: 1.5.1-dev
+appVersion: 1.19-dev
 kubeVersion: ">=1.22.0-0"
 description: Official HashiCorp Consul Chart
 home: https://www.consul.io
@@ -16,11 +16,11 @@ annotations:
 artifacthub.io/prerelease: true
 artifacthub.io/images: |
 - name: consul
- image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.20-dev
+ image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.19-dev
 - name: consul-k8s-control-plane
- image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.6-dev
+ image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.5-dev
 - name: consul-dataplane
- image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev
+ image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.5-dev
 - name: envoy
 image: envoyproxy/envoy:v1.25.11
 artifacthub.io/license: MPL-2.0
diff --git a/charts/consul/README.md b/charts/consul/README.md
index a0a9929ed4..d917af676b 100644
--- a/charts/consul/README.md
+++ b/charts/consul/README.md
@@ -42,7 +42,7 @@ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
 The following pre-requisites must be met before installing Consul on Kubernetes.

- * **Kubernetes 1.26.x - 1.29.x** - This represents the earliest versions of Kubernetes tested.
+ * **Kubernetes 1.27.x - 1.30.x** - This represents the earliest versions of Kubernetes tested.
 It is possible that this chart works with earlier versions, but it is untested.

 * Helm install
diff --git a/charts/consul/templates/client-securitycontextconstraints.yaml b/charts/consul/templates/client-securitycontextconstraints.yaml
index 07e7711384..c14dd1c991 100644
--- a/charts/consul/templates/client-securitycontextconstraints.yaml
+++ b/charts/consul/templates/client-securitycontextconstraints.yaml
@@ -13,6 +13,7 @@ metadata:
 annotations:
 kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required to run the consul client.
+# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
 {{- if .Values.client.dataDirectoryHostPath }}
 allowHostDirVolumePlugin: true
 {{- else }}
@@ -44,13 +45,17 @@ supplementalGroups:
 type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
 - configMap
 - downwardAPI
 - emptyDir
-- persistentVolumeClaim
-- projected
-- secret
 {{- if .Values.client.dataDirectoryHostPath }}
 - hostPath
 {{- end }}
+- persistentVolumeClaim
+- projected
+- secret
 {{- end}}
diff --git a/charts/consul/templates/cni-securitycontextconstraints.yaml b/charts/consul/templates/cni-securitycontextconstraints.yaml
index 2c09dba9b8..cb60104cf0 100644
--- a/charts/consul/templates/cni-securitycontextconstraints.yaml
+++ b/charts/consul/templates/cni-securitycontextconstraints.yaml
@@ -13,6 +13,7 @@ metadata:
 annotations:
 kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required to run consul-cni.
+# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
 allowHostDirVolumePlugin: true
 allowHostIPC: false
 allowHostNetwork: false
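Review bot: The four-line explanation inserted above `volumes:` is duplicated verbatim in the cni SCC hunk at `@@ -40,11 +41,15 @@`, and because these are plain `#` lines rather than `{{- /* ... */ -}}` template comments they are emitted into every rendered manifest; converting them to template comments keeps rendered output free of commentary while the rationale stays in the source. `Iff.` in the annotations hunk is easy to misread as a typo; `# If and only if allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).` says the same thing plainly. The ordering itself matches the stated rule: `hostPath` now sits between `emptyDir` and `persistentVolumeClaim` in both files and remains gated on `.Values.client.dataDirectoryHostPath` here, consistent with the `allowHostDirVolumePlugin` toggle in the first hunk.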
@@ -40,11 +41,15 @@ supplementalGroups:
 type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
 - configMap
 - downwardAPI
 - emptyDir
+- hostPath
 - persistentVolumeClaim
 - projected
 - secret
-- hostPath
 {{- end }}
diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml
index 9c8596b05b..2f609500ae 100644
--- a/charts/consul/templates/connect-inject-clusterrole.yaml
+++ b/charts/consul/templates/connect-inject-clusterrole.yaml
@@ -156,15 +156,21 @@ rules:
 - update
 - watch
 {{- end }}
+- apiGroups: [""]
+ resources: ["secrets", "serviceaccounts", "services"]
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+ - create
+ - update
 - apiGroups: [ "" ]
- resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ]
+ resources: ["endpoints", "namespaces", "nodes"]
 verbs:
- - create
 - get
 - list
 - watch
- - delete
- - update
 - apiGroups: [ "rbac.authorization.k8s.io" ]
 resources: [ "roles", "rolebindings" ]
 verbs:
diff --git a/charts/consul/templates/connect-inject-configmap.yaml b/charts/consul/templates/connect-inject-configmap.yaml
new file mode 100644
index 0000000000..98a7dae45f
--- /dev/null
+++ b/charts/consul/templates/connect-inject-configmap.yaml
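Review bot: The split leaves the injector's ClusterRole with `get`, `list` and `watch` on `secrets` across all namespaces, which is read access to every secret in the cluster; the commit narrows `endpoints`, `namespaces` and `nodes` to read-only but does not record why cluster-wide secret reads (plus `create`, `update`, `delete`) are still required. If the injector only needs secrets in its own namespace, or a known set of names, a `resourceNames` list or a namespaced Role for that rule would bound the blast radius of a compromised injector pod; failing that, a one-line comment above the new rule naming the secrets it manages would at least document the need for the next reviewer. The new rule uses `[""]` and `["secrets", "serviceaccounts", "services"]` while the neighbouring rules use `[ "" ]` and `[ "roles", "rolebindings" ]`; one spacing style within the file reads better. The `rules:` list begins and ends outside the hunk.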
@@ -0,0 +1,18 @@
+{{- if .Values.connectInject.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "consul.fullname" . }}-connect-inject-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "consul.name" . }}
+ chart: {{ template "consul.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ component: connect-injector
+data:
+ config.json: |
+ {
+ "image_pull_secrets": {{ .Values.global.imagePullSecrets | toJson }}
+ }
+{{- end }}
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index 5aaa50a107..2960365cb1 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -142,6 +142,7 @@ spec:
 - "-ec"
 - |
 exec consul-k8s-control-plane inject-connect \
+ -config-file=/consul/config/config.json \
 {{- if .Values.global.federation.enabled }}
 -enable-federation \
 {{- end }}
@@ -318,6 +319,9 @@ spec:
 successThreshold: 1
 timeoutSeconds: 5
 volumeMounts:
+ - name: config
+ mountPath: /consul/config
+ readOnly: true
 {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
 - name: certs
 mountPath: /etc/connect-injector/certs
@@ -333,6 +337,9 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 volumes:
+ - name: config
+ configMap:
+ name: {{ template "consul.fullname" . }}-connect-inject-config
 {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
 - name: certs
 secret:
diff --git a/charts/consul/templates/crd-apigateways.yaml b/charts/consul/templates/crd-apigateways.yaml
index a01d40c027..c790c6ddf9 100644
--- a/charts/consul/templates/crd-apigateways.yaml
+++ b/charts/consul/templates/crd-apigateways.yaml
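Review bot: The injector reads `/consul/config/config.json` via the new `-config-file` flag, but the deployment's pod template carries no checksum of the new ConfigMap, so changing `global.imagePullSecrets` on upgrade rewrites the ConfigMap without rolling the injector pods; if `inject-connect` loads the file only at startup, the running injector keeps stamping the old pull secrets into sidecars until it happens to restart. Adding `checksum/config: {{ include (print $.Template.BasePath "/connect-inject-configmap.yaml") . | sha256sum }}` to the pod template annotations (the usual Helm idiom) ties the rollout to the config content. When `global.imagePullSecrets` is unset, `toJson` renders `"image_pull_secrets": null`; either a short comment in the ConfigMap stating that the consumer treats null as empty, or `| default list` ahead of `toJson` so the rendered file is always a JSON array, would make that contract explicit. The `readOnly: true` on the mount is the right choice for a config volume.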
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -39,14 +39,19 @@ spec: description: APIGateway is the Schema for the API Gateway properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -60,13 +65,14 @@ spec: items: properties: hostname: - description: Hostname is the host name that a listener should - be bound to, if unspecified, the listener accepts requests - for all hostnames. + description: |- + Hostname is the host name that a listener should be bound to, if + unspecified, the listener accepts requests for all hostnames. type: string name: - description: Name is the name of the listener in a given gateway. - This must be unique within a gateway. + description: |- + Name is the name of the listener in a given gateway. This must be + unique within a gateway. type: string port: format: int32 @@ -74,18 +80,21 @@ spec: minimum: 0 type: integer protocol: - description: Protocol is the protocol that a listener should - use, it must either be "http" or "tcp" + description: |- + Protocol is the protocol that a listener should use, it must + either be "http" or "tcp" type: string tls: description: TLS is the TLS settings for the listener. properties: certificates: - description: Certificates is a set of references to certificates + description: |- + Certificates is a set of references to certificates that a gateway listener uses for TLS termination. items: - description: Reference identifies which resource a condition - relates to, when it is not the core resource itself. + description: |- + Reference identifies which resource a condition relates to, when it is not + the core resource itself. properties: name: description: Name is the user-given name of the resource 
@@ -96,37 +105,41 @@ spec: resource the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units - (i.e. partition, namespace) in which the resource - resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources - within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list resources - across all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list resources - across all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. "catalog", - "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). 
type: string groupVersion: - description: GroupVersion is incremented when - sweeping or backward-incompatible changes are - made to the group's resource types. + description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes + are made to the group's resource types. type: string kind: description: Kind identifies the specific resource @@ -216,8 +229,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition - for a Consul resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the @@ -260,8 +274,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a - Consul resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-controlplanerequestlimits.yaml b/charts/consul/templates/crd-controlplanerequestlimits.yaml index 1939a8d373..4e11ceb1c3 100644 --- a/charts/consul/templates/crd-controlplanerequestlimits.yaml +++ b/charts/consul/templates/crd-controlplanerequestlimits.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -36,14 +36,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -155,8 +160,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-exportedservices-v1.yaml b/charts/consul/templates/crd-exportedservices-v1.yaml index 081a2b0cf0..a7fbd87e27 100644 --- a/charts/consul/templates/crd-exportedservices-v1.yaml +++ b/charts/consul/templates/crd-exportedservices-v1.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,14 +41,19 @@ spec: description: ExportedServices is the Schema for the exportedservices API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,11 +61,13 @@ spec: description: ExportedServicesSpec defines the desired state of ExportedServices. properties: services: - description: Services is a list of services to be exported and the - list of partitions to expose them to. + description: |- + Services is a list of services to be exported and the list of partitions + to expose them to. items: - description: ExportedService manages the exporting of a service - in the local partition to other partitions. + description: |- + ExportedService manages the exporting of a service in the local partition to + other partitions. properties: consumers: description: Consumers is a list of downstream consumers of @@ -99,8 +106,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-exportedservices.yaml b/charts/consul/templates/crd-exportedservices.yaml index 6613e3da7e..4b9beb651d 100644 --- a/charts/consul/templates/crd-exportedservices.yaml +++ b/charts/consul/templates/crd-exportedservices.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -39,14 +39,19 @@ spec: description: ExportedServices is the Schema for the Exported Services API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -68,8 +73,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-gatewayclassconfigs-v1.yaml b/charts/consul/templates/crd-gatewayclassconfigs-v1.yaml index a611e91b2b..2db954b93d 100644 --- a/charts/consul/templates/crd-gatewayclassconfigs-v1.yaml +++ b/charts/consul/templates/crd-gatewayclassconfigs-v1.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -27,14 +27,19 @@ spec: for Consul API Gateway. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -81,19 +86,24 @@ spec: gateway. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -109,8 +119,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -119,11 +130,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object @@ -136,8 +147,9 @@ spec: description: Metrics defines how to configure the metrics for a gateway. properties: enabled: - description: Enable metrics for this class of gateways. If unspecified, - will inherit behavior from the global Helm configuration. + description: |- + Enable metrics for this class of gateways. If unspecified, will inherit + behavior from the global Helm configuration. type: boolean path: description: The path used for metrics. 
@@ -152,9 +164,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for the - pod to fit on a node. Selector which must match a node''s labels - for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object openshiftSCCName: description: The name of the OpenShift SecurityContextConstraints 
@@ -172,43 +185,43 @@ spec: - LoadBalancer type: string tolerations: - description: 'Tolerations allow the scheduler to schedule nodes with - matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + description: |- + Tolerations allow the scheduler to schedule nodes with matching taints. + More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ items: - description: The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match all - values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the - value. Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod - can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. 
+ Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time - the toleration (which must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. By default, it - is not set, which means tolerate the taint forever (do not - evict). Zero and negative values will be treated as 0 (evict - immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array diff --git a/charts/consul/templates/crd-gatewayclassconfigs.yaml b/charts/consul/templates/crd-gatewayclassconfigs.yaml index 065efb0df8..50944acae0 100644 --- a/charts/consul/templates/crd-gatewayclassconfigs.yaml +++ b/charts/consul/templates/crd-gatewayclassconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -31,14 +31,19 @@ spec: description: GatewayClassConfig is the Schema for the Mesh Gateway API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -50,19 +55,18 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key included - here will override those in Set if specified on the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included here - will be overridden if present in InheritFromGateway and set - on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object deployment: 
@@ -78,22 +82,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -103,32 +105,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -141,32 +137,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -188,53 +178,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -247,32 +230,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -295,18 +272,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -325,30 +300,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -360,53 +330,45 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -418,42 +380,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -462,23 +419,22 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, 
@@ -489,28 +445,24 @@ spec: selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -523,51 +475,44 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -580,33 +525,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -619,18 +560,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -649,30 +588,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -684,53 +618,45 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -742,42 +668,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -786,23 +707,22 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, 
@@ -813,28 +733,24 @@ spec: selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -847,51 +763,44 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -904,33 +813,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -942,20 +847,18 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object container: @@ -982,10 +885,9 @@ spec: format: int32 type: integer portModifier: - description: PortModifier specifies the value to be added - to every port value for listeners on this gateway. This - is generally used to avoid binding to privileged ports in - the container. + description: |- + PortModifier specifies the value to be added to every port value for listeners on this gateway. + This is generally used to avoid binding to privileged ports in the container. format: int32 type: integer resources: 
@@ -993,18 +895,23 @@ spec: for the created Deployment's container properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -1021,8 +928,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -1031,11 +939,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object 
@@ -1075,18 +983,23 @@ spec: for the created Deployment's init container properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -1103,8 +1016,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -1113,11 +1027,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object 
@@ -1125,31 +1039,30 @@ spec: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a feature that constrains the scheduling - of a pod to nodes that match specified labels. By defining NodeSelector - in a pod''s configuration, you can ensure that the pod is only - scheduled to nodes with the corresponding labels, providing - a way to influence the placement of workloads based on node - attributes. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a feature that constrains the scheduling of a pod to nodes that + match specified labels. + By defining NodeSelector in a pod's configuration, you can ensure that the pod is + only scheduled to nodes with the corresponding labels, providing a way to + influence the placement of workloads based on node attributes. 
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object priorityClassName: description: PriorityClassName specifies the priority class name @@ -1165,17 +1078,17 @@ spec: format: int32 type: integer max: - description: Max is the maximum number of replicas allowed - for a gateway with this class. If the replica count exceeds - this value due to manual or automated scaling, the replica - count will be restored to this value. + description: |- + Max is the maximum number of replicas allowed for a gateway with this class. + If the replica count exceeds this value due to manual or automated scaling, + the replica count will be restored to this value. format: int32 type: integer min: - description: Min is the minimum number of replicas allowed - for a gateway with this class. If the replica count drops - below this value due to manual or automated scaling, the - replica count will be restored to this value. + description: |- + Min is the minimum number of replicas allowed for a gateway with this class. + If the replica count drops below this value due to manual or automated scaling, + the replica count will be restored to this value. format: int32 type: integer type: object 
@@ -1184,63 +1097,68 @@ spec: the created Deployment's Pod. properties: fsGroup: - description: "A special supplemental group that applies to - all containers in a pod. Some volume types allow the Kubelet - to change the ownership of that volume to be owned by the - pod: \n 1. The owning GID will be the FSGroup 2. The setgid - bit is set (new files created in the volume will be owned - by FSGroup) 3. The permission bits are OR'd with rw-rw---- - \n If unset, the Kubelet will not modify the ownership and - permissions of any volume. Note that this field cannot be - set when spec.os.name is windows." + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer fsGroupChangePolicy: - description: 'fsGroupChangePolicy defines behavior of changing - ownership and permission of the volume before being exposed - inside Pod. This field will only apply to volume types which - support fsGroup based ownership(and permissions). It will - have no effect on ephemeral volume types such as: secret, - configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. Note that - this field cannot be set when spec.os.name is windows.' + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). 
+ It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. type: string runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be set - in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this field - cannot be set when spec.os.name is windows. + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as a non-root - user. If true, the Kubelet will validate the image at runtime - to ensure that it does not run as UID 0 (root) and fail - to start the container if it does. If unset or false, no - such validation will be performed. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container - process. 
Defaults to user specified in image metadata if - unspecified. May also be set in SecurityContext. If set - in both SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence for that container. - Note that this field cannot be set when spec.os.name is - windows. + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random - SELinux context for each container. May also be set in - SecurityContext. If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence - for that container. Note that this field cannot be set when - spec.os.name is windows. + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that applies 
@@ -1260,47 +1178,48 @@ spec: type: string type: object seccompProfile: - description: The seccomp options to use by the containers - in this pod. Note that this field cannot be set when spec.os.name - is windows. + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile defined - in a file on the node should be used. The profile must - be preconfigured on the node to work. Must be a descending - path, relative to the kubelet's configured seccomp profile - location. Must be set if type is "Localhost". Must NOT - be set for any other type. + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. type: string type: - description: "type indicates which kind of seccomp profile - will be applied. Valid options are: \n Localhost - a - profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile - should be used. Unconfined - no profile should be applied." + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. type: string required: - type type: object supplementalGroups: - description: A list of groups applied to the first process - run in each container, in addition to the container's primary - GID, the fsGroup (if specified), and group memberships defined - in the container image for the uid of the container process. 
- If unspecified, no additional groups are added to any container. - Note that group memberships defined in the container image - for the uid of the container process are still effective, - even if they are not included in this list. Note that this - field cannot be set when spec.os.name is windows. + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. items: format: int64 type: integer type: array sysctls: - description: Sysctls hold a list of namespaced sysctls used - for the pod. Pods with unsupported sysctls (by the container - runtime) might fail to launch. Note that this field cannot - be set when spec.os.name is windows. + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. items: description: Sysctl defines a kernel parameter to be set properties: 
@@ -1316,39 +1235,35 @@ spec: type: object type: array windowsOptions: - description: The Windows specific settings applied to all - containers. If unspecified, the options within a container's - SecurityContext will be used. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set when - spec.os.name is linux. + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission - webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec named - by the GMSACredentialSpecName field. + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container should - be run as a 'Host Process' container. All of a Pod's - containers must have the same effective HostProcess - value (it is not allowed to have a mix of HostProcess - containers and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must also be - set to true. + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). 
+ In addition, if HostProcess is true then HostNetwork must also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint - of the container process. Defaults to the user specified - in image metadata if unspecified. May also be set in - PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence. + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. type: string type: object type: object 
@@ -1356,62 +1271,62 @@ spec: description: Tolerations specifies the tolerations to use on the created Deployment. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. 
- By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array topologySpreadConstraints: - description: 'TopologySpreadConstraints is a feature that controls - how pods are spead across your topology. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/' + description: |- + TopologySpreadConstraints is a feature that controls how pods are spead across your topology. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ items: description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. properties: labelSelector: - description: LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine - the number of pods in their corresponding topology domain. + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1419,17 +1334,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1441,132 +1355,134 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic matchLabelKeys: - description: "MatchLabelKeys is a set of pod label keys - to select the pods over which spreading will be calculated. - The keys are used to lookup values from the incoming pod - labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading - will be calculated for the incoming pod. The same key - is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't - set. Keys that don't exist in the incoming pod labels - will be ignored. A null or empty list means only match - against labelSelector. \n This is a beta field and requires - the MatchLabelKeysInPodTopologySpread feature gate to - be enabled (enabled by default)." + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). items: type: string type: array x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to which pods - may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, - it is the maximum permitted difference between the number - of matching pods in the target topology and the global - minimum. The global minimum is the minimum number of matching - pods in an eligible domain or zero if the number of eligible - domains is less than MinDomains. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with the same labelSelector - spread as 2/2/1: In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to - zone3 to become 2/2/2; scheduling it onto zone1(zone2) - would make the ActualSkew(3-1) on zone1(zone2) violate - MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled - onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies that - satisfy it. It''s a required field. Default value is 1 - and 0 is not allowed.' + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. 
+ | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. format: int32 type: integer minDomains: - description: "MinDomains indicates a minimum number of eligible - domains. When the number of eligible domains with matching - topology keys is less than minDomains, Pod Topology Spread - treats \"global minimum\" as 0, and then the calculation - of Skew is performed. And when the number of eligible - domains with matching topology keys equals or greater - than minDomains, this value has no effect on scheduling. - As a result, when the number of eligible domains is less - than minDomains, scheduler won't schedule more than maxSkew - Pods to those domains. If value is nil, the constraint - behaves as if MinDomains is equal to 1. Valid values are - integers greater than 0. When value is not nil, WhenUnsatisfiable - must be DoNotSchedule. \n For example, in a 3-zone cluster, - MaxSkew is set to 2, MinDomains is set to 5 and pods with - the same labelSelector spread as 2/2/2: | zone1 | zone2 - | zone3 | | P P | P P | P P | The number of domains - is less than 5(MinDomains), so \"global minimum\" is treated - as 0. In this situation, new pod with the same labelSelector - cannot be scheduled, because computed skew will be 3(3 - - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. \n This is a beta field and requires - the MinDomainsInPodTopologySpread feature gate to be enabled - (enabled by default)." + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). format: int32 type: integer nodeAffinityPolicy: - description: "NodeAffinityPolicy indicates how we will treat - Pod's nodeAffinity/nodeSelector when calculating pod topology - spread skew. Options are: - Honor: only nodes matching - nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes - are included in the calculations. \n If this value is - nil, the behavior is equivalent to the Honor policy. This - is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread - feature flag." + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. 
Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string nodeTaintsPolicy: - description: "NodeTaintsPolicy indicates how we will treat - node taints when calculating pod topology spread skew. - Options are: - Honor: nodes without taints, along with - tainted nodes for which the incoming pod has a toleration, - are included. - Ignore: node taints are ignored. All nodes - are included. \n If this value is nil, the behavior is - equivalent to the Ignore policy. This is a beta-level - feature default enabled by the NodeInclusionPolicyInPodTopologySpread - feature flag." + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string topologyKey: - description: TopologyKey is the key of node labels. Nodes - that have a label with this key and identical values are - considered to be in the same topology. We consider each - as a "bucket", and try to put balanced number - of pods into each bucket. We define a domain as a particular - instance of a topology. Also, we define an eligible domain - as a domain whose nodes meet the requirements of nodeAffinityPolicy - and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", - each Node is a domain of that topology. 
And, if TopologyKey - is "topology.kubernetes.io/zone", each zone is a domain - of that topology. It's a required field. + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal with - a pod if it doesn''t satisfy the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule - it. - ScheduleAnyway tells the scheduler to schedule the - pod in any location, but giving higher precedence to topologies - that would help reduce the skew. A constraint is considered - "Unsatisfiable" for an incoming pod if and only if every - possible node assignment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, MaxSkew - is set to 1, and pods with the same labelSelector spread - as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming - pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). - In other words, the cluster can still be imbalanced, but - scheduler won''t make it *more* imbalanced. It''s a required - field.' + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. 
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. type: string required: - maxSkew @@ -1579,19 +1495,18 @@ spec: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key included - here will override those in Set if specified on the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included here - will be overridden if present in InheritFromGateway and set - on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object role: 
@@ -1602,40 +1517,36 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object labels: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. 
+ Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object type: object 
@@ -1647,40 +1558,36 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object labels: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. 
+ Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object type: object 
@@ -1692,40 +1599,36 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object labels: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. 
+ Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object type: 
@@ -1745,40 +1648,36 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object labels: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. 
+ Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object type: object @@ -1789,8 +1688,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-gatewayclasses.yaml b/charts/consul/templates/crd-gatewayclasses.yaml index 70763f9104..9880d7db0f 100644 --- a/charts/consul/templates/crd-gatewayclasses.yaml +++ b/charts/consul/templates/crd-gatewayclasses.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -31,28 +31,35 @@ spec: description: GatewayClass is the Schema for the Gateway Class API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controllerName: - description: ControllerName is the name of the Kubernetes controller + description: |- + ControllerName is the name of the Kubernetes controller that manages Gateways of this class type: string description: description: Description of GatewayClass type: string parametersRef: - description: ParametersRef refers to a resource responsible for configuring + description: |- + ParametersRef refers to a resource responsible for configuring the behavior of the GatewayClass. properties: group: 
@@ -82,8 +89,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-gatewaypolicies.yaml b/charts/consul/templates/crd-gatewaypolicies.yaml index 1cdfa331f5..904b65d607 100644 --- a/charts/consul/templates/crd-gatewaypolicies.yaml +++ b/charts/consul/templates/crd-gatewaypolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -39,14 +39,19 @@ spec: description: GatewayPolicy is the Schema for the gatewaypolicies API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -67,9 +72,9 @@ spec: verification information. properties: name: - description: Name is the name of the JWT provider. There - MUST be a corresponding "jwt-provider" config entry - with this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional claims 
@@ -85,11 +90,14 @@ spec: type: string type: array value: - description: "Value is the expected value at the - given path: - If the type at the path is a list - then we verify that this value is contained - in the list. \n - If the type at the path is - a string then we verify that this value matches." + description: |- + Value is the expected value at the given path: + - If the type at the path is a list then we verify + that this value is contained in the list. + + + - If the type at the path is a string then we verify + that this value matches. type: string required: - path @@ -118,9 +126,9 @@ spec: verification information. properties: name: - description: Name is the name of the JWT provider. There - MUST be a corresponding "jwt-provider" config entry - with this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional claims @@ -136,11 +144,14 @@ spec: type: string type: array value: - description: "Value is the expected value at the - given path: - If the type at the path is a list - then we verify that this value is contained - in the list. \n - If the type at the path is - a string then we verify that this value matches." + description: |- + Value is the expected value at the given path: + - If the type at the path is a list then we verify + that this value is contained in the list. + + + - If the type at the path is a string then we verify + that this value matches. type: string required: - path 
@@ -174,10 +185,11 @@ spec: minLength: 1 type: string namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it may only apply - to traffic originating from the same namespace as the policy. + description: |- + Namespace is the namespace of the referent. When unspecified, the local + namespace is inferred. Even when policy targets a resource in a different + namespace, it may only apply to traffic originating from the same + namespace as the policy. maxLength: 253 minLength: 1 type: string 
@@ -200,46 +212,53 @@ spec: description: GatewayPolicyStatus defines the observed state of the gateway. properties: conditions: - description: "Conditions describe the current conditions of the Policy. - \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + description: |- + Conditions describe the current conditions of the Policy. + + + Known condition types are: + + + * "Accepted" + * "ResolvedRefs" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -253,11 +272,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/charts/consul/templates/crd-grpcroutes.yaml b/charts/consul/templates/crd-grpcroutes.yaml index 8766c8edbe..8d2c61c75e 100644 --- a/charts/consul/templates/crd-grpcroutes.yaml +++ b/charts/consul/templates/crd-grpcroutes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,45 +41,67 @@ spec: description: GRPCRoute is the Schema for the GRPC Route API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: "NOTE: this should align to the GAMMA/gateway-api version, - or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute - \n This is a Resource type." + description: |- + NOTE: this should align to the GAMMA/gateway-api version, or at least be + easily translatable. + + + https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + + + This is a Resource type. 
properties: hostnames: - description: "Hostnames are the hostnames for which this GRPCRoute - should respond to requests. \n This is only valid for north/south." + description: |- + Hostnames are the hostnames for which this GRPCRoute should respond to requests. + + + This is only valid for north/south. items: type: string type: array parentRefs: - description: "ParentRefs references the resources (usually Services) - that a Route wants to be attached to. \n It is invalid to reference - an identical parent more than once. It is valid to reference multiple - distinct sections within the same parent resource." + description: |- + ParentRefs references the resources (usually Services) that a Route wants + to be attached to. + + + It is invalid to reference an identical parent more than once. It is valid + to reference multiple distinct sections within the same parent resource. items: description: 'NOTE: roughly equivalent to structs.ResourceReference' properties: port: - description: "For east/west this is the name of the Consul Service - port to direct traffic to or empty to imply all. For north/south - this is TBD. \n For more details on potential values of this - field, see documentation for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply all. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: - description: For east/west configuration, this should point - to a Service. For north/south it should point to a Gateway. + description: |- + For east/west configuration, this should point to a Service. + For north/south it should point to a Gateway. properties: name: description: Name is the user-given name of the resource 
@@ -90,36 +112,41 @@ spec: the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units (i.e. - partition, namespace) in which the resource resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources within - a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. "catalog", - "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). type: string groupVersion: - description: GroupVersion is incremented when sweeping - or backward-incompatible changes are made to the group's - resource types. 
+ description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes + are made to the group's resource types. type: string kind: description: Kind identifies the specific resource type 
@@ -134,22 +161,31 @@ spec: items: properties: backendRefs: - description: "BackendRefs defines the backend(s) where matching - requests should be sent. Failure behavior here depends on - how many BackendRefs are specified and how many are invalid. - \n If all entries in BackendRefs are invalid, and there are - also no filters specified in this route rule, all traffic - which matches this rule MUST receive a 500 status code. \n - See the GRPCBackendRef definition for the rules about what - makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef - is invalid, 500 status codes MUST be returned for requests - that would have otherwise been routed to an invalid backend. - If multiple backends are specified, and some are invalid, - the proportion of requests that would otherwise have been - routed to an invalid backend MUST receive a 500 status code. - \n For example, if two backends are specified with equal weights, - and one is invalid, 50 percent of traffic must receive a 500. - Implementations may choose how that 50 percent is determined." + description: |- + BackendRefs defines the backend(s) where matching requests should be sent. + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If all entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, all traffic which matches this rule MUST + receive a 500 status code. + + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + + When a GRPCBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend MUST + receive a 500 status code. 
+ + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. items: properties: backendRef: @@ -157,12 +193,14 @@ spec: datacenter: type: string port: - description: "For east/west this is the name of the - Consul Service port to direct traffic to or empty - to imply using the same value as the parent ref. - For north/south this is TBD. \n For more details - on potential values of this field, see documentation - for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply using the same value as the parent ref. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: description: For east/west configuration, this should 
@@ -177,36 +215,40 @@ spec: the resource the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units - (i.e. partition, namespace) in which the resource - resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources - within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. - "catalog", "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). 
type: string groupVersion: - description: GroupVersion is incremented when - sweeping or backward-incompatible changes + description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes are made to the group's resource types. type: string kind: @@ -217,20 +259,20 @@ spec: type: object type: object filters: - description: Filters defined at this level should be executed - if and only if the request is being forwarded to the - backend defined here. + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. items: properties: requestHeaderModifier: - description: RequestHeaderModifier defines a schema - for a filter that modifies request headers. + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. properties: add: - description: Add adds the given header(s) (name, - value) to the request before the action. It - appends to any existing values associated - with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: 
@@ -240,17 +282,17 @@ spec: type: object type: array remove: - description: Remove the given header(s) from - the HTTP request before the action. The value - of Remove is a list of HTTP header names. - Note that the header names are case-insensitive - (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with - the given header (name, value) before the + description: |- + Set overwrites the request with the given header (name, value) before the action. items: properties: @@ -262,14 +304,14 @@ spec: type: array type: object responseHeaderModifier: - description: ResponseHeaderModifier defines a schema - for a filter that modifies response headers. + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies + response headers. properties: add: - description: Add adds the given header(s) (name, - value) to the request before the action. It - appends to any existing values associated - with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: 
@@ -279,17 +321,17 @@ spec: type: object type: array remove: - description: Remove the given header(s) from - the HTTP request before the action. The value - of Remove is a list of HTTP header names. - Note that the header names are case-insensitive - (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with - the given header (name, value) before the + description: |- + Set overwrites the request with the given header (name, value) before the action. items: properties: @@ -301,8 +343,9 @@ spec: type: array type: object urlRewrite: - description: URLRewrite defines a schema for a filter - that modifies a request during forwarding. + description: |- + URLRewrite defines a schema for a filter that modifies a request during + forwarding. properties: pathPrefix: type: string 
@@ -310,18 +353,19 @@ spec: type: object type: array weight: - description: "Weight specifies the proportion of requests - forwarded to the referenced backend. This is computed - as weight/(sum of all weights in this BackendRefs list). - For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision - an implementation supports. Weight is not a percentage - and the sum of weights does not need to equal 100. \n - If only one backend is specified and it has a weight - greater than 0, 100% of the traffic is forwarded to - that backend. If weight is set to 0, no traffic should - be forwarded for this entry. If unspecified, weight - defaults to 1." + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from the + exact proportion defined here depending on the precision an implementation + supports. Weight is not a percentage and the sum of weights does not need + to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight defaults + to 1. format: int32 type: integer type: object 
@@ -330,13 +374,14 @@ spec: items: properties: requestHeaderModifier: - description: RequestHeaderModifier defines a schema for - a filter that modifies request headers. + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. properties: add: - description: Add adds the given header(s) (name, value) - to the request before the action. It appends to - any existing values associated with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: @@ -346,16 +391,18 @@ spec: type: object type: array remove: - description: Remove the given header(s) from the HTTP - request before the action. The value of Remove is - a list of HTTP header names. Note that the header - names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with the given - header (name, value) before the action. + description: |- + Set overwrites the request with the given header (name, value) before the + action. items: properties: name: 
@@ -366,13 +413,14 @@ spec: type: array type: object responseHeaderModifier: - description: ResponseHeaderModifier defines a schema for - a filter that modifies response headers. + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies + response headers. properties: add: - description: Add adds the given header(s) (name, value) - to the request before the action. It appends to - any existing values associated with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: @@ -382,16 +430,18 @@ spec: type: object type: array remove: - description: Remove the given header(s) from the HTTP - request before the action. The value of Remove is - a list of HTTP header names. Note that the header - names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with the given - header (name, value) before the action. + description: |- + Set overwrites the request with the given header (name, value) before the + action. items: properties: name: @@ -402,8 +452,9 @@ spec: type: array type: object urlRewrite: - description: URLRewrite defines a schema for a filter - that modifies a request during forwarding. + description: |- + URLRewrite defines a schema for a filter that modifies a request during + forwarding. properties: pathPrefix: type: string 
@@ -414,24 +465,27 @@ spec: items: properties: headers: - description: Headers specifies gRPC request header matchers. - Multiple match values are ANDed together, meaning, a - request MUST match all the specified headers to select - the route. + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers to + select the route. items: properties: name: type: string type: - description: "HeaderMatchType specifies the semantics - of how HTTP header values should be compared. - Valid HeaderMatchType values, along with their - conformance levels, are: \n Note that values may - be added to this enum, implementations must ensure - that unknown values will not cause a crash. \n - Unknown values here must result in the implementation - setting the Accepted Condition for the Route to - status: False, with a Reason of UnsupportedValue." + description: |- + HeaderMatchType specifies the semantics of how HTTP header values should be + compared. Valid HeaderMatchType values, along with their conformance levels, + are: + + + Note that values may be added to this enum, implementations must ensure that + unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the Accepted + Condition for the Route to status: False, with a Reason of UnsupportedValue. enum: - HEADER_MATCH_TYPE_UNSPECIFIED - HEADER_MATCH_TYPE_EXACT 
@@ -446,26 +500,30 @@ spec: type: object type: array method: - description: Method specifies a gRPC request service/method - matcher. If this field is not specified, all services - and methods will match. + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. properties: method: - description: "Value of the method to match against. - If left empty or omitted, will match all services. - \n At least one of Service and Method MUST be a - non-empty string.}" + description: |- + Value of the method to match against. If left empty or omitted, will match + all services. + + + At least one of Service and Method MUST be a non-empty string.} type: string service: - description: "Value of the service to match against. - If left empty or omitted, will match any service. - \n At least one of Service and Method MUST be a - non-empty string." + description: |- + Value of the service to match against. If left empty or omitted, will + match any service. + + + At least one of Service and Method MUST be a non-empty string. type: string type: - description: 'Type specifies how to match against - the service and/or method. Support: Core (Exact - with service and method specified)' + description: |- + Type specifies how to match against the service and/or method. Support: + Core (Exact with service and method specified) enum: - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED - GRPC_METHOD_MATCH_TYPE_EXACT @@ -478,8 +536,9 @@ spec: retries: properties: number: - description: Number is the number of times to retry the - request when a retryable result occurs. + description: |- + Number is the number of times to retry the request when a retryable + result occurs. properties: value: description: The uint32 value. 
@@ -487,27 +546,30 @@ spec: type: integer type: object onConditions: - description: RetryOn allows setting envoy specific conditions - when a request should be automatically retried. + description: |- + RetryOn allows setting envoy specific conditions when a request should + be automatically retried. items: type: string type: array onConnectFailure: - description: RetryOnConnectFailure allows for connection - failure errors to trigger a retry. + description: |- + RetryOnConnectFailure allows for connection failure errors to trigger a + retry. type: boolean onStatusCodes: - description: RetryOnStatusCodes is a flat list of http response - status codes that are eligible for retry. This again should - be feasible in any reasonable proxy. + description: |- + RetryOnStatusCodes is a flat list of http response status codes that are + eligible for retry. This again should be feasible in any reasonable proxy. items: format: int32 type: integer type: array type: object timeouts: - description: HTTPRouteTimeouts defines timeouts that can be - configured for an HTTPRoute or GRPCRoute. + description: |- + HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute + or GRPCRoute. properties: idle: description: Idle specifies the total amount of time permitted 
@@ -515,44 +577,44 @@ spec: format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object request: - description: RequestTimeout is the total amount of time - permitted for the entire downstream request (and retries) - to be processed. + description: |- + RequestTimeout is the total amount of time permitted for the entire + downstream request (and retries) to be processed. format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. 
For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object @@ -566,8 +628,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-httproutes.yaml b/charts/consul/templates/crd-httproutes.yaml index c829bf1fc3..a782647534 100644 --- a/charts/consul/templates/crd-httproutes.yaml 
+++ b/charts/consul/templates/crd-httproutes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,45 +41,67 @@ spec: description: HTTPRoute is the Schema for the HTTP Route API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: "NOTE: this should align to the GAMMA/gateway-api version, - or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute - \n This is a Resource type." + description: |- + NOTE: this should align to the GAMMA/gateway-api version, or at least be + easily translatable. + + + https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + + + This is a Resource type. 
properties: hostnames: - description: "Hostnames are the hostnames for which this HTTPRoute - should respond to requests. \n This is only valid for north/south." + description: |- + Hostnames are the hostnames for which this HTTPRoute should respond to requests. + + + This is only valid for north/south. items: type: string type: array parentRefs: - description: "ParentRefs references the resources (usually Services) - that a Route wants to be attached to. \n It is invalid to reference - an identical parent more than once. It is valid to reference multiple - distinct sections within the same parent resource." + description: |- + ParentRefs references the resources (usually Services) that a Route wants + to be attached to. + + + It is invalid to reference an identical parent more than once. It is valid + to reference multiple distinct sections within the same parent resource. items: description: 'NOTE: roughly equivalent to structs.ResourceReference' properties: port: - description: "For east/west this is the name of the Consul Service - port to direct traffic to or empty to imply all. For north/south - this is TBD. \n For more details on potential values of this - field, see documentation for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply all. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: - description: For east/west configuration, this should point - to a Service. For north/south it should point to a Gateway. + description: |- + For east/west configuration, this should point to a Service. + For north/south it should point to a Gateway. properties: name: description: Name is the user-given name of the resource 
@@ -90,36 +112,41 @@ spec: the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units (i.e. - partition, namespace) in which the resource resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources within - a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. "catalog", - "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). type: string groupVersion: - description: GroupVersion is incremented when sweeping - or backward-incompatible changes are made to the group's - resource types. 
+ description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes + are made to the group's resource types. type: string kind: description: Kind identifies the specific resource type 
@@ -130,29 +157,42 @@ spec: type: object type: array rules: - description: Rules are a list of HTTP-based routing rules that this - route should use for constructing a routing table. + description: |- + Rules are a list of HTTP-based routing rules that this route should + use for constructing a routing table. items: - description: HTTPRouteRule specifies the routing rules used to determine - what upstream service an HTTP request is routed to. + description: |- + HTTPRouteRule specifies the routing rules used to determine what upstream + service an HTTP request is routed to. properties: backendRefs: - description: "BackendRefs defines the backend(s) where matching - requests should be sent. \n Failure behavior here depends - on how many BackendRefs are specified and how many are invalid. - \n If all entries in BackendRefs are invalid, and there are - also no filters specified in this route rule, all traffic - which matches this rule MUST receive a 500 status code. \n - See the HTTPBackendRef definition for the rules about what - makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef - is invalid, 500 status codes MUST be returned for requests - that would have otherwise been routed to an invalid backend. - If multiple backends are specified, and some are invalid, - the proportion of requests that would otherwise have been - routed to an invalid backend MUST receive a 500 status code. - \n For example, if two backends are specified with equal weights, - and one is invalid, 50 percent of traffic must receive a 500. - Implementations may choose how that 50 percent is determined." + description: |- + BackendRefs defines the backend(s) where matching requests should be sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If all entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, all traffic which matches this rule MUST + receive a 500 status code. 
+ + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend MUST + receive a 500 status code. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. items: properties: backendRef: @@ -160,12 +200,14 @@ spec: datacenter: type: string port: - description: "For east/west this is the name of the - Consul Service port to direct traffic to or empty - to imply using the same value as the parent ref. - For north/south this is TBD. \n For more details - on potential values of this field, see documentation - for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply using the same value as the parent ref. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: description: For east/west configuration, this should 
@@ -180,36 +222,40 @@ spec: the resource the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units - (i.e. partition, namespace) in which the resource - resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources - within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. - "catalog", "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). 
type: string groupVersion: - description: GroupVersion is incremented when - sweeping or backward-incompatible changes + description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes are made to the group's resource types. type: string kind: @@ -220,20 +266,20 @@ spec: type: object type: object filters: - description: Filters defined at this level should be executed - if and only if the request is being forwarded to the - backend defined here. + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. items: properties: requestHeaderModifier: - description: RequestHeaderModifier defines a schema - for a filter that modifies request headers. + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. properties: add: - description: Add adds the given header(s) (name, - value) to the request before the action. It - appends to any existing values associated - with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: 
@@ -243,17 +289,17 @@ spec: type: object type: array remove: - description: Remove the given header(s) from - the HTTP request before the action. The value - of Remove is a list of HTTP header names. - Note that the header names are case-insensitive - (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with - the given header (name, value) before the + description: |- + Set overwrites the request with the given header (name, value) before the action. items: properties: @@ -265,14 +311,14 @@ spec: type: array type: object responseHeaderModifier: - description: ResponseHeaderModifier defines a schema - for a filter that modifies response headers. + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies + response headers. properties: add: - description: Add adds the given header(s) (name, - value) to the request before the action. It - appends to any existing values associated - with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: 
@@ -282,17 +328,17 @@ spec: type: object type: array remove: - description: Remove the given header(s) from - the HTTP request before the action. The value - of Remove is a list of HTTP header names. - Note that the header names are case-insensitive - (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with - the given header (name, value) before the + description: |- + Set overwrites the request with the given header (name, value) before the action. items: properties: @@ -304,8 +350,9 @@ spec: type: array type: object urlRewrite: - description: URLRewrite defines a schema for a filter - that modifies a request during forwarding. + description: |- + URLRewrite defines a schema for a filter that modifies a request during + forwarding. properties: pathPrefix: type: string 
@@ -313,18 +360,19 @@ spec: type: object type: array weight: - description: "Weight specifies the proportion of requests - forwarded to the referenced backend. This is computed - as weight/(sum of all weights in this BackendRefs list). - For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision - an implementation supports. Weight is not a percentage - and the sum of weights does not need to equal 100. \n - If only one backend is specified and it has a weight - greater than 0, 100% of the traffic is forwarded to - that backend. If weight is set to 0, no traffic should - be forwarded for this entry. If unspecified, weight - defaults to 1." + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from the + exact proportion defined here depending on the precision an implementation + supports. Weight is not a percentage and the sum of weights does not need + to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight defaults + to 1. format: int32 type: integer type: object 
@@ -333,13 +381,14 @@ spec: items: properties: requestHeaderModifier: - description: RequestHeaderModifier defines a schema for - a filter that modifies request headers. + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. properties: add: - description: Add adds the given header(s) (name, value) - to the request before the action. It appends to - any existing values associated with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: @@ -349,16 +398,18 @@ spec: type: object type: array remove: - description: Remove the given header(s) from the HTTP - request before the action. The value of Remove is - a list of HTTP header names. Note that the header - names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with the given - header (name, value) before the action. + description: |- + Set overwrites the request with the given header (name, value) before the + action. items: properties: name: 
@@ -369,13 +420,14 @@ spec: type: array type: object responseHeaderModifier: - description: ResponseHeaderModifier defines a schema for - a filter that modifies response headers. + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies + response headers. properties: add: - description: Add adds the given header(s) (name, value) - to the request before the action. It appends to - any existing values associated with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: @@ -385,16 +437,18 @@ spec: type: object type: array remove: - description: Remove the given header(s) from the HTTP - request before the action. The value of Remove is - a list of HTTP header names. Note that the header - names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with the given - header (name, value) before the action. + description: |- + Set overwrites the request with the given header (name, value) before the + action. items: properties: name: @@ -405,8 +459,9 @@ spec: type: array type: object urlRewrite: - description: URLRewrite defines a schema for a filter - that modifies a request during forwarding. + description: |- + URLRewrite defines a schema for a filter that modifies a request during + forwarding. properties: pathPrefix: type: string 
@@ -417,10 +472,10 @@ spec: items: properties: headers: - description: Headers specifies HTTP request header matchers. - Multiple match values are ANDed together, meaning, a - request must match all the specified headers to select - the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers to + select the route. items: properties: invert: 
@@ -428,21 +483,23 @@ spec: compat' type: boolean name: - description: "Name is the name of the HTTP Header - to be matched. Name matching MUST be case insensitive. - (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent header - names, only the first entry with an equivalent - name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be - ignored. Due to the case-insensitivity of header - names, “foo” and “Foo” are considered equivalent. - \n When a header is repeated in an HTTP request, - it is implementation-specific behavior as to how - this is represented. Generally, proxies should - follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, with special - handling for “Set-Cookie”." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first entry + with an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, “foo” and “Foo” are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. Generally, + proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for “Set-Cookie”. type: string type: description: Type specifies how to match against 
@@ -463,14 +520,14 @@ spec: type: object type: array method: - description: Method specifies HTTP method matcher. When - specified, this route will be matched only if the request - has the specified method. + description: |- + Method specifies HTTP method matcher. When specified, this route will be + matched only if the request has the specified method. type: string path: - description: Path specifies a HTTP request path matcher. - If this field is not specified, a default prefix match - on the “/” path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the “/” path is provided. properties: type: description: Type specifies how to match against the 
@@ -487,31 +544,33 @@ spec: type: string type: object queryParams: - description: QueryParams specifies HTTP query parameter - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified query + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match values + are ANDed together, meaning, a request must match all the specified query parameters to select the route. items: properties: name: - description: "Name is the name of the HTTP query - param to be matched. This must be an exact string - match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent query - param names, only the first entry with an equivalent - name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST - be ignored. \n If a query param is repeated in - an HTTP request, the behavior is purposely left - undefined, since different data planes have different - capabilities. However, it is recommended that - implementations should match against the first - value of the param if the data plane supports - it, as this behavior is expected in other load - balancing contexts outside of the Gateway API. - \n Users SHOULD NOT route traffic based on repeated - query params to guard themselves against potential - differences in the implementations." + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is purposely + left undefined, since different data planes have different capabilities. 
+ However, it is recommended that implementations should match against the + first value of the param if the data plane supports it, as this behavior + is expected in other load balancing contexts outside of the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. type: string type: description: Type specifies how to match against @@ -534,8 +593,9 @@ spec: retries: properties: number: - description: Number is the number of times to retry the - request when a retryable result occurs. + description: |- + Number is the number of times to retry the request when a retryable + result occurs. properties: value: description: The uint32 value. 
@@ -543,27 +603,30 @@ spec: type: integer type: object onConditions: - description: RetryOn allows setting envoy specific conditions - when a request should be automatically retried. + description: |- + RetryOn allows setting envoy specific conditions when a request should + be automatically retried. items: type: string type: array onConnectFailure: - description: RetryOnConnectFailure allows for connection - failure errors to trigger a retry. + description: |- + RetryOnConnectFailure allows for connection failure errors to trigger a + retry. type: boolean onStatusCodes: - description: RetryOnStatusCodes is a flat list of http response - status codes that are eligible for retry. This again should - be feasible in any reasonable proxy. + description: |- + RetryOnStatusCodes is a flat list of http response status codes that are + eligible for retry. This again should be feasible in any reasonable proxy. items: format: int32 type: integer type: array type: object timeouts: - description: HTTPRouteTimeouts defines timeouts that can be - configured for an HTTPRoute or GRPCRoute. + description: |- + HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute + or GRPCRoute. properties: idle: description: Idle specifies the total amount of time permitted 
@@ -571,44 +634,44 @@ spec: format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object request: - description: RequestTimeout is the total amount of time - permitted for the entire downstream request (and retries) - to be processed. + description: |- + RequestTimeout is the total amount of time permitted for the entire + downstream request (and retries) to be processed. format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. 
For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object @@ -622,8 +685,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-ingressgateways.yaml b/charts/consul/templates/crd-ingressgateways.yaml index dcbc543525..53649c8667 100644 --- a/charts/consul/templates/crd-ingressgateways.yaml 
+++ b/charts/consul/templates/crd-ingressgateways.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -41,14 +41,19 @@ spec: description: IngressGateway is the Schema for the ingressgateways API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -59,64 +64,68 @@ spec: description: Defaults is default configuration for all upstream services properties: maxConcurrentRequests: - description: The maximum number of concurrent requests that will - be allowed at a single point in time. Use this to limit HTTP/2 - traffic, since HTTP/2 has many requests per connection. + description: |- + The maximum number of concurrent requests that + will be allowed at a single point in time. Use this to limit HTTP/2 traffic, + since HTTP/2 has many requests per connection. format: int32 type: integer maxConnections: - description: The maximum number of connections a service instance - will be allowed to establish against the given upstream. Use - this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request - per connection. + description: |- + The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use this to limit + HTTP/1.1 traffic, since HTTP/1.1 has a request per connection. format: int32 type: integer maxPendingRequests: - description: The maximum number of requests that will be queued + description: |- + The maximum number of requests that will be queued while waiting for a connection to be established. format: int32 type: integer passiveHealthCheck: - description: PassiveHealthCheck configuration determines how upstream - proxy instances will be monitored for removal from the load - balancing pool. + description: |- + PassiveHealthCheck configuration determines how upstream proxy instances will + be monitored for removal from the load balancing pool. properties: baseEjectionTime: - description: The base time that a host is ejected for. The - real time is equal to the base time multiplied by the number - of times the host has been ejected and is capped by max_ejection_time - (Default 300s). Defaults to 30s. + description: |- + The base time that a host is ejected for. 
The real time is equal to the base time + multiplied by the number of times the host has been ejected and is capped by + max_ejection_time (Default 300s). Defaults to 30s. type: string enforcingConsecutive5xx: - description: EnforcingConsecutive5xx is the % chance that - a host will be actually ejected when an outlier status is - detected through consecutive 5xx. This setting can be used - to disable ejection or to ramp it up slowly. Ex. Setting - this to 10 will make it a 10% chance that the host will - be ejected. + description: |- + EnforcingConsecutive5xx is the % chance that a host will be actually ejected + when an outlier status is detected through consecutive 5xx. + This setting can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that the host will be ejected. format: int32 type: integer interval: - description: Interval between health check analysis sweeps. - Each sweep may remove hosts or return hosts to the pool. - Ex. setting this to "10s" will set the interval to 10 seconds. + description: |- + Interval between health check analysis sweeps. Each sweep may remove + hosts or return hosts to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. type: string maxEjectionPercent: - description: The maximum % of an upstream cluster that can - be ejected due to outlier detection. Defaults to 10% but - will eject at least one host regardless of the value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier detection. + Defaults to 10% but will eject at least one host regardless of the value. format: int32 type: integer maxFailures: - description: MaxFailures is the count of consecutive failures - that results in a host being removed from the pool. + description: |- + MaxFailures is the count of consecutive failures that results in a host + being removed from the pool. 
format: int32 type: integer type: object type: object listeners: - description: Listeners declares what ports the ingress gateway should - listen on, and what services to associated to those ports. + description: |- + Listeners declares what ports the ingress gateway should listen on, and + what services to associated to those ports. items: description: IngressListener manages the configuration for a listener on a specific port. 
@@ -126,110 +135,119 @@ spec: should listen for traffic. type: integer protocol: - description: 'Protocol declares what type of traffic this listener - is expected to receive. Depending on the protocol, a listener - might support multiplexing services over a single port, or - additional discovery chain features. The current supported - values are: (tcp | http | http2 | grpc).' + description: |- + Protocol declares what type of traffic this listener is expected to + receive. Depending on the protocol, a listener might support multiplexing + services over a single port, or additional discovery chain features. The + current supported values are: (tcp | http | http2 | grpc). type: string services: - description: Services declares the set of services to which - the listener forwards traffic. For "tcp" protocol listeners, - only a single service is allowed. For "http" listeners, multiple - services can be declared. + description: |- + Services declares the set of services to which the listener forwards + traffic. + For "tcp" protocol listeners, only a single service is allowed. + For "http" listeners, multiple services can be declared. items: - description: IngressService manages configuration for services - that are exposed to ingress traffic. + description: |- + IngressService manages configuration for services that are exposed to + ingress traffic. properties: hosts: - description: "Hosts is a list of hostnames which should - be associated to this service on the defined listener. - Only allowed on layer 7 protocols, this will be used - to route traffic to the service by matching the Host - header of the HTTP request. \n If a host is provided - for a service that also has a wildcard specifier defined, - the host will override the wildcard-specifier-provided - \".*\" domain for that listener. \n This - cannot be specified when using the wildcard specifier, - \"*\", or when using a \"tcp\" listener." 
+ description: |- + Hosts is a list of hostnames which should be associated to this service on + the defined listener. Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host header of the HTTP + request. + + + If a host is provided for a service that also has a wildcard specifier + defined, the host will override the wildcard-specifier-provided + ".*" domain for that listener. + + + This cannot be specified when using the wildcard specifier, "*", or when + using a "tcp" listener. items: type: string type: array maxConcurrentRequests: - description: The maximum number of concurrent requests - that will be allowed at a single point in time. Use - this to limit HTTP/2 traffic, since HTTP/2 has many - requests per connection. + description: |- + The maximum number of concurrent requests that + will be allowed at a single point in time. Use this to limit HTTP/2 traffic, + since HTTP/2 has many requests per connection. format: int32 type: integer maxConnections: - description: The maximum number of connections a service - instance will be allowed to establish against the given - upstream. Use this to limit HTTP/1.1 traffic, since - HTTP/1.1 has a request per connection. + description: |- + The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use this to limit + HTTP/1.1 traffic, since HTTP/1.1 has a request per connection. format: int32 type: integer maxPendingRequests: - description: The maximum number of requests that will - be queued while waiting for a connection to be established. + description: |- + The maximum number of requests that will be queued + while waiting for a connection to be established. format: int32 type: integer name: - description: "Name declares the service to which traffic - should be forwarded. \n This can either be a specific - service, or the wildcard specifier, \"*\". 
If the wildcard - specifier is provided, the listener must be of \"http\" - protocol and means that the listener will forward traffic - to all services. \n A name can be specified on multiple - listeners, and will be exposed on both of the listeners." + description: |- + Name declares the service to which traffic should be forwarded. + + + This can either be a specific service, or the wildcard specifier, + "*". If the wildcard specifier is provided, the listener must be of "http" + protocol and means that the listener will forward traffic to all services. + + + A name can be specified on multiple listeners, and will be exposed on both + of the listeners. type: string namespace: - description: Namespace is the namespace where the service - is located. Namespacing is a Consul Enterprise feature. + description: |- + Namespace is the namespace where the service is located. + Namespacing is a Consul Enterprise feature. type: string partition: - description: Partition is the admin-partition where the - service is located. Partitioning is a Consul Enterprise - feature. + description: |- + Partition is the admin-partition where the service is located. + Partitioning is a Consul Enterprise feature. type: string passiveHealthCheck: - description: PassiveHealthCheck configuration determines - how upstream proxy instances will be monitored for removal - from the load balancing pool. + description: |- + PassiveHealthCheck configuration determines how upstream proxy instances will + be monitored for removal from the load balancing pool. properties: baseEjectionTime: - description: The base time that a host is ejected - for. The real time is equal to the base time multiplied - by the number of times the host has been ejected - and is capped by max_ejection_time (Default 300s). - Defaults to 30s. + description: |- + The base time that a host is ejected for. 
The real time is equal to the base time + multiplied by the number of times the host has been ejected and is capped by + max_ejection_time (Default 300s). Defaults to 30s. type: string enforcingConsecutive5xx: - description: EnforcingConsecutive5xx is the % chance - that a host will be actually ejected when an outlier - status is detected through consecutive 5xx. This - setting can be used to disable ejection or to ramp - it up slowly. Ex. Setting this to 10 will make it - a 10% chance that the host will be ejected. + description: |- + EnforcingConsecutive5xx is the % chance that a host will be actually ejected + when an outlier status is detected through consecutive 5xx. + This setting can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that the host will be ejected. format: int32 type: integer interval: - description: Interval between health check analysis - sweeps. Each sweep may remove hosts or return hosts - to the pool. Ex. setting this to "10s" will set + description: |- + Interval between health check analysis sweeps. Each sweep may remove + hosts or return hosts to the pool. Ex. setting this to "10s" will set the interval to 10 seconds. type: string maxEjectionPercent: - description: The maximum % of an upstream cluster - that can be ejected due to outlier detection. Defaults - to 10% but will eject at least one host regardless - of the value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier detection. + Defaults to 10% but will eject at least one host regardless of the value. format: int32 type: integer maxFailures: - description: MaxFailures is the count of consecutive - failures that results in a host being removed from - the pool. + description: |- + MaxFailures is the count of consecutive failures that results in a host + being removed from the pool. format: int32 type: integer type: object 
@@ -239,50 +257,52 @@ spec: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that - should be appended to the request or response (i.e. - allowing duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). type: object remove: - description: Remove is the set of header names that - should be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that - should be added to the request or response, overwriting - any existing header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object responseHeaders: - description: HTTPHeaderModifiers is a set of rules for - HTTP header modification that should be performed by - proxies as the request passes through them. It can operate - on either request or response headers depending on the - context in which it is used. + description: |- + HTTPHeaderModifiers is a set of rules for HTTP header modification that + should be performed by proxies as the request passes through them. It can + operate on either request or response headers depending on the context in + which it is used. properties: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that - should be appended to the request or response (i.e. - allowing duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). 
type: object remove: - description: Remove is the set of header names that - should be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that - should be added to the request or response, overwriting - any existing header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object tls: @@ -299,10 +319,9 @@ spec: from the SDS service. type: string clusterName: - description: ClusterName is the SDS cluster name - to connect to, to retrieve certificates. This - cluster must be specified in the Gateway's bootstrap - configuration. + description: |- + ClusterName is the SDS cluster name to connect to, to retrieve certificates. + This cluster must be specified in the Gateway's bootstrap configuration. type: string type: object type: object @@ -312,9 +331,9 @@ spec: description: TLS config for this listener. properties: cipherSuites: - description: Define a subset of cipher suites to restrict - Only applicable to connections negotiated via TLS 1.2 - or earlier. + description: |- + Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 or earlier. items: type: string type: array 
@@ -332,24 +351,23 @@ spec: service. type: string clusterName: - description: ClusterName is the SDS cluster name to - connect to, to retrieve certificates. This cluster - must be specified in the Gateway's bootstrap configuration. + description: |- + ClusterName is the SDS cluster name to connect to, to retrieve certificates. + This cluster must be specified in the Gateway's bootstrap configuration. type: string type: object tlsMaxVersion: - description: TLSMaxVersion sets the default maximum TLS - version supported. Must be greater than or equal to `TLSMinVersion`. - One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or - `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 - as a max version for incoming connections. + description: |- + TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. type: string tlsMinVersion: - description: TLSMinVersion sets the default minimum TLS - version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, - `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 - and newer will default to TLS 1.2 as a min version, while - older releases of Envoy default to TLS 1.0. + description: |- + TLSMinVersion sets the default minimum TLS version supported. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + while older releases of Envoy default to TLS 1.0. type: string required: - enabled 
@@ -360,8 +378,9 @@ spec: description: TLS holds the TLS configuration for this gateway. properties: cipherSuites: - description: Define a subset of cipher suites to restrict Only - applicable to connections negotiated via TLS 1.2 or earlier. + description: |- + Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 or earlier. items: type: string type: array 
@@ -378,24 +397,23 @@ spec: when fetching the certificate from the SDS service. type: string clusterName: - description: ClusterName is the SDS cluster name to connect - to, to retrieve certificates. This cluster must be specified - in the Gateway's bootstrap configuration. + description: |- + ClusterName is the SDS cluster name to connect to, to retrieve certificates. + This cluster must be specified in the Gateway's bootstrap configuration. type: string type: object tlsMaxVersion: - description: TLSMaxVersion sets the default maximum TLS version - supported. Must be greater than or equal to `TLSMinVersion`. + description: |- + TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. - If unspecified, Envoy will default to TLS 1.3 as a max version - for incoming connections. + If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. type: string tlsMinVersion: - description: TLSMinVersion sets the default minimum TLS version - supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, - or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default - to TLS 1.2 as a min version, while older releases of Envoy default - to TLS 1.0. + description: |- + TLSMinVersion sets the default minimum TLS version supported. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + while older releases of Envoy default to TLS 1.0. type: string required: - enabled 
@@ -407,8 +425,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-jwtproviders.yaml b/charts/consul/templates/crd-jwtproviders.yaml index 94c9697b33..b52d77b180 100644 --- a/charts/consul/templates/crd-jwtproviders.yaml +++ b/charts/consul/templates/crd-jwtproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -26,14 +26,19 @@ spec: description: JWTProvider is the Schema for the jwtproviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -41,62 +46,79 @@ spec: description: JWTProviderSpec defines the desired state of JWTProvider properties: audiences: - description: Audiences is the set of audiences the JWT is allowed - to access. If specified, all JWTs verified with this provider must - address at least one of these to be considered valid. + description: |- + Audiences is the set of audiences the JWT is allowed to access. + If specified, all JWTs verified with this provider must address + at least one of these to be considered valid. items: type: string type: array cacheConfig: - description: CacheConfig defines configuration for caching the validation - result for previously seen JWTs. Caching results can speed up verification - when individual tokens are expected to be handled multiple times. + description: |- + CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up + verification when individual tokens are expected to be handled + multiple times. properties: size: - description: "Size specifies the maximum number of JWT verification - results to cache. \n Defaults to 0, meaning that JWT caching - is disabled." + description: |- + Size specifies the maximum number of JWT verification + results to cache. + + + Defaults to 0, meaning that JWT caching is disabled. type: integer type: object clockSkewSeconds: - description: "ClockSkewSeconds specifies the maximum allowable time - difference from clock skew when validating the \"exp\" (Expiration) - and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + description: |- + ClockSkewSeconds specifies the maximum allowable time difference + from clock skew when validating the "exp" (Expiration) and "nbf" + (Not Before) claims. + + + Default value is 30 seconds. type: integer forwarding: description: Forwarding defines rules for forwarding verified JWTs to the backend. 
properties: headerName: - description: "HeaderName is a header name to use when forwarding - a verified JWT to the backend. The verified JWT could have been - extracted from any location (query param, header, or cookie). - \n The header value will be base64-URL-encoded, and will not - be padded unless PadForwardPayloadHeader is true." + description: |- + HeaderName is a header name to use when forwarding a verified + JWT to the backend. The verified JWT could have been extracted + from any location (query param, header, or cookie). + + + The header value will be base64-URL-encoded, and will not be + padded unless PadForwardPayloadHeader is true. type: string padForwardPayloadHeader: - description: "PadForwardPayloadHeader determines whether padding - should be added to the base64 encoded token forwarded with ForwardPayloadHeader. - \n Default value is false." + description: |- + PadForwardPayloadHeader determines whether padding should be added + to the base64 encoded token forwarded with ForwardPayloadHeader. + + + Default value is false. type: boolean type: object issuer: - description: Issuer is the entity that must have issued the JWT. This - value must match the "iss" claim of the token. + description: |- + Issuer is the entity that must have issued the JWT. + This value must match the "iss" claim of the token. type: string jsonWebKeySet: - description: JSONWebKeySet defines a JSON Web Key Set, its location - on disk, or the means with which to fetch a key set from a remote - server. + description: |- + JSONWebKeySet defines a JSON Web Key Set, its location on disk, or the + means with which to fetch a key set from a remote server. properties: local: description: Local specifies a local source for the key set. properties: filename: - description: Filename configures a location on disk where - the JWKS can be found. If specified, the file must be present - on the disk of ALL proxies with intentions referencing this - provider. 
+ description: |- + Filename configures a location on disk where the JWKS can be + found. If specified, the file must be present on the disk of ALL + proxies with intentions referencing this provider. type: string jwks: description: JWKS contains a base64 encoded JWKS. 
@@ -107,62 +129,78 @@ spec: server. properties: cacheDuration: - description: "CacheDuration is the duration after which cached - keys should be expired. \n Default value is 5 minutes." + description: |- + CacheDuration is the duration after which cached keys + should be expired. + + + Default value is 5 minutes. type: string fetchAsynchronously: - description: "FetchAsynchronously indicates that the JWKS - should be fetched when a client request arrives. Client - requests will be paused until the JWKS is fetched. If false, - the proxy listener will wait for the JWKS to be fetched - before being activated. \n Default value is false." + description: |- + FetchAsynchronously indicates that the JWKS should be fetched + when a client request arrives. Client requests will be paused + until the JWKS is fetched. + If false, the proxy listener will wait for the JWKS to be + fetched before being activated. + + + Default value is false. type: boolean jwksCluster: description: JWKSCluster defines how the specified Remote JWKS URI is to be fetched. properties: connectTimeout: - description: The timeout for new network connections to - hosts in the cluster. If not set, a default value of - 5s will be used. + description: |- + The timeout for new network connections to hosts in the cluster. + If not set, a default value of 5s will be used. type: string discoveryType: - description: "DiscoveryType refers to the service discovery - type to use for resolving the cluster. \n This defaults - to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, - EDS or ORIGINAL_DST." + description: |- + DiscoveryType refers to the service discovery type to use for resolving the cluster. + + + This defaults to STRICT_DNS. + Other options include STATIC, LOGICAL_DNS, EDS or ORIGINAL_DST. type: string tlsCertificates: - description: "TLSCertificates refers to the data containing - certificate authority certificates to use in verifying - a presented peer certificate. 
If not specified and a - peer certificate is presented it will not be verified. - \n Must be either CaCertificateProviderInstance or TrustedCA." + description: |- + TLSCertificates refers to the data containing certificate authority certificates to use + in verifying a presented peer certificate. + If not specified and a peer certificate is presented it will not be verified. + + + Must be either CaCertificateProviderInstance or TrustedCA. properties: caCertificateProviderInstance: description: CaCertificateProviderInstance Certificate provider instance for fetching TLS certificates. properties: certificateName: - description: "CertificateName is used to specify - certificate instances or types. For example, - \"ROOTCA\" to specify a root-certificate (validation - context) or \"example.com\" to specify a certificate - for a particular domain. \n The default value - is the empty string." + description: |- + CertificateName is used to specify certificate instances or types. For example, "ROOTCA" to specify + a root-certificate (validation context) or "example.com" to specify a certificate for a + particular domain. + + + The default value is the empty string. type: string instanceName: - description: "InstanceName refers to the certificate - provider instance name. \n The default value - is \"default\"." + description: |- + InstanceName refers to the certificate provider instance name. + + + The default value is "default". type: string type: object trustedCA: - description: "TrustedCA defines TLS certificate data - containing certificate authority certificates to - use in verifying a presented peer certificate. \n - Exactly one of Filename, EnvironmentVariable, InlineString - or InlineBytes must be specified." + description: |- + TrustedCA defines TLS certificate data containing certificate authority certificates + to use in verifying a presented peer certificate. + + + Exactly one of Filename, EnvironmentVariable, InlineString or InlineBytes must be specified. 
properties: environmentVariable: type: string @@ -177,33 +215,47 @@ spec: type: object type: object requestTimeoutMs: - description: RequestTimeoutMs is the number of milliseconds - to time out when making a request for the JWKS. + description: |- + RequestTimeoutMs is the number of milliseconds to + time out when making a request for the JWKS. type: integer retryPolicy: - description: "RetryPolicy defines a retry policy for fetching - JWKS. \n There is no retry by default." + description: |- + RetryPolicy defines a retry policy for fetching JWKS. + + + There is no retry by default. properties: numRetries: - description: "NumRetries is the number of times to retry - fetching the JWKS. The retry strategy uses jittered - exponential backoff with a base interval of 1s and max - of 10s. \n Default value is 0." + description: |- + NumRetries is the number of times to retry fetching the JWKS. + The retry strategy uses jittered exponential backoff with + a base interval of 1s and max of 10s. + + + Default value is 0. type: integer retryPolicyBackOff: - description: "Retry's backoff policy. \n Defaults to Envoy's - backoff policy." + description: |- + Retry's backoff policy. + + + Defaults to Envoy's backoff policy. properties: baseInterval: - description: "BaseInterval to be used for the next - back off computation. \n The default value from - envoy is 1s." + description: |- + BaseInterval to be used for the next back off computation. + + + The default value from envoy is 1s. type: string maxInterval: - description: "MaxInternal to be used to specify the - maximum interval between retries. Optional but should - be greater or equal to BaseInterval. \n Defaults - to 10 times BaseInterval." + description: |- + MaxInternal to be used to specify the maximum interval between retries. + Optional but should be greater or equal to BaseInterval. + + + Defaults to 10 times BaseInterval. type: string type: object type: object 
@@ -214,15 +266,19 @@ spec: type: object type: object locations: - description: 'Locations where the JWT will be present in requests. - Envoy will check all of these locations to extract a JWT. If no - locations are specified Envoy will default to: 1. Authorization - header with Bearer schema: "Authorization: Bearer " 2. accessToken - query parameter.' + description: |- + Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. + If no locations are specified Envoy will default to: + 1. Authorization header with Bearer schema: + "Authorization: Bearer " + 2. accessToken query parameter. items: - description: "JWTLocation is a location where the JWT could be present - in requests. \n Only one of Header, QueryParam, or Cookie can - be specified." + description: |- + JWTLocation is a location where the JWT could be present in requests. + + + Only one of Header, QueryParam, or Cookie can be specified. properties: cookie: description: Cookie defines how to extract a JWT from an HTTP 
@@ -238,26 +294,31 @@ spec: request header. properties: forward: - description: "Forward defines whether the header with the - JWT should be forwarded after the token has been verified. - If false, the header will not be forwarded to the backend. - \n Default value is false." + description: |- + Forward defines whether the header with the JWT should be + forwarded after the token has been verified. If false, the + header will not be forwarded to the backend. + + + Default value is false. type: boolean name: description: Name is the name of the header containing the token. type: string valuePrefix: - description: 'ValuePrefix is an optional prefix that precedes - the token in the header value. For example, "Bearer " - is a standard value prefix for a header named "Authorization", - but the prefix is not part of the token itself: "Authorization: - Bearer "' + description: |- + ValuePrefix is an optional prefix that precedes the token in the + header value. + For example, "Bearer " is a standard value prefix for a header named + "Authorization", but the prefix is not part of the token itself: + "Authorization: Bearer " type: string type: object queryParam: - description: QueryParam defines how to extract a JWT from an - HTTP request query parameter. + description: |- + QueryParam defines how to extract a JWT from an HTTP request + query parameter. properties: name: description: Name is the name of the query param containing 
@@ -273,8 +334,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-meshconfigurations.yaml b/charts/consul/templates/crd-meshconfigurations.yaml index 21114d723f..36d644d381 100644 --- a/charts/consul/templates/crd-meshconfigurations.yaml +++ b/charts/consul/templates/crd-meshconfigurations.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -39,20 +39,26 @@ spec: description: MeshConfiguration is the Schema for the Mesh Configuration properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: MeshConfiguration is responsible for configuring the default - behavior of Mesh Gateways. This is a Resource type. + description: |- + MeshConfiguration is responsible for configuring the default behavior of Mesh Gateways. + This is a Resource type. type: object status: properties: 
@@ -60,8 +66,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-meshes.yaml b/charts/consul/templates/crd-meshes.yaml index f8ce4fc12e..f81e61a2c5 100644 --- a/charts/consul/templates/crd-meshes.yaml +++ b/charts/consul/templates/crd-meshes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -39,14 +39,19 @@ spec: description: Mesh is the Schema for the mesh API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -54,9 +59,9 @@ spec: description: MeshSpec defines the desired state of Mesh. properties: allowEnablingPermissiveMutualTLS: - description: AllowEnablingPermissiveMutualTLS must be true in order - to allow setting MutualTLSMode=permissive in either service-defaults - or proxy-defaults. + description: |- + AllowEnablingPermissiveMutualTLS must be true in order to allow setting + MutualTLSMode=permissive in either service-defaults or proxy-defaults. type: boolean http: description: HTTP defines the HTTP configuration for the service mesh. 
@@ -71,80 +76,73 @@ spec: mesh. properties: peerThroughMeshGateways: - description: PeerThroughMeshGateways determines whether peering - traffic between control planes should flow through mesh gateways. - If enabled, Consul servers will advertise mesh gateway addresses - as their own. Additionally, mesh gateways will configure themselves - to expose the local servers using a peering-specific SNI. + description: |- + PeerThroughMeshGateways determines whether peering traffic between + control planes should flow through mesh gateways. If enabled, + Consul servers will advertise mesh gateway addresses as their own. + Additionally, mesh gateways will configure themselves to expose + the local servers using a peering-specific SNI. type: boolean type: object tls: description: TLS defines the TLS configuration for the service mesh. properties: incoming: - description: Incoming defines the TLS configuration for inbound - mTLS connections targeting the public listener on Connect and - TerminatingGateway proxy kinds. + description: |- + Incoming defines the TLS configuration for inbound mTLS connections targeting + the public listener on Connect and TerminatingGateway proxy kinds. properties: cipherSuites: - description: CipherSuites sets the default list of TLS cipher - suites to support when negotiating connections using TLS - 1.2 or earlier. If unspecified, Envoy will use a default - server cipher list. The list of supported cipher suites - can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 - and is dependent on underlying support in Envoy. Future - releases of Envoy may remove currently-supported but insecure - cipher suites, and future releases of Consul may add new - supported cipher suites if any are added to Envoy. + description: |- + CipherSuites sets the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. + If unspecified, Envoy will use a default server cipher list. 
The list of supported cipher suites can be seen in + https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 and is dependent on underlying support in Envoy. + Future releases of Envoy may remove currently-supported but insecure cipher suites, + and future releases of Consul may add new supported cipher suites if any are added to Envoy. items: type: string type: array tlsMaxVersion: - description: TLSMaxVersion sets the default maximum TLS version - supported. Must be greater than or equal to `TLSMinVersion`. + description: |- + TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. - If unspecified, Envoy will default to TLS 1.3 as a max version - for incoming connections. + If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. type: string tlsMinVersion: - description: TLSMinVersion sets the default minimum TLS version - supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, - or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will - default to TLS 1.2 as a min version, while older releases - of Envoy default to TLS 1.0. + description: |- + TLSMinVersion sets the default minimum TLS version supported. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + while older releases of Envoy default to TLS 1.0. type: string type: object outgoing: - description: Outgoing defines the TLS configuration for outbound - mTLS connections dialing upstreams from Connect and IngressGateway - proxy kinds. + description: |- + Outgoing defines the TLS configuration for outbound mTLS connections dialing upstreams + from Connect and IngressGateway proxy kinds. 
properties: cipherSuites: - description: CipherSuites sets the default list of TLS cipher - suites to support when negotiating connections using TLS - 1.2 or earlier. If unspecified, Envoy will use a default - server cipher list. The list of supported cipher suites - can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 - and is dependent on underlying support in Envoy. Future - releases of Envoy may remove currently-supported but insecure - cipher suites, and future releases of Consul may add new - supported cipher suites if any are added to Envoy. + description: |- + CipherSuites sets the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. + If unspecified, Envoy will use a default server cipher list. The list of supported cipher suites can be seen in + https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 and is dependent on underlying support in Envoy. + Future releases of Envoy may remove currently-supported but insecure cipher suites, + and future releases of Consul may add new supported cipher suites if any are added to Envoy. items: type: string type: array tlsMaxVersion: - description: TLSMaxVersion sets the default maximum TLS version - supported. Must be greater than or equal to `TLSMinVersion`. + description: |- + TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. - If unspecified, Envoy will default to TLS 1.3 as a max version - for incoming connections. + If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. type: string tlsMinVersion: - description: TLSMinVersion sets the default minimum TLS version - supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, - or `TLSv1_3`. 
If unspecified, Envoy v1.22.0 and newer will - default to TLS 1.2 as a min version, while older releases - of Envoy default to TLS 1.0. + description: |- + TLSMinVersion sets the default minimum TLS version supported. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + while older releases of Envoy default to TLS 1.0. type: string type: object type: object @@ -153,13 +151,21 @@ spec: to proxies in "transparent" mode. Added in v1.10.0. properties: meshDestinationsOnly: - description: MeshDestinationsOnly determines whether sidecar proxies - operating in "transparent" mode can proxy traffic to IP addresses - not registered in Consul's catalog. If enabled, traffic will - only be proxied to upstreams with service registrations in the - catalog. + description: |- + MeshDestinationsOnly determines whether sidecar proxies operating in "transparent" mode can proxy traffic + to IP addresses not registered in Consul's catalog. If enabled, traffic will only be proxied to upstreams + with service registrations in the catalog. type: boolean type: object + validateClusters: + description: |- + ValidateClusters controls whether the clusters the route table refers to are validated. The default value is + false. When set to false and a route refers to a cluster that does not exist, the route table loads and routing + to a non-existent cluster results in a 404. When set to true and the route is set to a cluster that do not exist, + the route table will not load. For more information, refer to + [HTTP route configuration in the Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-field-config-route-v3-routeconfiguration-validate-clusters) + for more details. + type: boolean type: object status: properties: 
@@ -167,8 +173,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-meshgateways.yaml b/charts/consul/templates/crd-meshgateways.yaml index 6202add695..553d0660fe 100644 --- a/charts/consul/templates/crd-meshgateways.yaml +++ b/charts/consul/templates/crd-meshgateways.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -39,14 +39,19 @@ spec: description: MeshGateway is the Schema for the Mesh Gateway API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -94,8 +99,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-meshservices.yaml b/charts/consul/templates/crd-meshservices.yaml index a5d36fb966..1623749f63 100644 --- a/charts/consul/templates/crd-meshservices.yaml +++ b/charts/consul/templates/crd-meshservices.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -27,14 +27,19 @@ spec: Service Mesh service. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -45,9 +50,9 @@ spec: description: Name holds the service name for a Consul service. type: string peer: - description: Peer optionally specifies the name of the peer exporting - the Consul service. If not specified, the Consul service is assumed - to be in the local datacenter. + description: |- + Peer optionally specifies the name of the peer exporting the Consul service. + If not specified, the Consul service is assumed to be in the local datacenter. type: string type: object type: object 
diff --git a/charts/consul/templates/crd-peeringacceptors.yaml b/charts/consul/templates/crd-peeringacceptors.yaml index 2352ba7ad3..60b31d986a 100644 --- a/charts/consul/templates/crd-peeringacceptors.yaml +++ b/charts/consul/templates/crd-peeringacceptors.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -41,14 +41,19 @@ spec: description: PeeringAcceptor is the Schema for the peeringacceptors API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -84,8 +89,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-peeringdialers.yaml b/charts/consul/templates/crd-peeringdialers.yaml index 09991d2091..562c760938 100644 --- a/charts/consul/templates/crd-peeringdialers.yaml +++ b/charts/consul/templates/crd-peeringdialers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,14 +41,19 @@ spec: description: PeeringDialer is the Schema for the peeringdialers API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -84,8 +89,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-proxyconfigurations.yaml b/charts/consul/templates/crd-proxyconfigurations.yaml index 3d19d5ea4f..464fdfeaae 100644 --- a/charts/consul/templates/crd-proxyconfigurations.yaml +++ b/charts/consul/templates/crd-proxyconfigurations.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,14 +41,19 @@ spec: description: ProxyConfiguration is the Schema for the TCP Routes API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,7 +61,8 @@ spec: description: This is a Resource type. properties: bootstrapConfig: - description: bootstrap_config is the configuration that requires proxies + description: |- + bootstrap_config is the configuration that requires proxies to be restarted to be applied. properties: dogstatsdUrl: 
@@ -91,7 +97,8 @@ spec: type: string type: object dynamicConfig: - description: dynamic_config is the configuration that could be changed + description: |- + dynamic_config is the configuration that could be changed dynamically (i.e. without needing restart). properties: accessLogs: @@ -99,17 +106,17 @@ spec: access logs properties: disableListenerLogs: - description: DisableListenerLogs turns off just listener logs - for connections rejected by Envoy because they don't have - a matching listener filter. + description: |- + DisableListenerLogs turns off just listener logs for connections rejected by Envoy because they don't + have a matching listener filter. type: boolean enabled: description: Enabled turns off all access logging type: boolean jsonFormat: - description: The presence of one format string or the other - implies the access log string encoding. Defining both is - invalid. + description: |- + The presence of one format string or the other implies the access log string encoding. + Defining both is invalid. type: string path: description: Path is the output file to write logs 
@@ -173,122 +180,130 @@ spec: properties: connectTimeout: description: "A Duration represents a signed, fixed-length - span of time represented as a count of seconds and fractions - of seconds at nanosecond resolution. It is independent - of any calendar and concepts like \"day\" or \"month\". - It is related to Timestamp in that the difference between - two Timestamp values is a Duration and it can be added - or subtracted from a Timestamp. Range is approximately - +-10,000 years. \n # Examples \n Example 1: Compute Duration - from two Timestamps in pseudo code. \n Timestamp start - = ...; Timestamp end = ...; Duration duration = ...; \n - duration.seconds = end.seconds - start.seconds; duration.nanos - = end.nanos - start.nanos; \n if (duration.seconds < 0 - && duration.nanos > 0) { duration.seconds += 1; duration.nanos - -= 1000000000; } else if (duration.seconds > 0 && duration.nanos - < 0) { duration.seconds -= 1; duration.nanos += 1000000000; - } \n Example 2: Compute Timestamp from Timestamp + Duration - in pseudo code. \n Timestamp start = ...; Duration duration - = ...; Timestamp end = ...; \n end.seconds = start.seconds - + duration.seconds; end.nanos = start.nanos + duration.nanos; - \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += - 1000000000; } else if (end.nanos >= 1000000000) { end.seconds - += 1; end.nanos -= 1000000000; } \n Example 3: Compute - Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, - minutes=10) duration = Duration() duration.FromTimedelta(td) - \n # JSON Mapping \n In JSON format, the Duration type - is encoded as a string rather than an object, where the - string ends in the suffix \"s\" (indicating seconds) and - is preceded by the number of seconds, with nanoseconds - expressed as fractional seconds. 
For example, 3 seconds - with 0 nanoseconds should be encoded in JSON format as - \"3s\", while 3 seconds and 1 nanosecond should be expressed - in JSON format as \"3.000000001s\", and 3 seconds and - 1 microsecond should be expressed in JSON format as \"3.000001s\"." + span of time represented\nas a count of seconds and fractions + of seconds at nanosecond\nresolution. It is independent + of any calendar and concepts like \"day\"\nor \"month\". + It is related to Timestamp in that the difference between\ntwo + Timestamp values is a Duration and it can be added or + subtracted\nfrom a Timestamp. Range is approximately +-10,000 + years.\n\n\n# Examples\n\n\nExample 1: Compute Duration + from two Timestamps in pseudo code.\n\n\n\tTimestamp start + = ...;\n\tTimestamp end = ...;\n\tDuration duration = + ...;\n\n\n\tduration.seconds = end.seconds - start.seconds;\n\tduration.nanos + = end.nanos - start.nanos;\n\n\n\tif (duration.seconds + < 0 && duration.nanos > 0) {\n\t duration.seconds += + 1;\n\t duration.nanos -= 1000000000;\n\t} else if (duration.seconds + > 0 && duration.nanos < 0) {\n\t duration.seconds -= + 1;\n\t duration.nanos += 1000000000;\n\t}\n\n\nExample + 2: Compute Timestamp from Timestamp + Duration in pseudo + code.\n\n\n\tTimestamp start = ...;\n\tDuration duration + = ...;\n\tTimestamp end = ...;\n\n\n\tend.seconds = start.seconds + + duration.seconds;\n\tend.nanos = start.nanos + duration.nanos;\n\n\n\tif + (end.nanos < 0) {\n\t end.seconds -= 1;\n\t end.nanos + += 1000000000;\n\t} else if (end.nanos >= 1000000000) + {\n\t end.seconds += 1;\n\t end.nanos -= 1000000000;\n\t}\n\n\nExample + 3: Compute Duration from datetime.timedelta in Python.\n\n\n\ttd + = datetime.timedelta(days=3, minutes=10)\n\tduration = + Duration()\n\tduration.FromTimedelta(td)\n\n\n# JSON Mapping\n\n\nIn + JSON format, the Duration type is encoded as a string + rather than an\nobject, where the string ends in the suffix + \"s\" (indicating seconds) and\nis preceded by the 
number + of seconds, with nanoseconds expressed as\nfractional + seconds. For example, 3 seconds with 0 nanoseconds should + be\nencoded in JSON format as \"3s\", while 3 seconds + and 1 nanosecond should\nbe expressed in JSON format as + \"3.000000001s\", and 3 seconds and 1\nmicrosecond should + be expressed in JSON format as \"3.000001s\"." format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object requestTimeout: description: "A Duration represents a signed, fixed-length - span of time represented as a count of seconds and fractions - of seconds at nanosecond resolution. It is independent - of any calendar and concepts like \"day\" or \"month\". 
- It is related to Timestamp in that the difference between - two Timestamp values is a Duration and it can be added - or subtracted from a Timestamp. Range is approximately - +-10,000 years. \n # Examples \n Example 1: Compute Duration - from two Timestamps in pseudo code. \n Timestamp start - = ...; Timestamp end = ...; Duration duration = ...; \n - duration.seconds = end.seconds - start.seconds; duration.nanos - = end.nanos - start.nanos; \n if (duration.seconds < 0 - && duration.nanos > 0) { duration.seconds += 1; duration.nanos - -= 1000000000; } else if (duration.seconds > 0 && duration.nanos - < 0) { duration.seconds -= 1; duration.nanos += 1000000000; - } \n Example 2: Compute Timestamp from Timestamp + Duration - in pseudo code. \n Timestamp start = ...; Duration duration - = ...; Timestamp end = ...; \n end.seconds = start.seconds - + duration.seconds; end.nanos = start.nanos + duration.nanos; - \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += - 1000000000; } else if (end.nanos >= 1000000000) { end.seconds - += 1; end.nanos -= 1000000000; } \n Example 3: Compute - Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, - minutes=10) duration = Duration() duration.FromTimedelta(td) - \n # JSON Mapping \n In JSON format, the Duration type - is encoded as a string rather than an object, where the - string ends in the suffix \"s\" (indicating seconds) and - is preceded by the number of seconds, with nanoseconds - expressed as fractional seconds. For example, 3 seconds - with 0 nanoseconds should be encoded in JSON format as - \"3s\", while 3 seconds and 1 nanosecond should be expressed - in JSON format as \"3.000000001s\", and 3 seconds and - 1 microsecond should be expressed in JSON format as \"3.000001s\"." + span of time represented\nas a count of seconds and fractions + of seconds at nanosecond\nresolution. It is independent + of any calendar and concepts like \"day\"\nor \"month\". 
+ It is related to Timestamp in that the difference between\ntwo + Timestamp values is a Duration and it can be added or + subtracted\nfrom a Timestamp. Range is approximately +-10,000 + years.\n\n\n# Examples\n\n\nExample 1: Compute Duration + from two Timestamps in pseudo code.\n\n\n\tTimestamp start + = ...;\n\tTimestamp end = ...;\n\tDuration duration = + ...;\n\n\n\tduration.seconds = end.seconds - start.seconds;\n\tduration.nanos + = end.nanos - start.nanos;\n\n\n\tif (duration.seconds + < 0 && duration.nanos > 0) {\n\t duration.seconds += + 1;\n\t duration.nanos -= 1000000000;\n\t} else if (duration.seconds + > 0 && duration.nanos < 0) {\n\t duration.seconds -= + 1;\n\t duration.nanos += 1000000000;\n\t}\n\n\nExample + 2: Compute Timestamp from Timestamp + Duration in pseudo + code.\n\n\n\tTimestamp start = ...;\n\tDuration duration + = ...;\n\tTimestamp end = ...;\n\n\n\tend.seconds = start.seconds + + duration.seconds;\n\tend.nanos = start.nanos + duration.nanos;\n\n\n\tif + (end.nanos < 0) {\n\t end.seconds -= 1;\n\t end.nanos + += 1000000000;\n\t} else if (end.nanos >= 1000000000) + {\n\t end.seconds += 1;\n\t end.nanos -= 1000000000;\n\t}\n\n\nExample + 3: Compute Duration from datetime.timedelta in Python.\n\n\n\ttd + = datetime.timedelta(days=3, minutes=10)\n\tduration = + Duration()\n\tduration.FromTimedelta(td)\n\n\n# JSON Mapping\n\n\nIn + JSON format, the Duration type is encoded as a string + rather than an\nobject, where the string ends in the suffix + \"s\" (indicating seconds) and\nis preceded by the number + of seconds, with nanoseconds expressed as\nfractional + seconds. For example, 3 seconds with 0 nanoseconds should + be\nencoded in JSON format as \"3s\", while 3 seconds + and 1 nanosecond should\nbe expressed in JSON format as + \"3.000000001s\", and 3 seconds and 1\nmicrosecond should + be expressed in JSON format as \"3.000001s\"." 
format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object type: object - description: local_connection is the configuration that should - be used to connect to the local application provided per-port. + description: |- + local_connection is the configuration that should be used + to connect to the local application provided per-port. The map keys should correspond to port names on the workload. type: object localWorkloadAddress: - description: "deprecated: local_workload_address, local_workload_port, - and local_workload_socket_path are deprecated and are only needed - for migration of existing resources. \n Deprecated: Marked as - deprecated in pbmesh/v2beta1/proxy_configuration.proto." 
+ description: |- + deprecated: + local_workload_address, local_workload_port, and local_workload_socket_path + are deprecated and are only needed for migration of existing resources. + + + Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto. type: string localWorkloadPort: description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' @@ -326,26 +341,31 @@ spec: transparentProxy: properties: dialedDirectly: - description: dialed_directly indicates whether this proxy - should be dialed using original destination IP in the connection - rather than load balance between all endpoints. + description: |- + dialed_directly indicates whether this proxy should be dialed using original destination IP + in the connection rather than load balance between all endpoints. type: boolean outboundListenerPort: - description: outbound_listener_port is the port for the proxy's - outbound listener. This defaults to 15001. + description: |- + outbound_listener_port is the port for the proxy's outbound listener. + This defaults to 15001. format: int32 type: integer type: object type: object opaqueConfig: - description: "deprecated: prevent usage when using v2 APIs directly. - needed for backwards compatibility \n Deprecated: Marked as deprecated - in pbmesh/v2beta1/proxy_configuration.proto." + description: |- + deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility + + + Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto. type: object x-kubernetes-preserve-unknown-fields: true workloads: - description: Selection of workloads this proxy configuration should - apply to. These can be prefixes or specific workload names. + description: |- + Selection of workloads this proxy configuration should apply to. + These can be prefixes or specific workload names. properties: filter: type: string 
@@ -365,8 +385,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-proxydefaults.yaml b/charts/consul/templates/crd-proxydefaults.yaml index ce49c9149a..a5fa8178f3 100644 --- a/charts/consul/templates/crd-proxydefaults.yaml +++ b/charts/consul/templates/crd-proxydefaults.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,14 +41,19 @@ spec: description: ProxyDefaults is the Schema for the proxydefaults API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -60,37 +65,40 @@ spec: configuration. properties: disableListenerLogs: - description: DisableListenerLogs turns off just listener logs - for connections rejected by Envoy because they don't have a - matching listener filter. + description: |- + DisableListenerLogs turns off just listener logs for connections rejected by Envoy because they don't + have a matching listener filter. type: boolean enabled: description: Enabled turns on all access logging type: boolean jsonFormat: - description: 'JSONFormat is a JSON-formatted string of an Envoy - access log format dictionary. See for more info on formatting: - https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries - Defining JSONFormat and TextFormat is invalid.' + description: |- + JSONFormat is a JSON-formatted string of an Envoy access log format dictionary. + See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid. type: string path: description: Path is the output file to write logs for file-type logging type: string textFormat: - description: 'TextFormat is a representation of Envoy access logs - format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings - Defining JSONFormat and TextFormat is invalid.' + description: |- + TextFormat is a representation of Envoy access logs format. + See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid. type: string type: - description: Type selects the output for logs one of "file", "stderr". - "stdout" + description: |- + Type selects the output for logs + one of "file", "stderr". 
"stdout" type: string type: object config: - description: Config is an arbitrary map of configuration values used - by Connect proxies. Any values that your proxy allows can be configured - globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + description: |- + Config is an arbitrary map of configuration values used by Connect proxies. + Any values that your proxy allows can be configured globally here. + Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting type: object x-kubernetes-preserve-unknown-fields: true envoyExtensions: @@ -114,9 +122,9 @@ spec: for Envoy. properties: checks: - description: Checks defines whether paths associated with Consul - checks will be exposed. This flag triggers exposing all HTTP - and GRPC check paths registered for the service. + description: |- + Checks defines whether paths associated with Consul checks will be exposed. + This flag triggers exposing all HTTP and GRPC check paths registered for the service. type: boolean paths: description: Paths is the list of paths exposed through the proxy. @@ -135,7 +143,8 @@ spec: ie. "/metrics". type: string protocol: - description: Protocol describes the upstream's service protocol. + description: |- + Protocol describes the upstream's service protocol. Valid values are "http" and "http2", defaults to "http". type: string type: object 
@@ -146,14 +155,14 @@ spec: failover. properties: mode: - description: Mode specifies the type of failover that will be - performed. Valid values are "sequential", "" (equivalent to - "sequential") and "order-by-locality". + description: |- + Mode specifies the type of failover that will be performed. Valid values are + "sequential", "" (equivalent to "sequential") and "order-by-locality". type: string regions: - description: Regions is the ordered list of the regions of the - failover targets. Valid values can be "us-west-1", "us-west-2", - and so on. + description: |- + Regions is the ordered list of the regions of the failover targets. + Valid values can be "us-west-1", "us-west-2", and so on. items: type: string type: array 
@@ -163,59 +172,62 @@ spec: for this service. properties: mode: - description: Mode is the mode that should be used for the upstream - connection. One of none, local, or remote. + description: |- + Mode is the mode that should be used for the upstream connection. + One of none, local, or remote. type: string type: object mode: - description: 'Mode can be one of "direct" or "transparent". "transparent" - represents that inbound and outbound application traffic is being - captured and redirected through the proxy. This mode does not enable - the traffic redirection itself. Instead it signals Consul to configure - Envoy as if traffic is already being redirected. "direct" represents - that the proxy''s listeners must be dialed directly by the local - application and other proxies. Note: This cannot be set using the - CRD and should be set using annotations on the services that are - part of the mesh.' + description: |- + Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound + application traffic is being captured and redirected through the proxy. This mode does not + enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if + traffic is already being redirected. "direct" represents that the proxy's listeners must be + dialed directly by the local application and other proxies. + Note: This cannot be set using the CRD and should be set using annotations on the + services that are part of the mesh. type: string mutualTLSMode: - description: 'MutualTLSMode controls whether mutual TLS is required - for all incoming connections when transparent proxy is enabled. - This can be set to "permissive" or "strict". "strict" is the default - which requires mutual TLS for incoming connections. 
In the insecure - "permissive" mode, connections to the sidecar proxy public listener - port require mutual TLS, but connections to the service port do - not require mutual TLS and are proxied to the application unmodified. - Note: Intentions are not enforced for non-mTLS connections. To keep - your services secure, we recommend using "strict" mode whenever - possible and enabling "permissive" mode only when necessary.' + description: |- + MutualTLSMode controls whether mutual TLS is required for all incoming + connections when transparent proxy is enabled. This can be set to + "permissive" or "strict". "strict" is the default which requires mutual + TLS for incoming connections. In the insecure "permissive" mode, + connections to the sidecar proxy public listener port require mutual + TLS, but connections to the service port do not require mutual TLS and + are proxied to the application unmodified. Note: Intentions are not + enforced for non-mTLS connections. To keep your services secure, we + recommend using "strict" mode whenever possible and enabling + "permissive" mode only when necessary. type: string prioritizeByLocality: - description: PrioritizeByLocality controls whether the locality of - services within the local partition will be used to prioritize connectivity. + description: |- + PrioritizeByLocality controls whether the locality of services within the + local partition will be used to prioritize connectivity. properties: mode: - description: 'Mode specifies the type of prioritization that will - be performed when selecting nodes in the local partition. Valid - values are: "" (default "none"), "none", and "failover".' + description: |- + Mode specifies the type of prioritization that will be performed + when selecting nodes in the local partition. + Valid values are: "" (default "none"), "none", and "failover". type: string type: object transparentProxy: - description: 'TransparentProxy controls configuration specific to - proxies in transparent mode. 
Note: This cannot be set using the - CRD and should be set using annotations on the services that are - part of the mesh.' + description: |- + TransparentProxy controls configuration specific to proxies in transparent mode. + Note: This cannot be set using the CRD and should be set using annotations on the + services that are part of the mesh. properties: dialedDirectly: - description: DialedDirectly indicates whether transparent proxies - can dial this proxy instance directly. The discovery chain is - not considered when dialing a service instance directly. This - setting is useful when addressing stateful services, such as - a database cluster with a leader node. + description: |- + DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + The discovery chain is not considered when dialing a service instance directly. + This setting is useful when addressing stateful services, such as a database cluster with a leader node. type: boolean outboundListenerPort: - description: OutboundListenerPort is the port of the listener - where outbound application traffic is being redirected to. + description: |- + OutboundListenerPort is the port of the listener where outbound application + traffic is being redirected to. type: integer type: object type: object @@ -225,8 +237,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition 
diff --git a/charts/consul/templates/crd-registrations.yaml b/charts/consul/templates/crd-registrations.yaml index e1e45d3574..f126978e53 100644 --- a/charts/consul/templates/crd-registrations.yaml +++ b/charts/consul/templates/crd-registrations.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -26,14 +26,19 @@ spec: description: Registration defines the resource for working with service registrations. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -48,8 +53,9 @@ spec: checkId: type: string definition: - description: HealthCheckDefinition is used to store the details - about a health check's execution. + description: |- + HealthCheckDefinition is used to store the details about + a health check's execution. properties: body: type: string @@ -193,7 +199,6 @@ spec: - warning type: object required: - - address - name - port type: object @@ -211,8 +216,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-routeauthfilters.yaml b/charts/consul/templates/crd-routeauthfilters.yaml index a51bf226cd..65403e657a 100644 --- a/charts/consul/templates/crd-routeauthfilters.yaml +++ b/charts/consul/templates/crd-routeauthfilters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
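Review bot: The `@@ -193,7 +199,6 @@` hunk removes `- address` from the `required` list of the Registration service schema, which is the only change in this file that loosens validation rather than reflowing a description: after this the API server admits a Registration whose service block has no address. That relaxation is presumably a side effect of an `omitempty` tag or validation-marker change on the Go type, but nothing in the regenerated YAML says what an absent address is meant to mean, and a generated-CRD refresh is easy to skim past. Please state the intended semantics in the Go field's doc comment (so it is regenerated into the `description` here) and confirm that the controller path consuming the service address tolerates an empty value instead of registering a service with a blank address. The enclosing `properties` block of this service schema starts outside the hunk.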
@@ -39,14 +39,19 @@ spec: description: RouteAuthFilter is the Schema for the routeauthfilters API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -65,9 +70,9 @@ spec: verification information. properties: name: - description: Name is the name of the JWT provider. There - MUST be a corresponding "jwt-provider" config entry with - this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional claims 
@@ -83,11 +88,14 @@ spec: type: string type: array value: - description: "Value is the expected value at the given - path: - If the type at the path is a list then we - verify that this value is contained in the list. - \n - If the type at the path is a string then we - verify that this value matches." + description: |- + Value is the expected value at the given path: + - If the type at the path is a list then we verify + that this value is contained in the list. + + + - If the type at the path is a string then we verify + that this value matches. type: string required: - path 
@@ -117,46 +125,53 @@ spec: reason: Pending status: Unknown type: ResolvedRefs - description: "Conditions describe the current conditions of the Filter. - \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + description: |- + Conditions describe the current conditions of the Filter. + + + Known condition types are: + + + * "Accepted" + * "ResolvedRefs" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -170,11 +185,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/charts/consul/templates/crd-routeretryfilters.yaml b/charts/consul/templates/crd-routeretryfilters.yaml index 14b6062f60..d26dff9c56 100644 --- a/charts/consul/templates/crd-routeretryfilters.yaml +++ b/charts/consul/templates/crd-routeretryfilters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -39,14 +39,19 @@ spec: description: RouteRetryFilter is the Schema for the routeretryfilters API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -75,8 +80,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-routetimeoutfilters.yaml b/charts/consul/templates/crd-routetimeoutfilters.yaml index 07ebfe9386..568b025204 100644 --- a/charts/consul/templates/crd-routetimeoutfilters.yaml +++ b/charts/consul/templates/crd-routetimeoutfilters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -40,14 +40,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -67,8 +72,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-samenessgroups.yaml b/charts/consul/templates/crd-samenessgroups.yaml index ea0ad7c8a0..29cd24f361 100644 --- a/charts/consul/templates/crd-samenessgroups.yaml +++ b/charts/consul/templates/crd-samenessgroups.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,14 +41,19 @@ spec: description: SamenessGroup is the Schema for the samenessgroups API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,27 +61,25 @@ spec: description: SamenessGroupSpec defines the desired state of SamenessGroup. properties: defaultForFailover: - description: DefaultForFailover indicates that upstream requests to - members of the given sameness group will implicitly failover between - members of this sameness group. When DefaultForFailover is true, - the local partition must be a member of the sameness group or IncludeLocal - must be set to true. + description: |- + DefaultForFailover indicates that upstream requests to members of the given sameness group will implicitly failover between members of this sameness group. + When DefaultForFailover is true, the local partition must be a member of the sameness group or IncludeLocal must be set to true. type: boolean includeLocal: - description: IncludeLocal is used to include the local partition as - the first member of the sameness group. The local partition can - only be a member of a single sameness group. + description: |- + IncludeLocal is used to include the local partition as the first member of the sameness group. + The local partition can only be a member of a single sameness group. type: boolean members: - description: Members are the partitions and peers that are part of - the sameness group. If a member of a sameness group does not exist, - it will be ignored. + description: |- + Members are the partitions and peers that are part of the sameness group. + If a member of a sameness group does not exist, it will be ignored. items: properties: partition: - description: The partitions and peers that are part of the sameness - group. A sameness group member cannot define both peer and - partition at the same time. + description: |- + The partitions and peers that are part of the sameness group. + A sameness group member cannot define both peer and partition at the same time. type: string peer: type: string 
@@ -89,8 +92,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-servicedefaults.yaml b/charts/consul/templates/crd-servicedefaults.yaml index c7e2b5bb2b..a976d0989b 100644 --- a/charts/consul/templates/crd-servicedefaults.yaml +++ b/charts/consul/templates/crd-servicedefaults.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,14 +41,19 @@ spec: description: ServiceDefaults is the Schema for the servicedefaults API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,27 +61,29 @@ spec: description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. properties: balanceInboundConnections: - description: BalanceInboundConnections sets the strategy for allocating - inbound connections to the service across proxy threads. The only - supported value is exact_balance. By default, no connection balancing - is used. Refer to the Envoy Connection Balance config for details. + description: |- + BalanceInboundConnections sets the strategy for allocating inbound connections to the service across + proxy threads. The only supported value is exact_balance. By default, no connection balancing is used. + Refer to the Envoy Connection Balance config for details. type: string destination: - description: Destination is an address(es)/port combination that represents - an endpoint outside the mesh. This is only valid when the mesh is - configured in "transparent" mode. Destinations live outside of Consul's - catalog, and because of this, they do not require an artificial - node to be created. + description: |- + Destination is an address(es)/port combination that represents an endpoint + outside the mesh. This is only valid when the mesh is configured in "transparent" + mode. Destinations live outside of Consul's catalog, and because of this, they + do not require an artificial node to be created. properties: addresses: - description: Addresses is a list of IPs and/or hostnames that - can be dialed and routed through a terminating gateway. + description: |- + Addresses is a list of IPs and/or hostnames that can be dialed + and routed through a terminating gateway. items: type: string type: array port: - description: Port is the port that can be dialed on any of the - addresses in this Destination. + description: |- + Port is the port that can be dialed on any of the addresses in this + Destination. format: int32 type: integer type: object 
@@ -101,9 +108,9 @@ spec: for Envoy. properties: checks: - description: Checks defines whether paths associated with Consul - checks will be exposed. This flag triggers exposing all HTTP - and GRPC check paths registered for the service. + description: |- + Checks defines whether paths associated with Consul checks will be exposed. + This flag triggers exposing all HTTP and GRPC check paths registered for the service. type: boolean paths: description: Paths is the list of paths exposed through the proxy. 
@@ -122,99 +129,107 @@ spec: ie. "/metrics". type: string protocol: - description: Protocol describes the upstream's service protocol. + description: |- + Protocol describes the upstream's service protocol. Valid values are "http" and "http2", defaults to "http". type: string type: object type: array type: object externalSNI: - description: ExternalSNI is an optional setting that allows for the - TLS SNI value to be changed to a non-connect value when federating - with an external system. + description: |- + ExternalSNI is an optional setting that allows for the TLS SNI value + to be changed to a non-connect value when federating with an external system. type: string localConnectTimeoutMs: - description: LocalConnectTimeoutMs is the number of milliseconds allowed - to make connections to the local application instance before timing - out. Defaults to 5000. + description: |- + LocalConnectTimeoutMs is the number of milliseconds allowed to make connections to the local application + instance before timing out. Defaults to 5000. type: integer localRequestTimeoutMs: - description: LocalRequestTimeoutMs is the timeout for HTTP requests - to the local application instance in milliseconds. Applies to HTTP-based - protocols only. If not specified, inherits the Envoy default for + description: |- + LocalRequestTimeoutMs is the timeout for HTTP requests to the local application instance in milliseconds. + Applies to HTTP-based protocols only. If not specified, inherits the Envoy default for route timeouts (15s). type: integer maxInboundConnections: - description: MaxInboundConnections is the maximum number of concurrent - inbound connections to each service instance. Defaults to 0 (using - consul's default) if not set. + description: |- + MaxInboundConnections is the maximum number of concurrent inbound connections to + each service instance. Defaults to 0 (using consul's default) if not set. 
type: integer meshGateway: description: MeshGateway controls the default mesh gateway configuration for this service. properties: mode: - description: Mode is the mode that should be used for the upstream - connection. One of none, local, or remote. + description: |- + Mode is the mode that should be used for the upstream connection. + One of none, local, or remote. type: string type: object mode: - description: 'Mode can be one of "direct" or "transparent". "transparent" - represents that inbound and outbound application traffic is being - captured and redirected through the proxy. This mode does not enable - the traffic redirection itself. Instead it signals Consul to configure - Envoy as if traffic is already being redirected. "direct" represents - that the proxy''s listeners must be dialed directly by the local - application and other proxies. Note: This cannot be set using the - CRD and should be set using annotations on the services that are - part of the mesh.' + description: |- + Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound + application traffic is being captured and redirected through the proxy. This mode does not + enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if + traffic is already being redirected. "direct" represents that the proxy's listeners must be + dialed directly by the local application and other proxies. + Note: This cannot be set using the CRD and should be set using annotations on the + services that are part of the mesh. type: string mutualTLSMode: - description: 'MutualTLSMode controls whether mutual TLS is required - for all incoming connections when transparent proxy is enabled. - This can be set to "permissive" or "strict". "strict" is the default - which requires mutual TLS for incoming connections. 
In the insecure - "permissive" mode, connections to the sidecar proxy public listener - port require mutual TLS, but connections to the service port do - not require mutual TLS and are proxied to the application unmodified. - Note: Intentions are not enforced for non-mTLS connections. To keep - your services secure, we recommend using "strict" mode whenever - possible and enabling "permissive" mode only when necessary.' + description: |- + MutualTLSMode controls whether mutual TLS is required for all incoming + connections when transparent proxy is enabled. This can be set to + "permissive" or "strict". "strict" is the default which requires mutual + TLS for incoming connections. In the insecure "permissive" mode, + connections to the sidecar proxy public listener port require mutual + TLS, but connections to the service port do not require mutual TLS and + are proxied to the application unmodified. Note: Intentions are not + enforced for non-mTLS connections. To keep your services secure, we + recommend using "strict" mode whenever possible and enabling + "permissive" mode only when necessary. type: string protocol: - description: Protocol sets the protocol of the service. This is used - by Connect proxies for things like observability features and to - unlock usage of the service-splitter and service-router config entries - for a service. + description: |- + Protocol sets the protocol of the service. This is used by Connect proxies for + things like observability features and to unlock usage of the + service-splitter and service-router config entries for a service. type: string rateLimits: - description: RateLimits is rate limiting configuration that is applied - to inbound traffic for a service. Rate limiting is a Consul enterprise - feature. + description: |- + RateLimits is rate limiting configuration that is applied to + inbound traffic for a service. Rate limiting is a Consul enterprise feature. 
properties: instanceLevel: - description: InstanceLevel represents rate limit configuration + description: |- + InstanceLevel represents rate limit configuration that is applied per service instance. properties: requestsMaxBurst: - description: "RequestsMaxBurst is the maximum number of requests - that can be sent in a burst. Should be equal to or greater - than RequestsPerSecond. If unset, defaults to RequestsPerSecond. - \n Internally, this is the maximum size of the token bucket - used for rate limiting." + description: |- + RequestsMaxBurst is the maximum number of requests that can be sent + in a burst. Should be equal to or greater than RequestsPerSecond. + If unset, defaults to RequestsPerSecond. + + + Internally, this is the maximum size of the token bucket used for rate limiting. type: integer requestsPerSecond: - description: "RequestsPerSecond is the average number of requests - per second that can be made without being throttled. This - field is required if RequestsMaxBurst is set. The allowed - number of requests may exceed RequestsPerSecond up to the - value specified in RequestsMaxBurst. \n Internally, this - is the refill rate of the token bucket used for rate limiting." + description: |- + RequestsPerSecond is the average number of requests per second that can be + made without being throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed RequestsPerSecond up to + the value specified in RequestsMaxBurst. + + + Internally, this is the refill rate of the token bucket used for rate limiting. type: integer routes: - description: Routes is a list of rate limits applied to specific - routes. For a given request, the first matching route will - be applied, if any. Overrides any top-level configuration. + description: |- + Routes is a list of rate limits applied to specific routes. + For a given request, the first matching route will be applied, if any. + Overrides any top-level configuration. 
items: properties: pathExact: 
@@ -230,94 +245,94 @@ spec: PathPrefix, or PathRegex must be specified. type: string requestsMaxBurst: - description: RequestsMaxBurst is the maximum number - of requests that can be sent in a burst. Should be - equal to or greater than RequestsPerSecond. If unset, - defaults to RequestsPerSecond. Internally, this is - the maximum size of the token bucket used for rate - limiting. + description: |- + RequestsMaxBurst is the maximum number of requests that can be sent + in a burst. Should be equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is the maximum size of the token + bucket used for rate limiting. type: integer requestsPerSecond: - description: RequestsPerSecond is the average number - of requests per second that can be made without being - throttled. This field is required if RequestsMaxBurst - is set. The allowed number of requests may exceed + description: |- + RequestsPerSecond is the average number of requests per + second that can be made without being throttled. This field is required + if RequestsMaxBurst is set. The allowed number of requests may exceed RequestsPerSecond up to the value specified in RequestsMaxBurst. - Internally, this is the refill rate of the token bucket - used for rate limiting. + Internally, this is the refill rate of the token bucket used for rate limiting. type: integer type: object type: array type: object type: object transparentProxy: - description: 'TransparentProxy controls configuration specific to - proxies in transparent mode. Note: This cannot be set using the - CRD and should be set using annotations on the services that are - part of the mesh.' + description: |- + TransparentProxy controls configuration specific to proxies in transparent mode. + Note: This cannot be set using the CRD and should be set using annotations on the + services that are part of the mesh. 
properties: dialedDirectly: - description: DialedDirectly indicates whether transparent proxies - can dial this proxy instance directly. The discovery chain is - not considered when dialing a service instance directly. This - setting is useful when addressing stateful services, such as - a database cluster with a leader node. + description: |- + DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + The discovery chain is not considered when dialing a service instance directly. + This setting is useful when addressing stateful services, such as a database cluster with a leader node. type: boolean outboundListenerPort: - description: OutboundListenerPort is the port of the listener - where outbound application traffic is being redirected to. + description: |- + OutboundListenerPort is the port of the listener where outbound application + traffic is being redirected to. type: integer type: object upstreamConfig: - description: UpstreamConfig controls default configuration settings - that apply across all upstreams, and per-upstream configuration - overrides. Note that per-upstream configuration applies across all - federated datacenters to the pairing of source and upstream destination - services. + description: |- + UpstreamConfig controls default configuration settings that apply across all upstreams, + and per-upstream configuration overrides. Note that per-upstream configuration applies + across all federated datacenters to the pairing of source and upstream destination services. properties: defaults: - description: Defaults contains default configuration for all upstreams - of a given service. The name field must be empty. + description: |- + Defaults contains default configuration for all upstreams of a given + service. The name field must be empty. properties: connectTimeoutMs: - description: ConnectTimeoutMs is the number of milliseconds - to timeout making a new connection to this upstream. 
Defaults - to 5000 (5 seconds) if not set. + description: |- + ConnectTimeoutMs is the number of milliseconds to timeout making a new + connection to this upstream. Defaults to 5000 (5 seconds) if not set. type: integer envoyClusterJSON: - description: 'EnvoyClusterJSON is a complete override ("escape - hatch") for the upstream''s cluster. The Connect client - TLS certificate and context will be injected overriding - any TLS settings present. Note: This escape hatch is NOT - compatible with the discovery chain and will be ignored - if a discovery chain is active.' + description: |- + EnvoyClusterJSON is a complete override ("escape hatch") for the upstream's + cluster. The Connect client TLS certificate and context will be injected + overriding any TLS settings present. + Note: This escape hatch is NOT compatible with the discovery chain and + will be ignored if a discovery chain is active. type: string envoyListenerJSON: - description: 'EnvoyListenerJSON is a complete override ("escape - hatch") for the upstream''s listener. Note: This escape - hatch is NOT compatible with the discovery chain and will - be ignored if a discovery chain is active.' + description: |- + EnvoyListenerJSON is a complete override ("escape hatch") for the upstream's + listener. + Note: This escape hatch is NOT compatible with the discovery chain and + will be ignored if a discovery chain is active. type: string limits: - description: Limits are the set of limits that are applied - to the proxy for a specific upstream of a service instance. + description: |- + Limits are the set of limits that are applied to the proxy for a specific upstream of a + service instance. properties: maxConcurrentRequests: - description: MaxConcurrentRequests is the maximum number - of in-flight requests that will be allowed to the upstream - cluster at a point in time. This is mostly applicable - to HTTP/2 clusters since all HTTP/1.1 requests are limited - by MaxConnections. 
+ description: |- + MaxConcurrentRequests is the maximum number of in-flight requests that will be allowed + to the upstream cluster at a point in time. This is mostly applicable to HTTP/2 + clusters since all HTTP/1.1 requests are limited by MaxConnections. type: integer maxConnections: - description: MaxConnections is the maximum number of connections - the local proxy can make to the upstream service. + description: |- + MaxConnections is the maximum number of connections the local proxy can + make to the upstream service. type: integer maxPendingRequests: - description: MaxPendingRequests is the maximum number - of requests that will be queued waiting for an available - connection. This is mostly applicable to HTTP/1.1 clusters - since all HTTP/2 requests are streamed over a single + description: |- + MaxPendingRequests is the maximum number of requests that will be queued + waiting for an available connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over a single connection. type: integer type: object @@ -326,8 +341,9 @@ spec: are configured and used. properties: mode: - description: Mode is the mode that should be used for - the upstream connection. One of none, local, or remote. + description: |- + Mode is the mode that should be used for the upstream connection. + One of none, local, or remote. type: string type: object name: 
@@ -343,42 +359,40 @@ spec: config entry. type: string passiveHealthCheck: - description: PassiveHealthCheck configuration determines how - upstream proxy instances will be monitored for removal from - the load balancing pool. + description: |- + PassiveHealthCheck configuration determines how upstream proxy instances will + be monitored for removal from the load balancing pool. properties: baseEjectionTime: - description: The base time that a host is ejected for. - The real time is equal to the base time multiplied by - the number of times the host has been ejected and is - capped by max_ejection_time (Default 300s). Defaults - to 30s. + description: |- + The base time that a host is ejected for. The real time is equal to the base time + multiplied by the number of times the host has been ejected and is capped by + max_ejection_time (Default 300s). Defaults to 30s. type: string enforcingConsecutive5xx: - description: EnforcingConsecutive5xx is the % chance that - a host will be actually ejected when an outlier status - is detected through consecutive 5xx. This setting can - be used to disable ejection or to ramp it up slowly. - Ex. Setting this to 10 will make it a 10% chance that - the host will be ejected. + description: |- + EnforcingConsecutive5xx is the % chance that a host will be actually ejected + when an outlier status is detected through consecutive 5xx. + This setting can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that the host will be ejected. format: int32 type: integer interval: - description: Interval between health check analysis sweeps. - Each sweep may remove hosts or return hosts to the pool. - Ex. setting this to "10s" will set the interval to 10 - seconds. + description: |- + Interval between health check analysis sweeps. Each sweep may remove + hosts or return hosts to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. 
type: string maxEjectionPercent: - description: The maximum % of an upstream cluster that - can be ejected due to outlier detection. Defaults to - 10% but will eject at least one host regardless of the - value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier detection. + Defaults to 10% but will eject at least one host regardless of the value. format: int32 type: integer maxFailures: - description: MaxFailures is the count of consecutive failures - that results in a host being removed from the pool. + description: |- + MaxFailures is the count of consecutive failures that results in a host + being removed from the pool. format: int32 type: integer type: object 
@@ -387,59 +401,61 @@ spec: config entry. type: string protocol: - description: Protocol describes the upstream's service protocol. - Valid values are "tcp", "http" and "grpc". Anything else - is treated as tcp. This enables protocol aware features - like per-request metrics and connection pooling, tracing, + description: |- + Protocol describes the upstream's service protocol. Valid values are "tcp", + "http" and "grpc". Anything else is treated as tcp. This enables protocol + aware features like per-request metrics and connection pooling, tracing, routing etc. type: string type: object overrides: - description: Overrides is a slice of per-service configuration. - The name field is required. + description: |- + Overrides is a slice of per-service configuration. The name field is + required. items: properties: connectTimeoutMs: - description: ConnectTimeoutMs is the number of milliseconds - to timeout making a new connection to this upstream. Defaults - to 5000 (5 seconds) if not set. + description: |- + ConnectTimeoutMs is the number of milliseconds to timeout making a new + connection to this upstream. Defaults to 5000 (5 seconds) if not set. type: integer envoyClusterJSON: - description: 'EnvoyClusterJSON is a complete override ("escape - hatch") for the upstream''s cluster. The Connect client - TLS certificate and context will be injected overriding - any TLS settings present. Note: This escape hatch is NOT - compatible with the discovery chain and will be ignored - if a discovery chain is active.' + description: |- + EnvoyClusterJSON is a complete override ("escape hatch") for the upstream's + cluster. The Connect client TLS certificate and context will be injected + overriding any TLS settings present. + Note: This escape hatch is NOT compatible with the discovery chain and + will be ignored if a discovery chain is active. type: string envoyListenerJSON: - description: 'EnvoyListenerJSON is a complete override ("escape - hatch") for the upstream''s listener. 
Note: This escape - hatch is NOT compatible with the discovery chain and will - be ignored if a discovery chain is active.' + description: |- + EnvoyListenerJSON is a complete override ("escape hatch") for the upstream's + listener. + Note: This escape hatch is NOT compatible with the discovery chain and + will be ignored if a discovery chain is active. type: string limits: - description: Limits are the set of limits that are applied - to the proxy for a specific upstream of a service instance. + description: |- + Limits are the set of limits that are applied to the proxy for a specific upstream of a + service instance. properties: maxConcurrentRequests: - description: MaxConcurrentRequests is the maximum number - of in-flight requests that will be allowed to the - upstream cluster at a point in time. This is mostly - applicable to HTTP/2 clusters since all HTTP/1.1 requests - are limited by MaxConnections. + description: |- + MaxConcurrentRequests is the maximum number of in-flight requests that will be allowed + to the upstream cluster at a point in time. This is mostly applicable to HTTP/2 + clusters since all HTTP/1.1 requests are limited by MaxConnections. type: integer maxConnections: - description: MaxConnections is the maximum number of - connections the local proxy can make to the upstream - service. + description: |- + MaxConnections is the maximum number of connections the local proxy can + make to the upstream service. type: integer maxPendingRequests: - description: MaxPendingRequests is the maximum number - of requests that will be queued waiting for an available - connection. This is mostly applicable to HTTP/1.1 - clusters since all HTTP/2 requests are streamed over - a single connection. + description: |- + MaxPendingRequests is the maximum number of requests that will be queued + waiting for an available connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over a single + connection. 
type: integer type: object meshGateway: @@ -447,8 +463,9 @@ spec: are configured and used. properties: mode: - description: Mode is the mode that should be used for - the upstream connection. One of none, local, or remote. + description: |- + Mode is the mode that should be used for the upstream connection. + One of none, local, or remote. type: string type: object name: 
@@ -464,43 +481,40 @@ spec: config entry. type: string passiveHealthCheck: - description: PassiveHealthCheck configuration determines - how upstream proxy instances will be monitored for removal - from the load balancing pool. + description: |- + PassiveHealthCheck configuration determines how upstream proxy instances will + be monitored for removal from the load balancing pool. properties: baseEjectionTime: - description: The base time that a host is ejected for. - The real time is equal to the base time multiplied - by the number of times the host has been ejected and - is capped by max_ejection_time (Default 300s). Defaults - to 30s. + description: |- + The base time that a host is ejected for. The real time is equal to the base time + multiplied by the number of times the host has been ejected and is capped by + max_ejection_time (Default 300s). Defaults to 30s. type: string enforcingConsecutive5xx: - description: EnforcingConsecutive5xx is the % chance - that a host will be actually ejected when an outlier - status is detected through consecutive 5xx. This setting - can be used to disable ejection or to ramp it up slowly. - Ex. Setting this to 10 will make it a 10% chance that - the host will be ejected. + description: |- + EnforcingConsecutive5xx is the % chance that a host will be actually ejected + when an outlier status is detected through consecutive 5xx. + This setting can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that the host will be ejected. format: int32 type: integer interval: - description: Interval between health check analysis - sweeps. Each sweep may remove hosts or return hosts - to the pool. Ex. setting this to "10s" will set the - interval to 10 seconds. + description: |- + Interval between health check analysis sweeps. Each sweep may remove + hosts or return hosts to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. 
type: string maxEjectionPercent: - description: The maximum % of an upstream cluster that - can be ejected due to outlier detection. Defaults - to 10% but will eject at least one host regardless - of the value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier detection. + Defaults to 10% but will eject at least one host regardless of the value. format: int32 type: integer maxFailures: - description: MaxFailures is the count of consecutive - failures that results in a host being removed from - the pool. + description: |- + MaxFailures is the count of consecutive failures that results in a host + being removed from the pool. format: int32 type: integer type: object @@ -509,10 +523,10 @@ spec: config entry. type: string protocol: - description: Protocol describes the upstream's service protocol. - Valid values are "tcp", "http" and "grpc". Anything else - is treated as tcp. This enables protocol aware features - like per-request metrics and connection pooling, tracing, + description: |- + Protocol describes the upstream's service protocol. Valid values are "tcp", + "http" and "grpc". Anything else is treated as tcp. This enables protocol + aware features like per-request metrics and connection pooling, tracing, routing etc. type: string type: object @@ -525,8 +539,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition 
diff --git a/charts/consul/templates/crd-serviceintentions.yaml b/charts/consul/templates/crd-serviceintentions.yaml index 75299f016e..72159ec187 100644 --- a/charts/consul/templates/crd-serviceintentions.yaml +++ b/charts/consul/templates/crd-serviceintentions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -41,14 +41,19 @@ spec: description: ServiceIntentions is the Schema for the serviceintentions API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -60,16 +65,16 @@ spec: the authorization granted to. properties: name: - description: Name is the destination of all intentions defined - in this config entry. This may be set to the wildcard character - (*) to match all services that don't otherwise have intentions - defined. + description: |- + Name is the destination of all intentions defined in this config entry. + This may be set to the wildcard character (*) to match + all services that don't otherwise have intentions defined. type: string namespace: - description: Namespace specifies the namespace the config entry - will apply to. This may be set to the wildcard character (*) - to match all services in all namespaces that don't otherwise - have intentions defined. + description: |- + Namespace specifies the namespace the config entry will apply to. + This may be set to the wildcard character (*) to match all services + in all namespaces that don't otherwise have intentions defined. type: string type: object jwt: @@ -82,9 +87,9 @@ spec: items: properties: name: - description: Name is the name of the JWT provider. There - MUST be a corresponding "jwt-provider" config entry with - this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional claims @@ -98,11 +103,10 @@ spec: type: string type: array value: - description: Value is the expected value at the given - path. If the type at the path is a list then we - verify that this value is contained in the list. - If the type at the path is a string then we verify - that this value matches. + description: |- + Value is the expected value at the given path. If the type at the path + is a list then we verify that this value is contained in the list. If + the type at the path is a string then we verify that this value matches. type: string type: object type: array 
@@ -110,25 +114,25 @@ spec: type: array type: object sources: - description: Sources is the list of all intention sources and the - authorization granted to those sources. The order of this list does - not matter, but out of convenience Consul will always store this - reverse sorted by intention precedence, as that is the order that - they will be evaluated at enforcement time. + description: |- + Sources is the list of all intention sources and the authorization granted to those sources. + The order of this list does not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that they will be evaluated at enforcement time. items: properties: action: - description: Action is required for an L4 intention, and should - be set to one of "allow" or "deny" for the action that should - be taken if this intention matches a request. + description: |- + Action is required for an L4 intention, and should be set to one of + "allow" or "deny" for the action that should be taken if this intention matches a request. type: string description: description: Description for the intention. This is not used by Consul, but is presented in API responses to assist tooling. type: string name: - description: Name is the source of the intention. This is the - name of a Consul service. The service doesn't need to be registered. + description: |- + Name is the source of the intention. This is the name of a + Consul service. The service doesn't need to be registered. type: string namespace: description: Namespace is the namespace for the Name parameter. 
@@ -140,31 +144,28 @@ spec: description: Peer is the peer name for the Name parameter. type: string permissions: - description: Permissions is the list of all additional L7 attributes - that extend the intention match criteria. Permission precedence - is applied top to bottom. For any given request the first - permission to match in the list is terminal and stops further - evaluation. As with L4 intentions, traffic that fails to match - any of the provided permissions in this intention will be - subject to the default intention behavior is defined by the - default ACL policy. This should be omitted for an L4 intention + description: |- + Permissions is the list of all additional L7 attributes that extend the intention match criteria. + Permission precedence is applied top to bottom. For any given request the first permission to match + in the list is terminal and stops further evaluation. As with L4 intentions, traffic that fails to + match any of the provided permissions in this intention will be subject to the default intention + behavior is defined by the default ACL policy. This should be omitted for an L4 intention as it is mutually exclusive with the Action field. items: properties: action: - description: Action is one of "allow" or "deny" for the - action that should be taken if this permission matches - a request. + description: |- + Action is one of "allow" or "deny" for the action that + should be taken if this permission matches a request. type: string http: description: HTTP is a set of HTTP-specific authorization criteria. properties: header: - description: Header is a set of criteria that can - match on HTTP request headers. If more than one - is configured all must match for the overall match - to apply. + description: |- + Header is a set of criteria that can match on HTTP request headers. + If more than one is configured all must match for the overall match to apply. items: properties: exact: 
@@ -198,10 +199,9 @@ spec: type: object type: array methods: - description: Methods is a list of HTTP methods for - which this match applies. If unspecified all HTTP - methods are matched. If provided the names must - be a valid method. + description: |- + Methods is a list of HTTP methods for which this match applies. If unspecified + all HTTP methods are matched. If provided the names must be a valid method. items: type: string type: array @@ -228,9 +228,9 @@ spec: items: properties: name: - description: Name is the name of the JWT provider. - There MUST be a corresponding "jwt-provider" - config entry with this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional @@ -244,12 +244,10 @@ spec: type: string type: array value: - description: Value is the expected value - at the given path. If the type at the - path is a list then we verify that this - value is contained in the list. If the - type at the path is a string then we - verify that this value matches. + description: |- + Value is the expected value at the given path. If the type at the path + is a list then we verify that this value is contained in the list. If + the type at the path is a string then we verify that this value matches. type: string type: object type: array 
@@ -271,8 +269,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-serviceresolvers.yaml b/charts/consul/templates/crd-serviceresolvers.yaml index 6d89125216..9367d6db2c 100644 --- a/charts/consul/templates/crd-serviceresolvers.yaml +++ b/charts/consul/templates/crd-serviceresolvers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,14 +41,19 @@ spec: description: ServiceResolver is the Schema for the serviceresolvers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,12 +61,14 @@ spec: description: ServiceResolverSpec defines the desired state of ServiceResolver. properties: connectTimeout: - description: ConnectTimeout is the timeout for establishing new network - connections to this service. + description: |- + ConnectTimeout is the timeout for establishing new network connections + to this service. type: string defaultSubset: - description: DefaultSubset is the subset to use when no explicit subset - is requested. If empty the unnamed subset is used. + description: |- + DefaultSubset is the subset to use when no explicit subset is requested. + If empty the unnamed subset is used. type: string failover: additionalProperties: @@ -73,22 +80,22 @@ spec: type: string type: array namespace: - description: Namespace is the namespace to resolve the requested - service from to form the failover group of instances. If empty - the current namespace is used. + description: |- + Namespace is the namespace to resolve the requested service from to form + the failover group of instances. If empty the current namespace is used. type: string policy: description: Policy specifies the exact mechanism used for failover. properties: mode: - description: Mode specifies the type of failover that will - be performed. Valid values are "sequential", "" (equivalent - to "sequential") and "order-by-locality". + description: |- + Mode specifies the type of failover that will be performed. Valid values are + "sequential", "" (equivalent to "sequential") and "order-by-locality". type: string regions: - description: Regions is the ordered list of the regions - of the failover targets. Valid values can be "us-west-1", - "us-west-2", and so on. + description: |- + Regions is the ordered list of the regions of the failover targets. + Valid values can be "us-west-1", "us-west-2", and so on. items: type: string type: array 
@@ -98,13 +105,15 @@ spec: to try during failover. type: string service: - description: Service is the service to resolve instead of the - default as the failover group of instances during failover. + description: |- + Service is the service to resolve instead of the default as the failover + group of instances during failover. type: string serviceSubset: - description: ServiceSubset is the named subset of the requested - service to resolve as the failover group of instances. If - empty the default subset for the requested service is used. + description: |- + ServiceSubset is the named subset of the requested service to resolve as + the failover group of instances. If empty the default subset for the + requested service is used. type: string targets: description: Targets specifies a fixed list of failover targets 
@@ -138,21 +147,25 @@ spec: type: object type: array type: object - description: Failover controls when and how to reroute traffic to - an alternate pool of service instances. The map is keyed by the - service subset it applies to and the special string "*" is a wildcard - that applies to any subset not otherwise specified here. + description: |- + Failover controls when and how to reroute traffic to an alternate pool of + service instances. + The map is keyed by the service subset it applies to and the special + string "*" is a wildcard that applies to any subset not otherwise + specified here. type: object loadBalancer: - description: LoadBalancer determines the load balancing policy and - configuration for services issuing requests to this upstream service. + description: |- + LoadBalancer determines the load balancing policy and configuration for services + issuing requests to this upstream service. properties: hashPolicies: - description: HashPolicies is a list of hash policies to use for - hashing load balancing algorithms. Hash policies are evaluated - individually and combined such that identical lists result in - the same hash. If no hash policies are present, or none are - successfully evaluated, then a random backend host will be selected. + description: |- + HashPolicies is a list of hash policies to use for hashing load balancing algorithms. + Hash policies are evaluated individually and combined such that identical lists + result in the same hash. + If no hash policies are present, or none are successfully evaluated, + then a random backend host will be selected. items: properties: cookieConfig: 
@@ -172,26 +185,27 @@ spec: type: string type: object field: - description: Field is the attribute type to hash on. Must - be one of "header", "cookie", or "query_parameter". Cannot - be specified along with sourceIP. + description: |- + Field is the attribute type to hash on. + Must be one of "header", "cookie", or "query_parameter". + Cannot be specified along with sourceIP. type: string fieldValue: - description: FieldValue is the value to hash. ie. header - name, cookie name, URL query parameter name Cannot be - specified along with sourceIP. + description: |- + FieldValue is the value to hash. + ie. header name, cookie name, URL query parameter name + Cannot be specified along with sourceIP. type: string sourceIP: - description: SourceIP determines whether the hash should - be of the source IP rather than of a field and field value. + description: |- + SourceIP determines whether the hash should be of the source IP rather than of a field and field value. Cannot be specified along with field or fieldValue. type: boolean terminal: - description: Terminal will short circuit the computation - of the hash when multiple hash policies are present. If - a hash is computed when a Terminal policy is evaluated, - then that hash will be used and subsequent hash policies - will be ignored. + description: |- + Terminal will short circuit the computation of the hash when multiple hash policies are present. + If a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies will be ignored. type: boolean type: object type: array 
@@ -226,39 +240,44 @@ spec: type: object type: object prioritizeByLocality: - description: PrioritizeByLocality controls whether the locality of - services within the local partition will be used to prioritize connectivity. + description: |- + PrioritizeByLocality controls whether the locality of services within the + local partition will be used to prioritize connectivity. properties: mode: - description: 'Mode specifies the type of prioritization that will - be performed when selecting nodes in the local partition. Valid - values are: "" (default "none"), "none", and "failover".' + description: |- + Mode specifies the type of prioritization that will be performed + when selecting nodes in the local partition. + Valid values are: "" (default "none"), "none", and "failover". type: string type: object redirect: - description: Redirect when configured, all attempts to resolve the - service this resolver defines will be substituted for the supplied - redirect EXCEPT when the redirect has already been applied. When - substituting the supplied redirect, all other fields besides Kind, - Name, and Redirect will be ignored. + description: |- + Redirect when configured, all attempts to resolve the service this + resolver defines will be substituted for the supplied redirect + EXCEPT when the redirect has already been applied. + When substituting the supplied redirect, all other fields besides + Kind, Name, and Redirect will be ignored. properties: datacenter: - description: Datacenter is the datacenter to resolve the service - from instead of the current one. + description: |- + Datacenter is the datacenter to resolve the service from instead of the + current one. type: string namespace: - description: Namespace is the Consul namespace to resolve the - service from instead of the current namespace. If empty the - current namespace is assumed. + description: |- + Namespace is the Consul namespace to resolve the service from instead of + the current namespace. 
If empty the current namespace is assumed. type: string partition: - description: Partition is the Consul partition to resolve the - service from instead of the current partition. If empty the - current partition is assumed. + description: |- + Partition is the Consul partition to resolve the service from instead of + the current partition. If empty the current partition is assumed. type: string peer: - description: Peer is the name of the cluster peer to resolve the - service from instead of the current one. + description: |- + Peer is the name of the cluster peer to resolve the service from instead + of the current one. type: string samenessGroup: description: SamenessGroup is the name of the sameness group to 
@@ -269,37 +288,41 @@ spec: service. type: string serviceSubset: - description: ServiceSubset is a named subset of the given service - to resolve instead of one defined as that service's DefaultSubset - If empty the default subset is used. + description: |- + ServiceSubset is a named subset of the given service to resolve instead + of one defined as that service's DefaultSubset If empty the default + subset is used. type: string type: object requestTimeout: - description: RequestTimeout is the timeout for receiving an HTTP response - from this service before the connection is terminated. + description: |- + RequestTimeout is the timeout for receiving an HTTP response from this + service before the connection is terminated. type: string subsets: additionalProperties: properties: filter: - description: Filter is the filter expression to be used for - selecting instances of the requested service. If empty all - healthy instances are returned. This expression can filter - on the same selectors as the Health API endpoint. + description: |- + Filter is the filter expression to be used for selecting instances of the + requested service. If empty all healthy instances are returned. This + expression can filter on the same selectors as the Health API endpoint. type: string onlyPassing: - description: OnlyPassing specifies the behavior of the resolver's - health check interpretation. If this is set to false, instances - with checks in the passing as well as the warning states will - be considered healthy. If this is set to true, only instances - with checks in the passing state will be considered healthy. + description: |- + OnlyPassing specifies the behavior of the resolver's health check + interpretation. If this is set to false, instances with checks in the + passing as well as the warning states will be considered healthy. If this + is set to true, only instances with checks in the passing state will be + considered healthy. 
type: boolean type: object - description: Subsets is map of subset name to subset definition for - all usable named subsets of this service. The map key is the name - of the subset and all names must be valid DNS subdomain elements. - This may be empty, in which case only the unnamed default subset - will be usable. + description: |- + Subsets is map of subset name to subset definition for all usable named + subsets of this service. The map key is the name of the subset and all + names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset will + be usable. type: object type: object status: @@ -308,8 +331,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-servicerouters.yaml b/charts/consul/templates/crd-servicerouters.yaml index c7924081fd..4d62149682 100644 --- a/charts/consul/templates/crd-servicerouters.yaml +++ b/charts/consul/templates/crd-servicerouters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -41,14 +41,19 @@ spec: description: ServiceRouter is the Schema for the servicerouters API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,10 +61,11 @@ spec: description: ServiceRouterSpec defines the desired state of ServiceRouter. properties: routes: - description: Routes are the list of routes to consider when processing - L7 requests. The first route to match in the list is terminal and - stops further evaluation. Traffic that fails to match any of the - provided routes will be routed to the default service. + description: |- + Routes are the list of routes to consider when processing L7 requests. + The first route to match in the list is terminal and stops further + evaluation. Traffic that fails to match any of the provided routes will + be routed to the default service. items: properties: destination: @@ -67,13 +73,14 @@ spec: request(s) to a service. properties: idleTimeout: - description: IdleTimeout is total amount of time permitted + description: |- + IdleTimeout is total amount of time permitted for the request stream to be idle. type: string namespace: - description: Namespace is the Consul namespace to resolve - the service from instead of the current namespace. If - empty the current namespace is assumed. + description: |- + Namespace is the Consul namespace to resolve the service from instead of + the current namespace. If empty the current namespace is assumed. type: string numRetries: description: NumRetries is the number of times to retry 
@@ -81,13 +88,14 @@ spec: format: int32 type: integer partition: - description: Partition is the Consul partition to resolve - the service from instead of the current partition. If - empty the current partition is assumed. + description: |- + Partition is the Consul partition to resolve the service from instead of + the current partition. If empty the current partition is assumed. type: string prefixRewrite: - description: PrefixRewrite defines how to rewrite the HTTP - request path before proxying it to its final destination. + description: |- + PrefixRewrite defines how to rewrite the HTTP request path before proxying + it to its final destination. This requires that either match.http.pathPrefix or match.http.pathExact be configured on this route. type: string 
@@ -97,61 +105,63 @@ spec: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that - should be appended to the request or response (i.e. - allowing duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). type: object remove: - description: Remove is the set of header names that - should be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that - should be added to the request or response, overwriting - any existing header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object requestTimeout: - description: RequestTimeout is the total amount of time - permitted for the entire downstream request (and retries) - to be processed. + description: |- + RequestTimeout is the total amount of time permitted for the entire + downstream request (and retries) to be processed. type: string responseHeaders: - description: HTTPHeaderModifiers is a set of rules for HTTP - header modification that should be performed by proxies - as the request passes through them. It can operate on - either request or response headers depending on the context - in which it is used. + description: |- + HTTPHeaderModifiers is a set of rules for HTTP header modification that + should be performed by proxies as the request passes through them. It can + operate on either request or response headers depending on the context in + which it is used. 
properties: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that - should be appended to the request or response (i.e. - allowing duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). type: object remove: - description: Remove is the set of header names that - should be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that - should be added to the request or response, overwriting - any existing header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object retryOn: - description: 'RetryOn is a flat list of conditions for Consul - to retry requests based on the response from an upstream - service. Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon' + description: |- + RetryOn is a flat list of conditions for Consul to retry requests based on the response from an upstream service. + Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon items: type: string type: array 
@@ -167,20 +177,21 @@ spec: type: integer type: array service: - description: Service is the service to resolve instead of - the default service. If empty then the default service - name is used. + description: |- + Service is the service to resolve instead of the default service. + If empty then the default service name is used. type: string serviceSubset: - description: ServiceSubset is a named subset of the given - service to resolve instead of the one defined as that - service's DefaultSubset. If empty, the default subset - is used. + description: |- + ServiceSubset is a named subset of the given service to resolve instead + of the one defined as that service's DefaultSubset. + If empty, the default subset is used. type: string type: object match: - description: Match is a set of criteria that can match incoming - L7 requests. If empty or omitted it acts as a catch-all. + description: |- + Match is a set of criteria that can match incoming L7 requests. + If empty or omitted it acts as a catch-all. properties: http: description: HTTP is a set of http-specific match criteria. @@ -190,9 +201,9 @@ spec: PathPrefix matches to ignore upper/lower casing. type: boolean header: - description: Header is a set of criteria that can match - on HTTP request headers. If more than one is configured - all must match for the overall match to apply. + description: |- + Header is a set of criteria that can match on HTTP request headers. + If more than one is configured all must match for the overall match to apply. items: properties: exact: @@ -227,9 +238,9 @@ spec: type: object type: array methods: - description: Methods is a list of HTTP methods for which - this match applies. If unspecified all http methods - are matched. + description: |- + Methods is a list of HTTP methods for which this match applies. + If unspecified all http methods are matched. items: type: string type: array 
@@ -246,10 +257,9 @@ spec: on the HTTP request path. type: string queryParam: - description: QueryParam is a set of criteria that can - match on HTTP query parameters. If more than one is - configured all must match for the overall match to - apply. + description: |- + QueryParam is a set of criteria that can match on HTTP query parameters. + If more than one is configured all must match for the overall match to apply. items: properties: exact: @@ -261,8 +271,9 @@ spec: to match on. type: string present: - description: Present will match if the query parameter - with the given name is present with any value. + description: |- + Present will match if the query parameter with the given name is present + with any value. type: boolean regex: description: Regex will match if the query parameter @@ -283,8 +294,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-servicesplitters.yaml b/charts/consul/templates/crd-servicesplitters.yaml index 8d5ed58023..704ad5df98 100644 --- a/charts/consul/templates/crd-servicesplitters.yaml +++ b/charts/consul/templates/crd-servicesplitters.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -41,14 +41,19 @@ spec: description: ServiceSplitter is the Schema for the servicesplitters API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,20 +61,20 @@ spec: description: ServiceSplitterSpec defines the desired state of ServiceSplitter. properties: splits: - description: Splits defines how much traffic to send to which set - of service instances during a traffic split. The sum of weights - across all splits must add up to 100. + description: |- + Splits defines how much traffic to send to which set of service instances during a traffic split. + The sum of weights across all splits must add up to 100. items: properties: namespace: - description: Namespace is the Consul namespace to resolve the - service from instead of the current namespace. If empty the - current namespace is assumed. + description: |- + Namespace is the Consul namespace to resolve the service from instead of + the current namespace. If empty the current namespace is assumed. type: string partition: - description: Partition is the Consul partition to resolve the - service from instead of the current partition. If empty the - current partition is assumed. + description: |- + Partition is the Consul partition to resolve the service from instead of + the current partition. If empty the current partition is assumed. type: string requestHeaders: description: Allow HTTP header manipulation to be configured. 
@@ -77,50 +82,52 @@ spec: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that should - be appended to the request or response (i.e. allowing - duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). type: object remove: - description: Remove is the set of header names that should - be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that should - be added to the request or response, overwriting any existing - header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object responseHeaders: - description: HTTPHeaderModifiers is a set of rules for HTTP - header modification that should be performed by proxies as - the request passes through them. It can operate on either - request or response headers depending on the context in which - it is used. + description: |- + HTTPHeaderModifiers is a set of rules for HTTP header modification that + should be performed by proxies as the request passes through them. It can + operate on either request or response headers depending on the context in + which it is used. properties: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that should - be appended to the request or response (i.e. allowing - duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). 
type: object remove: - description: Remove is the set of header names that should - be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that should - be added to the request or response, overwriting any existing - header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object service: @@ -128,13 +135,13 @@ spec: default. type: string serviceSubset: - description: ServiceSubset is a named subset of the given service - to resolve instead of one defined as that service's DefaultSubset. - If empty the default subset is used. + description: |- + ServiceSubset is a named subset of the given service to resolve instead of one defined + as that service's DefaultSubset. If empty the default subset is used. type: string weight: - description: Weight is a value between 0 and 100 reflecting - what portion of traffic should be directed to this split. + description: |- + Weight is a value between 0 and 100 reflecting what portion of traffic should be directed to this split. The smallest representable weight is 1/10000 or .01%. type: number type: object 
@@ -146,8 +153,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-tcproutes-external.yaml b/charts/consul/templates/crd-tcproutes-external.yaml index b5bc7be13c..a57a329a56 100644 --- a/charts/consul/templates/crd-tcproutes-external.yaml +++ b/charts/consul/templates/crd-tcproutes-external.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +{{- if and .Values.connectInject.enabled (or .Values.connectInject.apiGateway.manageExternalCRDs .Values.connectInject.apiGateway.manageNonStandardCRDs ) }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: diff --git a/charts/consul/templates/crd-tcproutes.yaml b/charts/consul/templates/crd-tcproutes.yaml index c0e87a9c3c..a71d31206c 100644 --- a/charts/consul/templates/crd-tcproutes.yaml +++ b/charts/consul/templates/crd-tcproutes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
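Review bot: The new guard in crd-tcproutes-external.yaml carries a stray space before the closing parenthesis in `manageNonStandardCRDs )`; Helm renders it, but `(or .Values.connectInject.apiGateway.manageExternalCRDs .Values.connectInject.apiGateway.manageNonStandardCRDs)` is the conventional form. Since this template is now installed under two independent flags, a one-line template comment such as `{{- /* Installed when either the external or the non-standard CRD set is managed by the chart. */}}` would make the intent explicit to the next reader.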
@@ -41,39 +41,58 @@ spec: description: TCPRoute is the Schema for the TCP Route API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: "NOTE: this should align to the GAMMA/gateway-api version, - or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute - \n This is a Resource type." + description: |- + NOTE: this should align to the GAMMA/gateway-api version, or at least be + easily translatable. + + + https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + + + This is a Resource type. 
properties: parentRefs: - description: "ParentRefs references the resources (usually Services) - that a Route wants to be attached to. \n It is invalid to reference - an identical parent more than once. It is valid to reference multiple - distinct sections within the same parent resource." + description: |- + ParentRefs references the resources (usually Services) that a Route wants + to be attached to. + + + It is invalid to reference an identical parent more than once. It is valid + to reference multiple distinct sections within the same parent resource. items: description: 'NOTE: roughly equivalent to structs.ResourceReference' properties: port: - description: "For east/west this is the name of the Consul Service - port to direct traffic to or empty to imply all. For north/south - this is TBD. \n For more details on potential values of this - field, see documentation for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply all. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: - description: For east/west configuration, this should point - to a Service. For north/south it should point to a Gateway. + description: |- + For east/west configuration, this should point to a Service. + For north/south it should point to a Gateway. properties: name: description: Name is the user-given name of the resource 
@@ -84,36 +103,41 @@ spec: the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units (i.e. - partition, namespace) in which the resource resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources within - a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. "catalog", - "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). type: string groupVersion: - description: GroupVersion is incremented when sweeping - or backward-incompatible changes are made to the group's - resource types. 
+ description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes + are made to the group's resource types. type: string kind: description: Kind identifies the specific resource type @@ -128,13 +152,13 @@ spec: items: properties: backendRefs: - description: BackendRefs defines the backend(s) where matching - requests should be sent. If unspecified or invalid (refers - to a non-existent resource or a Service with no endpoints), - the underlying implementation MUST actively reject connection - attempts to this backend. Connection rejections must respect - weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. + description: |- + BackendRefs defines the backend(s) where matching requests should be sent. + If unspecified or invalid (refers to a non-existent resource or a Service + with no endpoints), the underlying implementation MUST actively reject + connection attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of connections, + then 80% of connections must be rejected instead. items: properties: backendRef: @@ -142,12 +166,14 @@ spec: datacenter: type: string port: - description: "For east/west this is the name of the - Consul Service port to direct traffic to or empty - to imply using the same value as the parent ref. - For north/south this is TBD. \n For more details - on potential values of this field, see documentation - for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply using the same value as the parent ref. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: description: For east/west configuration, this should 
@@ -162,36 +188,40 @@ spec: the resource the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units - (i.e. partition, namespace) in which the resource - resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources - within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. - "catalog", "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). 
type: string groupVersion: - description: GroupVersion is incremented when - sweeping or backward-incompatible changes + description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes are made to the group's resource types. type: string kind: @@ -202,18 +232,19 @@ spec: type: object type: object weight: - description: "Weight specifies the proportion of requests - forwarded to the referenced backend. This is computed - as weight/(sum of all weights in this BackendRefs list). - For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision - an implementation supports. Weight is not a percentage - and the sum of weights does not need to equal 100. \n - If only one backend is specified and it has a weight - greater than 0, 100% of the traffic is forwarded to - that backend. If weight is set to 0, no traffic should - be forwarded for this entry. If unspecified, weight - defaults to 1." + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from the + exact proportion defined here depending on the precision an implementation + supports. Weight is not a percentage and the sum of weights does not need + to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight defaults + to 1. format: int32 type: integer type: object 
@@ -227,8 +258,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-terminatinggateways.yaml b/charts/consul/templates/crd-terminatinggateways.yaml index cd53122e9d..5d78a50ca6 100644 --- a/charts/consul/templates/crd-terminatinggateways.yaml +++ b/charts/consul/templates/crd-terminatinggateways.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -42,14 +42,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -64,22 +69,23 @@ spec: gateway. properties: caFile: - description: CAFile is the optional path to a CA certificate - to use for TLS connections from the gateway to the linked - service. + description: |- + CAFile is the optional path to a CA certificate to use for TLS connections + from the gateway to the linked service. type: string certFile: - description: CertFile is the optional path to a client certificate - to use for TLS connections from the gateway to the linked - service. + description: |- + CertFile is the optional path to a client certificate to use for TLS connections + from the gateway to the linked service. type: string disableAutoHostRewrite: description: DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true. type: boolean keyFile: - description: KeyFile is the optional path to a private key to - use for TLS connections from the gateway to the linked service. + description: |- + KeyFile is the optional path to a private key to use for TLS connections + from the gateway to the linked service. type: string name: description: Name is the name of the service, as defined in @@ -101,8 +107,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/crd-trafficpermissions.yaml b/charts/consul/templates/crd-trafficpermissions.yaml index 87727f4fbf..2a0b069dbc 100644 
--- a/charts/consul/templates/crd-trafficpermissions.yaml +++ b/charts/consul/templates/crd-trafficpermissions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -42,32 +42,43 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: TrafficPermissions authorizes traffic between workloads in + a Consul service mesh. properties: action: - description: "Action can be either allow or deny for the entire object. - It will default to allow. \n If action is allow, we will allow the - connection if one of the rules in Rules matches, in other words, - we will deny all requests except for the ones that match Rules. - If Consul is in default allow mode, then allow actions have no effect - without a deny permission as everything is allowed by default. 
\n - If action is deny, we will deny the connection if one of the rules - in Rules match, in other words, we will allow all requests except - for the ones that match Rules. If Consul is default deny mode, then - deny permissions have no effect without an allow permission as everything - is denied by default. \n Action unspecified is reserved for compatibility - with the addition of future actions." + description: |- + Action can be either allow or deny for the entire object. It will default to allow. + Deny actions are available only in Consul Enterprise. + + + If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny + all requests except for the ones that match Rules. If Consul is in default allow mode, then allow + actions have no effect without a deny permission as everything is allowed by default. + + + If action is deny, we will deny the connection if one of the rules in Rules match, in other words, + we will allow all requests except for the ones that match Rules. If Consul is default deny mode, + then deny permissions have no effect without an allow permission as everything is denied by default. + + + Action unspecified is reserved for compatibility with the addition of future actions. enum: - ACTION_ALLOW - ACTION_DENY @@ -75,7 +86,8 @@ spec: format: int32 type: string destination: - description: Destination is a configuration of the destination proxies + description: |- + Destination is a configuration of the destination proxies where these traffic permissions should apply. properties: identityName: 
@@ -88,9 +100,9 @@ spec: description: Permissions is a list of permissions to match on. properties: destinationRules: - description: DestinationRules is a list of rules to apply for - matching sources in this Permission. These rules are specific - to the request or connection that is going to the destination(s) + description: |- + DestinationRules is a list of rules to apply for matching sources in this Permission. + These rules are specific to the request or connection that is going to the destination(s) selected by the TrafficPermissions resource. items: description: DestinationRule contains rules rules to apply @@ -132,8 +144,8 @@ spec: pathRegex: type: string portNames: - description: PortNames is a list of workload ports - to apply this rule to. The ports specified here + description: |- + PortNames is a list of workload ports to apply this rule to. The ports specified here must be the ports used in the connection. items: type: string @@ -160,8 +172,9 @@ spec: type: object type: array methods: - description: Methods is the list of HTTP methods. If no - methods are specified, this rule will apply to all methods. + description: |- + Methods is the list of HTTP methods. If no methods are specified, + this rule will apply to all methods. items: type: string type: array 
@@ -180,17 +193,18 @@ spec: sources: description: Sources is a list of sources in this traffic permission. items: - description: Source represents the source identity. To specify - any of the wildcard sources, the specific fields need to - be omitted. For example, for a wildcard namespace, identity_name - should be omitted. + description: |- + Source represents the source identity. + To specify any of the wildcard sources, the specific fields need to be omitted. + For example, for a wildcard namespace, identity_name should be omitted. properties: exclude: description: Exclude is a list of sources to exclude from this source. items: - description: ExcludeSource is almost the same as source - but it prevents the addition of matching sources. + description: |- + ExcludeSource is almost the same as source but it prevents the addition of + matching sources. properties: identityName: type: string @@ -225,8 +239,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/charts/consul/templates/gateway-cleanup-serviceaccount.yaml b/charts/consul/templates/gateway-cleanup-serviceaccount.yaml index f50eb72d97..52c340f69d 100644 --- a/charts/consul/templates/gateway-cleanup-serviceaccount.yaml +++ b/charts/consul/templates/gateway-cleanup-serviceaccount.yaml 
@@ -10,4 +10,10 @@ metadata: heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: gateway-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} {{- end }} diff --git a/charts/consul/templates/gateway-resources-job.yaml b/charts/consul/templates/gateway-resources-job.yaml index b5e7b056cc..ff53129eb3 100644 --- a/charts/consul/templates/gateway-resources-job.yaml +++ b/charts/consul/templates/gateway-resources-job.yaml @@ -69,7 +69,8 @@ spec: - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} {{- end }} {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} - - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.tolerations | nindent 14 -}} {{- end }} {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} - -service-annotations @@ -89,13 +90,10 @@ spec: {{- if .Values.connectInject.apiGateway.managedGatewayClass.metrics.port }} - -metrics-port={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.port }} {{- end }} + {{- with .Values.connectInject.apiGateway.managedGatewayClass.resourceJob.resources }} resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "50Mi" - cpu: "50m" + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: config mountPath: /consul/config diff --git a/charts/consul/templates/gateway-resources-serviceaccount.yaml b/charts/consul/templates/gateway-resources-serviceaccount.yaml index 4611dc38e1..db3a44984f 100644 --- a/charts/consul/templates/gateway-resources-serviceaccount.yaml +++ b/charts/consul/templates/gateway-resources-serviceaccount.yaml 
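Review bot: Guarding `resources:` with `{{- with .Values.connectInject.apiGateway.managedGatewayClass.resourceJob.resources }}` renders the job container with no requests or limits whenever that value is empty, where the template previously always emitted the 50Mi/50m defaults; unless values.yaml (not in this diff) carries an equivalent default, this removes the bound on the job's CPU and memory, and the Pod may be rejected in namespaces whose ResourceQuota requires requests and limits to be set. The same pattern is introduced for `webhookCertManager.resources` in webhook-cert-manager-deployment.yaml. If the defaults do live in values.yaml, a template comment pointing there would help reviewers, e.g. `{{- /* Defaults are set in values.yaml; an empty value renders the container without requests/limits. */}}`.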
@@ -10,4 +10,10 @@ metadata: heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: gateway-resources +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} {{- end }} diff --git a/charts/consul/templates/webhook-cert-manager-deployment.yaml b/charts/consul/templates/webhook-cert-manager-deployment.yaml index 0301331b9b..71cddcaf84 100644 --- a/charts/consul/templates/webhook-cert-manager-deployment.yaml +++ b/charts/consul/templates/webhook-cert-manager-deployment.yaml @@ -54,13 +54,10 @@ spec: {{ template "consul.imagePullPolicy" . }} name: webhook-cert-manager {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- with .Values.webhookCertManager.resources }} resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 100m - memory: 50Mi + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: config mountPath: /bootstrap/config diff --git a/charts/consul/test/unit/connect-inject-clusterrole.bats b/charts/consul/test/unit/connect-inject-clusterrole.bats index cfe64337d9..5463fbded7 100644 --- a/charts/consul/test/unit/connect-inject-clusterrole.bats +++ b/charts/consul/test/unit/connect-inject-clusterrole.bats @@ -34,7 +34,7 @@ load _helpers #-------------------------------------------------------------------- # rules -@test "connectInject/ClusterRole: sets get, list, and watch access to endpoints, services, namespaces and nodes in all api groups" { +@test "connectInject/ClusterRole: sets get, list, watch, delete, create, and update access to secrets, serviceaccounts and services in core api group" { cd `chart_dir` local object=$(helm template \ -s templates/connect-inject-clusterrole.yaml \ 
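Review bot: The renamed test in the connect-inject-clusterrole.bats hunk now documents that the connect-inject ClusterRole grants get, list, watch, create, update and delete on `secrets` in the core API group cluster-wide, which is effectively read/write access to every Secret in the cluster; the rule itself lives in templates/connect-inject-clusterrole.yaml, which this diff does not show. The test title states the grant but nothing records why write access to secrets is required (presumably for gateway TLS material — that is an inference, not visible here), so a reader auditing RBAC has to guess. Add a comment above the test such as `# connect-inject needs write access to secrets cluster-wide for <reason>; this cannot be narrowed with resourceNames because the names are user-chosen` once the reason is confirmed, and have the ClusterRole review confirm the grant cannot be scoped to a namespaced Role.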
@@ -44,12 +44,50 @@ load _helpers . | tee /dev/stderr | yq -r '.rules[2]' | tee /dev/stderr) - local actual=$(echo $object | yq -r '.resources[| index("endpoints")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '.resources[| index("secrets")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.resources[| index("serviceaccounts")' | tee /dev/stderr) [ "${actual}" != null ] local actual=$(echo $object | yq -r '.resources[| index("services")' | tee /dev/stderr) [ "${actual}" != null ] + local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr) + [ "${actual}" = "" ] + + local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("delete")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("create")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("update")' | tee /dev/stderr) + [ "${actual}" != null ] +} + +@test "connectInject/ClusterRole: sets get, list, and watch access to endpoints, namespaces and nodes in core api group" { + cd `chart_dir` + local object=$(helm template \ + -s templates/connect-inject-clusterrole.yaml \ + --set 'global.enabled=false' \ + --set 'client.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r '.rules[3]' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '.resources[| index("endpoints")' | tee /dev/stderr) + [ "${actual}" != null ] + local actual=$(echo $object | yq -r '.resources[| index("namespaces")' | tee /dev/stderr) [ "${actual}" != null ] 
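Review bot: Both tests in this hunk select the rule under test by position (`yq -r '.rules[2]'`, `yq -r '.rules[3]'`), and the rest of this diff shows the cost: every later assertion had to be renumbered from `.rules[4]` to `.rules[5]` and so on, so the next rule inserted in the template shifts all of them again. Selecting by content is stable and reads as the assertion it is, e.g. `yq -r '.rules[] | select(.resources | index("secrets"))'` for the secrets/serviceaccounts/services rule and `select(.resources | index("endpoints"))` for the endpoints/namespaces/nodes rule. Note also that `[ "${actual}" != null ]` compares against the literal string `null`, which is what `yq -r` prints for a missing index, so it works but is worth a one-line comment.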
@@ -77,7 +115,7 @@ load _helpers --set 'client.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq -r '.rules[4]' | tee /dev/stderr) + yq -r '.rules[5]' | tee /dev/stderr) local actual=$(echo $object | yq -r '.resources[| index("pods")' | tee /dev/stderr) [ "${actual}" != null ] @@ -106,7 +144,7 @@ load _helpers --set 'client.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq -r '.rules[5]' | tee /dev/stderr) + yq -r '.rules[6]' | tee /dev/stderr) local actual=$(echo $object | yq -r '.resources[| index("leases")' | tee /dev/stderr) [ "${actual}" != null ] @@ -197,7 +235,7 @@ load _helpers --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | - yq -r '.rules[6]' | tee /dev/stderr) + yq -r '.rules[7]' | tee /dev/stderr) local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr) [ "${actual}" = "mutatingwebhookconfigurations" ] @@ -227,7 +265,7 @@ load _helpers -s templates/connect-inject-clusterrole.yaml \ --set 'global.openshift.enabled=true' \ . | tee /dev/stderr | - yq '.rules[13].resourceNames | index("restricted-v2")' | tee /dev/stderr) + yq '.rules[14].resourceNames | index("restricted-v2")' | tee /dev/stderr) [ "${object}" == 0 ] } @@ -238,7 +276,7 @@ load _helpers --set 'global.openshift.enabled=true' \ --set 'connectInject.apiGateway.managedGatewayClass.openshiftSCCName=fakescc' \ . | tee /dev/stderr | - yq '.rules[13].resourceNames | index("fakescc")' | tee /dev/stderr) + yq '.rules[14].resourceNames | index("fakescc")' | tee /dev/stderr) [ "${object}" == 0 ] } diff --git a/charts/consul/test/unit/crd-tcproutes-external.bats b/charts/consul/test/unit/crd-tcproutes-external.bats index c91eb15e6b..d0aeaa75b3 100644 --- a/charts/consul/test/unit/crd-tcproutes-external.bats +++ b/charts/consul/test/unit/crd-tcproutes-external.bats 
@@ -16,15 +16,18 @@ load _helpers assert_empty helm template \ -s templates/crd-tcproutes-external.yaml \ --set 'connectInject.enabled=false' \ - . + . } -@test "tcproutes/CustomResourceDefinition: disabled with connectInject.apiGateway.manageExternalCRDs=false" { +@test "tcproutes/CustomResourceDefinition: enabled with connectInject.apiGateway.manageExternalCRDs=true and connectInject.apiGateway.manageNonStandardCRDs=false" { cd `chart_dir` - assert_empty helm template \ + local actual=$(helm template \ -s templates/crd-tcproutes-external.yaml \ - --set 'connectInject.apiGateway.manageExternalCRDs=false' \ - . + --set 'connectInject.apiGateway.manageExternalCRDs=true' \ + --set 'connectInject.apiGateway.manageNonStandardCRDs=false' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] } @test "tcproutes/CustomResourceDefinition: disabled with connectInject.apiGateway.manageExternalCRDs=false and connectInject.apiGateway.manageNonStandardCRDs=false" { @@ -33,15 +36,16 @@ load _helpers -s templates/crd-tcproutes-external.yaml \ --set 'connectInject.apiGateway.manageExternalCRDs=false' \ --set 'connectInject.apiGateway.manageNonStandardCRDs=false' \ - . + . } -@test "tcproutes/CustomResourceDefinition: enabled with connectInject.apiGateway.manageNonStandardCRDs=true" { +@test "tcproutes/CustomResourceDefinition: enabled with connectInject.apiGateway.manageExternalCRDs=false and connectInject.apiGateway.manageNonStandardCRDs=true" { cd `chart_dir` local actual=$(helm template \ -s templates/crd-tcproutes-external.yaml \ + --set 'connectInject.apiGateway.manageExternalCRDs=false' \ --set 'connectInject.apiGateway.manageNonStandardCRDs=true' \ . | tee /dev/stderr | - yq -s 'length > 0' | tee /dev/stderr) + yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/test/unit/gateway-cleanup-serviceaccount.bats b/charts/consul/test/unit/gateway-cleanup-serviceaccount.bats index 50d01b99e9..62b4ecf320 100644 
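Review bot: The two "enabled" tests in this hunk assert only `yq 'length > 0'`, which passes for any non-empty document the template renders, so they would not catch the template emitting the wrong CRD or a partial object. Since the point of the fix is that the TCPRoute CRD is rendered under `manageNonStandardCRDs=true` on its own, assert the identity of what rendered, e.g. `yq -r '.kind'` equal to `CustomResourceDefinition` and `yq -r '.metadata.name'` equal to the TCPRoute CRD name (the exact name is not visible in this diff; take it from the template).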
--- a/charts/consul/test/unit/gateway-cleanup-serviceaccount.bats +++ b/charts/consul/test/unit/gateway-cleanup-serviceaccount.bats @@ -21,3 +21,25 @@ target=templates/gateway-cleanup-serviceaccount.yaml . } +#-------------------------------------------------------------------- +# global.imagePullSecrets + +@test "gatewaycleanup/ServiceAccount: can set image pull secrets" { + cd `chart_dir` + local object=$(helm template \ + -s templates/gateway-cleanup-serviceaccount.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.imagePullSecrets[0].name=my-secret' \ + --set 'global.imagePullSecrets[1].name=my-secret2' \ + . | tee /dev/stderr) + + local actual=$(echo "$object" | + yq -r '.imagePullSecrets[0].name' | tee /dev/stderr) + [ "${actual}" = "my-secret" ] + + local actual=$(echo "$object" | + yq -r '.imagePullSecrets[1].name' | tee /dev/stderr) + [ "${actual}" = "my-secret2" ] +} + + diff --git a/charts/consul/test/unit/gateway-resources-job.bats b/charts/consul/test/unit/gateway-resources-job.bats index 32173838fe..fd64acac02 100644 --- a/charts/consul/test/unit/gateway-resources-job.bats +++ b/charts/consul/test/unit/gateway-resources-job.bats @@ -71,7 +71,6 @@ target=templates/gateway-resources-job.yaml --set 'connectInject.apiGateway.managedGatewayClass.deployment.minInstances=1' \ --set 'connectInject.apiGateway.managedGatewayClass.deployment.maxInstances=3' \ --set 'connectInject.apiGateway.managedGatewayClass.nodeSelector=foo: bar' \ - --set 'connectInject.apiGateway.managedGatewayClass.tolerations=- key: bar' \ --set 'connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations=- bingo' \ --set 'connectInject.apiGateway.managedGatewayClass.serviceType=Foo' \ --set 'connectInject.apiGateway.managedGatewayClass.openshiftSCCName=hello' \ 
@@ -90,23 +89,11 @@ target=templates/gateway-resources-job.yaml local actual=$(echo "$spec" | jq 'any(index("-service-type=Foo"))') [ "${actual}" = "true" ] - local actual=$(echo "$spec" | jq '.[12]') - [ "${actual}" = "\"-node-selector\"" ] - - local actual=$(echo "$spec" | jq '.[13]') - [ "${actual}" = "\"foo: bar\"" ] - - local actual=$(echo "$spec" | jq '.[14] | ."-tolerations=- key"') - [ "${actual}" = "\"bar\"" ] - - local actual=$(echo "$spec" | jq '.[15]') - [ "${actual}" = "\"-service-annotations\"" ] - - local actual=$(echo "$spec" | jq '.[16]') - [ "${actual}" = "\"- bingo\"" ] + local actual=$(echo $spec | yq 'contains(["-node-selector", "foo: bar"])') + [ "${actual}" = "true" ] - local actual=$(echo "$spec" | jq '.[17]') - [ "${actual}" = "\"-service-type=Foo\"" ] + local actual=$(echo $spec | yq 'contains(["-service-annotations", "- bingo"])') + [ "${actual}" = "true" ] } @test "apiGateway/GatewayClassConfig: custom configuration openshift enabled" { @@ -138,3 +125,26 @@ target=templates/gateway-resources-job.yaml tee /dev/stderr) [ "${actual}" = "{}" ] } + + +#-------------------------------------------------------------------- +# tolerations + +@test "apiGateway/GatewayClassConfig: tolerations" { + cd `chart_dir` + local tolerations=$(helm template \ + -s $target \ + --set 'connectInject.apiGateway.managedGatewayClass.tolerations=- "operator": "Equal" \ +"effect": "NoSchedule" \ +"key": "node" \ +"value": "clients" \ +- "operator": "Equal" \ +"effect": "NoSchedule" \ +"key": "node2" \ +"value": "clients2"' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) + + local actual=$(echo $tolerations | yq 'contains(["tolerations","- \"operator\": \"Equal\" \n\"effect\": \"NoSchedule\" \n\"key\": \"node\" \n\"value\": \"clients\" \n- \"operator\": \"Equal\" \n\"effect\": \"NoSchedule\" \n\"key\": \"node2\" \n\"value\": \"clients2\"" ])') + [ "${actual}" = "true" ] +} \ No newline at end of file 
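Review bot: The new tolerations test at the end of this hunk checks `yq 'contains(["tolerations", "- \"operator\": ..."])'`, but jq/yq `contains` on arrays of strings is substring-based, so `"tolerations"` already matches the rendered `"-tolerations"` and would just as well match `"--tolerations"` or a combined `"-tolerations=..."` argument, and the long expected value passes if it is merely a substring of the rendered arg. Locate the flag exactly and compare the following element with equality instead, e.g. `local idx=$(echo "$tolerations" | yq 'index("-tolerations")')` followed by `yq ".[$((idx+1))] == \"<expected>\""`. The same substring weakness applies to the rewritten `contains(["-node-selector", "foo: bar"])` and `contains(["-service-annotations", "- bingo"])` checks earlier in the hunk. The expected string also bakes in the trailing-space-plus-newline layout produced by `nindent`, so any change to the template's indentation will fail this test for layout reasons rather than behaviour; a comment saying so would save the next person a debugging round.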
diff --git a/charts/consul/test/unit/gateway-resources-serviceaccount.bats b/charts/consul/test/unit/gateway-resources-serviceaccount.bats index 90011e226b..60c1d06ded 100644 --- a/charts/consul/test/unit/gateway-resources-serviceaccount.bats +++ b/charts/consul/test/unit/gateway-resources-serviceaccount.bats @@ -21,3 +21,23 @@ target=templates/gateway-resources-serviceaccount.yaml . } +#-------------------------------------------------------------------- +# global.imagePullSecrets + +@test "gatewayresources/ServiceAccount: can set image pull secrets" { + cd `chart_dir` + local object=$(helm template \ + -s templates/gateway-resources-serviceaccount.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.imagePullSecrets[0].name=my-secret' \ + --set 'global.imagePullSecrets[1].name=my-secret2' \ + . | tee /dev/stderr) + + local actual=$(echo "$object" | + yq -r '.imagePullSecrets[0].name' | tee /dev/stderr) + [ "${actual}" = "my-secret" ] + + local actual=$(echo "$object" | + yq -r '.imagePullSecrets[1].name' | tee /dev/stderr) + [ "${actual}" = "my-secret2" ] +} diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 866fb29830..840f953497 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -66,7 +66,7 @@ global: # image: "hashicorp/consul-enterprise:1.10.0-ent" # ``` # @default: hashicorp/consul: - image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.20-dev + image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.19-dev # Array of objects containing image pull secret names that will be applied to each service account. # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. 
@@ -86,7 +86,7 @@ global: # image that is used for functionality such as catalog sync. # This can be overridden per component. # @default: hashicorp/consul-k8s-control-plane: - imageK8S: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.6-dev + imageK8S: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.5-dev # The image pull policy used globally for images controlled by Consul (consul, consul-dataplane, consul-k8s, consul-telemetry-collector). # One of "IfNotPresent", "Always", "Never", and "". Refer to https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy @@ -793,7 +793,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev + imageConsulDataplane: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.5-dev # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. 
@@ -2456,6 +2456,35 @@ connectInject: # will be the 80 + the number defined below. mapPrivilegedContainerPorts: 0 + # This value contains settings related to the gateway_resources_job that runs on helm install + resourceJob: + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + # Configuration for the ServiceAccount created for the api-gateway component serviceAccount: # This value defines additional annotations for the client service account. This should be formatted as a multi-line @@ -2698,6 +2727,7 @@ connectInject: # By default, we exclude kube-system since usually users won't # want those pods injected and local-path-storage and openebs so that # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # We also exclude gmp-system and gke-managed-cim namespaces that are used by GKE for managing the cluster. # Note that this exclusion is only supported in Kubernetes v1.21.1+. # # Example: @@ -2712,7 +2742,7 @@ connectInject: matchExpressions: - key: "kubernetes.io/metadata.name" operator: "NotIn" - values: ["kube-system","local-path-storage","openebs"] + values: ["kube-system","local-path-storage","openebs","gmp-system","gke-managed-cim"] # List of k8s namespaces to allow Connect sidecar # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, 
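Review bot: The description of the new `resourceJob.resources` key is copy-pasted from another component: `# The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods.` describes the wrong workload and will be rendered into the published chart reference. It should read `# The resource requests (CPU, memory, etc.) for the gateway-resources job pod.`, and the link text on the next lines has a stray extra backtick (``[`ResourceRequirements``]`` should be ``[`ResourceRequirements`]``). The introductory comment also names the job `gateway_resources_job` while the template file and the job are `gateway-resources-job`; use the real name so the key can be found by search.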
@@ -3466,6 +3496,33 @@ webhookCertManager: # @type: string nodeSelector: null + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "100m" + limits: + memory: "50Mi" + cpu: "100m" + # Configures a demo Prometheus installation. prometheus: # When true, the Helm chart will install a demo Prometheus server instance diff --git a/cli/go.mod b/cli/go.mod index 2429e34b6d..6b032aa352 100644 --- a/cli/go.mod +++ b/cli/go.mod @@ -1,8 +1,8 @@ module github.com/hashicorp/consul-k8s/cli -go 1.21 +go 1.22 -toolchain go1.21.4 +toolchain go1.22.5 replace github.com/hashicorp/consul-k8s/version => ../version @@ -13,7 +13,7 @@ require ( github.com/google/go-cmp v0.6.0 github.com/hashicorp/consul-k8s/charts v0.0.0-00010101000000-000000000000 github.com/hashicorp/consul-k8s/version v0.0.0 - github.com/hashicorp/consul/troubleshoot v0.6.1 + github.com/hashicorp/consul/troubleshoot v0.7.1 github.com/hashicorp/go-hclog v1.5.0 github.com/hashicorp/hcp-sdk-go v0.62.1-0.20230913154003-cf69c0370c54 github.com/kr/text v0.2.0 @@ -24,11 +24,11 @@ require ( github.com/stretchr/testify v1.8.4 golang.org/x/text v0.14.0 helm.sh/helm/v3 v3.14.4 - k8s.io/api v0.29.0 + k8s.io/api v0.29.8 k8s.io/apiextensions-apiserver v0.29.0 - k8s.io/apimachinery v0.29.0 - k8s.io/cli-runtime v0.29.0 - k8s.io/client-go v0.29.0 + k8s.io/apimachinery v0.29.8 + k8s.io/cli-runtime v0.29.8 + k8s.io/client-go v0.29.8 k8s.io/utils v0.0.0-20230726121419-3b25d923346b sigs.k8s.io/yaml v1.3.0 ) 
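Review bot: The new `webhookCertManager.resources` description has the same copy-paste error as the gateway job key: `# The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods.` belongs to a different component. It should read `# The resource requests (CPU, memory, etc.) for the webhook-cert-manager deployment pod.`, and ``[`ResourceRequirements``]`` has an extra backtick. Since the template now omits the `resources` stanza entirely when this value is empty, the comment should also state that setting it to `null` removes the requests and limits rather than restoring defaults.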
@@ -56,10 +56,10 @@ require ( github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/distribution/reference v0.5.0 // indirect - github.com/docker/cli v25.0.1+incompatible // indirect + github.com/docker/cli v27.1.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v25.0.5+incompatible // indirect - github.com/docker/docker-credential-helpers v0.7.0 // indirect + github.com/docker/docker v27.1.1+incompatible // indirect + github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect @@ -96,8 +96,8 @@ require ( github.com/gorilla/websocket v1.5.0 // indirect github.com/gosuri/uitable v0.0.4 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect - github.com/hashicorp/consul/api v1.29.1 // indirect - github.com/hashicorp/consul/envoyextensions v0.7.0 // indirect + github.com/hashicorp/consul/api v1.29.4 // indirect + github.com/hashicorp/consul/envoyextensions v0.7.3 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-immutable-radix v1.3.1 // indirect diff --git a/cli/go.sum b/cli/go.sum index fc73cc7e77..98635ec2a1 100644 --- a/cli/go.sum +++ b/cli/go.sum 
@@ -100,14 +100,14 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbTO1lpcGSkU= -github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v25.0.5+incompatible h1:UmQydMduGkrD5nQde1mecF/YnSbTOaPeFIeP5C4W+DE= -github.com/docker/docker v25.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= -github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= +github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY= +github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= +github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= 
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= 
@@ -288,16 +288,16 @@ github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/hashicorp/consul/api v1.29.1 h1:UEwOjYJrd3lG1x5w7HxDRMGiAUPrb3f103EoeKuuEcc= -github.com/hashicorp/consul/api v1.29.1/go.mod h1:lumfRkY/coLuqMICkI7Fh3ylMG31mQSRZyef2c5YvJI= -github.com/hashicorp/consul/envoyextensions v0.7.0 h1:DiZcA2tCgwD3tAoixBML3pYAPCKWLnOrKzzt843YTrU= -github.com/hashicorp/consul/envoyextensions v0.7.0/go.mod h1:oZlopILhl2oaJhcs2szKlFcdVYBWzjqEYaG4SSQdBjY= -github.com/hashicorp/consul/proto-public v0.6.1 h1:+uzH3olCrksXYWAYHKqK782CtK9scfqH+Unlw3UHhCg= -github.com/hashicorp/consul/proto-public v0.6.1/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg= +github.com/hashicorp/consul/api v1.29.4 h1:P6slzxDLBOxUSj3fWo2o65VuKtbtOXFi7TSSgtXutuE= +github.com/hashicorp/consul/api v1.29.4/go.mod h1:HUlfw+l2Zy68ceJavv2zAyArl2fqhGWnMycyt56sBgg= +github.com/hashicorp/consul/envoyextensions v0.7.3 h1:5Gn1Hj135NYNRBmB3IdwhkxIHQgEJPjXYPZcA+05rNY= +github.com/hashicorp/consul/envoyextensions v0.7.3/go.mod h1:tya/kHsOBGaeAS9inAfUFJIEJ812c125cQD4MrLTt2s= +github.com/hashicorp/consul/proto-public v0.6.2 h1:+DA/3g/IiKlJZb88NBn0ZgXrxJp2NlvCZdEyl+qxvL0= +github.com/hashicorp/consul/proto-public v0.6.2/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg= github.com/hashicorp/consul/sdk v0.16.1 h1:V8TxTnImoPD5cj0U9Spl0TUxcytjcbbJeADFF07KdHg= github.com/hashicorp/consul/sdk v0.16.1/go.mod h1:fSXvwxB2hmh1FMZCNl6PwX0Q/1wdWtHJcZ7Ea5tns0s= -github.com/hashicorp/consul/troubleshoot v0.6.1 h1:Nmk0fXjpgmMhEEzeBdV6+OcoD3bUJtKCP1ONo4vZPaw= -github.com/hashicorp/consul/troubleshoot v0.6.1/go.mod h1:Yenla7oy9UpI9vZr7puDLnfIFwYcmd1XBy4q2nAhea8= 
+github.com/hashicorp/consul/troubleshoot v0.7.1 h1:IQYxC1qsV3jO74VZDyPi283Ufi84/mXSMm53U8dsN2M= +github.com/hashicorp/consul/troubleshoot v0.7.1/go.mod h1:U+fpb8yE3iGJTahAY1VGda4aYUDhaa0IZu+sIgGvcwk= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -758,8 +758,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E= -golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -824,18 +824,18 @@ helm.sh/helm/v3 v3.14.4 h1:6FSpEfqyDalHq3kUr4gOMThhgY55kXUEjdQoyODYnrM= helm.sh/helm/v3 v3.14.4/go.mod h1:Tje7LL4gprZpuBNTbG34d1Xn5NmRT3OWfBRwpOSer9I= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= -k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= +k8s.io/api v0.29.8 h1:ZBKg9clWnIGtQ5yGhNwMw2zyyrsIAQaXhZACcYNflQE= +k8s.io/api v0.29.8/go.mod h1:XlGIpmpzKGrtVca7GlgNryZJ19SvQdI808NN7fy1SgQ= k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= -k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= -k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= +k8s.io/apimachinery v0.29.8 h1:uBHc9WuKiTHClIspJqtR84WNpG0aOGn45HWqxgXkk8Y= +k8s.io/apimachinery v0.29.8/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= k8s.io/apiserver v0.29.0 h1:Y1xEMjJkP+BIi0GSEv1BBrf1jLU9UPfAnnGGbbDdp7o= k8s.io/apiserver v0.29.0/go.mod h1:31n78PsRKPmfpee7/l9NYEv67u6hOL6AfcE761HapDM= -k8s.io/cli-runtime v0.29.0 h1:q2kC3cex4rOBLfPOnMSzV2BIrrQlx97gxHJs21KxKS4= -k8s.io/cli-runtime v0.29.0/go.mod h1:VKudXp3X7wR45L+nER85YUzOQIru28HQpXr0mTdeCrk= -k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= -k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= +k8s.io/cli-runtime v0.29.8 h1:kVErAPf1v7MOwNO6rBYnf2i4kQ2668Y9pHGO5C1/wSo= +k8s.io/cli-runtime v0.29.8/go.mod h1:c00Fk85K05DtEknMAi1t7ao1MR4nmQ9YlvC+QluvNoY= +k8s.io/client-go v0.29.8 h1:QMRKcIzqE/qawknXcsi51GdIAYN8UP39S/M5KnFu/J0= +k8s.io/client-go v0.29.8/go.mod h1:ZzrAAVrqO2jVXMb8My/jTke8n0a/mIynnA3y/1y1UB0= k8s.io/component-base v0.29.0 
h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s= k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M= k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile index 42a36e872f..2ff51d8c4b 100644 --- a/control-plane/Dockerfile +++ b/control-plane/Dockerfile @@ -18,7 +18,7 @@ # either). ARG GOLANG_VERSION FROM golang:${GOLANG_VERSION}-alpine3.19 as go-discover -RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@214571b6a5309addf3db7775f4ee8cf4d264fd5f +RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@275a71457aa412bf20df9f9b77c380667164a5e6 # dev copies the binary from a local build # ----------------------------------- @@ -136,7 +136,7 @@ FROM release-default AS release-default-fips # We don't rebuild the software because we want the exact checksums and # binary signatures to match the software and our builds aren't fully # reproducible currently. -FROM registry.access.redhat.com/ubi9-minimal:9.3 as ubi +FROM registry.access.redhat.com/ubi9-minimal:9.4 as ubi ARG PRODUCT_NAME ARG PRODUCT_VERSION diff --git a/control-plane/api-gateway/binding/cleanup.go b/control-plane/api-gateway/binding/cleanup.go index 4b517a1813..4fe11382d0 100644 --- a/control-plane/api-gateway/binding/cleanup.go +++ b/control-plane/api-gateway/binding/cleanup.go @@ -1,3 +1,6 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + package binding import ( diff --git a/control-plane/api-gateway/binding/cleanup_test.go b/control-plane/api-gateway/binding/cleanup_test.go index 78897fcb87..76fcd60ef9 100644 --- a/control-plane/api-gateway/binding/cleanup_test.go +++ b/control-plane/api-gateway/binding/cleanup_test.go @@ -1,3 +1,6 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + package binding import ( 
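Review bot: In the Dockerfile `@@ -136,7 +136,7 @@` hunk the UBI base moves to `FROM registry.access.redhat.com/ubi9-minimal:9.4 as ubi`, which is a mutable tag, so the base of the release image can change underneath a rebuild without any change to this file; the same diff pins go-discover to a commit hash in the first hunk, so the repository already values reproducible inputs. Pin the base by digest as well, `FROM registry.access.redhat.com/ubi9-minimal:9.4@sha256:<digest> as ubi`, and let a bot bump the digest so a security scan or attestation of the released image can be tied to an exact base layer. Whether a digest check happens elsewhere in the build pipeline is not visible here.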
diff --git a/control-plane/api-gateway/binding/validation.go b/control-plane/api-gateway/binding/validation.go index 02ca210294..c260d57baf 100644 --- a/control-plane/api-gateway/binding/validation.go +++ b/control-plane/api-gateway/binding/validation.go @@ -165,6 +165,13 @@ func validateGateway(gateway gwv1beta1.Gateway, pods []corev1.Pod, consulGateway return result } +func stringOrEmtpy(s *gwv1beta1.SectionName) string { + if s == nil { + return "" + } + return string(*s) +} + func validateGatewayPolicies(gateway gwv1beta1.Gateway, policies []v1alpha1.GatewayPolicy, resources *common.ResourceMap) gatewayPolicyValidationResults { results := make(gatewayPolicyValidationResults, 0, len(policies)) @@ -175,7 +182,7 @@ func validateGatewayPolicies(gateway gwv1beta1.Gateway, policies []v1alpha1.Gate exists := listenerExistsForPolicy(gateway, policy) if !exists { - result.resolvedRefsErrs = append(result.resolvedRefsErrs, errorForMissingListener(policy.Spec.TargetRef.Name, string(*policy.Spec.TargetRef.SectionName))) + result.resolvedRefsErrs = append(result.resolvedRefsErrs, errorForMissingListener(policy.Spec.TargetRef.Name, stringOrEmtpy(policy.Spec.TargetRef.SectionName))) } missingJWTProviders := make(map[string]struct{}) @@ -211,6 +218,10 @@ func validateGatewayPolicies(gateway gwv1beta1.Gateway, policies []v1alpha1.Gate } func listenerExistsForPolicy(gateway gwv1beta1.Gateway, policy v1alpha1.GatewayPolicy) bool { + if policy.Spec.TargetRef.SectionName == nil { + return false + } + return gateway.Name == policy.Spec.TargetRef.Name && slices.ContainsFunc(gateway.Spec.Listeners, func(l gwv1beta1.Listener) bool { return l.Name == *policy.Spec.TargetRef.SectionName }) } diff --git a/control-plane/api-gateway/common/helm_config.go b/control-plane/api-gateway/common/helm_config.go index d551757c5b..175cef56ba 100644 --- a/control-plane/api-gateway/common/helm_config.go +++ b/control-plane/api-gateway/common/helm_config.go 
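Review bot: The new helper in the first hunk is misspelled: `func stringOrEmtpy(s *gwv1beta1.SectionName) string {` should be `func stringOrEmpty(s *gwv1beta1.SectionName) string {`, with the call in the second hunk renamed to match. More substantively, the nil guard added to `listenerExistsForPolicy` in the third hunk turns a policy with no `sectionName` into a "missing listener" condition whose listener name is `""`; if an omitted sectionName is meant to target the whole Gateway (the Gateway API policy-attachment convention — an inference, not visible here), this now rejects every gateway-wide policy, and if the CRD requires sectionName then the error should say so rather than report a listener named `""`. Either way a dedicated error message for the nil case would be clearer than reusing `errorForMissingListener`. The body of `validateGatewayPolicies` continues outside these hunks.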
@@ -19,6 +19,8 @@ type HelmConfig struct { ImageDataplane string // ImageConsulK8S is the Consul Kubernetes Control Plane image to use in gateway deployments. ImageConsulK8S string + // ImagePullSecrets reference one or more Secret(s) that contain the credentials to pull images from private image repos. + ImagePullSecrets []v1.LocalObjectReference // GlobalImagePullPolicy is the pull policy to use for all images used in gateway deployments. GlobalImagePullPolicy string ConsulDestinationNamespace string diff --git a/control-plane/api-gateway/common/translation_test.go b/control-plane/api-gateway/common/translation_test.go index e841464b9a..2dffa29349 100644 --- a/control-plane/api-gateway/common/translation_test.go +++ b/control-plane/api-gateway/common/translation_test.go @@ -15,7 +15,7 @@ import ( "testing" "time" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/google/go-cmp/cmp" @@ -1353,10 +1353,10 @@ func TestTranslator_ToHTTPRoute(t *testing.T) { Namespace: "k8s-ns", }, Spec: v1alpha1.RouteRetryFilterSpec{ - NumRetries: pointer.Uint32(3), + NumRetries: ptr.To(uint32(3)), RetryOn: []string{"cancelled"}, RetryOnStatusCodes: []uint32{500, 502}, - RetryOnConnectFailure: pointer.Bool(false), + RetryOnConnectFailure: ptr.To(false), }, }, @@ -1370,10 +1370,10 @@ func TestTranslator_ToHTTPRoute(t *testing.T) { Namespace: "other-namespace-even-though-same-name", }, Spec: v1alpha1.RouteRetryFilterSpec{ - NumRetries: pointer.Uint32(3), + NumRetries: ptr.To(uint32(3)), RetryOn: []string{"don't"}, RetryOnStatusCodes: []uint32{404}, - RetryOnConnectFailure: pointer.Bool(true), + RetryOnConnectFailure: ptr.To(true), }, }, diff --git a/control-plane/api-gateway/gatekeeper/dataplane.go b/control-plane/api-gateway/gatekeeper/dataplane.go index f4b6e25a88..fb488509c1 100644 --- a/control-plane/api-gateway/gatekeeper/dataplane.go +++ b/control-plane/api-gateway/gatekeeper/dataplane.go 
@@ -9,7 +9,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
 	"github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1"
@@ -113,7 +113,7 @@ func consulDataplaneContainer(metrics common.MetricsConfig, config common.HelmCo
 	// If running in vanilla K8s, run as root to allow binding to privileged ports;
 	// otherwise, allow the user to be assigned by OpenShift.
 	container.SecurityContext = &corev1.SecurityContext{
-		ReadOnlyRootFilesystem: pointer.Bool(true),
+		ReadOnlyRootFilesystem: ptr.To(true),
 		// Drop any Linux capabilities you'd get as root other than NET_BIND_SERVICE.
 		Capabilities: &corev1.Capabilities{
 			Add: []corev1.Capability{netBindCapability},
@@ -121,7 +121,7 @@ func consulDataplaneContainer(metrics common.MetricsConfig, config common.HelmCo
 		},
 	}
 	if !config.EnableOpenShift {
-		container.SecurityContext.RunAsUser = pointer.Int64(0)
+		container.SecurityContext.RunAsUser = ptr.To(int64(0))
 	}
 	return container, nil
diff --git a/control-plane/api-gateway/gatekeeper/deployment.go b/control-plane/api-gateway/gatekeeper/deployment.go
index 61ef1fd318..9519a42d74 100644
--- a/control-plane/api-gateway/gatekeeper/deployment.go
+++ b/control-plane/api-gateway/gatekeeper/deployment.go
@@ -88,7 +88,7 @@ func (g *Gatekeeper) deleteDeployment(ctx context.Context, gwName types.Namespac
 }
 func (g *Gatekeeper) deployment(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassConfig, config common.HelmConfig, currentReplicas *int32) (*appsv1.Deployment, error) {
-	initContainer, err := initContainer(config, gateway.Name, gateway.Namespace)
+	initContainer, err := g.initContainer(config, gateway.Name, gateway.Namespace)
 	if err != nil {
 		return nil, err
 	}
diff --git a/control-plane/api-gateway/gatekeeper/gatekeeper.go b/control-plane/api-gateway/gatekeeper/gatekeeper.go
index 538444303f..79766219dc 100644
--- a/control-plane/api-gateway/gatekeeper/gatekeeper.go
+++ b/control-plane/api-gateway/gatekeeper/gatekeeper.go
@@ -106,7 +106,9 @@ func (g *Gatekeeper) namespacedName(gateway gwv1beta1.Gateway) types.NamespacedN
 }
 func (g *Gatekeeper) serviceAccountName(gateway gwv1beta1.Gateway, config common.HelmConfig) string {
-	if config.AuthMethod == "" && !config.EnableOpenShift {
+	// We only create a ServiceAccount if it's needed for RBAC or image pull secrets;
+	// otherwise, we clean up if one was previously created.
+	if config.AuthMethod == "" && !config.EnableOpenShift && len(config.ImagePullSecrets) == 0 {
 		return ""
 	}
 	return gateway.Name
diff --git a/control-plane/api-gateway/gatekeeper/gatekeeper_test.go b/control-plane/api-gateway/gatekeeper/gatekeeper_test.go
index cf8c325364..0c60aa610b 100644
--- a/control-plane/api-gateway/gatekeeper/gatekeeper_test.go
+++ b/control-plane/api-gateway/gatekeeper/gatekeeper_test.go
@@ -29,6 +29,13 @@ import (
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 )
+const (
+	designatedOpenShiftUIDRange = "1000700000/100000"
+	designatedOpenShiftGIDRange = "1000700000/100000"
+	expectedOpenShiftInitContainerUID = 1000799999
+	expectedOpenShiftInitContainerGID = 1000799999
+)
+
 var (
 	createdAtLabelKey = "gateway.consul.hashicorp.com/created"
 	createdAtLabelValue = "101010"
@@ -190,12 +197,13 @@ func TestUpsert(t *testing.T) {
 				},
 			},
 			helmConfig: common.HelmConfig{
-				ImageDataplane: dataplaneImage,
+				ImageDataplane: dataplaneImage,
+				ImagePullSecrets: []corev1.LocalObjectReference{{Name: "my-secret"}},
 			},
 			initialResources: resources{},
 			finalResources: resources{
 				deployments: []*appsv1.Deployment{
-					configureDeployment(name, namespace, labels, 3, nil, nil, "", "1"),
+					configureDeployment(name, namespace, labels, 3, nil, nil, name, "1"),
 				},
 				roles: []*rbac.Role{},
 				secrets: []*corev1.Secret{
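Review bot: The predicate `config.AuthMethod == "" && !config.EnableOpenShift && len(config.ImagePullSecrets) == 0` now lives both here in `serviceAccountName` and in `upsertServiceAccount` (serviceaccount.go hunk), with the same comment copied above each. The two must stay in agreement, otherwise the Deployment references a ServiceAccount that the upsert path has just deleted, or a ServiceAccount is created that no pod uses; the next condition someone adds will be missed in one of them. Extracting it once, e.g. `func (g *Gatekeeper) needsServiceAccount(config common.HelmConfig) bool`, and calling it from both places removes that risk.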
@@ -217,7 +225,9 @@ func TestUpsert(t *testing.T) { }, }, "1", false, false), }, - serviceAccounts: []*corev1.ServiceAccount{}, + serviceAccounts: []*corev1.ServiceAccount{ + configureServiceAccount(name, namespace, labels, "1", []corev1.LocalObjectReference{{Name: "my-secret"}}), + }, }, }, "create a new gateway deployment with managed Service": { @@ -272,7 +282,6 @@ func TestUpsert(t *testing.T) { }, }, "1", false, false), }, - serviceAccounts: []*corev1.ServiceAccount{}, }, }, "create a new gateway deployment with managed Service and ACLs": { @@ -300,13 +309,14 @@ func TestUpsert(t *testing.T) { }, }, helmConfig: common.HelmConfig{ - AuthMethod: "method", - ImageDataplane: dataplaneImage, + AuthMethod: "method", + ImageDataplane: dataplaneImage, + ImagePullSecrets: []corev1.LocalObjectReference{{Name: "my-secret"}}, }, initialResources: resources{}, finalResources: resources{ deployments: []*appsv1.Deployment{ - configureDeployment(name, namespace, labels, 3, nil, nil, "", "1"), + configureDeployment(name, namespace, labels, 3, nil, nil, name, "1"), }, roles: []*rbac.Role{ configureRole(name, namespace, labels, "1", false), @@ -334,7 +344,7 @@ func TestUpsert(t *testing.T) { }, "1", false, false), }, serviceAccounts: []*corev1.ServiceAccount{ - configureServiceAccount(name, namespace, labels, "1"), + configureServiceAccount(name, namespace, labels, "1", []corev1.LocalObjectReference{{Name: "my-secret"}}), }, }, }, @@ -444,7 +454,7 @@ func TestUpsert(t *testing.T) { }, initialResources: resources{ deployments: []*appsv1.Deployment{ - configureDeployment(name, namespace, labels, 3, nil, nil, "", "1"), + configureDeployment(name, namespace, labels, 3, nil, nil, name, "1"), }, roles: []*rbac.Role{ configureRole(name, namespace, labels, "1", false), 
@@ -465,12 +475,12 @@ func TestUpsert(t *testing.T) { }, "1", true, false), }, serviceAccounts: []*corev1.ServiceAccount{ - configureServiceAccount(name, namespace, labels, "1"), + configureServiceAccount(name, namespace, labels, "1", nil), }, }, finalResources: resources{ deployments: []*appsv1.Deployment{ - configureDeployment(name, namespace, labels, 3, nil, nil, "", "2"), + configureDeployment(name, namespace, labels, 3, nil, nil, name, "2"), }, roles: []*rbac.Role{ configureRole(name, namespace, labels, "1", false), @@ -498,7 +508,7 @@ func TestUpsert(t *testing.T) { }, "2", false, false), }, serviceAccounts: []*corev1.ServiceAccount{ - configureServiceAccount(name, namespace, labels, "1"), + configureServiceAccount(name, namespace, labels, "1", nil), }, }, ignoreTimestampOnService: true, @@ -535,7 +545,7 @@ func TestUpsert(t *testing.T) { }, initialResources: resources{ deployments: []*appsv1.Deployment{ - configureDeployment(name, namespace, labels, 3, nil, nil, "", "1"), + configureDeployment(name, namespace, labels, 3, nil, nil, name, "1"), }, roles: []*rbac.Role{ configureRole(name, namespace, labels, "1", false), @@ -561,12 +571,12 @@ func TestUpsert(t *testing.T) { }, "1", true, false), }, serviceAccounts: []*corev1.ServiceAccount{ - configureServiceAccount(name, namespace, labels, "1"), + configureServiceAccount(name, namespace, labels, "1", nil), }, }, finalResources: resources{ deployments: []*appsv1.Deployment{ - configureDeployment(name, namespace, labels, 3, nil, nil, "", "2"), + configureDeployment(name, namespace, labels, 3, nil, nil, name, "2"), }, roles: []*rbac.Role{ configureRole(name, namespace, labels, "1", false), @@ -588,7 +598,7 @@ func TestUpsert(t *testing.T) { }, "2", false, false), }, serviceAccounts: []*corev1.ServiceAccount{ - configureServiceAccount(name, namespace, labels, "1"), + configureServiceAccount(name, namespace, labels, "1", nil), }, }, ignoreTimestampOnService: true, 
@@ -929,10 +939,26 @@ func TestUpsert(t *testing.T) { EnableOpenShift: true, ImageDataplane: "hashicorp/consul-dataplane", }, - initialResources: resources{}, + initialResources: resources{ + namespaces: []*corev1.Namespace{ + { + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Namespace", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: designatedOpenShiftUIDRange, + constants.AnnotationOpenShiftGroups: designatedOpenShiftGIDRange, + }, + }, + }, + }, + }, finalResources: resources{ deployments: []*appsv1.Deployment{ - configureDeployment(name, namespace, labels, 3, nil, nil, "", "1"), + configureDeployment(name, namespace, labels, 3, nil, nil, name, "1"), }, roles: []*rbac.Role{ configureRole(name, namespace, labels, "1", true), @@ -943,7 +969,7 @@ func TestUpsert(t *testing.T) { secrets: []*corev1.Secret{}, services: []*corev1.Service{}, serviceAccounts: []*corev1.ServiceAccount{ - configureServiceAccount(name, namespace, labels, "1"), + configureServiceAccount(name, namespace, labels, "1", nil), }, }, }, @@ -1288,7 +1314,7 @@ func TestDelete(t *testing.T) { }, "1", true, false), }, serviceAccounts: []*corev1.ServiceAccount{ - configureServiceAccount(name, namespace, labels, "1"), + configureServiceAccount(name, namespace, labels, "1", nil), }, }, finalResources: resources{ @@ -1354,7 +1380,7 @@ func TestDelete(t *testing.T) { }, "1", true, false), }, serviceAccounts: []*corev1.ServiceAccount{ - configureServiceAccount(name, namespace, labels, "1"), + configureServiceAccount(name, namespace, labels, "1", nil), }, }, finalResources: resources{ 
@@ -1452,6 +1478,9 @@ func validateResourcesExist(t *testing.T, client client.Client, helmConfig commo require.Equal(t, expected.Spec.Template.ObjectMeta.Annotations, actual.Spec.Template.ObjectMeta.Annotations) require.Equal(t, expected.Spec.Template.ObjectMeta.Labels, actual.Spec.Template.Labels) + // Ensure the service account is assigned + require.Equal(t, expected.Spec.Template.Spec.ServiceAccountName, actual.Spec.Template.Spec.ServiceAccountName) + // Ensure there is an init container hasInitContainer := false for _, container := range actual.Spec.Template.Spec.InitContainers { @@ -1463,6 +1492,16 @@ func validateResourcesExist(t *testing.T, client client.Client, helmConfig commo assert.Equal(t, helmConfig.InitContainerResources.Limits, container.Resources.Limits) assert.Equal(t, helmConfig.InitContainerResources.Requests, container.Resources.Requests) } + + require.NotNil(t, container.SecurityContext.RunAsUser) + require.NotNil(t, container.SecurityContext.RunAsGroup) + if helmConfig.EnableOpenShift { + assert.EqualValues(t, *container.SecurityContext.RunAsUser, expectedOpenShiftInitContainerUID) + assert.EqualValues(t, *container.SecurityContext.RunAsGroup, expectedOpenShiftInitContainerGID) + } else { + assert.EqualValues(t, *container.SecurityContext.RunAsUser, initContainersUserAndGroupID) + assert.EqualValues(t, *container.SecurityContext.RunAsGroup, initContainersUserAndGroupID) + } } } assert.True(t, hasInitContainer) 
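Review bot: The new `assert.EqualValues` calls in the second hunk pass the actual value first and the expected constant second, so a failure message prints expected and actual swapped; testify's signature is `(t, expected, actual)`, e.g. `assert.EqualValues(t, expectedOpenShiftInitContainerUID, *container.SecurityContext.RunAsUser)`. The preceding `require.NotNil` calls also dereference `container.SecurityContext` directly, so a nil SecurityContext would surface as a panic rather than an assertion; `require.NotNil(t, container.SecurityContext)` before them keeps the failure readable. The enclosing `validateResourcesExist` starts and ends outside the hunk.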
@@ -1651,7 +1690,7 @@ func validateResourcesAreDeleted(t *testing.T, k8sClient client.Client, resource return nil } -func configureDeployment(name, namespace string, labels map[string]string, replicas int32, nodeSelector map[string]string, tolerations []corev1.Toleration, serviceAccoutName, resourceVersion string) *appsv1.Deployment { +func configureDeployment(name, namespace string, labels map[string]string, replicas int32, nodeSelector map[string]string, tolerations []corev1.Toleration, serviceAccountName, resourceVersion string) *appsv1.Deployment { return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{ APIVersion: "apps/v1", @@ -1704,7 +1743,7 @@ func configureDeployment(name, namespace string, labels map[string]string, repli }, NodeSelector: nodeSelector, Tolerations: tolerations, - ServiceAccountName: serviceAccoutName, + ServiceAccountName: serviceAccountName, }, }, }, @@ -1853,7 +1892,7 @@ func configureService(name, namespace string, labels, annotations map[string]str return &service } -func configureServiceAccount(name, namespace string, labels map[string]string, resourceVersion string) *corev1.ServiceAccount { +func configureServiceAccount(name, namespace string, labels map[string]string, resourceVersion string, pullSecrets []corev1.LocalObjectReference) *corev1.ServiceAccount { return &corev1.ServiceAccount{ TypeMeta: metav1.TypeMeta{ APIVersion: "v1", @@ -1874,6 +1913,7 @@ func configureServiceAccount(name, namespace string, labels map[string]string, r }, }, }, + ImagePullSecrets: pullSecrets, } } diff --git a/control-plane/api-gateway/gatekeeper/init.go b/control-plane/api-gateway/gatekeeper/init.go index b30bafc240..e8a17dc8ea 100644 --- a/control-plane/api-gateway/gatekeeper/init.go +++ b/control-plane/api-gateway/gatekeeper/init.go 
@@ -5,15 +5,18 @@ package gatekeeper
 import (
 	"bytes"
+	"context"
+	"fmt"
 	"strconv"
 	"strings"
 	"text/template"
 	corev1 "k8s.io/api/core/v1"
-
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
+	ctrlCommon "github.com/hashicorp/consul-k8s/control-plane/connect-inject/common"
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 	"github.com/hashicorp/consul-k8s/control-plane/namespaces"
 )
@@ -33,9 +36,9 @@ type initContainerCommandData struct {
 	LogJSON bool
 }
-// containerInit returns the init container spec for connect-init that polls for the service and the connect proxy service to be registered
+// initContainer returns the init container spec for connect-init that polls for the service and the connect proxy service to be registered
 // so that it can save the proxy service id to the shared volume and boostrap Envoy with the proxy-id.
-func initContainer(config common.HelmConfig, name, namespace string) (corev1.Container, error) {
+func (g *Gatekeeper) initContainer(config common.HelmConfig, name, namespace string) (corev1.Container, error) {
 	data := initContainerCommandData{
 		AuthMethod: config.AuthMethod,
 		LogLevel: config.LogLevel,
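Review bot: The doc comment corrected in the second hunk still reads "boostrap Envoy" on the following context line, and now that `initContainer` is a method that reads the Namespace object from the API server (next hunk), the comment should mention that side effect so callers know it can fail on a lookup, not just on template rendering. Suggested second line: `// so that it can save the proxy service id to the shared volume and bootstrap Envoy with the proxy-id. On OpenShift it reads the gateway's Namespace to derive the init container's UID/GID.` The body of `initContainer` continues outside the hunk.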
@@ -175,16 +178,41 @@ func initContainer(config common.HelmConfig, name, namespace string) (corev1.Con
 		container.Resources = *config.InitContainerResources
 	}
+	uid := int64(initContainersUserAndGroupID)
+	gid := int64(initContainersUserAndGroupID)
+
+	// In Openshift we let Openshift set the UID and GID
+	if config.EnableOpenShift {
+		ns := &corev1.Namespace{}
+		err := g.Client.Get(context.Background(), client.ObjectKey{Name: namespace}, ns)
+		if err != nil {
+			g.Log.Error(err, "error fetching namespace metadata for deployment")
+			return corev1.Container{}, fmt.Errorf("error getting namespace metadata for deployment: %s", err)
+		}
+
+		// We need to get the userID for the init container. We do not care about what is already defined on the pod
+		// for gateways, as there is no application container that could have taken a UID.
+		uid, err = ctrlCommon.GetConnectInitUID(*ns, corev1.Pod{}, config.ImageDataplane, config.ImageConsulK8S)
+		if err != nil {
+			return corev1.Container{}, err
+		}
+
+		gid, err = ctrlCommon.GetConnectInitGroupID(*ns, corev1.Pod{}, config.ImageDataplane, config.ImageConsulK8S)
+		if err != nil {
+			return corev1.Container{}, err
+		}
+	}
+
 	container.SecurityContext = &corev1.SecurityContext{
-		RunAsUser: pointer.Int64(initContainersUserAndGroupID),
-		RunAsGroup: pointer.Int64(initContainersUserAndGroupID),
-		RunAsNonRoot: pointer.Bool(true),
-		Privileged: pointer.Bool(false),
+		RunAsUser: ptr.To(uid),
+		RunAsGroup: ptr.To(gid),
+		RunAsNonRoot: ptr.To(true),
+		Privileged: ptr.To(false),
 		Capabilities: &corev1.Capabilities{
 			Drop: []corev1.Capability{"ALL"},
 		},
-		AllowPrivilegeEscalation: pointer.Bool(false),
-		ReadOnlyRootFilesystem: pointer.Bool(true),
+		AllowPrivilegeEscalation: ptr.To(false),
+		ReadOnlyRootFilesystem: ptr.To(true),
 	}
 	return container, nil
diff --git a/control-plane/api-gateway/gatekeeper/ownership.go b/control-plane/api-gateway/gatekeeper/ownership.go
index babf5aa812..9822dc226a 100644
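Review bot: The namespace lookup in the OpenShift branch uses `context.Background()` and both logs the error and returns it, which discards the caller's cancellation and reports the same failure twice, and the `%s` verb hides the original error from `errors.Is`/`k8serrors.IsNotFound` at the call site. Since `deployment()` (deployment.go hunk) does not take a ctx, threading one through is a larger change, but the wrapping can be fixed now: `return corev1.Container{}, fmt.Errorf("getting namespace %q metadata for gateway init container: %w", namespace, err)` with the preceding `g.Log.Error` dropped. It is also worth a comment above `if config.EnableOpenShift {` noting that the UID/GID are presumably derived from the gateway Namespace's OpenShift range annotations (the test expects the last UID of the annotated range), so the init container's identity is now controlled by whoever can edit that Namespace's annotations rather than by the Helm values; confirm that matches the threat model for shared namespaces. The enclosing `initContainer` starts outside the hunk.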
--- a/control-plane/api-gateway/gatekeeper/ownership.go
+++ b/control-plane/api-gateway/gatekeeper/ownership.go
@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package gatekeeper
 import (
diff --git a/control-plane/api-gateway/gatekeeper/rolebinding.go b/control-plane/api-gateway/gatekeeper/rolebinding.go
index 1a60e752c8..f315b78402 100644
--- a/control-plane/api-gateway/gatekeeper/rolebinding.go
+++ b/control-plane/api-gateway/gatekeeper/rolebinding.go
@@ -10,12 +10,13 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	gwv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
-	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
-	"github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1"
 	rbac "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
+
+	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
+	"github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1"
 )
 func (g *Gatekeeper) upsertRoleBinding(ctx context.Context, gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassConfig, config common.HelmConfig) error {
@@ -65,7 +66,7 @@ func (g *Gatekeeper) deleteRoleBinding(ctx context.Context, gwName types.Namespa
 }
 func (g *Gatekeeper) roleBinding(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassConfig, config common.HelmConfig) *rbac.RoleBinding {
 	// Create resources for reference. This avoids bugs if naming patterns change.
-	serviceAccount := g.serviceAccount(gateway)
+	serviceAccount := g.serviceAccount(gateway, config)
 	role := g.role(gateway, gcc, config)
 	return &rbac.RoleBinding{
diff --git a/control-plane/api-gateway/gatekeeper/secret.go b/control-plane/api-gateway/gatekeeper/secret.go
index dfef33c23d..65ee4c0a8b 100644
--- a/control-plane/api-gateway/gatekeeper/secret.go
+++ b/control-plane/api-gateway/gatekeeper/secret.go
@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package gatekeeper
 import (
diff --git a/control-plane/api-gateway/gatekeeper/serviceaccount.go b/control-plane/api-gateway/gatekeeper/serviceaccount.go
index d1c5c9883a..64dc0b75dd 100644
--- a/control-plane/api-gateway/gatekeeper/serviceaccount.go
+++ b/control-plane/api-gateway/gatekeeper/serviceaccount.go
@@ -7,18 +7,20 @@ import (
 	"context"
 	"errors"
-	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
-	"k8s.io/apimachinery/pkg/types"
-	gwv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
-
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
+	gwv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+
+	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
 )
 func (g *Gatekeeper) upsertServiceAccount(ctx context.Context, gateway gwv1beta1.Gateway, config common.HelmConfig) error {
-	if config.AuthMethod == "" && !config.EnableOpenShift {
+	// We only create a ServiceAccount if it's needed for RBAC or image pull secrets;
+	// otherwise, we clean up if one was previously created.
+	if config.AuthMethod == "" && !config.EnableOpenShift && len(config.ImagePullSecrets) == 0 {
 		return g.deleteServiceAccount(ctx, types.NamespacedName{Namespace: gateway.Namespace, Name: gateway.Name})
 	}
@@ -47,15 +49,12 @@ func (g *Gatekeeper) upsertServiceAccount(ctx context.Context, gateway gwv1beta1
 	}
 	// Create the ServiceAccount.
-	serviceAccount = g.serviceAccount(gateway)
+	serviceAccount = g.serviceAccount(gateway, config)
 	if err := ctrl.SetControllerReference(&gateway, serviceAccount, g.Client.Scheme()); err != nil {
 		return err
 	}
-	if err := g.Client.Create(ctx, serviceAccount); err != nil {
-		return err
-	}
-	return nil
+	return g.Client.Create(ctx, serviceAccount)
 }
 func (g *Gatekeeper) deleteServiceAccount(ctx context.Context, gwName types.NamespacedName) error {
@@ -69,12 +68,13 @@ func (g *Gatekeeper) deleteServiceAccount(ctx context.Context, gwName types.Name
 	return nil
 }
-func (g *Gatekeeper) serviceAccount(gateway gwv1beta1.Gateway) *corev1.ServiceAccount {
+func (g *Gatekeeper) serviceAccount(gateway gwv1beta1.Gateway, config common.HelmConfig) *corev1.ServiceAccount {
 	return &corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: gateway.Name,
 			Namespace: gateway.Namespace,
 			Labels: common.LabelsForGateway(&gateway),
 		},
+		ImagePullSecrets: config.ImagePullSecrets,
 	}
 }
diff --git a/control-plane/api/auth/v2beta1/zz_generated.deepcopy.go b/control-plane/api/auth/v2beta1/zz_generated.deepcopy.go
index 3aa46646cb..a9d58051ba 100644
--- a/control-plane/api/auth/v2beta1/zz_generated.deepcopy.go
+++ b/control-plane/api/auth/v2beta1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 // Code generated by controller-gen. DO NOT EDIT.
diff --git a/control-plane/api/mesh/v2beta1/zz_generated.deepcopy.go b/control-plane/api/mesh/v2beta1/zz_generated.deepcopy.go
index d4ca224b61..5bc97e8a36 100644
--- a/control-plane/api/mesh/v2beta1/zz_generated.deepcopy.go
+++ b/control-plane/api/mesh/v2beta1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 // Code generated by controller-gen. DO NOT EDIT.
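Review bot: `ImagePullSecrets` are only applied on the Create path visible in the first hunk; if the earlier part of `upsertServiceAccount` (outside the hunk) returns as soon as a ServiceAccount already exists, a later change to the pull-secret list in the Helm values will never be reconciled onto existing gateway ServiceAccounts, and those gateways keep pulling with the old credentials. Worth confirming against the existing-object branch, and if so comparing `serviceAccount.ImagePullSecrets` with `config.ImagePullSecrets` there and calling `g.Client.Update` when they differ. In the last hunk, `ImagePullSecrets: config.ImagePullSecrets` also shares the backing slice with the HelmConfig; harmless for a Create, but `slices.Clone(config.ImagePullSecrets)` would keep the object independent if it is ever mutated before being sent.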
diff --git a/control-plane/api/multicluster/v2/zz_generated.deepcopy.go b/control-plane/api/multicluster/v2/zz_generated.deepcopy.go index c52d2bfe81..85fd610521 100644 --- a/control-plane/api/multicluster/v2/zz_generated.deepcopy.go +++ b/control-plane/api/multicluster/v2/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated // Code generated by controller-gen. DO NOT EDIT. diff --git a/control-plane/api/v1alpha1/ingressgateway_types_test.go b/control-plane/api/v1alpha1/ingressgateway_types_test.go index 9250d4b0c6..54cfa64190 100644 --- a/control-plane/api/v1alpha1/ingressgateway_types_test.go +++ b/control-plane/api/v1alpha1/ingressgateway_types_test.go @@ -12,7 +12,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/hashicorp/consul-k8s/control-plane/api/common" ) @@ -77,8 +77,8 @@ func TestIngressGateway_MatchesConsul(t *testing.T) { Duration: 2 * time.Second, }, MaxFailures: uint32(20), - EnforcingConsecutive5xx: pointer.Uint32(100), - MaxEjectionPercent: pointer.Uint32(10), + EnforcingConsecutive5xx: ptr.To(uint32(100)), + MaxEjectionPercent: ptr.To(uint32(10)), BaseEjectionTime: &metav1.Duration{ Duration: 10 * time.Second, }, @@ -185,9 +185,9 @@ func TestIngressGateway_MatchesConsul(t *testing.T) { PassiveHealthCheck: &capi.PassiveHealthCheck{ Interval: 2 * time.Second, MaxFailures: uint32(20), - EnforcingConsecutive5xx: pointer.Uint32(100), - MaxEjectionPercent: pointer.Uint32(10), - BaseEjectionTime: pointer.Duration(10 * time.Second), + EnforcingConsecutive5xx: ptr.To(uint32(100)), + MaxEjectionPercent: ptr.To(uint32(10)), + BaseEjectionTime: ptr.To(10 * time.Second), }, }, Listeners: []capi.IngressListener{ 
@@ -356,8 +356,8 @@ func TestIngressGateway_ToConsul(t *testing.T) { Duration: 2 * time.Second, }, MaxFailures: uint32(20), - EnforcingConsecutive5xx: pointer.Uint32(100), - MaxEjectionPercent: pointer.Uint32(10), + EnforcingConsecutive5xx: ptr.To(uint32(100)), + MaxEjectionPercent: ptr.To(uint32(10)), BaseEjectionTime: &metav1.Duration{ Duration: 10 * time.Second, }, @@ -464,9 +464,9 @@ func TestIngressGateway_ToConsul(t *testing.T) { PassiveHealthCheck: &capi.PassiveHealthCheck{ Interval: 2 * time.Second, MaxFailures: uint32(20), - EnforcingConsecutive5xx: pointer.Uint32(100), - MaxEjectionPercent: pointer.Uint32(10), - BaseEjectionTime: pointer.Duration(10 * time.Second), + EnforcingConsecutive5xx: ptr.To(uint32(100)), + MaxEjectionPercent: ptr.To(uint32(10)), + BaseEjectionTime: ptr.To(10 * time.Second), }, }, Listeners: []capi.IngressListener{ diff --git a/control-plane/api/v1alpha1/mesh_types.go b/control-plane/api/v1alpha1/mesh_types.go index 162132a47a..4d8a14358b 100644 --- a/control-plane/api/v1alpha1/mesh_types.go +++ b/control-plane/api/v1alpha1/mesh_types.go 
@@ -60,6 +60,13 @@ type MeshSpec struct {
 	HTTP *MeshHTTPConfig `json:"http,omitempty"`
 	// Peering defines the peering configuration for the service mesh.
 	Peering *PeeringMeshConfig `json:"peering,omitempty"`
+	// ValidateClusters controls whether the clusters the route table refers to are validated. The default value is
+	// false. When set to false and a route refers to a cluster that does not exist, the route table loads and routing
+	// to a non-existent cluster results in a 404. When set to true and the route is set to a cluster that do not exist,
+	// the route table will not load. For more information, refer to
+	// [HTTP route configuration in the Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-field-config-route-v3-routeconfiguration-validate-clusters)
+	// for more details.
+	ValidateClusters bool `json:"validateClusters,omitempty"`
 }
 // TransparentProxyMeshConfig controls configuration specific to proxies in "transparent" mode. Added in v1.10.0.
@@ -200,6 +207,7 @@ func (in *Mesh) ToConsul(datacenter string) capi.ConfigEntry {
 		TLS: in.Spec.TLS.toConsul(),
 		HTTP: in.Spec.HTTP.toConsul(),
 		Peering: in.Spec.Peering.toConsul(),
+		ValidateClusters: in.Spec.ValidateClusters,
 		Meta: meta(datacenter),
 	}
 }
diff --git a/control-plane/api/v1alpha1/mesh_types_test.go b/control-plane/api/v1alpha1/mesh_types_test.go
index f2ea714f60..f5e7ede187 100644
--- a/control-plane/api/v1alpha1/mesh_types_test.go
+++ b/control-plane/api/v1alpha1/mesh_types_test.go
@@ -48,6 +48,7 @@ func TestMesh_MatchesConsul(t *testing.T) {
 				TransparentProxy: TransparentProxyMeshConfig{
 					MeshDestinationsOnly: true,
 				},
+				ValidateClusters: true,
 				AllowEnablingPermissiveMutualTLS: true,
 				TLS: &MeshTLSConfig{
 					Incoming: &MeshDirectionalTLSConfig{
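Review bot: The doc comment on `ValidateClusters` has a grammatical slip and a redundant tail: "a cluster that do not exist" should read "a cluster that does not exist", and the last sentence both opens with "For more information, refer to" and closes with "for more details". Since this comment is what ends up in the generated CRD description, suggested replacement for the last two sentences: `When set to true and a route refers to a cluster that does not exist, the route table will not load. Refer to [HTTP route configuration in the Envoy docs](<same link>) for more details.`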
@@ -73,6 +74,7 @@ func TestMesh_MatchesConsul(t *testing.T) { TransparentProxy: capi.TransparentProxyMeshConfig{ MeshDestinationsOnly: true, }, + ValidateClusters: true, AllowEnablingPermissiveMutualTLS: true, TLS: &capi.MeshTLSConfig{ Incoming: &capi.MeshDirectionalTLSConfig{ @@ -150,6 +152,7 @@ func TestMesh_ToConsul(t *testing.T) { TransparentProxy: TransparentProxyMeshConfig{ MeshDestinationsOnly: true, }, + ValidateClusters: true, AllowEnablingPermissiveMutualTLS: true, TLS: &MeshTLSConfig{ Incoming: &MeshDirectionalTLSConfig{ @@ -175,6 +178,7 @@ func TestMesh_ToConsul(t *testing.T) { TransparentProxy: capi.TransparentProxyMeshConfig{ MeshDestinationsOnly: true, }, + ValidateClusters: true, AllowEnablingPermissiveMutualTLS: true, TLS: &capi.MeshTLSConfig{ Incoming: &capi.MeshDirectionalTLSConfig{ diff --git a/control-plane/api/v1alpha1/registration_types.go b/control-plane/api/v1alpha1/registration_types.go index f3190aef87..e3dd8ba0f0 100644 --- a/control-plane/api/v1alpha1/registration_types.go +++ b/control-plane/api/v1alpha1/registration_types.go @@ -74,7 +74,7 @@ type Service struct { Tags []string `json:"tags,omitempty"` Meta map[string]string `json:"meta,omitempty"` Port int `json:"port"` - Address string `json:"address"` + Address string `json:"address,omitempty"` SocketPath string `json:"socketPath,omitempty"` TaggedAddresses map[string]ServiceAddress `json:"taggedAddresses,omitempty"` Weights Weights `json:"weights,omitempty"` diff --git a/control-plane/api/v1alpha1/servicedefaults_types_test.go b/control-plane/api/v1alpha1/servicedefaults_types_test.go index 7cfe606385..0287999d1a 100644 --- a/control-plane/api/v1alpha1/servicedefaults_types_test.go +++ b/control-plane/api/v1alpha1/servicedefaults_types_test.go 
@@ -12,7 +12,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/hashicorp/consul-k8s/control-plane/api/common" ) @@ -90,8 +90,8 @@ func TestServiceDefaults_ToConsul(t *testing.T) { Duration: 2 * time.Second, }, MaxFailures: uint32(20), - EnforcingConsecutive5xx: pointer.Uint32(100), - MaxEjectionPercent: pointer.Uint32(10), + EnforcingConsecutive5xx: ptr.To(uint32(100)), + MaxEjectionPercent: ptr.To(uint32(10)), BaseEjectionTime: &metav1.Duration{ Duration: 10 * time.Second, }, @@ -119,8 +119,8 @@ func TestServiceDefaults_ToConsul(t *testing.T) { Duration: 2 * time.Second, }, MaxFailures: uint32(10), - EnforcingConsecutive5xx: pointer.Uint32(60), - MaxEjectionPercent: pointer.Uint32(20), + EnforcingConsecutive5xx: ptr.To(uint32(60)), + MaxEjectionPercent: ptr.To(uint32(20)), BaseEjectionTime: &metav1.Duration{ Duration: 20 * time.Second, }, @@ -147,8 +147,8 @@ func TestServiceDefaults_ToConsul(t *testing.T) { Duration: 2 * time.Second, }, MaxFailures: uint32(10), - EnforcingConsecutive5xx: pointer.Uint32(60), - MaxEjectionPercent: pointer.Uint32(30), + EnforcingConsecutive5xx: ptr.To(uint32(60)), + MaxEjectionPercent: ptr.To(uint32(30)), BaseEjectionTime: &metav1.Duration{ Duration: 30 * time.Second, }, @@ -245,9 +245,9 @@ func TestServiceDefaults_ToConsul(t *testing.T) { PassiveHealthCheck: &capi.PassiveHealthCheck{ Interval: 2 * time.Second, MaxFailures: uint32(20), - EnforcingConsecutive5xx: pointer.Uint32(100), - MaxEjectionPercent: pointer.Uint32(10), - BaseEjectionTime: pointer.Duration(10 * time.Second), + EnforcingConsecutive5xx: ptr.To(uint32(100)), + MaxEjectionPercent: ptr.To(uint32(10)), + BaseEjectionTime: ptr.To(10 * time.Second), }, MeshGateway: capi.MeshGatewayConfig{ Mode: "local", 
@@ -270,9 +270,9 @@ func TestServiceDefaults_ToConsul(t *testing.T) { PassiveHealthCheck: &capi.PassiveHealthCheck{ Interval: 2 * time.Second, MaxFailures: uint32(10), - EnforcingConsecutive5xx: pointer.Uint32(60), - MaxEjectionPercent: pointer.Uint32(20), - BaseEjectionTime: pointer.Duration(20 * time.Second), + EnforcingConsecutive5xx: ptr.To(uint32(60)), + MaxEjectionPercent: ptr.To(uint32(20)), + BaseEjectionTime: ptr.To(20 * time.Second), }, MeshGateway: capi.MeshGatewayConfig{ Mode: "remote", @@ -294,9 +294,9 @@ func TestServiceDefaults_ToConsul(t *testing.T) { PassiveHealthCheck: &capi.PassiveHealthCheck{ Interval: 2 * time.Second, MaxFailures: uint32(10), - EnforcingConsecutive5xx: pointer.Uint32(60), - MaxEjectionPercent: pointer.Uint32(30), - BaseEjectionTime: pointer.Duration(30 * time.Second), + EnforcingConsecutive5xx: ptr.To(uint32(60)), + MaxEjectionPercent: ptr.To(uint32(30)), + BaseEjectionTime: ptr.To(30 * time.Second), }, MeshGateway: capi.MeshGatewayConfig{ Mode: "remote", @@ -525,8 +525,8 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) { Duration: 2 * time.Second, }, MaxFailures: uint32(20), - EnforcingConsecutive5xx: pointer.Uint32(100), - MaxEjectionPercent: pointer.Uint32(10), + EnforcingConsecutive5xx: ptr.To(uint32(100)), + MaxEjectionPercent: ptr.To(uint32(10)), BaseEjectionTime: &metav1.Duration{ Duration: 10 * time.Second, }, @@ -553,8 +553,8 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) { Duration: 2 * time.Second, }, MaxFailures: uint32(10), - EnforcingConsecutive5xx: pointer.Uint32(60), - MaxEjectionPercent: pointer.Uint32(20), + EnforcingConsecutive5xx: ptr.To(uint32(60)), + MaxEjectionPercent: ptr.To(uint32(20)), BaseEjectionTime: &metav1.Duration{ Duration: 20 * time.Second, }, 
@@ -579,8 +579,8 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) { Duration: 2 * time.Second, }, MaxFailures: uint32(10), - EnforcingConsecutive5xx: pointer.Uint32(60), - MaxEjectionPercent: pointer.Uint32(30), + EnforcingConsecutive5xx: ptr.To(uint32(60)), + MaxEjectionPercent: ptr.To(uint32(30)), BaseEjectionTime: &metav1.Duration{ Duration: 30 * time.Second, }, @@ -672,9 +672,9 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) { PassiveHealthCheck: &capi.PassiveHealthCheck{ Interval: 2 * time.Second, MaxFailures: uint32(20), - EnforcingConsecutive5xx: pointer.Uint32(100), - MaxEjectionPercent: pointer.Uint32(10), - BaseEjectionTime: pointer.Duration(10 * time.Second), + EnforcingConsecutive5xx: ptr.To(uint32(100)), + MaxEjectionPercent: ptr.To(uint32(10)), + BaseEjectionTime: ptr.To(10 * time.Second), }, MeshGateway: capi.MeshGatewayConfig{ Mode: "local", @@ -696,9 +696,9 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) { PassiveHealthCheck: &capi.PassiveHealthCheck{ Interval: 2 * time.Second, MaxFailures: uint32(10), - EnforcingConsecutive5xx: pointer.Uint32(60), - MaxEjectionPercent: pointer.Uint32(20), - BaseEjectionTime: pointer.Duration(20 * time.Second), + EnforcingConsecutive5xx: ptr.To(uint32(60)), + MaxEjectionPercent: ptr.To(uint32(20)), + BaseEjectionTime: ptr.To(20 * time.Second), }, MeshGateway: capi.MeshGatewayConfig{ Mode: "remote", @@ -720,9 +720,9 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) { PassiveHealthCheck: &capi.PassiveHealthCheck{ Interval: 2 * time.Second, MaxFailures: uint32(10), - EnforcingConsecutive5xx: pointer.Uint32(60), - MaxEjectionPercent: pointer.Uint32(30), - BaseEjectionTime: pointer.Duration(30 * time.Second), + EnforcingConsecutive5xx: ptr.To(uint32(60)), + MaxEjectionPercent: ptr.To(uint32(30)), + BaseEjectionTime: ptr.To(30 * time.Second), }, MeshGateway: capi.MeshGatewayConfig{ Mode: "remote", 
diff --git a/control-plane/api/v1alpha1/terminatinggateway_types.go b/control-plane/api/v1alpha1/terminatinggateway_types.go index d439e635fe..ca2d688011 100644 --- a/control-plane/api/v1alpha1/terminatinggateway_types.go +++ b/control-plane/api/v1alpha1/terminatinggateway_types.go @@ -22,6 +22,13 @@ const ( terminatingGatewayKubeKind = "terminatinggateway" ) +const ( + TerminatingGatewayFailedToSetACLs string = "FailedToSetACLs" +) + +// Condition Type. +const ConsulACLStatus ConditionType = "ConsulACLsSynced" + func init() { SchemeBuilder.Register(&TerminatingGateway{}, &TerminatingGatewayList{}) } @@ -80,10 +87,21 @@ type LinkedService struct { // SNI is the optional name to specify during the TLS handshake with a linked service. SNI string `json:"sni,omitempty"` - //DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true. + // DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true. DisableAutoHostRewrite bool `json:"disableAutoHostRewrite,omitempty"` } +func (l LinkedService) NamespaceName() string { + return defaultIfEmpty(l.Namespace) + "." + l.Name +} + +func defaultIfEmpty(s string) string { + if s == "" { + return "default" + } + return s +} + func (in *TerminatingGateway) GetObjectMeta() metav1.ObjectMeta { return in.ObjectMeta } 
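Review bot: The new exported identifiers in both hunks — `TerminatingGatewayFailedToSetACLs`, `ConsulACLStatus` and `LinkedService.NamespaceName` — have no doc comments, and the `// Condition Type.` line does not start with the name as godoc expects. I would write `// ConsulACLStatus is the condition type reporting whether the ACL policies for the gateway's linked services have been synced to Consul.` (presumed from the `ConsulACLsSynced` value and the `FailedToSetACLs` reason; confirm against the controller that sets it), `// TerminatingGatewayFailedToSetACLs is the reason set on ConsulACLStatus when syncing the policies failed.`, and `// NamespaceName returns "<namespace>.<name>" for the linked service, substituting "default" for an empty namespace.` The `"default"` literal in `defaultIfEmpty` is the same one `emptyOrDefault` in control-plane/catalog/registration/cache.go introduces later in this diff; a shared named constant would keep the two from drifting apart.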
@@ -131,15 +149,41 @@ func (in *TerminatingGateway) KubernetesName() string { } func (in *TerminatingGateway) SetSyncedCondition(status corev1.ConditionStatus, reason, message string) { - in.Status.Conditions = Conditions{ - { - Type: ConditionSynced, - Status: status, - LastTransitionTime: metav1.Now(), - Reason: reason, - Message: message, - }, + cond := Condition{ + Type: ConditionSynced, + Status: status, + LastTransitionTime: metav1.Now(), + Reason: reason, + Message: message, + } + + for idx, c := range in.Status.Conditions { + if c.Type == ConditionSynced { + in.Status.Conditions[idx] = cond + return + } + } + + in.Status.Conditions = append(in.Status.Conditions, cond) +} + +func (in *TerminatingGateway) SetACLStatusConditon(status corev1.ConditionStatus, reason, message string) { + cond := Condition{ + Type: ConsulACLStatus, + Status: status, + LastTransitionTime: metav1.Now(), + Reason: reason, + Message: message, } + + for idx, c := range in.Status.Conditions { + if c.Type == ConsulACLStatus { + in.Status.Conditions[idx] = cond + return + } + } + + in.Status.Conditions = append(in.Status.Conditions, cond) } func (in *TerminatingGateway) SetLastSyncedTime(time *metav1.Time) { diff --git a/control-plane/api/v1alpha1/zz_generated.deepcopy.go b/control-plane/api/v1alpha1/zz_generated.deepcopy.go index a8aed9b1ff..968606b296 100644 --- a/control-plane/api/v1alpha1/zz_generated.deepcopy.go +++ b/control-plane/api/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated // Code generated by controller-gen. DO NOT EDIT. @@ -908,7 +907,8 @@ func (in *HealthCheckDefinition) DeepCopyInto(out *HealthCheckDefinition) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]string, len(*in)) copy(*out, *in) } 
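Review bot: `SetACLStatusConditon` is misspelled in an exported method name; since this is new API surface it should be `SetACLStatusCondition` before anything depends on it. The body is also a copy of `SetSyncedCondition` with only the type changed, and both re-stamp `LastTransitionTime: metav1.Now()` even when `Status` is unchanged, whereas the Kubernetes condition convention keeps the old transition time until the status actually flips. Extracting a single `setCondition` helper removes the duplication and gives one place to get that rule right; the rewrite below keeps both public signatures.
```go
// SetSyncedCondition records the Synced condition, replacing an existing one in place.
func (in *TerminatingGateway) SetSyncedCondition(status corev1.ConditionStatus, reason, message string) {
	in.setCondition(ConditionSynced, status, reason, message)
}

// SetACLStatusCondition records the ConsulACLStatus condition, replacing an existing one in place.
func (in *TerminatingGateway) SetACLStatusCondition(status corev1.ConditionStatus, reason, message string) {
	in.setCondition(ConsulACLStatus, status, reason, message)
}

// setCondition upserts the condition of type t so that at most one entry per type exists.
// LastTransitionTime is only advanced when the status actually changes.
func (in *TerminatingGateway) setCondition(t ConditionType, status corev1.ConditionStatus, reason, message string) {
	cond := Condition{
		Type:               t,
		Status:             status,
		LastTransitionTime: metav1.Now(),
		Reason:             reason,
		Message:            message,
	}
	for idx, c := range in.Status.Conditions {
		if c.Type == t {
			if c.Status == status {
				cond.LastTransitionTime = c.LastTransitionTime
			}
			in.Status.Conditions[idx] = cond
			return
		}
	}
	in.Status.Conditions = append(in.Status.Conditions, cond)
}
```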
diff --git a/control-plane/catalog/registration/cache.go b/control-plane/catalog/registration/cache.go index e556ab7a77..9fce1dde54 100644 --- a/control-plane/catalog/registration/cache.go +++ b/control-plane/catalog/registration/cache.go @@ -5,9 +5,6 @@ package registration import ( "context" - "errors" - "fmt" - "slices" "strings" "sync" 
@@ -16,27 +13,45 @@ import ( "github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1" "github.com/hashicorp/consul-k8s/control-plane/consul" capi "github.com/hashicorp/consul/api" + "sigs.k8s.io/controller-runtime/pkg/client" ) const NotInServiceMeshFilter = "ServiceMeta[\"managed-by\"] != \"consul-k8s-endpoints-controller\"" type RegistrationCache struct { + // we include the context here so that we can use it for cancellation of `run` invocations that are scheduled after the cache is started + // this occurs when registering services in a new namespace as we have an invocation of `run` per namespace that is registered + ctx context.Context + ConsulClientConfig *consul.Config ConsulServerConnMgr consul.ServerConnectionManager - serviceMtx *sync.Mutex - Services map[string]*v1alpha1.Registration - synced chan struct{} - UpdateChan chan string + k8sClient client.Client + + serviceMtx *sync.Mutex + Services map[string]*v1alpha1.Registration + + namespaces mapset.Set[string] + + synced chan struct{} + UpdateChan chan string + + namespacesEnabled bool + partitionsEnabled bool } -func NewRegistrationCache(consulClientConfig *consul.Config, consulServerConnMgr consul.ServerConnectionManager) *RegistrationCache { +func NewRegistrationCache(ctx context.Context, consulClientConfig *consul.Config, consulServerConnMgr consul.ServerConnectionManager, k8sClient client.Client, namespacesEnabled, partitionsEnabled bool) *RegistrationCache { return &RegistrationCache{ + ctx: ctx, ConsulClientConfig: consulClientConfig, ConsulServerConnMgr: consulServerConnMgr, + k8sClient: k8sClient, serviceMtx: &sync.Mutex{}, Services: make(map[string]*v1alpha1.Registration), UpdateChan: make(chan string), synced: make(chan struct{}), + namespaces: mapset.NewSet[string](), + namespacesEnabled: namespacesEnabled, + partitionsEnabled: partitionsEnabled, } } 
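Review bot: `NewRegistrationCache` now takes six positional parameters, two of them bare bools, and call sites read like `NewRegistrationCache(ctx, cfg, mgr, client, false, false)` (see the test hunk later in this diff); it has no doc comment, so I would add `// NewRegistrationCache builds a cache whose background run goroutines stop when ctx is cancelled; namespacesEnabled and partitionsEnabled mirror the Consul Enterprise features in use.` None of the hunks in this diff reads `namespacesEnabled` or `partitionsEnabled`, and the compiler will not flag unused struct fields, so confirm they are consumed elsewhere or drop them. Storing `ctx` in the struct runs against the usual Go guidance; the field comment explains why, but it should also say the cache is unusable once that context is cancelled, because every `run` exits then. `k8sClient` is unexported while the sibling `ConsulClientConfig`/`ConsulServerConnMgr` are exported; one convention would be easier on readers.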
@@ -50,22 +65,22 @@ func (c *RegistrationCache) waitSynced(ctx context.Context) { } } -func (c *RegistrationCache) run(ctx context.Context, log logr.Logger) { +func (c *RegistrationCache) run(log logr.Logger, namespace string) { once := &sync.Once{} - opts := &capi.QueryOptions{Filter: NotInServiceMeshFilter} + opts := &capi.QueryOptions{Filter: NotInServiceMeshFilter, Namespace: namespace} for { select { - case <-ctx.Done(): + case <-c.ctx.Done(): return default: - client, err := consul.NewClientFromConnMgr(c.ConsulClientConfig, c.ConsulServerConnMgr) + consulClient, err := consul.NewClientFromConnMgr(c.ConsulClientConfig, c.ConsulServerConnMgr) if err != nil { log.Error(err, "error initializing consul client") continue } - entries, meta, err := client.Catalog().Services(opts.WithContext(ctx)) + entries, meta, err := consulClient.Catalog().Services(opts.WithContext(c.ctx)) if err != nil { // if we timeout we don't care about the error message because it's expected to happen on long polls // any other error we want to alert on 
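Review bot: Now that `run` is started once per namespace, none of its log lines carry the namespace, so `error initializing consul client` and the catalog errors emitted by several goroutines are indistinguishable; add `log = log.WithValues("namespace", namespace)` at the top of the function. The `continue` after a client-construction failure re-enters the `for`/`select` immediately with no backoff — pre-existing, but now multiplied by the number of namespace goroutines — so a short timer-based retry would keep a misconfigured connection manager from spinning. The function continues into the next hunk.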
@@ -77,20 +92,53 @@ func (c *RegistrationCache) run(ctx context.Context, log logr.Logger) { continue } - diffs := mapset.NewSet[string]() + servicesToRemove := mapset.NewSet[string]() + servicesToAdd := mapset.NewSet[string]() c.serviceMtx.Lock() + + // Remove any services in the cache that are no longer in consul for svc := range c.Services { if _, ok := entries[svc]; !ok { - diffs.Add(svc) + servicesToRemove.Add(svc) + } + } + + // Add any services to the cache that are in consul but not in the cache (we expect to hit this loop on a reboot) + for svc := range entries { + if _, ok := c.Services[svc]; !ok && svc != "consul" { + servicesToAdd.Add(svc) } } c.serviceMtx.Unlock() - for _, svc := range diffs.ToSlice() { + for _, svc := range servicesToRemove.ToSlice() { log.Info("consul deregistered service", "svcName", svc) c.UpdateChan <- svc } + for _, svc := range servicesToAdd.ToSlice() { + log.Info("consul registered service", "svcName", svc) + registrationList := &v1alpha1.RegistrationList{} + + if err := c.k8sClient.List(context.Background(), registrationList, client.MatchingFields{registrationByServiceNameIndex: svc}); err != nil { + log.Error(err, "error listing registrations", "svcName", svc) + } + + found := false + for _, reg := range registrationList.Items { + if reg.Spec.Service.Name == svc { + found = true + c.set(svc, ®) + } + } + + if !found { + log.Info("registration not found in k8s", "svcName", svc) + } + } + + log.Info("synced registrations with consul") + opts.WaitIndex = meta.LastIndex once.Do(func() { log.Info("Initial sync complete") 
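Review bot: The `k8sClient.List` call passes `context.Background()` even though the struct now carries `c.ctx` for exactly this purpose, and when it fails the code logs and then falls through to the `registration not found in k8s` message, so a transient API-server error is reported as a missing CRD; use `c.ctx` and add `continue` after the `log.Error`. The cache is still keyed by service name alone (`c.Services[svc]`, `registrationByServiceNameIndex: svc`) while `run` is now invoked per Consul namespace, so two same-named services in different namespaces would appear to overwrite each other's entry — the index definition is not in this diff, so confirm whether it includes the namespace. Taking `&reg` inside the `range` yields a distinct pointer per iteration only with a go.mod directive of 1.22 or later; with an older directive every match would store the same variable. The `svc != "consul"` exclusion deserves a comment saying why the server's own service is skipped.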
@@ -107,40 +155,18 @@ func (c *RegistrationCache) get(svcName string) (*v1alpha1.Registration, bool) { return val, ok } -func (c *RegistrationCache) aclsEnabled() bool { - return c.ConsulClientConfig.APIClientConfig.Token != "" || c.ConsulClientConfig.APIClientConfig.TokenFile != "" -} - -func (c *RegistrationCache) registerService(log logr.Logger, reg *v1alpha1.Registration) error { - client, err := consul.NewClientFromConnMgr(c.ConsulClientConfig, c.ConsulServerConnMgr) - if err != nil { - return err - } - - regReq, err := reg.ToCatalogRegistration() - if err != nil { - return err - } - - _, err = client.Catalog().Register(regReq, nil) - if err != nil { - log.Error(err, "error registering service", "svcName", regReq.Service.Service) - return err - } - +func (c *RegistrationCache) set(name string, reg *v1alpha1.Registration) { c.serviceMtx.Lock() defer c.serviceMtx.Unlock() - c.Services[reg.Spec.Service.Name] = reg - - log.Info("Successfully registered service", "svcName", regReq.Service.Service) - - return nil + c.Services[name] = reg } -func (c *RegistrationCache) updateTermGWACLRole(log logr.Logger, registration *v1alpha1.Registration, termGWsToUpdate []v1alpha1.TerminatingGateway) error { - if len(termGWsToUpdate) == 0 { - log.Info("terminating gateway not found") - return nil +func (c *RegistrationCache) registerService(log logr.Logger, reg *v1alpha1.Registration) error { + if svc, ok := c.get(reg.Spec.Service.Name); ok { + if reg.EqualExceptStatus(svc) { + log.Info("service already registered", "svcName", reg.Spec.Service.Name) + return nil + } } client, err := consul.NewClientFromConnMgr(c.ConsulClientConfig, c.ConsulServerConnMgr) 
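Review bot: `set` is a new unexported method that the controller in this diff calls from another file, so a one-line comment such as `// set stores reg in the cache under name, replacing any existing entry; callers must not hold serviceMtx.` would help. The new early return in `registerService` treats equality with the cached copy as proof that Consul holds the registration, but the cache is also written from the Kubernetes side (`c.set` in `run` and in the controller), so a Consul-side change that leaves the cache entry intact would be skipped here — I cannot see from this hunk how deregistration clears the entry, so confirm that path does. `registerService` continues into the next hunk.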
@@ -148,63 +174,25 @@ func (c *RegistrationCache) updateTermGWACLRole(log logr.Logger, registration *v return err } - roles, _, err := client.ACL().RoleList(nil) + regReq, err := reg.ToCatalogRegistration() if err != nil { - log.Error(err, "error reading role list") return err } - policy := &capi.ACLPolicy{ - Name: servicePolicyName(registration.Spec.Service.Name), - Description: "Write policy for terminating gateways for external service", - Rules: fmt.Sprintf(`service %q { policy = "write" }`, registration.Spec.Service.Name), - Datacenters: []string{registration.Spec.Datacenter}, - Namespace: registration.Spec.Service.Namespace, - Partition: registration.Spec.Service.Partition, - } - - existingPolicy, _, err := client.ACL().PolicyReadByName(policy.Name, nil) + _, err = client.Catalog().Register(regReq, &capi.WriteOptions{Namespace: reg.Spec.Service.Namespace}) if err != nil { - log.Error(err, "error reading policy") + log.Error(err, "error registering service", "svcName", regReq.Service.Service) return err } - if existingPolicy == nil { - policy, _, err = client.ACL().PolicyCreate(policy, nil) - if err != nil { - return fmt.Errorf("error creating policy: %w", err) - } - } else { - policy = existingPolicy + if !c.namespaces.Contains(reg.Spec.Service.Namespace) && !emptyOrDefault(reg.Spec.Service.Namespace) { + c.namespaces.Add(reg.Spec.Service.Namespace) + go c.run(log, reg.Spec.Service.Namespace) } - var mErr error - for _, termGW := range termGWsToUpdate { - var role *capi.ACLRole - for _, r := range roles { - if strings.HasSuffix(r.Name, fmt.Sprintf("-%s-acl-role", termGW.Name)) { - role = r - break - } - } - - if role == nil { - log.Info("terminating gateway role not found", "terminatingGatewayName", termGW.Name) - mErr = errors.Join(mErr, fmt.Errorf("terminating gateway role not found for %q", termGW.Name)) - continue - } - - role.Policies = append(role.Policies, &capi.ACLRolePolicyLink{Name: policy.Name, ID: policy.ID}) - - _, _, err = 
client.ACL().RoleUpdate(role, nil) - if err != nil { - log.Error(err, "error updating role", "roleName", role.Name) - mErr = errors.Join(mErr, fmt.Errorf("error updating role %q", role.Name)) - continue - } - } + log.Info("Successfully registered service", "svcName", regReq.Service.Service) - return mErr + return nil } func (c *RegistrationCache) deregisterService(log logr.Logger, reg *v1alpha1.Registration) error { 
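Review bot: The `Contains`/`Add` pair on `c.namespaces` is a check-then-act: two registrations in the same new namespace reconciled concurrently can both pass the `Contains` test and start two `run` goroutines for that namespace, each sending on `UpdateChan`. The set's `Add` reports whether the element was newly inserted, so the guard can be made atomic: `if ns := reg.Spec.Service.Namespace; !emptyOrDefault(ns) && c.namespaces.Add(ns) { go c.run(log, ns) }`. Nothing removes a namespace from the set or stops its goroutine when the last registration in it is deleted, so these goroutines live until `c.ctx` is cancelled; a comment on the field should say whether that is intended. The `WriteOptions{Namespace: ...}` on `Register` is not gated on `namespacesEnabled`, which is fine only if the field is guaranteed empty on OSS — confirm. `registerService` starts in the previous hunk.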
@@ -228,72 +216,6 @@ func (c *RegistrationCache) deregisterService(log logr.Logger, reg *v1alpha1.Reg return nil } -func (c *RegistrationCache) removeTermGWACLRole(log logr.Logger, registration *v1alpha1.Registration, termGWsToUpdate []v1alpha1.TerminatingGateway) error { - if len(termGWsToUpdate) == 0 { - log.Info("terminating gateway not found") - return nil - } - - client, err := consul.NewClientFromConnMgr(c.ConsulClientConfig, c.ConsulServerConnMgr) - if err != nil { - return err - } - - roles, _, err := client.ACL().RoleList(nil) - if err != nil { - return err - } - - var mErr error - for _, termGW := range termGWsToUpdate { - var role *capi.ACLRole - for _, r := range roles { - if strings.HasSuffix(r.Name, fmt.Sprintf("-%s-acl-role", termGW.Name)) { - role = r - break - } - } - - if role == nil { - log.Info("terminating gateway role not found", "terminatingGatewayName", termGW.Name) - mErr = errors.Join(mErr, fmt.Errorf("terminating gateway role not found for %q", termGW.Name)) - continue - } - - var policyID string - - expectedPolicyName := servicePolicyName(registration.Spec.Service.Name) - role.Policies = slices.DeleteFunc(role.Policies, func(i *capi.ACLRolePolicyLink) bool { - if i.Name == expectedPolicyName { - policyID = i.ID - return true - } - return false - }) - - if policyID == "" { - log.Info("policy not found on terminating gateway role", "policyName", expectedPolicyName, "terminatingGatewayName", termGW.Name) - continue - } - - _, _, err = client.ACL().RoleUpdate(role, nil) - if err != nil { - log.Error(err, "error updating role", "roleName", role.Name) - mErr = errors.Join(mErr, fmt.Errorf("error updating role %q", role.Name)) - continue - } - - _, err = client.ACL().PolicyDelete(policyID, nil) - if err != nil { - log.Error(err, "error deleting service policy", "policyID", policyID, "policyName", expectedPolicyName) - mErr = errors.Join(mErr, fmt.Errorf("error deleting service ACL policy %q", policyID)) - continue - } - } - - return mErr -} - 
-func servicePolicyName(name string) string { - return fmt.Sprintf("%s-write-policy", name) +func emptyOrDefault(s string) bool { + return s == "" || s == "default" } diff --git a/control-plane/catalog/registration/registrations_controller.go b/control-plane/catalog/registration/registrations_controller.go index eabcaae979..712aa02522 100644 --- a/control-plane/catalog/registration/registrations_controller.go +++ b/control-plane/catalog/registration/registrations_controller.go @@ -44,12 +44,12 @@ type RegistrationsController struct { Log logr.Logger } -// +kubebuilder:rbac:groups=consul.hashicorp.com,resources=servicerouters,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=consul.hashicorp.com,resources=servicerouters/status,verbs=get;update;patch +// +kubebuilder:rbac:groups=consul.hashicorp.com,resources=registration,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=consul.hashicorp.com,resources=registration/status,verbs=get;update;patch func (r *RegistrationsController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { log := r.Log.V(1).WithValues("registration", req.NamespacedName) - log.Info("Reconciling Registaration") + log.Info("Reconciling Registration") registration := &v1alpha1.Registration{} // get the registration 
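Review bot: `emptyOrDefault` is new and undocumented; `// emptyOrDefault reports whether s denotes the Consul default namespace (unset or "default").` The `"default"` literal is the same one `defaultIfEmpty` in control-plane/api/v1alpha1/terminatinggateway_types.go uses earlier in this diff; a shared constant would avoid the two drifting apart.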
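Review bot: The `+kubebuilder:rbac` markers name the resource `registration` (singular); kubebuilder copies the resource string verbatim into the generated ClusterRole and Kubernetes RBAC matches on the plural resource name, so if the CRD's plural is `registrations` the controller's `list`/`watch`/`update` on Registration objects will be denied and the rule grants nothing. The CRD definition is not in this diff, so confirm the plural and, if so, change the two lines to `resources=registrations` and `resources=registrations/status`. Keeping the marker accurate also matters for least privilege: someone auditing the generated Role should be able to trust that it lists exactly what the controller touches, and only that.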
@@ -60,18 +60,6 @@ func (r *RegistrationsController) Reconcile(ctx context.Context, req ctrl.Reques return ctrl.Result{}, client.IgnoreNotFound(err) } - cachedRegistration, ok := r.Cache.get(registration.Spec.Service.Name) - if slices.ContainsFunc(registration.Status.Conditions, func(c v1alpha1.Condition) bool { return c.Type == ConditionDeregistered }) { - if ok && registration.EqualExceptStatus(cachedRegistration) { - log.Info("Registration is in sync") - // registration is already in sync so we do nothing, this happens when consul deregisters a service - // and we update the status to show that consul deregistered it - return ctrl.Result{}, nil - } - } - - log.Info("need to reconcile") - // deletion request if !registration.ObjectMeta.DeletionTimestamp.IsZero() { result := r.handleDeletion(ctx, log, registration) @@ -86,6 +74,19 @@ func (r *RegistrationsController) Reconcile(ctx context.Context, req ctrl.Reques return ctrl.Result{}, nil } + cachedRegistration, ok := r.Cache.get(registration.Spec.Service.Name) + if slices.ContainsFunc(registration.Status.Conditions, func(c v1alpha1.Condition) bool { return c.Type == ConditionDeregistered }) { + // registration is already in sync so we do nothing, this happens when consul deregisters a service + // and we update the status to show that consul deregistered it + if ok && registration.EqualExceptStatus(cachedRegistration) { + r.Cache.set(registration.Spec.Service.Name, registration) + log.Info("Registration is in sync") + return ctrl.Result{}, nil + } + } + + log.Info("need to reconcile") + // registration request result := r.handleRegistration(ctx, log, registration) err := r.UpdateStatus(ctx, log, registration, result) 
@@ -113,7 +114,6 @@ func (c *RegistrationsController) watchForDeregistrations(ctx context.Context) { continue } for _, reg := range regList.Items { - err := c.UpdateStatus(context.Background(), c.Log, ®, Result{Registering: false, ConsulDeregistered: true}) if err != nil { c.Log.Error(err, "failed to update Registration status", "name", reg.Name, "namespace", reg.Namespace) 
@@ -143,48 +143,9 @@ func (r *RegistrationsController) handleRegistration(ctx context.Context, log lo return result } - if r.Cache.aclsEnabled() { - termGWsToUpdate, err := r.terminatingGatewaysToUpdate(ctx, log, registration) - if err != nil { - result.Sync = err - result.ACLUpdate = fmt.Errorf("%w: %s", ErrUpdatingACLRoles, err) - return result - } - - err = r.Cache.updateTermGWACLRole(log, registration, termGWsToUpdate) - if err != nil { - result.Sync = err - result.ACLUpdate = fmt.Errorf("%w: %s", ErrUpdatingACLRoles, err) - return result - } - } return result } -func (r *RegistrationsController) terminatingGatewaysToUpdate(ctx context.Context, log logr.Logger, registration *v1alpha1.Registration) ([]v1alpha1.TerminatingGateway, error) { - termGWList := &v1alpha1.TerminatingGatewayList{} - err := r.Client.List(ctx, termGWList) - if err != nil { - log.Error(err, "error listing terminating gateways") - return nil, err - } - - termGWsToUpdate := make([]v1alpha1.TerminatingGateway, 0, len(termGWList.Items)) - for _, termGW := range termGWList.Items { - if slices.ContainsFunc(termGW.Spec.Services, termGWContainsService(registration)) { - termGWsToUpdate = append(termGWsToUpdate, termGW) - } - } - - return termGWsToUpdate, nil -} - -func termGWContainsService(registration *v1alpha1.Registration) func(v1alpha1.LinkedService) bool { - return func(svc v1alpha1.LinkedService) bool { - return svc.Name == registration.Spec.Service.Name - } -} - func (r *RegistrationsController) handleDeletion(ctx context.Context, log logr.Logger, registration *v1alpha1.Registration) Result { log.Info("Deregistering service") result := Result{Registering: false} 
@@ -195,22 +156,6 @@ func (r *RegistrationsController) handleDeletion(ctx context.Context, log logr.L return result } - if r.Cache.aclsEnabled() { - termGWsToUpdate, err := r.terminatingGatewaysToUpdate(ctx, log, registration) - if err != nil { - result.Sync = err - result.ACLUpdate = fmt.Errorf("%w: %s", ErrRemovingACLRoles, err) - return result - } - - err = r.Cache.removeTermGWACLRole(log, registration, termGWsToUpdate) - if err != nil { - result.Sync = err - result.ACLUpdate = fmt.Errorf("%w: %s", ErrRemovingACLRoles, err) - return result - } - } - patch := r.RemoveFinalizersPatch(registration, RegistrationFinalizer) err = r.Patch(ctx, registration, patch) if err != nil { @@ -233,10 +178,6 @@ func (r *RegistrationsController) UpdateStatus(ctx context.Context, log logr.Log registration.Status.Conditions = append(registration.Status.Conditions, deregistrationCondition(result)) } - if r.Cache.aclsEnabled() { - registration.Status.Conditions = append(registration.Status.Conditions, aclCondition(result)) - } - err := r.Status().Update(ctx, registration) if err != nil { return err @@ -250,7 +191,7 @@ func (r *RegistrationsController) Logger(name types.NamespacedName) logr.Logger func (r *RegistrationsController) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error { // setup the cache - go r.Cache.run(ctx, r.Log) + go r.Cache.run(r.Log, "") r.Cache.waitSynced(ctx) go r.watchForDeregistrations(ctx) diff --git a/control-plane/catalog/registration/registrations_controller_test.go b/control-plane/catalog/registration/registrations_controller_test.go index ccbe053d06..afe0e315c5 100644 --- a/control-plane/catalog/registration/registrations_controller_test.go +++ b/control-plane/catalog/registration/registrations_controller_test.go 
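Review bot: `SetupWithManager` still uses the manager's `ctx` for `waitSynced` and `watchForDeregistrations`, but the `run` goroutine it starts now stops only when the context stored in the cache at construction is cancelled; if the caller built the cache with a different context (the test in this diff passes `context.Background()`), the default-namespace poller outlives the manager. Either document on `NewRegistrationCache` that the same context must be passed, or set the cache's context here before `go r.Cache.run(r.Log, "")`, since both live in the same package. The bare `""` argument would read better as a named constant such as `defaultNamespace` with a comment that the empty string selects Consul's default namespace.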
@@ -110,133 +110,6 @@ func TestReconcile_Success(tt *testing.T) { }, }, }, - "registering -- ACLs enabled and policy does not exist": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - Name: "service-name", - Port: 8080, - Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: []runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - registering: true, - aclEnabled: true, - }, - expectedFinalizers: []string{registration.RegistrationFinalizer}, - expectedConditions: []v1alpha1.Condition{ - { - Type: v1alpha1.ConditionSynced, - Status: v1.ConditionTrue, - Reason: "", - Message: "", - }, - { - Type: registration.ConditionRegistered, - Status: v1.ConditionTrue, - Reason: "", - Message: "", - }, - { - Type: registration.ConditionACLsUpdated, - Status: v1.ConditionTrue, - Reason: "", - Message: "", - }, - }, - }, - "registering -- ACLs enabled and policy does exists": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - Name: "service-name", - Port: 8080, - 
Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: []runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - registering: true, - aclEnabled: true, - policyExists: true, - }, - expectedFinalizers: []string{registration.RegistrationFinalizer}, - expectedConditions: []v1alpha1.Condition{ - { - Type: v1alpha1.ConditionSynced, - Status: v1.ConditionTrue, - Reason: "", - Message: "", - }, - { - Type: registration.ConditionRegistered, - Status: v1.ConditionTrue, - Reason: "", - Message: "", - }, - { - Type: registration.ConditionACLsUpdated, - Status: v1.ConditionTrue, - Reason: "", - Message: "", - }, - }, - }, "deregistering": { registration: &v1alpha1.Registration{ TypeMeta: metav1.TypeMeta{ 
@@ -281,50 +154,6 @@ func TestReconcile_Success(tt *testing.T) { }, expectedConditions: []v1alpha1.Condition{}, }, - "deregistering - ACLs enabled": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - DeletionTimestamp: &deletionTime, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - Name: "service-name", - Port: 8080, - Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: []runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - registering: false, - aclEnabled: true, - }, - expectedConditions: []v1alpha1.Condition{}, - }, } for name, tc := range cases { @@ -350,7 +179,7 @@ func TestReconcile_Success(tt *testing.T) { Client: fakeClient, Log: logrtest.NewTestLogger(t), Scheme: s, - Cache: registration.NewRegistrationCache(testClient.Cfg, testClient.Watcher), + Cache: registration.NewRegistrationCache(context.Background(), testClient.Cfg, testClient.Watcher, fakeClient, false, false), } _, err := controller.Reconcile(ctx, ctrl.Request{ 
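Review bot: The test builds the cache with `context.Background()`, which is never cancelled, so any `run` goroutine the cache starts during the test (for example via `registerService` for a non-default namespace, if a case exercises one) keeps polling after the test returns and would trip a goroutine-leak check. The same hunk already passes a `ctx` to `Reconcile`; if that one is cancelled by the test, pass it here as well, otherwise use `ctx, cancel := context.WithCancel(context.Background())` with `t.Cleanup(cancel)`. The trailing `false, false` says nothing to the reader; named locals such as `namespacesEnabled := false` or an inline `/* namespacesEnabled */` comment would help.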
@@ -436,243 +265,6 @@ func TestReconcile_Failure(tt *testing.T) { }, }, }, - "registering - terminating gateway acl role not found": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - Name: "service-name", - Port: 8080, - Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: []runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - registering: true, - aclEnabled: true, - temGWRoleMissing: true, - }, - expectedConditions: []v1alpha1.Condition{ - { - Type: v1alpha1.ConditionSynced, - Status: v1.ConditionFalse, - Reason: registration.SyncError, - }, - { - Type: registration.ConditionRegistered, - Status: v1.ConditionTrue, - }, - { - Type: registration.ConditionACLsUpdated, - Status: v1.ConditionFalse, - Reason: registration.ConsulErrorACL, - }, - }, - }, - "registering - error reading policy": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - Name: "service-name", - Port: 8080, - Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: 
[]runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - registering: true, - aclEnabled: true, - errOnPolicyRead: true, - policyExists: true, - }, - expectedConditions: []v1alpha1.Condition{ - { - Type: v1alpha1.ConditionSynced, - Status: v1.ConditionFalse, - Reason: registration.SyncError, - }, - { - Type: registration.ConditionRegistered, - Status: v1.ConditionTrue, - }, - { - Type: registration.ConditionACLsUpdated, - Status: v1.ConditionFalse, - Reason: registration.ConsulErrorACL, - }, - }, - }, - "registering - policy does not exist - error creating policy": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - Name: "service-name", - Port: 8080, - Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: []runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - registering: true, - aclEnabled: true, - errOnPolicyWrite: true, - }, - expectedConditions: []v1alpha1.Condition{ - { - Type: v1alpha1.ConditionSynced, - Status: v1.ConditionFalse, - Reason: registration.SyncError, - }, - { - Type: registration.ConditionRegistered, - Status: v1.ConditionTrue, - }, - { - Type: 
registration.ConditionACLsUpdated, - Status: v1.ConditionFalse, - Reason: registration.ConsulErrorACL, - }, - }, - }, - "registering - error updating role": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - Name: "service-name", - Port: 8080, - Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: []runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - registering: true, - aclEnabled: true, - errOnRoleUpdate: true, - }, - expectedConditions: []v1alpha1.Condition{ - { - Type: v1alpha1.ConditionSynced, - Status: v1.ConditionFalse, - Reason: registration.SyncError, - }, - { - Type: registration.ConditionRegistered, - Status: v1.ConditionTrue, - }, - { - Type: registration.ConditionACLsUpdated, - Status: v1.ConditionFalse, - Reason: registration.ConsulErrorACL, - }, - }, - }, "deregistering": { registration: &v1alpha1.Registration{ TypeMeta: metav1.TypeMeta{ 
@@ -727,124 +319,6 @@ func TestReconcile_Failure(tt *testing.T) { }, }, }, - "deregistering - ACLs enabled - terminating-gateway error updating role": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - DeletionTimestamp: &deletionTime, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - Name: "service-name", - Port: 8080, - Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: []runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - aclEnabled: true, - errOnRoleUpdate: true, - }, - expectedConditions: []v1alpha1.Condition{ - { - Type: v1alpha1.ConditionSynced, - Status: v1.ConditionFalse, - Reason: registration.SyncError, - }, - { - Type: registration.ConditionDeregistered, - Status: v1.ConditionTrue, - }, - { - Type: registration.ConditionACLsUpdated, - Status: v1.ConditionFalse, - Reason: registration.ConsulErrorACL, - }, - }, - }, - "deregistering - ACLs enabled - terminating-gateway error deleting policy": { - registration: &v1alpha1.Registration{ - TypeMeta: metav1.TypeMeta{ - Kind: "Registration", - APIVersion: "consul.hashicorp.com/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "test-registration", - Finalizers: []string{registration.RegistrationFinalizer}, - DeletionTimestamp: &deletionTime, - }, - Spec: v1alpha1.RegistrationSpec{ - ID: "node-id", - Node: "virtual-node", - Address: "127.0.0.1", - Datacenter: "dc1", - Service: v1alpha1.Service{ - ID: "service-id", - 
Name: "service-name", - Port: 8080, - Address: "127.0.0.1", - }, - }, - }, - terminatingGateways: []runtime.Object{ - &v1alpha1.TerminatingGateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: "terminating-gateway", - }, - Spec: v1alpha1.TerminatingGatewaySpec{ - Services: []v1alpha1.LinkedService{ - { - Name: "service-name", - }, - }, - }, - }, - }, - serverResponseConfig: serverResponseConfig{ - aclEnabled: true, - errOnPolicyDelete: true, - }, - expectedConditions: []v1alpha1.Condition{ - { - Type: v1alpha1.ConditionSynced, - Status: v1.ConditionFalse, - Reason: registration.SyncError, - }, - { - Type: registration.ConditionDeregistered, - Status: v1.ConditionTrue, - }, - { - Type: registration.ConditionACLsUpdated, - Status: v1.ConditionFalse, - Reason: registration.ConsulErrorACL, - }, - }, - }, } for name, tc := range cases { @@ -870,7 +344,7 @@ func TestReconcile_Failure(tt *testing.T) { Client: fakeClient, Log: logrtest.NewTestLogger(t), Scheme: s, - Cache: registration.NewRegistrationCache(testClient.Cfg, testClient.Watcher), + Cache: registration.NewRegistrationCache(context.Background(), testClient.Cfg, testClient.Watcher, fakeClient, false, false), } _, err := controller.Reconcile(ctx, ctrl.Request{ diff --git a/control-plane/catalog/registration/result.go b/control-plane/catalog/registration/result.go index 176855c330..0472db5563 100644 --- a/control-plane/catalog/registration/result.go +++ b/control-plane/catalog/registration/result.go @@ -17,7 +17,6 @@ const ( ConditionSynced = "Synced" ConditionRegistered = "Registered" ConditionDeregistered = "Deregistered" - ConditionACLsUpdated = "ACLsUpdated" ) // Status Reasons. @@ -25,7 +24,6 @@ const ( SyncError = "SyncError" ConsulErrorRegistration = "ConsulErrorRegistration" ConsulErrorDeregistration = "ConsulErrorDeregistration" - ConsulErrorACL = "ConsulErrorACL" ConsulDeregistration = "ConsulDeregistration" ) 
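Review bot: The new `Cache:` line builds the registration cache on `context.Background()` even though the test has a `ctx` in scope two lines below (`controller.Reconcile(ctx, ...)`), so anything the cache starts on that context (the `testClient.Watcher` argument suggests a background watcher) is never cancelled when the test case finishes; `ctx`'s declaration is outside this hunk, but if it is the per-case context, prefer `Cache: registration.NewRegistrationCache(ctx, testClient.Cfg, testClient.Watcher, fakeClient, false, false),`. The two trailing `false` literals are opaque at the call site; binding them to named locals that mirror the constructor's parameter names (not visible here) would keep the case table readable. `TestReconcile_Failure` continues beyond this hunk.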
@@ -35,17 +33,16 @@ type Result struct { Sync error Registration error Deregistration error - ACLUpdate error Finalizer error } func (r Result) hasErrors() bool { - return r.Sync != nil || r.Registration != nil || r.ACLUpdate != nil || r.Finalizer != nil + return r.Sync != nil || r.Registration != nil || r.Finalizer != nil } func (r Result) errors() error { var err error - err = errors.Join(err, r.Sync, r.Registration, r.ACLUpdate, r.Finalizer) + err = errors.Join(err, r.Sync, r.Registration, r.Finalizer) return err } @@ -110,31 +107,3 @@ func deregistrationCondition(result Result) v1alpha1.Condition { LastTransitionTime: metav1.Now(), } } - -func aclCondition(result Result) v1alpha1.Condition { - if result.ACLUpdate != nil { - return v1alpha1.Condition{ - Type: ConditionACLsUpdated, - Status: corev1.ConditionFalse, - Reason: ConsulErrorACL, - Message: result.ACLUpdate.Error(), - LastTransitionTime: metav1.Now(), - } - } - - if result.ConsulDeregistered { - return v1alpha1.Condition{ - Type: ConditionACLsUpdated, - Status: corev1.ConditionFalse, - Reason: ConsulDeregistration, - Message: "Consul deregistered this service, acls were not removed", - LastTransitionTime: metav1.Now(), - } - } - - return v1alpha1.Condition{ - Type: ConditionACLsUpdated, - Status: corev1.ConditionTrue, - LastTransitionTime: metav1.Now(), - } -} diff --git a/control-plane/catalog/to-consul/resource_test.go b/control-plane/catalog/to-consul/resource_test.go index 3272849bd3..08b08ced2f 100644 --- a/control-plane/catalog/to-consul/resource_test.go +++ b/control-plane/catalog/to-consul/resource_test.go @@ -21,7 +21,7 @@ import ( "k8s.io/apimachinery/pkg/util/rand" "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/fake" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) const nodeName1 = "ip-10-11-12-13.ec2.internal" 
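Review bot: `Result.Deregistration` is still absent from both `hasErrors` and `errors()` after the `ACLUpdate` removal, so a deregistration failure is neither counted as an error nor included in the joined error; if that is deliberate (it may be surfaced only through `deregistrationCondition`, whose signature is visible in the next hunk), a comment on the `Deregistration` field saying so would prevent a well-meant "fix", otherwise add `r.Deregistration` to both lines. Separately, `errors()` joins a nil `err` with the fields for no effect; `return errors.Join(r.Sync, r.Registration, r.Finalizer)` is equivalent and drops the `var err error`.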
@@ -778,23 +778,23 @@ func TestServiceResource_lbRegisterEndpoints(t *testing.T) { { Addresses: []string{"8.8.8.8"}, Conditions: discoveryv1.EndpointConditions{ - Ready: pointer.Bool(true), - Serving: pointer.Bool(true), - Terminating: pointer.Bool(false), + Ready: ptr.To(true), + Serving: ptr.To(true), + Terminating: ptr.To(false), }, TargetRef: &corev1.ObjectReference{Kind: "pod", Name: "foo", Namespace: metav1.NamespaceDefault}, NodeName: &node1.Name, - Zone: pointer.String("us-west-2a"), + Zone: ptr.To("us-west-2a"), }, }, Ports: []discoveryv1.EndpointPort{ { - Name: pointer.String("http"), - Port: pointer.Int32(8080), + Name: ptr.To("http"), + Port: ptr.To(int32(8080)), }, { - Name: pointer.String("rpc"), - Port: pointer.Int32(2000), + Name: ptr.To("rpc"), + Port: ptr.To(int32(2000)), }, }, }, @@ -926,23 +926,23 @@ func TestServiceResource_nodePort_singleEndpoint(t *testing.T) { { Addresses: []string{"1.2.3.4"}, Conditions: discoveryv1.EndpointConditions{ - Ready: pointer.Bool(true), - Serving: pointer.Bool(true), - Terminating: pointer.Bool(false), + Ready: ptr.To(true), + Serving: ptr.To(true), + Terminating: ptr.To(false), }, TargetRef: &corev1.ObjectReference{Kind: "pod", Name: "foo", Namespace: metav1.NamespaceDefault}, NodeName: &node1.Name, - Zone: pointer.String("us-west-2a"), + Zone: ptr.To("us-west-2a"), }, }, Ports: []discoveryv1.EndpointPort{ { - Name: pointer.String("http"), - Port: pointer.Int32(8080), + Name: ptr.To("http"), + Port: ptr.To(int32(8080)), }, { - Name: pointer.String("rpc"), - Port: pointer.Int32(2000), + Name: ptr.To("rpc"), + Port: ptr.To(int32(2000)), }, }, }, 
@@ -2141,33 +2141,33 @@ func createEndpointSlice(t *testing.T, client *fake.Clientset, serviceName strin { Addresses: []string{"1.1.1.1"}, Conditions: discoveryv1.EndpointConditions{ - Ready: pointer.Bool(true), - Serving: pointer.Bool(true), - Terminating: pointer.Bool(false), + Ready: ptr.To(true), + Serving: ptr.To(true), + Terminating: ptr.To(false), }, TargetRef: &targetRef, NodeName: &node1, - Zone: pointer.String("us-west-2a"), + Zone: ptr.To("us-west-2a"), }, { Addresses: []string{"2.2.2.2"}, Conditions: discoveryv1.EndpointConditions{ - Ready: pointer.Bool(true), - Serving: pointer.Bool(true), - Terminating: pointer.Bool(false), + Ready: ptr.To(true), + Serving: ptr.To(true), + Terminating: ptr.To(false), }, NodeName: &node2, - Zone: pointer.String("us-west-2b"), + Zone: ptr.To("us-west-2b"), }, }, Ports: []discoveryv1.EndpointPort{ { - Name: pointer.String("http"), - Port: pointer.Int32(8080), + Name: ptr.To("http"), + Port: ptr.To(int32(8080)), }, { - Name: pointer.String("rpc"), - Port: pointer.Int32(2000), + Name: ptr.To("rpc"), + Port: ptr.To(int32(2000)), }, }, }, diff --git a/control-plane/catalog/to-consul/syncer.go b/control-plane/catalog/to-consul/syncer.go index 9f1df18ba6..93d158fdaa 100644 --- a/control-plane/catalog/to-consul/syncer.go +++ b/control-plane/catalog/to-consul/syncer.go @@ -11,10 +11,11 @@ import ( "github.com/cenkalti/backoff" mapset "github.com/deckarep/golang-set" - "github.com/hashicorp/consul-k8s/control-plane/consul" - "github.com/hashicorp/consul-k8s/control-plane/namespaces" "github.com/hashicorp/consul/api" "github.com/hashicorp/go-hclog" + + "github.com/hashicorp/consul-k8s/control-plane/consul" + "github.com/hashicorp/consul-k8s/control-plane/namespaces" ) const ( 
@@ -173,10 +174,31 @@ func (s *ConsulSyncer) watchReapableServices(ctx context.Context) { // because we have no tracked services in our maps yet. <-s.initialSync + // Run immediately the first time, then wait for the retry period + waitCh := time.After(0) + waitBeforeRetry := s.SyncPeriod / 4 + + for { + select { + case <-waitCh: + s.deregisterRemovedServices(ctx) + waitCh = time.After(waitBeforeRetry) + case <-ctx.Done(): + return + } + } +} + +// deregisterRemovedServices queries the Consul catalog for all services and +// schedules for deregistration any that no longer have a corresponding k8s +// service. +// +// This function is very similar to [deregisterRemovedService] but handles the case +// where the ServiceWatcher has been terminated but the service hasn't been deregistered +// yet. +func (s *ConsulSyncer) deregisterRemovedServices(ctx context.Context) { opts := &api.QueryOptions{ AllowStale: true, - WaitIndex: 1, - WaitTime: 1 * time.Minute, Filter: fmt.Sprintf("\"%s\" in Tags", s.ConsulK8STag), } 
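Review bot: Dropping `WaitIndex`/`WaitTime` from the query options turns the catalog read in `deregisterRemovedServices` from a blocking query into a plain poll that the loop above now runs every `SyncPeriod/4`, and the new doc comment does not mention it; add a sentence such as `// The catalog is polled (AllowStale, no blocking index) once per SyncPeriod/4, so reap latency and server load are bounded by that period.` so the trade-off is explicit. If `SyncPeriod` can be zero, `waitBeforeRetry` is zero and the loop issues back-to-back catalog queries; the old code had the same division, but a documented minimum or a guard would be cheap here. `deregisterRemovedServices` continues past the end of this hunk.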
@@ -184,80 +206,59 @@ func (s *ConsulSyncer) watchReapableServices(ctx context.Context) { opts.Namespace = "*" } - // minWait is the minimum time to wait between scheduling service deletes. - // This prevents a lot of churn in services causing high CPU usage. - minWait := s.SyncPeriod / 4 - minWaitCh := time.After(0) - for { - // Create a new consul client. - consulClient, err := consul.NewClientFromConnMgr(s.ConsulClientConfig, s.ConsulServerConnMgr) - if err != nil { - s.Log.Error("failed to create Consul API client", "err", err) - return - } + consulClient, err := consul.NewClientFromConnMgr(s.ConsulClientConfig, s.ConsulServerConnMgr) + if err != nil { + s.Log.Error("failed to create Consul API client", "error", err) + return + } - var services *api.CatalogNodeServiceList - var meta *api.QueryMeta - err = backoff.Retry(func() error { - services, meta, err = consulClient.Catalog().NodeServiceList(s.ConsulNodeName, opts) - return err - }, backoff.WithContext(backoff.NewExponentialBackOff(), ctx)) + // Limit our backoff so that we don't try forever with a bad client + b := backoff.WithContext( + backoff.WithMaxRetries( + backoff.NewExponentialBackOff(), 5), ctx) + var services *api.CatalogNodeServiceList + err = backoff.Retry(func() error { + services, _, err = consulClient.Catalog().NodeServiceList(s.ConsulNodeName, opts) if err != nil { - s.Log.Warn("error querying services, will retry", "err", err) - } else { - s.Log.Debug("[watchReapableServices] services returned from catalog", - "services", services) - } - - // Wait our minimum time before continuing or retrying - select { - case <-minWaitCh: - if err != nil { - continue - } - - minWaitCh = time.After(minWait) - case <-ctx.Done(): - return + s.Log.Warn("error querying services, will retry", "error", err) + return err } - // Update our blocking index - opts.WaitIndex = meta.LastIndex - - // Lock so we can modify the stored state - s.lock.Lock() + return nil + }, b) + if err != nil { + return + } - // Go 
through the service array and find services that should be reaped - for _, service := range services.Services { - // Check that the namespace exists in the valid service names map - // before checking whether it contains the service - svcNs := service.Namespace - if !s.EnableNamespaces { - // Set namespace to empty when namespaces are not enabled. - svcNs = "" - } - if _, ok := s.serviceNames[svcNs]; ok { - // We only care if we don't know about this service at all. - if s.serviceNames[svcNs].Contains(service.Service) { - s.Log.Debug("[watchReapableServices] serviceNames contains service", - "namespace", svcNs, - "service-name", service.Service) - continue - } - } + // Lock so we can modify the stored state + s.lock.Lock() + defer s.lock.Unlock() - s.Log.Info("invalid service found, scheduling for delete", - "service-name", service.Service, "service-id", service.ID, "service-consul-namespace", svcNs) - if err = s.scheduleReapServiceLocked(service.Service, svcNs); err != nil { - s.Log.Info("error querying service for delete", - "service-name", service.Service, - "service-consul-namespace", svcNs, - "err", err) + // Go through the service array and find services that should be reaped + for _, service := range services.Services { + // Check that the namespace exists in the valid service names map + // before checking whether it contains the service + namespace := service.Namespace + if !s.EnableNamespaces { + // Set namespace to empty when namespaces are not enabled. + namespace = "" + } + if _, ok := s.serviceNames[namespace]; ok { + // We only care if we don't know about this service at all. 
+ if s.serviceNames[namespace].Contains(service.Service) { + continue } } - s.lock.Unlock() + s.Log.Info("invalid service found, scheduling for delete", + "service-name", service.Service, "service-id", service.ID, "service-consul-namespace", namespace) + if err = s.scheduleReapServiceLocked(service.Service, namespace); err != nil { + s.Log.Info("error querying service for delete", + "service-name", service.Service, + "service-consul-namespace", namespace, + "err", err) + } } } 
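Review bot: Inside the `backoff.Retry` closure the captured outer `err` is assigned by `services, _, err = ...` and is then overwritten by `err = backoff.Retry(...)` once it returns; it works, but a closure-local `qerr` keeps the two error values distinct and avoids the pattern being copied (it appears again in `deregisterRemovedService` in the next hunk). The structured-log key is `"error"` on the new Warn/Error lines but still `"err"` on the `error querying service for delete` log at the end of this hunk and on the `failed to create Consul API client` line in the next hunk; pick one key for the file. Once `backoff.WithMaxRetries(..., 5)` is exhausted (presumably up to six attempts) the function returns with nothing beyond the per-attempt `will retry` warning, which is misleading on the last attempt; consider `if err != nil { s.Log.Error("giving up querying catalog services", "error", err); return }` so a persistent failure to reap stale services is visible to operators.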
@@ -267,72 +268,88 @@ func (s *ConsulSyncer) watchService(ctx context.Context, name, namespace string) s.Log.Info("starting service watcher", "service-name", name, "service-consul-namespace", namespace) defer s.Log.Info("stopping service watcher", "service-name", name, "service-consul-namespace", namespace) + // Run immediately the first time, then wait for the retry period + waitCh := time.After(0) + waitBeforeRetry := s.SyncPeriod / 4 + for { select { + // Wait for our poll period + case <-waitCh: + s.deregisterRemovedService(ctx, name, namespace) + waitCh = time.After(waitBeforeRetry) // Quit if our context is over case <-ctx.Done(): return - - // Wait for our poll period - case <-time.After(s.SyncPeriod): } - // Set up query options - queryOpts := &api.QueryOptions{ - AllowStale: true, - } - if s.EnableNamespaces { - // Sets the Consul namespace to query the catalog - queryOpts.Namespace = namespace - } + } +} - // Create a new consul client. - consulClient, err := consul.NewClientFromConnMgr(s.ConsulClientConfig, s.ConsulServerConnMgr) +// deregisterRemovedService checks to see if a given service in the catalog +// has been removed from k8s. If it has, then the service is deregistered from +// the Consul catalog. +// +// This function is very similar to [deregisterRemovedServices] but is scoped to a single +// service that is currently being watched. 
+func (s *ConsulSyncer) deregisterRemovedService(ctx context.Context, name, namespace string) { + opts := &api.QueryOptions{ + AllowStale: true, + } + if s.EnableNamespaces { + opts.Namespace = namespace + } + + consulClient, err := consul.NewClientFromConnMgr(s.ConsulClientConfig, s.ConsulServerConnMgr) + if err != nil { + s.Log.Error("failed to create Consul API client; will retry", "err", err) + return + } + + // Limit our backoff so that we don't try forever with a bad client + b := backoff.WithContext( + backoff.WithMaxRetries( + backoff.NewExponentialBackOff(), 5), ctx) + + var services []*api.CatalogService + err = backoff.Retry(func() error { + services, _, err = consulClient.Catalog().Service(name, s.ConsulK8STag, opts) if err != nil { - s.Log.Error("failed to create Consul API client; will retry", "err", err) - continue - } - // Wait for service changes - var services []*api.CatalogService - err = backoff.Retry(func() error { - services, _, err = consulClient.Catalog().Service(name, s.ConsulK8STag, queryOpts) + s.Log.Warn("error querying service, will retry", "error", err) return err - }, backoff.WithContext(backoff.NewExponentialBackOff(), ctx)) - if err != nil { - s.Log.Warn("error querying service, will retry", - "service-name", name, - "service-namespace", namespace, // will be "" if namespaces aren't enabled - "err", err) - continue } - // Lock so we can modify the set of actions to take - s.lock.Lock() + return nil + }, b) + if err != nil { + return + } - for _, svc := range services { - // Make sure the namespace exists before we run checks against it - if _, ok := s.serviceNames[namespace]; ok { - // If the service is valid and its info isn't nil, we don't deregister it - if s.serviceNames[namespace].Contains(svc.ServiceName) && s.namespaces[namespace][svc.ServiceID] != nil { - continue - } - } + // Lock so we can modify the set of actions to take + s.lock.Lock() + defer s.lock.Unlock() - s.deregs[svc.ServiceID] = &api.CatalogDeregistration{ - 
Node: svc.Node, - ServiceID: svc.ServiceID, - } - if s.EnableNamespaces { - s.deregs[svc.ServiceID].Namespace = namespace + for _, service := range services { + // Make sure the namespace exists before we run checks against it + if _, ok := s.serviceNames[namespace]; ok { + // If the service is valid and its info isn't nil, we don't deregister it + if s.serviceNames[namespace].Contains(service.ServiceName) && s.namespaces[namespace][service.ServiceID] != nil { + continue } - s.Log.Debug("[watchService] service being scheduled for deregistration", - "namespace", namespace, - "service name", svc.ServiceName, - "service id", svc.ServiceID, - "service dereg", s.deregs[svc.ServiceID]) } - s.lock.Unlock() + s.deregs[service.ServiceID] = &api.CatalogDeregistration{ + Node: service.Node, + ServiceID: service.ServiceID, + } + if s.EnableNamespaces { + s.deregs[service.ServiceID].Namespace = namespace + } + s.Log.Debug("[watchService] service being scheduled for deregistration", + "namespace", namespace, + "service name", service.ServiceName, + "service id", service.ServiceID, + "service dereg", s.deregs[service.ServiceID]) } } diff --git a/control-plane/cni/go.mod b/control-plane/cni/go.mod index e27eb9ab3f..4b020f0b42 100644 --- a/control-plane/cni/go.mod +++ b/control-plane/cni/go.mod 
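Review bot: The new `s.Log.Warn("error querying service, will retry", "error", err)` in `deregisterRemovedService` dropped the `service-name` and `service-namespace` fields the old Warn carried, so with many watchers running concurrently a failure can no longer be attributed to a service; restore them, e.g. `s.Log.Warn("error querying service, will retry", "service-name", name, "service-consul-namespace", namespace, "error", err)`. `watchService` also now polls every `SyncPeriod/4` where it previously waited a full `SyncPeriod`, which quadruples catalog reads per watched service; if intentional, say so in the `// Run immediately the first time, then wait for the retry period` comment, since the rate change is otherwise invisible. The closure-`err` and log-key remarks on the previous hunk apply to this one as well.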
@@ -9,24 +9,23 @@ require ( github.com/hashicorp/consul/sdk v0.16.1 github.com/hashicorp/go-hclog v1.5.0 github.com/stretchr/testify v1.8.4 - k8s.io/api v0.28.9 - k8s.io/apimachinery v0.28.9 - k8s.io/client-go v0.28.9 + k8s.io/api v0.29.8 + k8s.io/apimachinery v0.29.8 + k8s.io/client-go v0.29.8 ) require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/emicklei/go-restful/v3 v3.10.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/fatih/color v1.16.0 // indirect - github.com/go-logr/logr v1.2.4 // indirect + github.com/go-logr/logr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic-models v0.6.8 // indirect - github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.3.0 // indirect github.com/imdario/mergo v0.3.13 // indirect @@ -52,12 +51,14 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) -go 1.20 +go 1.21 + +toolchain go1.22.6 
diff --git a/control-plane/cni/go.sum b/control-plane/cni/go.sum index 25d890cdd4..81071fa5b8 100644 --- a/control-plane/cni/go.sum +++ b/control-plane/cni/go.sum @@ -10,8 +10,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= -github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= 
@@ -19,9 +19,8 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= @@ -30,6 +29,7 @@ github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/ github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -50,13 +50,15 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/hashicorp/consul/sdk v0.16.1 h1:V8TxTnImoPD5cj0U9Spl0TUxcytjcbbJeADFF07KdHg= 
@@ -75,6 +77,7 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -104,17 +107,20 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= -github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= +github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod 
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -189,6 +195,7 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -222,21 +229,21 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.28.9 h1:E7VEXXCAlSrp+08zq4zgd+ko6Ttu0Mw+XoXlIkDTVW0= -k8s.io/api v0.28.9/go.mod h1:AnCsDYf3SHjfa8mPG5LGYf+iF4mie+3peLQR51MMCgw= -k8s.io/apimachinery v0.28.9 h1:aXz4Zxsw+Pk4KhBerAtKRxNN1uSMWKfciL/iOdBfXvA= -k8s.io/apimachinery v0.28.9/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o= -k8s.io/client-go v0.28.9 h1:mmMvejwc/KDjMLmDpyaxkWNzlWRCJ6ht7Qsbsnwn39Y= -k8s.io/client-go v0.28.9/go.mod h1:GFDy3rUNId++WGrr0hRaBrs+y1eZz5JtVZODEalhRMo= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/api v0.29.8 h1:ZBKg9clWnIGtQ5yGhNwMw2zyyrsIAQaXhZACcYNflQE= +k8s.io/api v0.29.8/go.mod h1:XlGIpmpzKGrtVca7GlgNryZJ19SvQdI808NN7fy1SgQ= +k8s.io/apimachinery v0.29.8 h1:uBHc9WuKiTHClIspJqtR84WNpG0aOGn45HWqxgXkk8Y= +k8s.io/apimachinery v0.29.8/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= +k8s.io/client-go v0.29.8 h1:QMRKcIzqE/qawknXcsi51GdIAYN8UP39S/M5KnFu/J0= +k8s.io/client-go v0.29.8/go.mod h1:ZzrAAVrqO2jVXMb8My/jTke8n0a/mIynnA3y/1y1UB0= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi 
v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/control-plane/config/crd/bases/auth.consul.hashicorp.com_trafficpermissions.yaml b/control-plane/config/crd/bases/auth.consul.hashicorp.com_trafficpermissions.yaml index ca29923851..8c8876ac67 100644 --- a/control-plane/config/crd/bases/auth.consul.hashicorp.com_trafficpermissions.yaml +++ b/control-plane/config/crd/bases/auth.consul.hashicorp.com_trafficpermissions.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: trafficpermissions.auth.consul.hashicorp.com spec: group: auth.consul.hashicorp.com 
@@ -38,32 +38,43 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: TrafficPermissions authorizes traffic between workloads in + a Consul service mesh. properties: action: - description: "Action can be either allow or deny for the entire object. - It will default to allow. \n If action is allow, we will allow the - connection if one of the rules in Rules matches, in other words, - we will deny all requests except for the ones that match Rules. - If Consul is in default allow mode, then allow actions have no effect - without a deny permission as everything is allowed by default. 
\n - If action is deny, we will deny the connection if one of the rules - in Rules match, in other words, we will allow all requests except - for the ones that match Rules. If Consul is default deny mode, then - deny permissions have no effect without an allow permission as everything - is denied by default. \n Action unspecified is reserved for compatibility - with the addition of future actions." + description: |- + Action can be either allow or deny for the entire object. It will default to allow. + Deny actions are available only in Consul Enterprise. + + + If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny + all requests except for the ones that match Rules. If Consul is in default allow mode, then allow + actions have no effect without a deny permission as everything is allowed by default. + + + If action is deny, we will deny the connection if one of the rules in Rules match, in other words, + we will allow all requests except for the ones that match Rules. If Consul is default deny mode, + then deny permissions have no effect without an allow permission as everything is denied by default. + + + Action unspecified is reserved for compatibility with the addition of future actions. enum: - ACTION_ALLOW - ACTION_DENY @@ -71,7 +82,8 @@ spec: format: int32 type: string destination: - description: Destination is a configuration of the destination proxies + description: |- + Destination is a configuration of the destination proxies where these traffic permissions should apply. properties: identityName: 
@@ -84,9 +96,9 @@ spec: description: Permissions is a list of permissions to match on. properties: destinationRules: - description: DestinationRules is a list of rules to apply for - matching sources in this Permission. These rules are specific - to the request or connection that is going to the destination(s) + description: |- + DestinationRules is a list of rules to apply for matching sources in this Permission. + These rules are specific to the request or connection that is going to the destination(s) selected by the TrafficPermissions resource. items: description: DestinationRule contains rules rules to apply @@ -128,8 +140,8 @@ spec: pathRegex: type: string portNames: - description: PortNames is a list of workload ports - to apply this rule to. The ports specified here + description: |- + PortNames is a list of workload ports to apply this rule to. The ports specified here must be the ports used in the connection. items: type: string @@ -156,8 +168,9 @@ spec: type: object type: array methods: - description: Methods is the list of HTTP methods. If no - methods are specified, this rule will apply to all methods. + description: |- + Methods is the list of HTTP methods. If no methods are specified, + this rule will apply to all methods. items: type: string type: array 
@@ -176,17 +189,18 @@ spec: sources: description: Sources is a list of sources in this traffic permission. items: - description: Source represents the source identity. To specify - any of the wildcard sources, the specific fields need to - be omitted. For example, for a wildcard namespace, identity_name - should be omitted. + description: |- + Source represents the source identity. + To specify any of the wildcard sources, the specific fields need to be omitted. + For example, for a wildcard namespace, identity_name should be omitted. properties: exclude: description: Exclude is a list of sources to exclude from this source. items: - description: ExcludeSource is almost the same as source - but it prevents the addition of matching sources. + description: |- + ExcludeSource is almost the same as source but it prevents the addition of + matching sources. properties: identityName: type: string @@ -221,8 +235,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_controlplanerequestlimits.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_controlplanerequestlimits.yaml index 49fc1ae135..44c9e79e2e 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_controlplanerequestlimits.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_controlplanerequestlimits.yaml 
@@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: controlplanerequestlimits.consul.hashicorp.com spec: group: consul.hashicorp.com @@ -32,14 +32,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -151,8 +156,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_exportedservices.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_exportedservices.yaml index 22f816cb18..d10bbf6ae9 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_exportedservices.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_exportedservices.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: exportedservices.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: ExportedServices is the Schema for the exportedservices API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -52,11 +57,13 @@ spec: description: ExportedServicesSpec defines the desired state of ExportedServices. properties: services: - description: Services is a list of services to be exported and the - list of partitions to expose them to. + description: |- + Services is a list of services to be exported and the list of partitions + to expose them to. items: - description: ExportedService manages the exporting of a service - in the local partition to other partitions. + description: |- + ExportedService manages the exporting of a service in the local partition to + other partitions. properties: consumers: description: Consumers is a list of downstream consumers of @@ -95,8 +102,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_gatewayclassconfigs.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_gatewayclassconfigs.yaml index 5f6e3a990b..36a6e75edc 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_gatewayclassconfigs.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_gatewayclassconfigs.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: gatewayclassconfigs.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -23,14 +23,19 @@ spec: for Consul API Gateway. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -77,19 +82,24 @@ spec: gateway. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -105,8 +115,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -115,11 +126,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object @@ -132,8 +143,9 @@ spec: description: Metrics defines how to configure the metrics for a gateway. properties: enabled: - description: Enable metrics for this class of gateways. If unspecified, - will inherit behavior from the global Helm configuration. + description: |- + Enable metrics for this class of gateways. If unspecified, will inherit + behavior from the global Helm configuration. type: boolean path: description: The path used for metrics. 
@@ -148,9 +160,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for the - pod to fit on a node. Selector which must match a node''s labels - for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object openshiftSCCName: description: The name of the OpenShift SecurityContextConstraints 
@@ -168,43 +181,43 @@ spec: - LoadBalancer type: string tolerations: - description: 'Tolerations allow the scheduler to schedule nodes with - matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + description: |- + Tolerations allow the scheduler to schedule nodes with matching taints. + More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ items: - description: The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match all - values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the - value. Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod - can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. 
+ Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time - the toleration (which must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. By default, it - is not set, which means tolerate the taint forever (do not - evict). Zero and negative values will be treated as 0 (evict - immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_gatewaypolicies.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_gatewaypolicies.yaml index e12db4cf20..7c75ef44ce 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_gatewaypolicies.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_gatewaypolicies.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: gatewaypolicies.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -35,14 +35,19 @@ spec: description: GatewayPolicy is the Schema for the gatewaypolicies API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -63,9 +68,9 @@ spec: verification information. properties: name: - description: Name is the name of the JWT provider. There - MUST be a corresponding "jwt-provider" config entry - with this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional claims 
@@ -81,11 +86,14 @@ spec: type: string type: array value: - description: "Value is the expected value at the - given path: - If the type at the path is a list - then we verify that this value is contained - in the list. \n - If the type at the path is - a string then we verify that this value matches." + description: |- + Value is the expected value at the given path: + - If the type at the path is a list then we verify + that this value is contained in the list. + + + - If the type at the path is a string then we verify + that this value matches. type: string required: - path @@ -114,9 +122,9 @@ spec: verification information. properties: name: - description: Name is the name of the JWT provider. There - MUST be a corresponding "jwt-provider" config entry - with this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional claims @@ -132,11 +140,14 @@ spec: type: string type: array value: - description: "Value is the expected value at the - given path: - If the type at the path is a list - then we verify that this value is contained - in the list. \n - If the type at the path is - a string then we verify that this value matches." + description: |- + Value is the expected value at the given path: + - If the type at the path is a list then we verify + that this value is contained in the list. + + + - If the type at the path is a string then we verify + that this value matches. type: string required: - path 
@@ -170,10 +181,11 @@ spec: minLength: 1 type: string namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it may only apply - to traffic originating from the same namespace as the policy. + description: |- + Namespace is the namespace of the referent. When unspecified, the local + namespace is inferred. Even when policy targets a resource in a different + namespace, it may only apply to traffic originating from the same + namespace as the policy. maxLength: 253 minLength: 1 type: string 
@@ -196,46 +208,53 @@ spec: description: GatewayPolicyStatus defines the observed state of the gateway. properties: conditions: - description: "Conditions describe the current conditions of the Policy. - \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + description: |- + Conditions describe the current conditions of the Policy. + + + Known condition types are: + + + * "Accepted" + * "ResolvedRefs" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -249,11 +268,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_ingressgateways.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_ingressgateways.yaml index 79450327cb..701ef754b5 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_ingressgateways.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_ingressgateways.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: ingressgateways.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: IngressGateway is the Schema for the ingressgateways API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,64 +60,68 @@ spec: description: Defaults is default configuration for all upstream services properties: maxConcurrentRequests: - description: The maximum number of concurrent requests that will - be allowed at a single point in time. Use this to limit HTTP/2 - traffic, since HTTP/2 has many requests per connection. + description: |- + The maximum number of concurrent requests that + will be allowed at a single point in time. Use this to limit HTTP/2 traffic, + since HTTP/2 has many requests per connection. format: int32 type: integer maxConnections: - description: The maximum number of connections a service instance - will be allowed to establish against the given upstream. Use - this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request - per connection. + description: |- + The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use this to limit + HTTP/1.1 traffic, since HTTP/1.1 has a request per connection. format: int32 type: integer maxPendingRequests: - description: The maximum number of requests that will be queued + description: |- + The maximum number of requests that will be queued while waiting for a connection to be established. format: int32 type: integer passiveHealthCheck: - description: PassiveHealthCheck configuration determines how upstream - proxy instances will be monitored for removal from the load - balancing pool. + description: |- + PassiveHealthCheck configuration determines how upstream proxy instances will + be monitored for removal from the load balancing pool. properties: baseEjectionTime: - description: The base time that a host is ejected for. The - real time is equal to the base time multiplied by the number - of times the host has been ejected and is capped by max_ejection_time - (Default 300s). Defaults to 30s. + description: |- + The base time that a host is ejected for. 
The real time is equal to the base time + multiplied by the number of times the host has been ejected and is capped by + max_ejection_time (Default 300s). Defaults to 30s. type: string enforcingConsecutive5xx: - description: EnforcingConsecutive5xx is the % chance that - a host will be actually ejected when an outlier status is - detected through consecutive 5xx. This setting can be used - to disable ejection or to ramp it up slowly. Ex. Setting - this to 10 will make it a 10% chance that the host will - be ejected. + description: |- + EnforcingConsecutive5xx is the % chance that a host will be actually ejected + when an outlier status is detected through consecutive 5xx. + This setting can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that the host will be ejected. format: int32 type: integer interval: - description: Interval between health check analysis sweeps. - Each sweep may remove hosts or return hosts to the pool. - Ex. setting this to "10s" will set the interval to 10 seconds. + description: |- + Interval between health check analysis sweeps. Each sweep may remove + hosts or return hosts to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. type: string maxEjectionPercent: - description: The maximum % of an upstream cluster that can - be ejected due to outlier detection. Defaults to 10% but - will eject at least one host regardless of the value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier detection. + Defaults to 10% but will eject at least one host regardless of the value. format: int32 type: integer maxFailures: - description: MaxFailures is the count of consecutive failures - that results in a host being removed from the pool. + description: |- + MaxFailures is the count of consecutive failures that results in a host + being removed from the pool. 
format: int32 type: integer type: object type: object listeners: - description: Listeners declares what ports the ingress gateway should - listen on, and what services to associated to those ports. + description: |- + Listeners declares what ports the ingress gateway should listen on, and + what services to associated to those ports. items: description: IngressListener manages the configuration for a listener on a specific port. 
@@ -122,110 +131,119 @@ spec: should listen for traffic. type: integer protocol: - description: 'Protocol declares what type of traffic this listener - is expected to receive. Depending on the protocol, a listener - might support multiplexing services over a single port, or - additional discovery chain features. The current supported - values are: (tcp | http | http2 | grpc).' + description: |- + Protocol declares what type of traffic this listener is expected to + receive. Depending on the protocol, a listener might support multiplexing + services over a single port, or additional discovery chain features. The + current supported values are: (tcp | http | http2 | grpc). type: string services: - description: Services declares the set of services to which - the listener forwards traffic. For "tcp" protocol listeners, - only a single service is allowed. For "http" listeners, multiple - services can be declared. + description: |- + Services declares the set of services to which the listener forwards + traffic. + For "tcp" protocol listeners, only a single service is allowed. + For "http" listeners, multiple services can be declared. items: - description: IngressService manages configuration for services - that are exposed to ingress traffic. + description: |- + IngressService manages configuration for services that are exposed to + ingress traffic. properties: hosts: - description: "Hosts is a list of hostnames which should - be associated to this service on the defined listener. - Only allowed on layer 7 protocols, this will be used - to route traffic to the service by matching the Host - header of the HTTP request. \n If a host is provided - for a service that also has a wildcard specifier defined, - the host will override the wildcard-specifier-provided - \".*\" domain for that listener. \n This - cannot be specified when using the wildcard specifier, - \"*\", or when using a \"tcp\" listener." 
+ description: |- + Hosts is a list of hostnames which should be associated to this service on + the defined listener. Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host header of the HTTP + request. + + + If a host is provided for a service that also has a wildcard specifier + defined, the host will override the wildcard-specifier-provided + ".*" domain for that listener. + + + This cannot be specified when using the wildcard specifier, "*", or when + using a "tcp" listener. items: type: string type: array maxConcurrentRequests: - description: The maximum number of concurrent requests - that will be allowed at a single point in time. Use - this to limit HTTP/2 traffic, since HTTP/2 has many - requests per connection. + description: |- + The maximum number of concurrent requests that + will be allowed at a single point in time. Use this to limit HTTP/2 traffic, + since HTTP/2 has many requests per connection. format: int32 type: integer maxConnections: - description: The maximum number of connections a service - instance will be allowed to establish against the given - upstream. Use this to limit HTTP/1.1 traffic, since - HTTP/1.1 has a request per connection. + description: |- + The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use this to limit + HTTP/1.1 traffic, since HTTP/1.1 has a request per connection. format: int32 type: integer maxPendingRequests: - description: The maximum number of requests that will - be queued while waiting for a connection to be established. + description: |- + The maximum number of requests that will be queued + while waiting for a connection to be established. format: int32 type: integer name: - description: "Name declares the service to which traffic - should be forwarded. \n This can either be a specific - service, or the wildcard specifier, \"*\". 
If the wildcard - specifier is provided, the listener must be of \"http\" - protocol and means that the listener will forward traffic - to all services. \n A name can be specified on multiple - listeners, and will be exposed on both of the listeners." + description: |- + Name declares the service to which traffic should be forwarded. + + + This can either be a specific service, or the wildcard specifier, + "*". If the wildcard specifier is provided, the listener must be of "http" + protocol and means that the listener will forward traffic to all services. + + + A name can be specified on multiple listeners, and will be exposed on both + of the listeners. type: string namespace: - description: Namespace is the namespace where the service - is located. Namespacing is a Consul Enterprise feature. + description: |- + Namespace is the namespace where the service is located. + Namespacing is a Consul Enterprise feature. type: string partition: - description: Partition is the admin-partition where the - service is located. Partitioning is a Consul Enterprise - feature. + description: |- + Partition is the admin-partition where the service is located. + Partitioning is a Consul Enterprise feature. type: string passiveHealthCheck: - description: PassiveHealthCheck configuration determines - how upstream proxy instances will be monitored for removal - from the load balancing pool. + description: |- + PassiveHealthCheck configuration determines how upstream proxy instances will + be monitored for removal from the load balancing pool. properties: baseEjectionTime: - description: The base time that a host is ejected - for. The real time is equal to the base time multiplied - by the number of times the host has been ejected - and is capped by max_ejection_time (Default 300s). - Defaults to 30s. + description: |- + The base time that a host is ejected for. 
The real time is equal to the base time + multiplied by the number of times the host has been ejected and is capped by + max_ejection_time (Default 300s). Defaults to 30s. type: string enforcingConsecutive5xx: - description: EnforcingConsecutive5xx is the % chance - that a host will be actually ejected when an outlier - status is detected through consecutive 5xx. This - setting can be used to disable ejection or to ramp - it up slowly. Ex. Setting this to 10 will make it - a 10% chance that the host will be ejected. + description: |- + EnforcingConsecutive5xx is the % chance that a host will be actually ejected + when an outlier status is detected through consecutive 5xx. + This setting can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that the host will be ejected. format: int32 type: integer interval: - description: Interval between health check analysis - sweeps. Each sweep may remove hosts or return hosts - to the pool. Ex. setting this to "10s" will set + description: |- + Interval between health check analysis sweeps. Each sweep may remove + hosts or return hosts to the pool. Ex. setting this to "10s" will set the interval to 10 seconds. type: string maxEjectionPercent: - description: The maximum % of an upstream cluster - that can be ejected due to outlier detection. Defaults - to 10% but will eject at least one host regardless - of the value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier detection. + Defaults to 10% but will eject at least one host regardless of the value. format: int32 type: integer maxFailures: - description: MaxFailures is the count of consecutive - failures that results in a host being removed from - the pool. + description: |- + MaxFailures is the count of consecutive failures that results in a host + being removed from the pool. format: int32 type: integer type: object 
@@ -235,50 +253,52 @@ spec: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that - should be appended to the request or response (i.e. - allowing duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). type: object remove: - description: Remove is the set of header names that - should be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that - should be added to the request or response, overwriting - any existing header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object responseHeaders: - description: HTTPHeaderModifiers is a set of rules for - HTTP header modification that should be performed by - proxies as the request passes through them. It can operate - on either request or response headers depending on the - context in which it is used. + description: |- + HTTPHeaderModifiers is a set of rules for HTTP header modification that + should be performed by proxies as the request passes through them. It can + operate on either request or response headers depending on the context in + which it is used. properties: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that - should be appended to the request or response (i.e. - allowing duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). 
type: object remove: - description: Remove is the set of header names that - should be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that - should be added to the request or response, overwriting - any existing header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object tls: @@ -295,10 +315,9 @@ spec: from the SDS service. type: string clusterName: - description: ClusterName is the SDS cluster name - to connect to, to retrieve certificates. This - cluster must be specified in the Gateway's bootstrap - configuration. + description: |- + ClusterName is the SDS cluster name to connect to, to retrieve certificates. + This cluster must be specified in the Gateway's bootstrap configuration. type: string type: object type: object @@ -308,9 +327,9 @@ spec: description: TLS config for this listener. properties: cipherSuites: - description: Define a subset of cipher suites to restrict - Only applicable to connections negotiated via TLS 1.2 - or earlier. + description: |- + Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 or earlier. items: type: string type: array 
@@ -328,24 +347,23 @@ spec: service. type: string clusterName: - description: ClusterName is the SDS cluster name to - connect to, to retrieve certificates. This cluster - must be specified in the Gateway's bootstrap configuration. + description: |- + ClusterName is the SDS cluster name to connect to, to retrieve certificates. + This cluster must be specified in the Gateway's bootstrap configuration. type: string type: object tlsMaxVersion: - description: TLSMaxVersion sets the default maximum TLS - version supported. Must be greater than or equal to `TLSMinVersion`. - One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or - `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 - as a max version for incoming connections. + description: |- + TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. type: string tlsMinVersion: - description: TLSMinVersion sets the default minimum TLS - version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, - `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 - and newer will default to TLS 1.2 as a min version, while - older releases of Envoy default to TLS 1.0. + description: |- + TLSMinVersion sets the default minimum TLS version supported. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + while older releases of Envoy default to TLS 1.0. type: string required: - enabled 
@@ -356,8 +374,9 @@ spec: description: TLS holds the TLS configuration for this gateway. properties: cipherSuites: - description: Define a subset of cipher suites to restrict Only - applicable to connections negotiated via TLS 1.2 or earlier. + description: |- + Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 or earlier. items: type: string type: array 
@@ -374,24 +393,23 @@ spec: when fetching the certificate from the SDS service. type: string clusterName: - description: ClusterName is the SDS cluster name to connect - to, to retrieve certificates. This cluster must be specified - in the Gateway's bootstrap configuration. + description: |- + ClusterName is the SDS cluster name to connect to, to retrieve certificates. + This cluster must be specified in the Gateway's bootstrap configuration. type: string type: object tlsMaxVersion: - description: TLSMaxVersion sets the default maximum TLS version - supported. Must be greater than or equal to `TLSMinVersion`. + description: |- + TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. - If unspecified, Envoy will default to TLS 1.3 as a max version - for incoming connections. + If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. type: string tlsMinVersion: - description: TLSMinVersion sets the default minimum TLS version - supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, - or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default - to TLS 1.2 as a min version, while older releases of Envoy default - to TLS 1.0. + description: |- + TLSMinVersion sets the default minimum TLS version supported. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + while older releases of Envoy default to TLS 1.0. type: string required: - enabled 
@@ -403,8 +421,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_jwtproviders.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_jwtproviders.yaml index df234ae1eb..7fc78372cf 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_jwtproviders.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_jwtproviders.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtproviders.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -22,14 +22,19 @@ spec: description: JWTProvider is the Schema for the jwtproviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -37,62 +42,79 @@ spec: description: JWTProviderSpec defines the desired state of JWTProvider properties: audiences: - description: Audiences is the set of audiences the JWT is allowed - to access. If specified, all JWTs verified with this provider must - address at least one of these to be considered valid. + description: |- + Audiences is the set of audiences the JWT is allowed to access. + If specified, all JWTs verified with this provider must address + at least one of these to be considered valid. items: type: string type: array cacheConfig: - description: CacheConfig defines configuration for caching the validation - result for previously seen JWTs. Caching results can speed up verification - when individual tokens are expected to be handled multiple times. + description: |- + CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up + verification when individual tokens are expected to be handled + multiple times. properties: size: - description: "Size specifies the maximum number of JWT verification - results to cache. \n Defaults to 0, meaning that JWT caching - is disabled." + description: |- + Size specifies the maximum number of JWT verification + results to cache. + + + Defaults to 0, meaning that JWT caching is disabled. type: integer type: object clockSkewSeconds: - description: "ClockSkewSeconds specifies the maximum allowable time - difference from clock skew when validating the \"exp\" (Expiration) - and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + description: |- + ClockSkewSeconds specifies the maximum allowable time difference + from clock skew when validating the "exp" (Expiration) and "nbf" + (Not Before) claims. + + + Default value is 30 seconds. type: integer forwarding: description: Forwarding defines rules for forwarding verified JWTs to the backend. 
properties: headerName: - description: "HeaderName is a header name to use when forwarding - a verified JWT to the backend. The verified JWT could have been - extracted from any location (query param, header, or cookie). - \n The header value will be base64-URL-encoded, and will not - be padded unless PadForwardPayloadHeader is true." + description: |- + HeaderName is a header name to use when forwarding a verified + JWT to the backend. The verified JWT could have been extracted + from any location (query param, header, or cookie). + + + The header value will be base64-URL-encoded, and will not be + padded unless PadForwardPayloadHeader is true. type: string padForwardPayloadHeader: - description: "PadForwardPayloadHeader determines whether padding - should be added to the base64 encoded token forwarded with ForwardPayloadHeader. - \n Default value is false." + description: |- + PadForwardPayloadHeader determines whether padding should be added + to the base64 encoded token forwarded with ForwardPayloadHeader. + + + Default value is false. type: boolean type: object issuer: - description: Issuer is the entity that must have issued the JWT. This - value must match the "iss" claim of the token. + description: |- + Issuer is the entity that must have issued the JWT. + This value must match the "iss" claim of the token. type: string jsonWebKeySet: - description: JSONWebKeySet defines a JSON Web Key Set, its location - on disk, or the means with which to fetch a key set from a remote - server. + description: |- + JSONWebKeySet defines a JSON Web Key Set, its location on disk, or the + means with which to fetch a key set from a remote server. properties: local: description: Local specifies a local source for the key set. properties: filename: - description: Filename configures a location on disk where - the JWKS can be found. If specified, the file must be present - on the disk of ALL proxies with intentions referencing this - provider. 
+ description: |- + Filename configures a location on disk where the JWKS can be + found. If specified, the file must be present on the disk of ALL + proxies with intentions referencing this provider. type: string jwks: description: JWKS contains a base64 encoded JWKS. 
@@ -103,62 +125,78 @@ spec: server. properties: cacheDuration: - description: "CacheDuration is the duration after which cached - keys should be expired. \n Default value is 5 minutes." + description: |- + CacheDuration is the duration after which cached keys + should be expired. + + + Default value is 5 minutes. type: string fetchAsynchronously: - description: "FetchAsynchronously indicates that the JWKS - should be fetched when a client request arrives. Client - requests will be paused until the JWKS is fetched. If false, - the proxy listener will wait for the JWKS to be fetched - before being activated. \n Default value is false." + description: |- + FetchAsynchronously indicates that the JWKS should be fetched + when a client request arrives. Client requests will be paused + until the JWKS is fetched. + If false, the proxy listener will wait for the JWKS to be + fetched before being activated. + + + Default value is false. type: boolean jwksCluster: description: JWKSCluster defines how the specified Remote JWKS URI is to be fetched. properties: connectTimeout: - description: The timeout for new network connections to - hosts in the cluster. If not set, a default value of - 5s will be used. + description: |- + The timeout for new network connections to hosts in the cluster. + If not set, a default value of 5s will be used. type: string discoveryType: - description: "DiscoveryType refers to the service discovery - type to use for resolving the cluster. \n This defaults - to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, - EDS or ORIGINAL_DST." + description: |- + DiscoveryType refers to the service discovery type to use for resolving the cluster. + + + This defaults to STRICT_DNS. + Other options include STATIC, LOGICAL_DNS, EDS or ORIGINAL_DST. type: string tlsCertificates: - description: "TLSCertificates refers to the data containing - certificate authority certificates to use in verifying - a presented peer certificate. 
If not specified and a - peer certificate is presented it will not be verified. - \n Must be either CaCertificateProviderInstance or TrustedCA." + description: |- + TLSCertificates refers to the data containing certificate authority certificates to use + in verifying a presented peer certificate. + If not specified and a peer certificate is presented it will not be verified. + + + Must be either CaCertificateProviderInstance or TrustedCA. properties: caCertificateProviderInstance: description: CaCertificateProviderInstance Certificate provider instance for fetching TLS certificates. properties: certificateName: - description: "CertificateName is used to specify - certificate instances or types. For example, - \"ROOTCA\" to specify a root-certificate (validation - context) or \"example.com\" to specify a certificate - for a particular domain. \n The default value - is the empty string." + description: |- + CertificateName is used to specify certificate instances or types. For example, "ROOTCA" to specify + a root-certificate (validation context) or "example.com" to specify a certificate for a + particular domain. + + + The default value is the empty string. type: string instanceName: - description: "InstanceName refers to the certificate - provider instance name. \n The default value - is \"default\"." + description: |- + InstanceName refers to the certificate provider instance name. + + + The default value is "default". type: string type: object trustedCA: - description: "TrustedCA defines TLS certificate data - containing certificate authority certificates to - use in verifying a presented peer certificate. \n - Exactly one of Filename, EnvironmentVariable, InlineString - or InlineBytes must be specified." + description: |- + TrustedCA defines TLS certificate data containing certificate authority certificates + to use in verifying a presented peer certificate. + + + Exactly one of Filename, EnvironmentVariable, InlineString or InlineBytes must be specified. 
properties: environmentVariable: type: string @@ -173,33 +211,47 @@ spec: type: object type: object requestTimeoutMs: - description: RequestTimeoutMs is the number of milliseconds - to time out when making a request for the JWKS. + description: |- + RequestTimeoutMs is the number of milliseconds to + time out when making a request for the JWKS. type: integer retryPolicy: - description: "RetryPolicy defines a retry policy for fetching - JWKS. \n There is no retry by default." + description: |- + RetryPolicy defines a retry policy for fetching JWKS. + + + There is no retry by default. properties: numRetries: - description: "NumRetries is the number of times to retry - fetching the JWKS. The retry strategy uses jittered - exponential backoff with a base interval of 1s and max - of 10s. \n Default value is 0." + description: |- + NumRetries is the number of times to retry fetching the JWKS. + The retry strategy uses jittered exponential backoff with + a base interval of 1s and max of 10s. + + + Default value is 0. type: integer retryPolicyBackOff: - description: "Retry's backoff policy. \n Defaults to Envoy's - backoff policy." + description: |- + Retry's backoff policy. + + + Defaults to Envoy's backoff policy. properties: baseInterval: - description: "BaseInterval to be used for the next - back off computation. \n The default value from - envoy is 1s." + description: |- + BaseInterval to be used for the next back off computation. + + + The default value from envoy is 1s. type: string maxInterval: - description: "MaxInternal to be used to specify the - maximum interval between retries. Optional but should - be greater or equal to BaseInterval. \n Defaults - to 10 times BaseInterval." + description: |- + MaxInternal to be used to specify the maximum interval between retries. + Optional but should be greater or equal to BaseInterval. + + + Defaults to 10 times BaseInterval. type: string type: object type: object 
@@ -210,15 +262,19 @@ spec: type: object type: object locations: - description: 'Locations where the JWT will be present in requests. - Envoy will check all of these locations to extract a JWT. If no - locations are specified Envoy will default to: 1. Authorization - header with Bearer schema: "Authorization: Bearer " 2. accessToken - query parameter.' + description: |- + Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. + If no locations are specified Envoy will default to: + 1. Authorization header with Bearer schema: + "Authorization: Bearer " + 2. accessToken query parameter. items: - description: "JWTLocation is a location where the JWT could be present - in requests. \n Only one of Header, QueryParam, or Cookie can - be specified." + description: |- + JWTLocation is a location where the JWT could be present in requests. + + + Only one of Header, QueryParam, or Cookie can be specified. properties: cookie: description: Cookie defines how to extract a JWT from an HTTP 
@@ -234,26 +290,31 @@ spec: request header. properties: forward: - description: "Forward defines whether the header with the - JWT should be forwarded after the token has been verified. - If false, the header will not be forwarded to the backend. - \n Default value is false." + description: |- + Forward defines whether the header with the JWT should be + forwarded after the token has been verified. If false, the + header will not be forwarded to the backend. + + + Default value is false. type: boolean name: description: Name is the name of the header containing the token. type: string valuePrefix: - description: 'ValuePrefix is an optional prefix that precedes - the token in the header value. For example, "Bearer " - is a standard value prefix for a header named "Authorization", - but the prefix is not part of the token itself: "Authorization: - Bearer "' + description: |- + ValuePrefix is an optional prefix that precedes the token in the + header value. + For example, "Bearer " is a standard value prefix for a header named + "Authorization", but the prefix is not part of the token itself: + "Authorization: Bearer " type: string type: object queryParam: - description: QueryParam defines how to extract a JWT from an - HTTP request query parameter. + description: |- + QueryParam defines how to extract a JWT from an HTTP request + query parameter. properties: name: description: Name is the name of the query param containing 
@@ -269,8 +330,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_meshes.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_meshes.yaml index 3c22a4842e..c5c15b3c5d 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_meshes.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_meshes.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshes.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -35,14 +35,19 @@ spec: description: Mesh is the Schema for the mesh API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,9 +55,9 @@ spec: description: MeshSpec defines the desired state of Mesh. properties: allowEnablingPermissiveMutualTLS: - description: AllowEnablingPermissiveMutualTLS must be true in order - to allow setting MutualTLSMode=permissive in either service-defaults - or proxy-defaults. + description: |- + AllowEnablingPermissiveMutualTLS must be true in order to allow setting + MutualTLSMode=permissive in either service-defaults or proxy-defaults. type: boolean http: description: HTTP defines the HTTP configuration for the service mesh. 
@@ -67,80 +72,73 @@ spec: mesh. properties: peerThroughMeshGateways: - description: PeerThroughMeshGateways determines whether peering - traffic between control planes should flow through mesh gateways. - If enabled, Consul servers will advertise mesh gateway addresses - as their own. Additionally, mesh gateways will configure themselves - to expose the local servers using a peering-specific SNI. + description: |- + PeerThroughMeshGateways determines whether peering traffic between + control planes should flow through mesh gateways. If enabled, + Consul servers will advertise mesh gateway addresses as their own. + Additionally, mesh gateways will configure themselves to expose + the local servers using a peering-specific SNI. type: boolean type: object tls: description: TLS defines the TLS configuration for the service mesh. properties: incoming: - description: Incoming defines the TLS configuration for inbound - mTLS connections targeting the public listener on Connect and - TerminatingGateway proxy kinds. + description: |- + Incoming defines the TLS configuration for inbound mTLS connections targeting + the public listener on Connect and TerminatingGateway proxy kinds. properties: cipherSuites: - description: CipherSuites sets the default list of TLS cipher - suites to support when negotiating connections using TLS - 1.2 or earlier. If unspecified, Envoy will use a default - server cipher list. The list of supported cipher suites - can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 - and is dependent on underlying support in Envoy. Future - releases of Envoy may remove currently-supported but insecure - cipher suites, and future releases of Consul may add new - supported cipher suites if any are added to Envoy. + description: |- + CipherSuites sets the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. + If unspecified, Envoy will use a default server cipher list. 
The list of supported cipher suites can be seen in + https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 and is dependent on underlying support in Envoy. + Future releases of Envoy may remove currently-supported but insecure cipher suites, + and future releases of Consul may add new supported cipher suites if any are added to Envoy. items: type: string type: array tlsMaxVersion: - description: TLSMaxVersion sets the default maximum TLS version - supported. Must be greater than or equal to `TLSMinVersion`. + description: |- + TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. - If unspecified, Envoy will default to TLS 1.3 as a max version - for incoming connections. + If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. type: string tlsMinVersion: - description: TLSMinVersion sets the default minimum TLS version - supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, - or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will - default to TLS 1.2 as a min version, while older releases - of Envoy default to TLS 1.0. + description: |- + TLSMinVersion sets the default minimum TLS version supported. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + while older releases of Envoy default to TLS 1.0. type: string type: object outgoing: - description: Outgoing defines the TLS configuration for outbound - mTLS connections dialing upstreams from Connect and IngressGateway - proxy kinds. + description: |- + Outgoing defines the TLS configuration for outbound mTLS connections dialing upstreams + from Connect and IngressGateway proxy kinds. 
properties: cipherSuites: - description: CipherSuites sets the default list of TLS cipher - suites to support when negotiating connections using TLS - 1.2 or earlier. If unspecified, Envoy will use a default - server cipher list. The list of supported cipher suites - can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 - and is dependent on underlying support in Envoy. Future - releases of Envoy may remove currently-supported but insecure - cipher suites, and future releases of Consul may add new - supported cipher suites if any are added to Envoy. + description: |- + CipherSuites sets the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. + If unspecified, Envoy will use a default server cipher list. The list of supported cipher suites can be seen in + https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 and is dependent on underlying support in Envoy. + Future releases of Envoy may remove currently-supported but insecure cipher suites, + and future releases of Consul may add new supported cipher suites if any are added to Envoy. items: type: string type: array tlsMaxVersion: - description: TLSMaxVersion sets the default maximum TLS version - supported. Must be greater than or equal to `TLSMinVersion`. + description: |- + TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. - If unspecified, Envoy will default to TLS 1.3 as a max version - for incoming connections. + If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. type: string tlsMinVersion: - description: TLSMinVersion sets the default minimum TLS version - supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, - or `TLSv1_3`. 
If unspecified, Envoy v1.22.0 and newer will - default to TLS 1.2 as a min version, while older releases - of Envoy default to TLS 1.0. + description: |- + TLSMinVersion sets the default minimum TLS version supported. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + while older releases of Envoy default to TLS 1.0. type: string type: object type: object @@ -149,13 +147,21 @@ spec: to proxies in "transparent" mode. Added in v1.10.0. properties: meshDestinationsOnly: - description: MeshDestinationsOnly determines whether sidecar proxies - operating in "transparent" mode can proxy traffic to IP addresses - not registered in Consul's catalog. If enabled, traffic will - only be proxied to upstreams with service registrations in the - catalog. + description: |- + MeshDestinationsOnly determines whether sidecar proxies operating in "transparent" mode can proxy traffic + to IP addresses not registered in Consul's catalog. If enabled, traffic will only be proxied to upstreams + with service registrations in the catalog. type: boolean type: object + validateClusters: + description: |- + ValidateClusters controls whether the clusters the route table refers to are validated. The default value is + false. When set to false and a route refers to a cluster that does not exist, the route table loads and routing + to a non-existent cluster results in a 404. When set to true and the route is set to a cluster that do not exist, + the route table will not load. For more information, refer to + [HTTP route configuration in the Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-field-config-route-v3-routeconfiguration-validate-clusters) + for more details. + type: boolean type: object status: properties: 
@@ -163,8 +169,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_meshservices.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_meshservices.yaml index 9eccd85cad..3e6f90d558 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_meshservices.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_meshservices.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshservices.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -23,14 +23,19 @@ spec: Service Mesh service. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -41,9 +46,9 @@ spec: description: Name holds the service name for a Consul service. type: string peer: - description: Peer optionally specifies the name of the peer exporting - the Consul service. If not specified, the Consul service is assumed - to be in the local datacenter. + description: |- + Peer optionally specifies the name of the peer exporting the Consul service. + If not specified, the Consul service is assumed to be in the local datacenter. type: string type: object type: object 
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_peeringacceptors.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_peeringacceptors.yaml index b568a94962..40b3f86dd8 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_peeringacceptors.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_peeringacceptors.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: peeringacceptors.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: PeeringAcceptor is the Schema for the peeringacceptors API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -80,8 +85,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_peeringdialers.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_peeringdialers.yaml index ebf64adf67..04892b2f6c 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_peeringdialers.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_peeringdialers.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: peeringdialers.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: PeeringDialer is the Schema for the peeringdialers API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -80,8 +85,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_proxydefaults.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_proxydefaults.yaml index 20f2faeb63..491da3b137 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_proxydefaults.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_proxydefaults.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: proxydefaults.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: ProxyDefaults is the Schema for the proxydefaults API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,37 +61,40 @@ spec: configuration. properties: disableListenerLogs: - description: DisableListenerLogs turns off just listener logs - for connections rejected by Envoy because they don't have a - matching listener filter. + description: |- + DisableListenerLogs turns off just listener logs for connections rejected by Envoy because they don't + have a matching listener filter. type: boolean enabled: description: Enabled turns on all access logging type: boolean jsonFormat: - description: 'JSONFormat is a JSON-formatted string of an Envoy - access log format dictionary. See for more info on formatting: - https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries - Defining JSONFormat and TextFormat is invalid.' + description: |- + JSONFormat is a JSON-formatted string of an Envoy access log format dictionary. + See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid. type: string path: description: Path is the output file to write logs for file-type logging type: string textFormat: - description: 'TextFormat is a representation of Envoy access logs - format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings - Defining JSONFormat and TextFormat is invalid.' + description: |- + TextFormat is a representation of Envoy access logs format. + See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid. type: string type: - description: Type selects the output for logs one of "file", "stderr". - "stdout" + description: |- + Type selects the output for logs + one of "file", "stderr". 
"stdout" type: string type: object config: - description: Config is an arbitrary map of configuration values used - by Connect proxies. Any values that your proxy allows can be configured - globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + description: |- + Config is an arbitrary map of configuration values used by Connect proxies. + Any values that your proxy allows can be configured globally here. + Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting type: object x-kubernetes-preserve-unknown-fields: true envoyExtensions: @@ -110,9 +118,9 @@ spec: for Envoy. properties: checks: - description: Checks defines whether paths associated with Consul - checks will be exposed. This flag triggers exposing all HTTP - and GRPC check paths registered for the service. + description: |- + Checks defines whether paths associated with Consul checks will be exposed. + This flag triggers exposing all HTTP and GRPC check paths registered for the service. type: boolean paths: description: Paths is the list of paths exposed through the proxy. @@ -131,7 +139,8 @@ spec: ie. "/metrics". type: string protocol: - description: Protocol describes the upstream's service protocol. + description: |- + Protocol describes the upstream's service protocol. Valid values are "http" and "http2", defaults to "http". type: string type: object 
@@ -142,14 +151,14 @@ spec: failover. properties: mode: - description: Mode specifies the type of failover that will be - performed. Valid values are "sequential", "" (equivalent to - "sequential") and "order-by-locality". + description: |- + Mode specifies the type of failover that will be performed. Valid values are + "sequential", "" (equivalent to "sequential") and "order-by-locality". type: string regions: - description: Regions is the ordered list of the regions of the - failover targets. Valid values can be "us-west-1", "us-west-2", - and so on. + description: |- + Regions is the ordered list of the regions of the failover targets. + Valid values can be "us-west-1", "us-west-2", and so on. items: type: string type: array 
@@ -159,59 +168,62 @@ spec: for this service. properties: mode: - description: Mode is the mode that should be used for the upstream - connection. One of none, local, or remote. + description: |- + Mode is the mode that should be used for the upstream connection. + One of none, local, or remote. type: string type: object mode: - description: 'Mode can be one of "direct" or "transparent". "transparent" - represents that inbound and outbound application traffic is being - captured and redirected through the proxy. This mode does not enable - the traffic redirection itself. Instead it signals Consul to configure - Envoy as if traffic is already being redirected. "direct" represents - that the proxy''s listeners must be dialed directly by the local - application and other proxies. Note: This cannot be set using the - CRD and should be set using annotations on the services that are - part of the mesh.' + description: |- + Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound + application traffic is being captured and redirected through the proxy. This mode does not + enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if + traffic is already being redirected. "direct" represents that the proxy's listeners must be + dialed directly by the local application and other proxies. + Note: This cannot be set using the CRD and should be set using annotations on the + services that are part of the mesh. type: string mutualTLSMode: - description: 'MutualTLSMode controls whether mutual TLS is required - for all incoming connections when transparent proxy is enabled. - This can be set to "permissive" or "strict". "strict" is the default - which requires mutual TLS for incoming connections. 
In the insecure - "permissive" mode, connections to the sidecar proxy public listener - port require mutual TLS, but connections to the service port do - not require mutual TLS and are proxied to the application unmodified. - Note: Intentions are not enforced for non-mTLS connections. To keep - your services secure, we recommend using "strict" mode whenever - possible and enabling "permissive" mode only when necessary.' + description: |- + MutualTLSMode controls whether mutual TLS is required for all incoming + connections when transparent proxy is enabled. This can be set to + "permissive" or "strict". "strict" is the default which requires mutual + TLS for incoming connections. In the insecure "permissive" mode, + connections to the sidecar proxy public listener port require mutual + TLS, but connections to the service port do not require mutual TLS and + are proxied to the application unmodified. Note: Intentions are not + enforced for non-mTLS connections. To keep your services secure, we + recommend using "strict" mode whenever possible and enabling + "permissive" mode only when necessary. type: string prioritizeByLocality: - description: PrioritizeByLocality controls whether the locality of - services within the local partition will be used to prioritize connectivity. + description: |- + PrioritizeByLocality controls whether the locality of services within the + local partition will be used to prioritize connectivity. properties: mode: - description: 'Mode specifies the type of prioritization that will - be performed when selecting nodes in the local partition. Valid - values are: "" (default "none"), "none", and "failover".' + description: |- + Mode specifies the type of prioritization that will be performed + when selecting nodes in the local partition. + Valid values are: "" (default "none"), "none", and "failover". type: string type: object transparentProxy: - description: 'TransparentProxy controls configuration specific to - proxies in transparent mode. 
Note: This cannot be set using the - CRD and should be set using annotations on the services that are - part of the mesh.' + description: |- + TransparentProxy controls configuration specific to proxies in transparent mode. + Note: This cannot be set using the CRD and should be set using annotations on the + services that are part of the mesh. properties: dialedDirectly: - description: DialedDirectly indicates whether transparent proxies - can dial this proxy instance directly. The discovery chain is - not considered when dialing a service instance directly. This - setting is useful when addressing stateful services, such as - a database cluster with a leader node. + description: |- + DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + The discovery chain is not considered when dialing a service instance directly. + This setting is useful when addressing stateful services, such as a database cluster with a leader node. type: boolean outboundListenerPort: - description: OutboundListenerPort is the port of the listener - where outbound application traffic is being redirected to. + description: |- + OutboundListenerPort is the port of the listener where outbound application + traffic is being redirected to. type: integer type: object type: object @@ -221,8 +233,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition 
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_registrations.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_registrations.yaml index df8970512b..4947e4ceb4 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_registrations.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_registrations.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: registrations.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -22,14 +22,19 @@ spec: description: Registration defines the resource for working with service registrations. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -44,8 +49,9 @@ spec: checkId: type: string definition: - description: HealthCheckDefinition is used to store the details - about a health check's execution. + description: |- + HealthCheckDefinition is used to store the details about + a health check's execution. properties: body: type: string @@ -189,7 +195,6 @@ spec: - warning type: object required: - - address - name - port type: object 
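Review bot: The `@@ -189,7 +195,6 @@` hunk removes `- address` from a `required` list (leaving `name` and `port`), so the API server will now admit a Registration object in which that field is absent; this appears to be the only change in the file that alters validation rather than re-wrapping description text alongside the controller-gen version bump at the top. Because the CRD is generated, a reviewer cannot tell from here whether the relaxation is deliberate; if it is not, the fix belongs on the Go type that controller-gen reads (restore the required marker there and regenerate) rather than in this YAML. If it is deliberate, the controller or admission webhook becomes the only place that decides what an absent address means, so that path should reject or default it explicitly, and a changelog entry should state that the schema no longer requires it. The enclosing object whose `required` list is shown starts outside this hunk, so I am inferring which field it belongs to; please confirm.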
@@ -207,8 +212,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_routeauthfilters.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_routeauthfilters.yaml index 5072fdf391..27cf6933ec 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_routeauthfilters.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_routeauthfilters.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: routeauthfilters.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -35,14 +35,19 @@ spec: description: RouteAuthFilter is the Schema for the routeauthfilters API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -61,9 +66,9 @@ spec: verification information. properties: name: - description: Name is the name of the JWT provider. There - MUST be a corresponding "jwt-provider" config entry with - this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional claims 
@@ -79,11 +84,14 @@ spec: type: string type: array value: - description: "Value is the expected value at the given - path: - If the type at the path is a list then we - verify that this value is contained in the list. - \n - If the type at the path is a string then we - verify that this value matches." + description: |- + Value is the expected value at the given path: + - If the type at the path is a list then we verify + that this value is contained in the list. + + + - If the type at the path is a string then we verify + that this value matches. type: string required: - path 
@@ -113,46 +121,53 @@ spec: reason: Pending status: Unknown type: ResolvedRefs - description: "Conditions describe the current conditions of the Filter. - \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + description: |- + Conditions describe the current conditions of the Filter. + + + Known condition types are: + + + * "Accepted" + * "ResolvedRefs" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -166,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_routeretryfilters.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_routeretryfilters.yaml index 8fa61cb683..7bea32a5fc 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_routeretryfilters.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_routeretryfilters.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: routeretryfilters.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -35,14 +35,19 @@ spec: description: RouteRetryFilter is the Schema for the routeretryfilters API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -71,8 +76,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_routetimeoutfilters.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_routetimeoutfilters.yaml index f6cc00f840..a19aa989ab 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_routetimeoutfilters.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_routetimeoutfilters.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: routetimeoutfilters.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -36,14 +36,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -63,8 +68,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_samenessgroups.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_samenessgroups.yaml index 4274efffc8..c4e46a763f 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_samenessgroups.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_samenessgroups.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: samenessgroups.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: SamenessGroup is the Schema for the samenessgroups API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -52,27 +57,25 @@ spec: description: SamenessGroupSpec defines the desired state of SamenessGroup. properties: defaultForFailover: - description: DefaultForFailover indicates that upstream requests to - members of the given sameness group will implicitly failover between - members of this sameness group. When DefaultForFailover is true, - the local partition must be a member of the sameness group or IncludeLocal - must be set to true. + description: |- + DefaultForFailover indicates that upstream requests to members of the given sameness group will implicitly failover between members of this sameness group. + When DefaultForFailover is true, the local partition must be a member of the sameness group or IncludeLocal must be set to true. type: boolean includeLocal: - description: IncludeLocal is used to include the local partition as - the first member of the sameness group. The local partition can - only be a member of a single sameness group. + description: |- + IncludeLocal is used to include the local partition as the first member of the sameness group. + The local partition can only be a member of a single sameness group. type: boolean members: - description: Members are the partitions and peers that are part of - the sameness group. If a member of a sameness group does not exist, - it will be ignored. + description: |- + Members are the partitions and peers that are part of the sameness group. + If a member of a sameness group does not exist, it will be ignored. items: properties: partition: - description: The partitions and peers that are part of the sameness - group. A sameness group member cannot define both peer and - partition at the same time. + description: |- + The partitions and peers that are part of the sameness group. + A sameness group member cannot define both peer and partition at the same time. type: string peer: type: string 
@@ -85,8 +88,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml index 7e7bcfaacc..21dada749b 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: servicedefaults.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: ServiceDefaults is the Schema for the servicedefaults API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -52,27 +57,29 @@ spec: description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. properties: balanceInboundConnections: - description: BalanceInboundConnections sets the strategy for allocating - inbound connections to the service across proxy threads. The only - supported value is exact_balance. By default, no connection balancing - is used. Refer to the Envoy Connection Balance config for details. + description: |- + BalanceInboundConnections sets the strategy for allocating inbound connections to the service across + proxy threads. The only supported value is exact_balance. By default, no connection balancing is used. + Refer to the Envoy Connection Balance config for details. type: string destination: - description: Destination is an address(es)/port combination that represents - an endpoint outside the mesh. This is only valid when the mesh is - configured in "transparent" mode. Destinations live outside of Consul's - catalog, and because of this, they do not require an artificial - node to be created. + description: |- + Destination is an address(es)/port combination that represents an endpoint + outside the mesh. This is only valid when the mesh is configured in "transparent" + mode. Destinations live outside of Consul's catalog, and because of this, they + do not require an artificial node to be created. properties: addresses: - description: Addresses is a list of IPs and/or hostnames that - can be dialed and routed through a terminating gateway. + description: |- + Addresses is a list of IPs and/or hostnames that can be dialed + and routed through a terminating gateway. items: type: string type: array port: - description: Port is the port that can be dialed on any of the - addresses in this Destination. + description: |- + Port is the port that can be dialed on any of the addresses in this + Destination. format: int32 type: integer type: object 
@@ -97,9 +104,9 @@ spec: for Envoy. properties: checks: - description: Checks defines whether paths associated with Consul - checks will be exposed. This flag triggers exposing all HTTP - and GRPC check paths registered for the service. + description: |- + Checks defines whether paths associated with Consul checks will be exposed. + This flag triggers exposing all HTTP and GRPC check paths registered for the service. type: boolean paths: description: Paths is the list of paths exposed through the proxy. 
@@ -118,99 +125,107 @@ spec: ie. "/metrics". type: string protocol: - description: Protocol describes the upstream's service protocol. + description: |- + Protocol describes the upstream's service protocol. Valid values are "http" and "http2", defaults to "http". type: string type: object type: array type: object externalSNI: - description: ExternalSNI is an optional setting that allows for the - TLS SNI value to be changed to a non-connect value when federating - with an external system. + description: |- + ExternalSNI is an optional setting that allows for the TLS SNI value + to be changed to a non-connect value when federating with an external system. type: string localConnectTimeoutMs: - description: LocalConnectTimeoutMs is the number of milliseconds allowed - to make connections to the local application instance before timing - out. Defaults to 5000. + description: |- + LocalConnectTimeoutMs is the number of milliseconds allowed to make connections to the local application + instance before timing out. Defaults to 5000. type: integer localRequestTimeoutMs: - description: LocalRequestTimeoutMs is the timeout for HTTP requests - to the local application instance in milliseconds. Applies to HTTP-based - protocols only. If not specified, inherits the Envoy default for + description: |- + LocalRequestTimeoutMs is the timeout for HTTP requests to the local application instance in milliseconds. + Applies to HTTP-based protocols only. If not specified, inherits the Envoy default for route timeouts (15s). type: integer maxInboundConnections: - description: MaxInboundConnections is the maximum number of concurrent - inbound connections to each service instance. Defaults to 0 (using - consul's default) if not set. + description: |- + MaxInboundConnections is the maximum number of concurrent inbound connections to + each service instance. Defaults to 0 (using consul's default) if not set. 
type: integer meshGateway: description: MeshGateway controls the default mesh gateway configuration for this service. properties: mode: - description: Mode is the mode that should be used for the upstream - connection. One of none, local, or remote. + description: |- + Mode is the mode that should be used for the upstream connection. + One of none, local, or remote. type: string type: object mode: - description: 'Mode can be one of "direct" or "transparent". "transparent" - represents that inbound and outbound application traffic is being - captured and redirected through the proxy. This mode does not enable - the traffic redirection itself. Instead it signals Consul to configure - Envoy as if traffic is already being redirected. "direct" represents - that the proxy''s listeners must be dialed directly by the local - application and other proxies. Note: This cannot be set using the - CRD and should be set using annotations on the services that are - part of the mesh.' + description: |- + Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound + application traffic is being captured and redirected through the proxy. This mode does not + enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if + traffic is already being redirected. "direct" represents that the proxy's listeners must be + dialed directly by the local application and other proxies. + Note: This cannot be set using the CRD and should be set using annotations on the + services that are part of the mesh. type: string mutualTLSMode: - description: 'MutualTLSMode controls whether mutual TLS is required - for all incoming connections when transparent proxy is enabled. - This can be set to "permissive" or "strict". "strict" is the default - which requires mutual TLS for incoming connections. 
In the insecure - "permissive" mode, connections to the sidecar proxy public listener - port require mutual TLS, but connections to the service port do - not require mutual TLS and are proxied to the application unmodified. - Note: Intentions are not enforced for non-mTLS connections. To keep - your services secure, we recommend using "strict" mode whenever - possible and enabling "permissive" mode only when necessary.' + description: |- + MutualTLSMode controls whether mutual TLS is required for all incoming + connections when transparent proxy is enabled. This can be set to + "permissive" or "strict". "strict" is the default which requires mutual + TLS for incoming connections. In the insecure "permissive" mode, + connections to the sidecar proxy public listener port require mutual + TLS, but connections to the service port do not require mutual TLS and + are proxied to the application unmodified. Note: Intentions are not + enforced for non-mTLS connections. To keep your services secure, we + recommend using "strict" mode whenever possible and enabling + "permissive" mode only when necessary. type: string protocol: - description: Protocol sets the protocol of the service. This is used - by Connect proxies for things like observability features and to - unlock usage of the service-splitter and service-router config entries - for a service. + description: |- + Protocol sets the protocol of the service. This is used by Connect proxies for + things like observability features and to unlock usage of the + service-splitter and service-router config entries for a service. type: string rateLimits: - description: RateLimits is rate limiting configuration that is applied - to inbound traffic for a service. Rate limiting is a Consul enterprise - feature. + description: |- + RateLimits is rate limiting configuration that is applied to + inbound traffic for a service. Rate limiting is a Consul enterprise feature. 
properties: instanceLevel: - description: InstanceLevel represents rate limit configuration + description: |- + InstanceLevel represents rate limit configuration that is applied per service instance. properties: requestsMaxBurst: - description: "RequestsMaxBurst is the maximum number of requests - that can be sent in a burst. Should be equal to or greater - than RequestsPerSecond. If unset, defaults to RequestsPerSecond. - \n Internally, this is the maximum size of the token bucket - used for rate limiting." + description: |- + RequestsMaxBurst is the maximum number of requests that can be sent + in a burst. Should be equal to or greater than RequestsPerSecond. + If unset, defaults to RequestsPerSecond. + + + Internally, this is the maximum size of the token bucket used for rate limiting. type: integer requestsPerSecond: - description: "RequestsPerSecond is the average number of requests - per second that can be made without being throttled. This - field is required if RequestsMaxBurst is set. The allowed - number of requests may exceed RequestsPerSecond up to the - value specified in RequestsMaxBurst. \n Internally, this - is the refill rate of the token bucket used for rate limiting." + description: |- + RequestsPerSecond is the average number of requests per second that can be + made without being throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed RequestsPerSecond up to + the value specified in RequestsMaxBurst. + + + Internally, this is the refill rate of the token bucket used for rate limiting. type: integer routes: - description: Routes is a list of rate limits applied to specific - routes. For a given request, the first matching route will - be applied, if any. Overrides any top-level configuration. + description: |- + Routes is a list of rate limits applied to specific routes. + For a given request, the first matching route will be applied, if any. + Overrides any top-level configuration. 
items: properties: pathExact: 
@@ -226,94 +241,94 @@ spec: PathPrefix, or PathRegex must be specified. type: string requestsMaxBurst: - description: RequestsMaxBurst is the maximum number - of requests that can be sent in a burst. Should be - equal to or greater than RequestsPerSecond. If unset, - defaults to RequestsPerSecond. Internally, this is - the maximum size of the token bucket used for rate - limiting. + description: |- + RequestsMaxBurst is the maximum number of requests that can be sent + in a burst. Should be equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is the maximum size of the token + bucket used for rate limiting. type: integer requestsPerSecond: - description: RequestsPerSecond is the average number - of requests per second that can be made without being - throttled. This field is required if RequestsMaxBurst - is set. The allowed number of requests may exceed + description: |- + RequestsPerSecond is the average number of requests per + second that can be made without being throttled. This field is required + if RequestsMaxBurst is set. The allowed number of requests may exceed RequestsPerSecond up to the value specified in RequestsMaxBurst. - Internally, this is the refill rate of the token bucket - used for rate limiting. + Internally, this is the refill rate of the token bucket used for rate limiting. type: integer type: object type: array type: object type: object transparentProxy: - description: 'TransparentProxy controls configuration specific to - proxies in transparent mode. Note: This cannot be set using the - CRD and should be set using annotations on the services that are - part of the mesh.' + description: |- + TransparentProxy controls configuration specific to proxies in transparent mode. + Note: This cannot be set using the CRD and should be set using annotations on the + services that are part of the mesh. 
properties: dialedDirectly: - description: DialedDirectly indicates whether transparent proxies - can dial this proxy instance directly. The discovery chain is - not considered when dialing a service instance directly. This - setting is useful when addressing stateful services, such as - a database cluster with a leader node. + description: |- + DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + The discovery chain is not considered when dialing a service instance directly. + This setting is useful when addressing stateful services, such as a database cluster with a leader node. type: boolean outboundListenerPort: - description: OutboundListenerPort is the port of the listener - where outbound application traffic is being redirected to. + description: |- + OutboundListenerPort is the port of the listener where outbound application + traffic is being redirected to. type: integer type: object upstreamConfig: - description: UpstreamConfig controls default configuration settings - that apply across all upstreams, and per-upstream configuration - overrides. Note that per-upstream configuration applies across all - federated datacenters to the pairing of source and upstream destination - services. + description: |- + UpstreamConfig controls default configuration settings that apply across all upstreams, + and per-upstream configuration overrides. Note that per-upstream configuration applies + across all federated datacenters to the pairing of source and upstream destination services. properties: defaults: - description: Defaults contains default configuration for all upstreams - of a given service. The name field must be empty. + description: |- + Defaults contains default configuration for all upstreams of a given + service. The name field must be empty. properties: connectTimeoutMs: - description: ConnectTimeoutMs is the number of milliseconds - to timeout making a new connection to this upstream. 
Defaults - to 5000 (5 seconds) if not set. + description: |- + ConnectTimeoutMs is the number of milliseconds to timeout making a new + connection to this upstream. Defaults to 5000 (5 seconds) if not set. type: integer envoyClusterJSON: - description: 'EnvoyClusterJSON is a complete override ("escape - hatch") for the upstream''s cluster. The Connect client - TLS certificate and context will be injected overriding - any TLS settings present. Note: This escape hatch is NOT - compatible with the discovery chain and will be ignored - if a discovery chain is active.' + description: |- + EnvoyClusterJSON is a complete override ("escape hatch") for the upstream's + cluster. The Connect client TLS certificate and context will be injected + overriding any TLS settings present. + Note: This escape hatch is NOT compatible with the discovery chain and + will be ignored if a discovery chain is active. type: string envoyListenerJSON: - description: 'EnvoyListenerJSON is a complete override ("escape - hatch") for the upstream''s listener. Note: This escape - hatch is NOT compatible with the discovery chain and will - be ignored if a discovery chain is active.' + description: |- + EnvoyListenerJSON is a complete override ("escape hatch") for the upstream's + listener. + Note: This escape hatch is NOT compatible with the discovery chain and + will be ignored if a discovery chain is active. type: string limits: - description: Limits are the set of limits that are applied - to the proxy for a specific upstream of a service instance. + description: |- + Limits are the set of limits that are applied to the proxy for a specific upstream of a + service instance. properties: maxConcurrentRequests: - description: MaxConcurrentRequests is the maximum number - of in-flight requests that will be allowed to the upstream - cluster at a point in time. This is mostly applicable - to HTTP/2 clusters since all HTTP/1.1 requests are limited - by MaxConnections. 
+ description: |- + MaxConcurrentRequests is the maximum number of in-flight requests that will be allowed + to the upstream cluster at a point in time. This is mostly applicable to HTTP/2 + clusters since all HTTP/1.1 requests are limited by MaxConnections. type: integer maxConnections: - description: MaxConnections is the maximum number of connections - the local proxy can make to the upstream service. + description: |- + MaxConnections is the maximum number of connections the local proxy can + make to the upstream service. type: integer maxPendingRequests: - description: MaxPendingRequests is the maximum number - of requests that will be queued waiting for an available - connection. This is mostly applicable to HTTP/1.1 clusters - since all HTTP/2 requests are streamed over a single + description: |- + MaxPendingRequests is the maximum number of requests that will be queued + waiting for an available connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over a single connection. type: integer type: object @@ -322,8 +337,9 @@ spec: are configured and used. properties: mode: - description: Mode is the mode that should be used for - the upstream connection. One of none, local, or remote. + description: |- + Mode is the mode that should be used for the upstream connection. + One of none, local, or remote. type: string type: object name: 
@@ -339,42 +355,40 @@ spec: config entry. type: string passiveHealthCheck: - description: PassiveHealthCheck configuration determines how - upstream proxy instances will be monitored for removal from - the load balancing pool. + description: |- + PassiveHealthCheck configuration determines how upstream proxy instances will + be monitored for removal from the load balancing pool. properties: baseEjectionTime: - description: The base time that a host is ejected for. - The real time is equal to the base time multiplied by - the number of times the host has been ejected and is - capped by max_ejection_time (Default 300s). Defaults - to 30s. + description: |- + The base time that a host is ejected for. The real time is equal to the base time + multiplied by the number of times the host has been ejected and is capped by + max_ejection_time (Default 300s). Defaults to 30s. type: string enforcingConsecutive5xx: - description: EnforcingConsecutive5xx is the % chance that - a host will be actually ejected when an outlier status - is detected through consecutive 5xx. This setting can - be used to disable ejection or to ramp it up slowly. - Ex. Setting this to 10 will make it a 10% chance that - the host will be ejected. + description: |- + EnforcingConsecutive5xx is the % chance that a host will be actually ejected + when an outlier status is detected through consecutive 5xx. + This setting can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that the host will be ejected. format: int32 type: integer interval: - description: Interval between health check analysis sweeps. - Each sweep may remove hosts or return hosts to the pool. - Ex. setting this to "10s" will set the interval to 10 - seconds. + description: |- + Interval between health check analysis sweeps. Each sweep may remove + hosts or return hosts to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. 
type: string maxEjectionPercent: - description: The maximum % of an upstream cluster that - can be ejected due to outlier detection. Defaults to - 10% but will eject at least one host regardless of the - value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier detection. + Defaults to 10% but will eject at least one host regardless of the value. format: int32 type: integer maxFailures: - description: MaxFailures is the count of consecutive failures - that results in a host being removed from the pool. + description: |- + MaxFailures is the count of consecutive failures that results in a host + being removed from the pool. format: int32 type: integer type: object 
@@ -383,59 +397,61 @@ spec: config entry. type: string protocol: - description: Protocol describes the upstream's service protocol. - Valid values are "tcp", "http" and "grpc". Anything else - is treated as tcp. This enables protocol aware features - like per-request metrics and connection pooling, tracing, + description: |- + Protocol describes the upstream's service protocol. Valid values are "tcp", + "http" and "grpc". Anything else is treated as tcp. This enables protocol + aware features like per-request metrics and connection pooling, tracing, routing etc. type: string type: object overrides: - description: Overrides is a slice of per-service configuration. - The name field is required. + description: |- + Overrides is a slice of per-service configuration. The name field is + required. items: properties: connectTimeoutMs: - description: ConnectTimeoutMs is the number of milliseconds - to timeout making a new connection to this upstream. Defaults - to 5000 (5 seconds) if not set. + description: |- + ConnectTimeoutMs is the number of milliseconds to timeout making a new + connection to this upstream. Defaults to 5000 (5 seconds) if not set. type: integer envoyClusterJSON: - description: 'EnvoyClusterJSON is a complete override ("escape - hatch") for the upstream''s cluster. The Connect client - TLS certificate and context will be injected overriding - any TLS settings present. Note: This escape hatch is NOT - compatible with the discovery chain and will be ignored - if a discovery chain is active.' + description: |- + EnvoyClusterJSON is a complete override ("escape hatch") for the upstream's + cluster. The Connect client TLS certificate and context will be injected + overriding any TLS settings present. + Note: This escape hatch is NOT compatible with the discovery chain and + will be ignored if a discovery chain is active. type: string envoyListenerJSON: - description: 'EnvoyListenerJSON is a complete override ("escape - hatch") for the upstream''s listener. 
Note: This escape - hatch is NOT compatible with the discovery chain and will - be ignored if a discovery chain is active.' + description: |- + EnvoyListenerJSON is a complete override ("escape hatch") for the upstream's + listener. + Note: This escape hatch is NOT compatible with the discovery chain and + will be ignored if a discovery chain is active. type: string limits: - description: Limits are the set of limits that are applied - to the proxy for a specific upstream of a service instance. + description: |- + Limits are the set of limits that are applied to the proxy for a specific upstream of a + service instance. properties: maxConcurrentRequests: - description: MaxConcurrentRequests is the maximum number - of in-flight requests that will be allowed to the - upstream cluster at a point in time. This is mostly - applicable to HTTP/2 clusters since all HTTP/1.1 requests - are limited by MaxConnections. + description: |- + MaxConcurrentRequests is the maximum number of in-flight requests that will be allowed + to the upstream cluster at a point in time. This is mostly applicable to HTTP/2 + clusters since all HTTP/1.1 requests are limited by MaxConnections. type: integer maxConnections: - description: MaxConnections is the maximum number of - connections the local proxy can make to the upstream - service. + description: |- + MaxConnections is the maximum number of connections the local proxy can + make to the upstream service. type: integer maxPendingRequests: - description: MaxPendingRequests is the maximum number - of requests that will be queued waiting for an available - connection. This is mostly applicable to HTTP/1.1 - clusters since all HTTP/2 requests are streamed over - a single connection. + description: |- + MaxPendingRequests is the maximum number of requests that will be queued + waiting for an available connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over a single + connection. 
type: integer type: object meshGateway: @@ -443,8 +459,9 @@ spec: are configured and used. properties: mode: - description: Mode is the mode that should be used for - the upstream connection. One of none, local, or remote. + description: |- + Mode is the mode that should be used for the upstream connection. + One of none, local, or remote. type: string type: object name: 
@@ -460,43 +477,40 @@ spec: config entry. type: string passiveHealthCheck: - description: PassiveHealthCheck configuration determines - how upstream proxy instances will be monitored for removal - from the load balancing pool. + description: |- + PassiveHealthCheck configuration determines how upstream proxy instances will + be monitored for removal from the load balancing pool. properties: baseEjectionTime: - description: The base time that a host is ejected for. - The real time is equal to the base time multiplied - by the number of times the host has been ejected and - is capped by max_ejection_time (Default 300s). Defaults - to 30s. + description: |- + The base time that a host is ejected for. The real time is equal to the base time + multiplied by the number of times the host has been ejected and is capped by + max_ejection_time (Default 300s). Defaults to 30s. type: string enforcingConsecutive5xx: - description: EnforcingConsecutive5xx is the % chance - that a host will be actually ejected when an outlier - status is detected through consecutive 5xx. This setting - can be used to disable ejection or to ramp it up slowly. - Ex. Setting this to 10 will make it a 10% chance that - the host will be ejected. + description: |- + EnforcingConsecutive5xx is the % chance that a host will be actually ejected + when an outlier status is detected through consecutive 5xx. + This setting can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that the host will be ejected. format: int32 type: integer interval: - description: Interval between health check analysis - sweeps. Each sweep may remove hosts or return hosts - to the pool. Ex. setting this to "10s" will set the - interval to 10 seconds. + description: |- + Interval between health check analysis sweeps. Each sweep may remove + hosts or return hosts to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. 
type: string maxEjectionPercent: - description: The maximum % of an upstream cluster that - can be ejected due to outlier detection. Defaults - to 10% but will eject at least one host regardless - of the value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier detection. + Defaults to 10% but will eject at least one host regardless of the value. format: int32 type: integer maxFailures: - description: MaxFailures is the count of consecutive - failures that results in a host being removed from - the pool. + description: |- + MaxFailures is the count of consecutive failures that results in a host + being removed from the pool. format: int32 type: integer type: object @@ -505,10 +519,10 @@ spec: config entry. type: string protocol: - description: Protocol describes the upstream's service protocol. - Valid values are "tcp", "http" and "grpc". Anything else - is treated as tcp. This enables protocol aware features - like per-request metrics and connection pooling, tracing, + description: |- + Protocol describes the upstream's service protocol. Valid values are "tcp", + "http" and "grpc". Anything else is treated as tcp. This enables protocol + aware features like per-request metrics and connection pooling, tracing, routing etc. type: string type: object @@ -521,8 +535,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition 
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml index 4718ee24e5..957295b18e 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: serviceintentions.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: ServiceIntentions is the Schema for the serviceintentions API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,16 +61,16 @@ spec: the authorization granted to. properties: name: - description: Name is the destination of all intentions defined - in this config entry. This may be set to the wildcard character - (*) to match all services that don't otherwise have intentions - defined. + description: |- + Name is the destination of all intentions defined in this config entry. + This may be set to the wildcard character (*) to match + all services that don't otherwise have intentions defined. type: string namespace: - description: Namespace specifies the namespace the config entry - will apply to. This may be set to the wildcard character (*) - to match all services in all namespaces that don't otherwise - have intentions defined. + description: |- + Namespace specifies the namespace the config entry will apply to. + This may be set to the wildcard character (*) to match all services + in all namespaces that don't otherwise have intentions defined. type: string type: object jwt: @@ -78,9 +83,9 @@ spec: items: properties: name: - description: Name is the name of the JWT provider. There - MUST be a corresponding "jwt-provider" config entry with - this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional claims @@ -94,11 +99,10 @@ spec: type: string type: array value: - description: Value is the expected value at the given - path. If the type at the path is a list then we - verify that this value is contained in the list. - If the type at the path is a string then we verify - that this value matches. + description: |- + Value is the expected value at the given path. If the type at the path + is a list then we verify that this value is contained in the list. If + the type at the path is a string then we verify that this value matches. type: string type: object type: array 
@@ -106,25 +110,25 @@ spec: type: array type: object sources: - description: Sources is the list of all intention sources and the - authorization granted to those sources. The order of this list does - not matter, but out of convenience Consul will always store this - reverse sorted by intention precedence, as that is the order that - they will be evaluated at enforcement time. + description: |- + Sources is the list of all intention sources and the authorization granted to those sources. + The order of this list does not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that they will be evaluated at enforcement time. items: properties: action: - description: Action is required for an L4 intention, and should - be set to one of "allow" or "deny" for the action that should - be taken if this intention matches a request. + description: |- + Action is required for an L4 intention, and should be set to one of + "allow" or "deny" for the action that should be taken if this intention matches a request. type: string description: description: Description for the intention. This is not used by Consul, but is presented in API responses to assist tooling. type: string name: - description: Name is the source of the intention. This is the - name of a Consul service. The service doesn't need to be registered. + description: |- + Name is the source of the intention. This is the name of a + Consul service. The service doesn't need to be registered. type: string namespace: description: Namespace is the namespace for the Name parameter. 
@@ -136,31 +140,28 @@ spec: description: Peer is the peer name for the Name parameter. type: string permissions: - description: Permissions is the list of all additional L7 attributes - that extend the intention match criteria. Permission precedence - is applied top to bottom. For any given request the first - permission to match in the list is terminal and stops further - evaluation. As with L4 intentions, traffic that fails to match - any of the provided permissions in this intention will be - subject to the default intention behavior is defined by the - default ACL policy. This should be omitted for an L4 intention + description: |- + Permissions is the list of all additional L7 attributes that extend the intention match criteria. + Permission precedence is applied top to bottom. For any given request the first permission to match + in the list is terminal and stops further evaluation. As with L4 intentions, traffic that fails to + match any of the provided permissions in this intention will be subject to the default intention + behavior is defined by the default ACL policy. This should be omitted for an L4 intention as it is mutually exclusive with the Action field. items: properties: action: - description: Action is one of "allow" or "deny" for the - action that should be taken if this permission matches - a request. + description: |- + Action is one of "allow" or "deny" for the action that + should be taken if this permission matches a request. type: string http: description: HTTP is a set of HTTP-specific authorization criteria. properties: header: - description: Header is a set of criteria that can - match on HTTP request headers. If more than one - is configured all must match for the overall match - to apply. + description: |- + Header is a set of criteria that can match on HTTP request headers. + If more than one is configured all must match for the overall match to apply. items: properties: exact: 
@@ -194,10 +195,9 @@ spec: type: object type: array methods: - description: Methods is a list of HTTP methods for - which this match applies. If unspecified all HTTP - methods are matched. If provided the names must - be a valid method. + description: |- + Methods is a list of HTTP methods for which this match applies. If unspecified + all HTTP methods are matched. If provided the names must be a valid method. items: type: string type: array @@ -224,9 +224,9 @@ spec: items: properties: name: - description: Name is the name of the JWT provider. - There MUST be a corresponding "jwt-provider" - config entry with this name. + description: |- + Name is the name of the JWT provider. There MUST be a corresponding + "jwt-provider" config entry with this name. type: string verifyClaims: description: VerifyClaims is a list of additional @@ -240,12 +240,10 @@ spec: type: string type: array value: - description: Value is the expected value - at the given path. If the type at the - path is a list then we verify that this - value is contained in the list. If the - type at the path is a string then we - verify that this value matches. + description: |- + Value is the expected value at the given path. If the type at the path + is a list then we verify that this value is contained in the list. If + the type at the path is a string then we verify that this value matches. type: string type: object type: array 
@@ -267,8 +265,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_serviceresolvers.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_serviceresolvers.yaml index a1e3844b9c..703f9b7bdd 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_serviceresolvers.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_serviceresolvers.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: serviceresolvers.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: ServiceResolver is the Schema for the serviceresolvers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -52,12 +57,14 @@ spec: description: ServiceResolverSpec defines the desired state of ServiceResolver. properties: connectTimeout: - description: ConnectTimeout is the timeout for establishing new network - connections to this service. + description: |- + ConnectTimeout is the timeout for establishing new network connections + to this service. type: string defaultSubset: - description: DefaultSubset is the subset to use when no explicit subset - is requested. If empty the unnamed subset is used. + description: |- + DefaultSubset is the subset to use when no explicit subset is requested. + If empty the unnamed subset is used. type: string failover: additionalProperties: @@ -69,22 +76,22 @@ spec: type: string type: array namespace: - description: Namespace is the namespace to resolve the requested - service from to form the failover group of instances. If empty - the current namespace is used. + description: |- + Namespace is the namespace to resolve the requested service from to form + the failover group of instances. If empty the current namespace is used. type: string policy: description: Policy specifies the exact mechanism used for failover. properties: mode: - description: Mode specifies the type of failover that will - be performed. Valid values are "sequential", "" (equivalent - to "sequential") and "order-by-locality". + description: |- + Mode specifies the type of failover that will be performed. Valid values are + "sequential", "" (equivalent to "sequential") and "order-by-locality". type: string regions: - description: Regions is the ordered list of the regions - of the failover targets. Valid values can be "us-west-1", - "us-west-2", and so on. + description: |- + Regions is the ordered list of the regions of the failover targets. + Valid values can be "us-west-1", "us-west-2", and so on. items: type: string type: array 
@@ -94,13 +101,15 @@ spec: to try during failover. type: string service: - description: Service is the service to resolve instead of the - default as the failover group of instances during failover. + description: |- + Service is the service to resolve instead of the default as the failover + group of instances during failover. type: string serviceSubset: - description: ServiceSubset is the named subset of the requested - service to resolve as the failover group of instances. If - empty the default subset for the requested service is used. + description: |- + ServiceSubset is the named subset of the requested service to resolve as + the failover group of instances. If empty the default subset for the + requested service is used. type: string targets: description: Targets specifies a fixed list of failover targets 
@@ -134,21 +143,25 @@ spec: type: object type: array type: object - description: Failover controls when and how to reroute traffic to - an alternate pool of service instances. The map is keyed by the - service subset it applies to and the special string "*" is a wildcard - that applies to any subset not otherwise specified here. + description: |- + Failover controls when and how to reroute traffic to an alternate pool of + service instances. + The map is keyed by the service subset it applies to and the special + string "*" is a wildcard that applies to any subset not otherwise + specified here. type: object loadBalancer: - description: LoadBalancer determines the load balancing policy and - configuration for services issuing requests to this upstream service. + description: |- + LoadBalancer determines the load balancing policy and configuration for services + issuing requests to this upstream service. properties: hashPolicies: - description: HashPolicies is a list of hash policies to use for - hashing load balancing algorithms. Hash policies are evaluated - individually and combined such that identical lists result in - the same hash. If no hash policies are present, or none are - successfully evaluated, then a random backend host will be selected. + description: |- + HashPolicies is a list of hash policies to use for hashing load balancing algorithms. + Hash policies are evaluated individually and combined such that identical lists + result in the same hash. + If no hash policies are present, or none are successfully evaluated, + then a random backend host will be selected. items: properties: cookieConfig: 
@@ -168,26 +181,27 @@ spec: type: string type: object field: - description: Field is the attribute type to hash on. Must - be one of "header", "cookie", or "query_parameter". Cannot - be specified along with sourceIP. + description: |- + Field is the attribute type to hash on. + Must be one of "header", "cookie", or "query_parameter". + Cannot be specified along with sourceIP. type: string fieldValue: - description: FieldValue is the value to hash. ie. header - name, cookie name, URL query parameter name Cannot be - specified along with sourceIP. + description: |- + FieldValue is the value to hash. + ie. header name, cookie name, URL query parameter name + Cannot be specified along with sourceIP. type: string sourceIP: - description: SourceIP determines whether the hash should - be of the source IP rather than of a field and field value. + description: |- + SourceIP determines whether the hash should be of the source IP rather than of a field and field value. Cannot be specified along with field or fieldValue. type: boolean terminal: - description: Terminal will short circuit the computation - of the hash when multiple hash policies are present. If - a hash is computed when a Terminal policy is evaluated, - then that hash will be used and subsequent hash policies - will be ignored. + description: |- + Terminal will short circuit the computation of the hash when multiple hash policies are present. + If a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies will be ignored. type: boolean type: object type: array 
@@ -222,39 +236,44 @@ spec: type: object type: object prioritizeByLocality: - description: PrioritizeByLocality controls whether the locality of - services within the local partition will be used to prioritize connectivity. + description: |- + PrioritizeByLocality controls whether the locality of services within the + local partition will be used to prioritize connectivity. properties: mode: - description: 'Mode specifies the type of prioritization that will - be performed when selecting nodes in the local partition. Valid - values are: "" (default "none"), "none", and "failover".' + description: |- + Mode specifies the type of prioritization that will be performed + when selecting nodes in the local partition. + Valid values are: "" (default "none"), "none", and "failover". type: string type: object redirect: - description: Redirect when configured, all attempts to resolve the - service this resolver defines will be substituted for the supplied - redirect EXCEPT when the redirect has already been applied. When - substituting the supplied redirect, all other fields besides Kind, - Name, and Redirect will be ignored. + description: |- + Redirect when configured, all attempts to resolve the service this + resolver defines will be substituted for the supplied redirect + EXCEPT when the redirect has already been applied. + When substituting the supplied redirect, all other fields besides + Kind, Name, and Redirect will be ignored. properties: datacenter: - description: Datacenter is the datacenter to resolve the service - from instead of the current one. + description: |- + Datacenter is the datacenter to resolve the service from instead of the + current one. type: string namespace: - description: Namespace is the Consul namespace to resolve the - service from instead of the current namespace. If empty the - current namespace is assumed. + description: |- + Namespace is the Consul namespace to resolve the service from instead of + the current namespace. 
If empty the current namespace is assumed. type: string partition: - description: Partition is the Consul partition to resolve the - service from instead of the current partition. If empty the - current partition is assumed. + description: |- + Partition is the Consul partition to resolve the service from instead of + the current partition. If empty the current partition is assumed. type: string peer: - description: Peer is the name of the cluster peer to resolve the - service from instead of the current one. + description: |- + Peer is the name of the cluster peer to resolve the service from instead + of the current one. type: string samenessGroup: description: SamenessGroup is the name of the sameness group to 
@@ -265,37 +284,41 @@ spec: service. type: string serviceSubset: - description: ServiceSubset is a named subset of the given service - to resolve instead of one defined as that service's DefaultSubset - If empty the default subset is used. + description: |- + ServiceSubset is a named subset of the given service to resolve instead + of one defined as that service's DefaultSubset If empty the default + subset is used. type: string type: object requestTimeout: - description: RequestTimeout is the timeout for receiving an HTTP response - from this service before the connection is terminated. + description: |- + RequestTimeout is the timeout for receiving an HTTP response from this + service before the connection is terminated. type: string subsets: additionalProperties: properties: filter: - description: Filter is the filter expression to be used for - selecting instances of the requested service. If empty all - healthy instances are returned. This expression can filter - on the same selectors as the Health API endpoint. + description: |- + Filter is the filter expression to be used for selecting instances of the + requested service. If empty all healthy instances are returned. This + expression can filter on the same selectors as the Health API endpoint. type: string onlyPassing: - description: OnlyPassing specifies the behavior of the resolver's - health check interpretation. If this is set to false, instances - with checks in the passing as well as the warning states will - be considered healthy. If this is set to true, only instances - with checks in the passing state will be considered healthy. + description: |- + OnlyPassing specifies the behavior of the resolver's health check + interpretation. If this is set to false, instances with checks in the + passing as well as the warning states will be considered healthy. If this + is set to true, only instances with checks in the passing state will be + considered healthy. 
type: boolean type: object - description: Subsets is map of subset name to subset definition for - all usable named subsets of this service. The map key is the name - of the subset and all names must be valid DNS subdomain elements. - This may be empty, in which case only the unnamed default subset - will be usable. + description: |- + Subsets is map of subset name to subset definition for all usable named + subsets of this service. The map key is the name of the subset and all + names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset will + be usable. type: object type: object status: @@ -304,8 +327,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_servicerouters.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_servicerouters.yaml index 41d4bfbd81..a58a5a1b43 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_servicerouters.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_servicerouters.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: servicerouters.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: ServiceRouter is the Schema for the servicerouters API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -52,10 +57,11 @@ spec: description: ServiceRouterSpec defines the desired state of ServiceRouter. properties: routes: - description: Routes are the list of routes to consider when processing - L7 requests. The first route to match in the list is terminal and - stops further evaluation. Traffic that fails to match any of the - provided routes will be routed to the default service. + description: |- + Routes are the list of routes to consider when processing L7 requests. + The first route to match in the list is terminal and stops further + evaluation. Traffic that fails to match any of the provided routes will + be routed to the default service. items: properties: destination: @@ -63,13 +69,14 @@ spec: request(s) to a service. properties: idleTimeout: - description: IdleTimeout is total amount of time permitted + description: |- + IdleTimeout is total amount of time permitted for the request stream to be idle. type: string namespace: - description: Namespace is the Consul namespace to resolve - the service from instead of the current namespace. If - empty the current namespace is assumed. + description: |- + Namespace is the Consul namespace to resolve the service from instead of + the current namespace. If empty the current namespace is assumed. type: string numRetries: description: NumRetries is the number of times to retry 
@@ -77,13 +84,14 @@ spec: format: int32 type: integer partition: - description: Partition is the Consul partition to resolve - the service from instead of the current partition. If - empty the current partition is assumed. + description: |- + Partition is the Consul partition to resolve the service from instead of + the current partition. If empty the current partition is assumed. type: string prefixRewrite: - description: PrefixRewrite defines how to rewrite the HTTP - request path before proxying it to its final destination. + description: |- + PrefixRewrite defines how to rewrite the HTTP request path before proxying + it to its final destination. This requires that either match.http.pathPrefix or match.http.pathExact be configured on this route. type: string 
@@ -93,61 +101,63 @@ spec: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that - should be appended to the request or response (i.e. - allowing duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). type: object remove: - description: Remove is the set of header names that - should be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that - should be added to the request or response, overwriting - any existing header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object requestTimeout: - description: RequestTimeout is the total amount of time - permitted for the entire downstream request (and retries) - to be processed. + description: |- + RequestTimeout is the total amount of time permitted for the entire + downstream request (and retries) to be processed. type: string responseHeaders: - description: HTTPHeaderModifiers is a set of rules for HTTP - header modification that should be performed by proxies - as the request passes through them. It can operate on - either request or response headers depending on the context - in which it is used. + description: |- + HTTPHeaderModifiers is a set of rules for HTTP header modification that + should be performed by proxies as the request passes through them. It can + operate on either request or response headers depending on the context in + which it is used. 
properties: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that - should be appended to the request or response (i.e. - allowing duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). type: object remove: - description: Remove is the set of header names that - should be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that - should be added to the request or response, overwriting - any existing header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object retryOn: - description: 'RetryOn is a flat list of conditions for Consul - to retry requests based on the response from an upstream - service. Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon' + description: |- + RetryOn is a flat list of conditions for Consul to retry requests based on the response from an upstream service. + Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon items: type: string type: array 
@@ -163,20 +173,21 @@ spec: type: integer type: array service: - description: Service is the service to resolve instead of - the default service. If empty then the default service - name is used. + description: |- + Service is the service to resolve instead of the default service. + If empty then the default service name is used. type: string serviceSubset: - description: ServiceSubset is a named subset of the given - service to resolve instead of the one defined as that - service's DefaultSubset. If empty, the default subset - is used. + description: |- + ServiceSubset is a named subset of the given service to resolve instead + of the one defined as that service's DefaultSubset. + If empty, the default subset is used. type: string type: object match: - description: Match is a set of criteria that can match incoming - L7 requests. If empty or omitted it acts as a catch-all. + description: |- + Match is a set of criteria that can match incoming L7 requests. + If empty or omitted it acts as a catch-all. properties: http: description: HTTP is a set of http-specific match criteria. @@ -186,9 +197,9 @@ spec: PathPrefix matches to ignore upper/lower casing. type: boolean header: - description: Header is a set of criteria that can match - on HTTP request headers. If more than one is configured - all must match for the overall match to apply. + description: |- + Header is a set of criteria that can match on HTTP request headers. + If more than one is configured all must match for the overall match to apply. items: properties: exact: @@ -223,9 +234,9 @@ spec: type: object type: array methods: - description: Methods is a list of HTTP methods for which - this match applies. If unspecified all http methods - are matched. + description: |- + Methods is a list of HTTP methods for which this match applies. + If unspecified all http methods are matched. items: type: string type: array 
@@ -242,10 +253,9 @@ spec: on the HTTP request path. type: string queryParam: - description: QueryParam is a set of criteria that can - match on HTTP query parameters. If more than one is - configured all must match for the overall match to - apply. + description: |- + QueryParam is a set of criteria that can match on HTTP query parameters. + If more than one is configured all must match for the overall match to apply. items: properties: exact: @@ -257,8 +267,9 @@ spec: to match on. type: string present: - description: Present will match if the query parameter - with the given name is present with any value. + description: |- + Present will match if the query parameter with the given name is present + with any value. type: boolean regex: description: Regex will match if the query parameter @@ -279,8 +290,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_servicesplitters.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_servicesplitters.yaml index 36f9c9f6c9..9dd719a93c 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_servicesplitters.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_servicesplitters.yaml 
@@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: servicesplitters.consul.hashicorp.com spec: group: consul.hashicorp.com @@ -37,14 +37,19 @@ spec: description: ServiceSplitter is the Schema for the servicesplitters API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -52,20 +57,20 @@ spec: description: ServiceSplitterSpec defines the desired state of ServiceSplitter. properties: splits: - description: Splits defines how much traffic to send to which set - of service instances during a traffic split. The sum of weights - across all splits must add up to 100. + description: |- + Splits defines how much traffic to send to which set of service instances during a traffic split. + The sum of weights across all splits must add up to 100. items: properties: namespace: - description: Namespace is the Consul namespace to resolve the - service from instead of the current namespace. If empty the - current namespace is assumed. + description: |- + Namespace is the Consul namespace to resolve the service from instead of + the current namespace. If empty the current namespace is assumed. type: string partition: - description: Partition is the Consul partition to resolve the - service from instead of the current partition. If empty the - current partition is assumed. + description: |- + Partition is the Consul partition to resolve the service from instead of + the current partition. If empty the current partition is assumed. type: string requestHeaders: description: Allow HTTP header manipulation to be configured. 
@@ -73,50 +78,52 @@ spec: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that should - be appended to the request or response (i.e. allowing - duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). type: object remove: - description: Remove is the set of header names that should - be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that should - be added to the request or response, overwriting any existing - header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object responseHeaders: - description: HTTPHeaderModifiers is a set of rules for HTTP - header modification that should be performed by proxies as - the request passes through them. It can operate on either - request or response headers depending on the context in which - it is used. + description: |- + HTTPHeaderModifiers is a set of rules for HTTP header modification that + should be performed by proxies as the request passes through them. It can + operate on either request or response headers depending on the context in + which it is used. properties: add: additionalProperties: type: string - description: Add is a set of name -> value pairs that should - be appended to the request or response (i.e. allowing - duplicates if the same header already exists). + description: |- + Add is a set of name -> value pairs that should be appended to the request + or response (i.e. allowing duplicates if the same header already exists). 
type: object remove: - description: Remove is the set of header names that should - be stripped from the request or response. + description: |- + Remove is the set of header names that should be stripped from the request + or response. items: type: string type: array set: additionalProperties: type: string - description: Set is a set of name -> value pairs that should - be added to the request or response, overwriting any existing - header values of the same name. + description: |- + Set is a set of name -> value pairs that should be added to the request or + response, overwriting any existing header values of the same name. type: object type: object service: @@ -124,13 +131,13 @@ spec: default. type: string serviceSubset: - description: ServiceSubset is a named subset of the given service - to resolve instead of one defined as that service's DefaultSubset. - If empty the default subset is used. + description: |- + ServiceSubset is a named subset of the given service to resolve instead of one defined + as that service's DefaultSubset. If empty the default subset is used. type: string weight: - description: Weight is a value between 0 and 100 reflecting - what portion of traffic should be directed to this split. + description: |- + Weight is a value between 0 and 100 reflecting what portion of traffic should be directed to this split. The smallest representable weight is 1/10000 or .01%. type: number type: object 
@@ -142,8 +149,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_terminatinggateways.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_terminatinggateways.yaml index 1b8ab32cd6..b7d532d2fc 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_terminatinggateways.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_terminatinggateways.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: terminatinggateways.consul.hashicorp.com spec: group: consul.hashicorp.com 
@@ -38,14 +38,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -60,22 +65,23 @@ spec: gateway. properties: caFile: - description: CAFile is the optional path to a CA certificate - to use for TLS connections from the gateway to the linked - service. + description: |- + CAFile is the optional path to a CA certificate to use for TLS connections + from the gateway to the linked service. type: string certFile: - description: CertFile is the optional path to a client certificate - to use for TLS connections from the gateway to the linked - service. + description: |- + CertFile is the optional path to a client certificate to use for TLS connections + from the gateway to the linked service. type: string disableAutoHostRewrite: description: DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true. type: boolean keyFile: - description: KeyFile is the optional path to a private key to - use for TLS connections from the gateway to the linked service. + description: |- + KeyFile is the optional path to a private key to use for TLS connections + from the gateway to the linked service. type: string name: description: Name is the name of the service, as defined in @@ -97,8 +103,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition 
diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml index 7b0d2a54b9..9fd8059672 100644 --- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: apigateways.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com 
@@ -35,14 +35,19 @@ spec: description: APIGateway is the Schema for the API Gateway properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,13 +61,14 @@ spec: items: properties: hostname: - description: Hostname is the host name that a listener should - be bound to, if unspecified, the listener accepts requests - for all hostnames. + description: |- + Hostname is the host name that a listener should be bound to, if + unspecified, the listener accepts requests for all hostnames. type: string name: - description: Name is the name of the listener in a given gateway. - This must be unique within a gateway. + description: |- + Name is the name of the listener in a given gateway. This must be + unique within a gateway. type: string port: format: int32 @@ -70,18 +76,21 @@ spec: minimum: 0 type: integer protocol: - description: Protocol is the protocol that a listener should - use, it must either be "http" or "tcp" + description: |- + Protocol is the protocol that a listener should use, it must + either be "http" or "tcp" type: string tls: description: TLS is the TLS settings for the listener. properties: certificates: - description: Certificates is a set of references to certificates + description: |- + Certificates is a set of references to certificates that a gateway listener uses for TLS termination. items: - description: Reference identifies which resource a condition - relates to, when it is not the core resource itself. + description: |- + Reference identifies which resource a condition relates to, when it is not + the core resource itself. properties: name: description: Name is the user-given name of the resource 
@@ -92,37 +101,41 @@ spec: resource the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units - (i.e. partition, namespace) in which the resource - resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources - within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list resources - across all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list resources - across all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. "catalog", - "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). 
type: string groupVersion: - description: GroupVersion is incremented when - sweeping or backward-incompatible changes are - made to the group's resource types. + description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes + are made to the group's resource types. type: string kind: description: Kind identifies the specific resource @@ -212,8 +225,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition - for a Consul resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the @@ -256,8 +270,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a - Consul resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_gatewayclassconfigs.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_gatewayclassconfigs.yaml index cc6de192c7..5c8605c59a 100644 --- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_gatewayclassconfigs.yaml 
+++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_gatewayclassconfigs.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: gatewayclassconfigs.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com @@ -27,14 +27,19 @@ spec: description: GatewayClassConfig is the Schema for the Mesh Gateway API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -46,19 +51,18 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key included - here will override those in Set if specified on the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included here - will be overridden if present in InheritFromGateway and set - on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object deployment: 
@@ -74,22 +78,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -99,32 +101,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -137,32 +133,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -184,53 +174,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -243,32 +226,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -291,18 +268,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -321,30 +296,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -356,53 +326,45 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -414,42 +376,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -458,23 +415,22 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, 
@@ -485,28 +441,24 @@ spec: selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -519,51 +471,44 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -576,33 +521,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -615,18 +556,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -645,30 +584,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -680,53 +614,45 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -738,42 +664,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -782,23 +703,22 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, 
@@ -809,28 +729,24 @@ spec: selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -843,51 +759,44 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -900,33 +809,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -938,20 +843,18 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object container: @@ -978,10 +881,9 @@ spec: format: int32 type: integer portModifier: - description: PortModifier specifies the value to be added - to every port value for listeners on this gateway. This - is generally used to avoid binding to privileged ports in - the container. + description: |- + PortModifier specifies the value to be added to every port value for listeners on this gateway. + This is generally used to avoid binding to privileged ports in the container. format: int32 type: integer resources: 
@@ -989,18 +891,23 @@ spec: for the created Deployment's container properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -1017,8 +924,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -1027,11 +935,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object 
@@ -1071,18 +979,23 @@ spec: for the created Deployment's init container properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -1099,8 +1012,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -1109,11 +1023,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object 
@@ -1121,31 +1035,30 @@ spec: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a feature that constrains the scheduling - of a pod to nodes that match specified labels. By defining NodeSelector - in a pod''s configuration, you can ensure that the pod is only - scheduled to nodes with the corresponding labels, providing - a way to influence the placement of workloads based on node - attributes. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a feature that constrains the scheduling of a pod to nodes that + match specified labels. + By defining NodeSelector in a pod's configuration, you can ensure that the pod is + only scheduled to nodes with the corresponding labels, providing a way to + influence the placement of workloads based on node attributes. 
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object priorityClassName: description: PriorityClassName specifies the priority class name @@ -1161,17 +1074,17 @@ spec: format: int32 type: integer max: - description: Max is the maximum number of replicas allowed - for a gateway with this class. If the replica count exceeds - this value due to manual or automated scaling, the replica - count will be restored to this value. + description: |- + Max is the maximum number of replicas allowed for a gateway with this class. + If the replica count exceeds this value due to manual or automated scaling, + the replica count will be restored to this value. format: int32 type: integer min: - description: Min is the minimum number of replicas allowed - for a gateway with this class. If the replica count drops - below this value due to manual or automated scaling, the - replica count will be restored to this value. + description: |- + Min is the minimum number of replicas allowed for a gateway with this class. + If the replica count drops below this value due to manual or automated scaling, + the replica count will be restored to this value. format: int32 type: integer type: object 
@@ -1180,63 +1093,68 @@ spec: the created Deployment's Pod. properties: fsGroup: - description: "A special supplemental group that applies to - all containers in a pod. Some volume types allow the Kubelet - to change the ownership of that volume to be owned by the - pod: \n 1. The owning GID will be the FSGroup 2. The setgid - bit is set (new files created in the volume will be owned - by FSGroup) 3. The permission bits are OR'd with rw-rw---- - \n If unset, the Kubelet will not modify the ownership and - permissions of any volume. Note that this field cannot be - set when spec.os.name is windows." + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer fsGroupChangePolicy: - description: 'fsGroupChangePolicy defines behavior of changing - ownership and permission of the volume before being exposed - inside Pod. This field will only apply to volume types which - support fsGroup based ownership(and permissions). It will - have no effect on ephemeral volume types such as: secret, - configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. Note that - this field cannot be set when spec.os.name is windows.' + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). 
+ It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. type: string runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be set - in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this field - cannot be set when spec.os.name is windows. + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as a non-root - user. If true, the Kubelet will validate the image at runtime - to ensure that it does not run as UID 0 (root) and fail - to start the container if it does. If unset or false, no - such validation will be performed. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container - process. 
Defaults to user specified in image metadata if - unspecified. May also be set in SecurityContext. If set - in both SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence for that container. - Note that this field cannot be set when spec.os.name is - windows. + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random - SELinux context for each container. May also be set in - SecurityContext. If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence - for that container. Note that this field cannot be set when - spec.os.name is windows. + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that applies 
@@ -1256,47 +1174,48 @@ spec: type: string type: object seccompProfile: - description: The seccomp options to use by the containers - in this pod. Note that this field cannot be set when spec.os.name - is windows. + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile defined - in a file on the node should be used. The profile must - be preconfigured on the node to work. Must be a descending - path, relative to the kubelet's configured seccomp profile - location. Must be set if type is "Localhost". Must NOT - be set for any other type. + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. type: string type: - description: "type indicates which kind of seccomp profile - will be applied. Valid options are: \n Localhost - a - profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile - should be used. Unconfined - no profile should be applied." + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. type: string required: - type type: object supplementalGroups: - description: A list of groups applied to the first process - run in each container, in addition to the container's primary - GID, the fsGroup (if specified), and group memberships defined - in the container image for the uid of the container process. 
- If unspecified, no additional groups are added to any container. - Note that group memberships defined in the container image - for the uid of the container process are still effective, - even if they are not included in this list. Note that this - field cannot be set when spec.os.name is windows. + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. items: format: int64 type: integer type: array sysctls: - description: Sysctls hold a list of namespaced sysctls used - for the pod. Pods with unsupported sysctls (by the container - runtime) might fail to launch. Note that this field cannot - be set when spec.os.name is windows. + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. items: description: Sysctl defines a kernel parameter to be set properties: 
@@ -1312,39 +1231,35 @@ spec: type: object type: array windowsOptions: - description: The Windows specific settings applied to all - containers. If unspecified, the options within a container's - SecurityContext will be used. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set when - spec.os.name is linux. + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission - webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec named - by the GMSACredentialSpecName field. + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container should - be run as a 'Host Process' container. All of a Pod's - containers must have the same effective HostProcess - value (it is not allowed to have a mix of HostProcess - containers and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must also be - set to true. + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). 
+ In addition, if HostProcess is true then HostNetwork must also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint - of the container process. Defaults to the user specified - in image metadata if unspecified. May also be set in - PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence. + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. type: string type: object type: object 
@@ -1352,62 +1267,62 @@ spec: description: Tolerations specifies the tolerations to use on the created Deployment. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. 
- By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array topologySpreadConstraints: - description: 'TopologySpreadConstraints is a feature that controls - how pods are spead across your topology. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/' + description: |- + TopologySpreadConstraints is a feature that controls how pods are spead across your topology. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ items: description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. properties: labelSelector: - description: LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine - the number of pods in their corresponding topology domain. + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1415,17 +1330,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1437,132 +1351,134 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic matchLabelKeys: - description: "MatchLabelKeys is a set of pod label keys - to select the pods over which spreading will be calculated. - The keys are used to lookup values from the incoming pod - labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading - will be calculated for the incoming pod. The same key - is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't - set. Keys that don't exist in the incoming pod labels - will be ignored. A null or empty list means only match - against labelSelector. \n This is a beta field and requires - the MatchLabelKeysInPodTopologySpread feature gate to - be enabled (enabled by default)." + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). items: type: string type: array x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to which pods - may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, - it is the maximum permitted difference between the number - of matching pods in the target topology and the global - minimum. The global minimum is the minimum number of matching - pods in an eligible domain or zero if the number of eligible - domains is less than MinDomains. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with the same labelSelector - spread as 2/2/1: In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to - zone3 to become 2/2/2; scheduling it onto zone1(zone2) - would make the ActualSkew(3-1) on zone1(zone2) violate - MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled - onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies that - satisfy it. It''s a required field. Default value is 1 - and 0 is not allowed.' + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. 
+ | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. format: int32 type: integer minDomains: - description: "MinDomains indicates a minimum number of eligible - domains. When the number of eligible domains with matching - topology keys is less than minDomains, Pod Topology Spread - treats \"global minimum\" as 0, and then the calculation - of Skew is performed. And when the number of eligible - domains with matching topology keys equals or greater - than minDomains, this value has no effect on scheduling. - As a result, when the number of eligible domains is less - than minDomains, scheduler won't schedule more than maxSkew - Pods to those domains. If value is nil, the constraint - behaves as if MinDomains is equal to 1. Valid values are - integers greater than 0. When value is not nil, WhenUnsatisfiable - must be DoNotSchedule. \n For example, in a 3-zone cluster, - MaxSkew is set to 2, MinDomains is set to 5 and pods with - the same labelSelector spread as 2/2/2: | zone1 | zone2 - | zone3 | | P P | P P | P P | The number of domains - is less than 5(MinDomains), so \"global minimum\" is treated - as 0. In this situation, new pod with the same labelSelector - cannot be scheduled, because computed skew will be 3(3 - - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. \n This is a beta field and requires - the MinDomainsInPodTopologySpread feature gate to be enabled - (enabled by default)." + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). format: int32 type: integer nodeAffinityPolicy: - description: "NodeAffinityPolicy indicates how we will treat - Pod's nodeAffinity/nodeSelector when calculating pod topology - spread skew. Options are: - Honor: only nodes matching - nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes - are included in the calculations. \n If this value is - nil, the behavior is equivalent to the Honor policy. This - is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread - feature flag." + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. 
Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string nodeTaintsPolicy: - description: "NodeTaintsPolicy indicates how we will treat - node taints when calculating pod topology spread skew. - Options are: - Honor: nodes without taints, along with - tainted nodes for which the incoming pod has a toleration, - are included. - Ignore: node taints are ignored. All nodes - are included. \n If this value is nil, the behavior is - equivalent to the Ignore policy. This is a beta-level - feature default enabled by the NodeInclusionPolicyInPodTopologySpread - feature flag." + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string topologyKey: - description: TopologyKey is the key of node labels. Nodes - that have a label with this key and identical values are - considered to be in the same topology. We consider each - as a "bucket", and try to put balanced number - of pods into each bucket. We define a domain as a particular - instance of a topology. Also, we define an eligible domain - as a domain whose nodes meet the requirements of nodeAffinityPolicy - and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", - each Node is a domain of that topology. 
And, if TopologyKey - is "topology.kubernetes.io/zone", each zone is a domain - of that topology. It's a required field. + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal with - a pod if it doesn''t satisfy the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule - it. - ScheduleAnyway tells the scheduler to schedule the - pod in any location, but giving higher precedence to topologies - that would help reduce the skew. A constraint is considered - "Unsatisfiable" for an incoming pod if and only if every - possible node assignment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, MaxSkew - is set to 1, and pods with the same labelSelector spread - as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming - pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). - In other words, the cluster can still be imbalanced, but - scheduler won''t make it *more* imbalanced. It''s a required - field.' + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. 
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. type: string required: - maxSkew @@ -1575,19 +1491,18 @@ spec: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key included - here will override those in Set if specified on the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included here - will be overridden if present in InheritFromGateway and set - on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object role: 
@@ -1598,40 +1513,36 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object labels: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. 
+ Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object type: object 
@@ -1643,40 +1554,36 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object labels: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. 
+ Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object type: object 
@@ -1688,40 +1595,36 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object labels: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. 
+ Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object type: 
@@ -1741,40 +1644,36 @@ spec: description: Annotations are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. + Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object labels: description: Labels are applied to the created resource properties: inheritFromGateway: - description: InheritFromGateway lists the names/keys of annotations - or labels to copy from the Gateway resource. Any name/key - included here will override those in Set if specified on - the Gateway. + description: |- + InheritFromGateway lists the names/keys of annotations or labels to copy from the Gateway resource. + Any name/key included here will override those in Set if specified on the Gateway. items: type: string type: array set: additionalProperties: type: string - description: Set lists the names/keys and values of annotations - or labels to set on the resource. Any name/key included - here will be overridden if present in InheritFromGateway - and set on the Gateway. + description: |- + Set lists the names/keys and values of annotations or labels to set on the resource. 
+ Any name/key included here will be overridden if present in InheritFromGateway and set on the Gateway. type: object type: object type: object @@ -1785,8 +1684,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_gatewayclasses.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_gatewayclasses.yaml index ca2b05d062..9fbc9a9ecf 100644 --- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_gatewayclasses.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_gatewayclasses.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: gatewayclasses.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com 
@@ -27,28 +27,35 @@ spec: description: GatewayClass is the Schema for the Gateway Class API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controllerName: - description: ControllerName is the name of the Kubernetes controller + description: |- + ControllerName is the name of the Kubernetes controller that manages Gateways of this class type: string description: description: Description of GatewayClass type: string parametersRef: - description: ParametersRef refers to a resource responsible for configuring + description: |- + ParametersRef refers to a resource responsible for configuring the behavior of the GatewayClass. properties: group: 
@@ -78,8 +85,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_grpcroutes.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_grpcroutes.yaml index ff00bd86e5..e47505d0e9 100644 --- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_grpcroutes.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_grpcroutes.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: grpcroutes.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com 
@@ -37,45 +37,67 @@ spec: description: GRPCRoute is the Schema for the GRPC Route API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: "NOTE: this should align to the GAMMA/gateway-api version, - or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute - \n This is a Resource type." + description: |- + NOTE: this should align to the GAMMA/gateway-api version, or at least be + easily translatable. + + + https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + + + This is a Resource type. 
properties: hostnames: - description: "Hostnames are the hostnames for which this GRPCRoute - should respond to requests. \n This is only valid for north/south." + description: |- + Hostnames are the hostnames for which this GRPCRoute should respond to requests. + + + This is only valid for north/south. items: type: string type: array parentRefs: - description: "ParentRefs references the resources (usually Services) - that a Route wants to be attached to. \n It is invalid to reference - an identical parent more than once. It is valid to reference multiple - distinct sections within the same parent resource." + description: |- + ParentRefs references the resources (usually Services) that a Route wants + to be attached to. + + + It is invalid to reference an identical parent more than once. It is valid + to reference multiple distinct sections within the same parent resource. items: description: 'NOTE: roughly equivalent to structs.ResourceReference' properties: port: - description: "For east/west this is the name of the Consul Service - port to direct traffic to or empty to imply all. For north/south - this is TBD. \n For more details on potential values of this - field, see documentation for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply all. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: - description: For east/west configuration, this should point - to a Service. For north/south it should point to a Gateway. + description: |- + For east/west configuration, this should point to a Service. + For north/south it should point to a Gateway. properties: name: description: Name is the user-given name of the resource 
@@ -86,36 +108,41 @@ spec: the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units (i.e. - partition, namespace) in which the resource resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources within - a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. "catalog", - "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). type: string groupVersion: - description: GroupVersion is incremented when sweeping - or backward-incompatible changes are made to the group's - resource types. 
+ description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes + are made to the group's resource types. type: string kind: description: Kind identifies the specific resource type 
@@ -130,22 +157,31 @@ spec: items: properties: backendRefs: - description: "BackendRefs defines the backend(s) where matching - requests should be sent. Failure behavior here depends on - how many BackendRefs are specified and how many are invalid. - \n If all entries in BackendRefs are invalid, and there are - also no filters specified in this route rule, all traffic - which matches this rule MUST receive a 500 status code. \n - See the GRPCBackendRef definition for the rules about what - makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef - is invalid, 500 status codes MUST be returned for requests - that would have otherwise been routed to an invalid backend. - If multiple backends are specified, and some are invalid, - the proportion of requests that would otherwise have been - routed to an invalid backend MUST receive a 500 status code. - \n For example, if two backends are specified with equal weights, - and one is invalid, 50 percent of traffic must receive a 500. - Implementations may choose how that 50 percent is determined." + description: |- + BackendRefs defines the backend(s) where matching requests should be sent. + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If all entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, all traffic which matches this rule MUST + receive a 500 status code. + + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + + When a GRPCBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend MUST + receive a 500 status code. 
+ + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. items: properties: backendRef: @@ -153,12 +189,14 @@ spec: datacenter: type: string port: - description: "For east/west this is the name of the - Consul Service port to direct traffic to or empty - to imply using the same value as the parent ref. - For north/south this is TBD. \n For more details - on potential values of this field, see documentation - for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply using the same value as the parent ref. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: description: For east/west configuration, this should 
@@ -173,36 +211,40 @@ spec: the resource the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units - (i.e. partition, namespace) in which the resource - resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources - within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. - "catalog", "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). 
type: string groupVersion: - description: GroupVersion is incremented when - sweeping or backward-incompatible changes + description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes are made to the group's resource types. type: string kind: @@ -213,20 +255,20 @@ spec: type: object type: object filters: - description: Filters defined at this level should be executed - if and only if the request is being forwarded to the - backend defined here. + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. items: properties: requestHeaderModifier: - description: RequestHeaderModifier defines a schema - for a filter that modifies request headers. + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. properties: add: - description: Add adds the given header(s) (name, - value) to the request before the action. It - appends to any existing values associated - with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: 
@@ -236,17 +278,17 @@ spec: type: object type: array remove: - description: Remove the given header(s) from - the HTTP request before the action. The value - of Remove is a list of HTTP header names. - Note that the header names are case-insensitive - (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with - the given header (name, value) before the + description: |- + Set overwrites the request with the given header (name, value) before the action. items: properties: @@ -258,14 +300,14 @@ spec: type: array type: object responseHeaderModifier: - description: ResponseHeaderModifier defines a schema - for a filter that modifies response headers. + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies + response headers. properties: add: - description: Add adds the given header(s) (name, - value) to the request before the action. It - appends to any existing values associated - with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: 
@@ -275,17 +317,17 @@ spec: type: object type: array remove: - description: Remove the given header(s) from - the HTTP request before the action. The value - of Remove is a list of HTTP header names. - Note that the header names are case-insensitive - (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with - the given header (name, value) before the + description: |- + Set overwrites the request with the given header (name, value) before the action. items: properties: @@ -297,8 +339,9 @@ spec: type: array type: object urlRewrite: - description: URLRewrite defines a schema for a filter - that modifies a request during forwarding. + description: |- + URLRewrite defines a schema for a filter that modifies a request during + forwarding. properties: pathPrefix: type: string 
@@ -306,18 +349,19 @@ spec: type: object type: array weight: - description: "Weight specifies the proportion of requests - forwarded to the referenced backend. This is computed - as weight/(sum of all weights in this BackendRefs list). - For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision - an implementation supports. Weight is not a percentage - and the sum of weights does not need to equal 100. \n - If only one backend is specified and it has a weight - greater than 0, 100% of the traffic is forwarded to - that backend. If weight is set to 0, no traffic should - be forwarded for this entry. If unspecified, weight - defaults to 1." + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from the + exact proportion defined here depending on the precision an implementation + supports. Weight is not a percentage and the sum of weights does not need + to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight defaults + to 1. format: int32 type: integer type: object 
@@ -326,13 +370,14 @@ spec: items: properties: requestHeaderModifier: - description: RequestHeaderModifier defines a schema for - a filter that modifies request headers. + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. properties: add: - description: Add adds the given header(s) (name, value) - to the request before the action. It appends to - any existing values associated with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: @@ -342,16 +387,18 @@ spec: type: object type: array remove: - description: Remove the given header(s) from the HTTP - request before the action. The value of Remove is - a list of HTTP header names. Note that the header - names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with the given - header (name, value) before the action. + description: |- + Set overwrites the request with the given header (name, value) before the + action. items: properties: name: 
@@ -362,13 +409,14 @@ spec: type: array type: object responseHeaderModifier: - description: ResponseHeaderModifier defines a schema for - a filter that modifies response headers. + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies + response headers. properties: add: - description: Add adds the given header(s) (name, value) - to the request before the action. It appends to - any existing values associated with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: @@ -378,16 +426,18 @@ spec: type: object type: array remove: - description: Remove the given header(s) from the HTTP - request before the action. The value of Remove is - a list of HTTP header names. Note that the header - names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with the given - header (name, value) before the action. + description: |- + Set overwrites the request with the given header (name, value) before the + action. items: properties: name: @@ -398,8 +448,9 @@ spec: type: array type: object urlRewrite: - description: URLRewrite defines a schema for a filter - that modifies a request during forwarding. + description: |- + URLRewrite defines a schema for a filter that modifies a request during + forwarding. properties: pathPrefix: type: string 
@@ -410,24 +461,27 @@ spec: items: properties: headers: - description: Headers specifies gRPC request header matchers. - Multiple match values are ANDed together, meaning, a - request MUST match all the specified headers to select - the route. + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers to + select the route. items: properties: name: type: string type: - description: "HeaderMatchType specifies the semantics - of how HTTP header values should be compared. - Valid HeaderMatchType values, along with their - conformance levels, are: \n Note that values may - be added to this enum, implementations must ensure - that unknown values will not cause a crash. \n - Unknown values here must result in the implementation - setting the Accepted Condition for the Route to - status: False, with a Reason of UnsupportedValue." + description: |- + HeaderMatchType specifies the semantics of how HTTP header values should be + compared. Valid HeaderMatchType values, along with their conformance levels, + are: + + + Note that values may be added to this enum, implementations must ensure that + unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the Accepted + Condition for the Route to status: False, with a Reason of UnsupportedValue. enum: - HEADER_MATCH_TYPE_UNSPECIFIED - HEADER_MATCH_TYPE_EXACT 
@@ -442,26 +496,30 @@ spec: type: object type: array method: - description: Method specifies a gRPC request service/method - matcher. If this field is not specified, all services - and methods will match. + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. properties: method: - description: "Value of the method to match against. - If left empty or omitted, will match all services. - \n At least one of Service and Method MUST be a - non-empty string.}" + description: |- + Value of the method to match against. If left empty or omitted, will match + all services. + + + At least one of Service and Method MUST be a non-empty string.} type: string service: - description: "Value of the service to match against. - If left empty or omitted, will match any service. - \n At least one of Service and Method MUST be a - non-empty string." + description: |- + Value of the service to match against. If left empty or omitted, will + match any service. + + + At least one of Service and Method MUST be a non-empty string. type: string type: - description: 'Type specifies how to match against - the service and/or method. Support: Core (Exact - with service and method specified)' + description: |- + Type specifies how to match against the service and/or method. Support: + Core (Exact with service and method specified) enum: - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED - GRPC_METHOD_MATCH_TYPE_EXACT @@ -474,8 +532,9 @@ spec: retries: properties: number: - description: Number is the number of times to retry the - request when a retryable result occurs. + description: |- + Number is the number of times to retry the request when a retryable + result occurs. properties: value: description: The uint32 value. 
@@ -483,27 +542,30 @@ spec: type: integer type: object onConditions: - description: RetryOn allows setting envoy specific conditions - when a request should be automatically retried. + description: |- + RetryOn allows setting envoy specific conditions when a request should + be automatically retried. items: type: string type: array onConnectFailure: - description: RetryOnConnectFailure allows for connection - failure errors to trigger a retry. + description: |- + RetryOnConnectFailure allows for connection failure errors to trigger a + retry. type: boolean onStatusCodes: - description: RetryOnStatusCodes is a flat list of http response - status codes that are eligible for retry. This again should - be feasible in any reasonable proxy. + description: |- + RetryOnStatusCodes is a flat list of http response status codes that are + eligible for retry. This again should be feasible in any reasonable proxy. items: format: int32 type: integer type: array type: object timeouts: - description: HTTPRouteTimeouts defines timeouts that can be - configured for an HTTPRoute or GRPCRoute. + description: |- + HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute + or GRPCRoute. properties: idle: description: Idle specifies the total amount of time permitted 
@@ -511,44 +573,44 @@ spec: format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object request: - description: RequestTimeout is the total amount of time - permitted for the entire downstream request (and retries) - to be processed. + description: |- + RequestTimeout is the total amount of time permitted for the entire + downstream request (and retries) to be processed. format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. 
For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object @@ -562,8 +624,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_httproutes.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_httproutes.yaml index ae41db0016..430c470adc 100644 
--- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_httproutes.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_httproutes.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: httproutes.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com 
@@ -37,45 +37,67 @@ spec: description: HTTPRoute is the Schema for the HTTP Route API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: "NOTE: this should align to the GAMMA/gateway-api version, - or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute - \n This is a Resource type." + description: |- + NOTE: this should align to the GAMMA/gateway-api version, or at least be + easily translatable. + + + https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + + + This is a Resource type. 
properties: hostnames: - description: "Hostnames are the hostnames for which this HTTPRoute - should respond to requests. \n This is only valid for north/south." + description: |- + Hostnames are the hostnames for which this HTTPRoute should respond to requests. + + + This is only valid for north/south. items: type: string type: array parentRefs: - description: "ParentRefs references the resources (usually Services) - that a Route wants to be attached to. \n It is invalid to reference - an identical parent more than once. It is valid to reference multiple - distinct sections within the same parent resource." + description: |- + ParentRefs references the resources (usually Services) that a Route wants + to be attached to. + + + It is invalid to reference an identical parent more than once. It is valid + to reference multiple distinct sections within the same parent resource. items: description: 'NOTE: roughly equivalent to structs.ResourceReference' properties: port: - description: "For east/west this is the name of the Consul Service - port to direct traffic to or empty to imply all. For north/south - this is TBD. \n For more details on potential values of this - field, see documentation for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply all. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: - description: For east/west configuration, this should point - to a Service. For north/south it should point to a Gateway. + description: |- + For east/west configuration, this should point to a Service. + For north/south it should point to a Gateway. properties: name: description: Name is the user-given name of the resource 
@@ -86,36 +108,41 @@ spec: the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units (i.e. - partition, namespace) in which the resource resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources within - a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. "catalog", - "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). type: string groupVersion: - description: GroupVersion is incremented when sweeping - or backward-incompatible changes are made to the group's - resource types. 
+ description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes + are made to the group's resource types. type: string kind: description: Kind identifies the specific resource type 
@@ -126,29 +153,42 @@ spec: type: object type: array rules: - description: Rules are a list of HTTP-based routing rules that this - route should use for constructing a routing table. + description: |- + Rules are a list of HTTP-based routing rules that this route should + use for constructing a routing table. items: - description: HTTPRouteRule specifies the routing rules used to determine - what upstream service an HTTP request is routed to. + description: |- + HTTPRouteRule specifies the routing rules used to determine what upstream + service an HTTP request is routed to. properties: backendRefs: - description: "BackendRefs defines the backend(s) where matching - requests should be sent. \n Failure behavior here depends - on how many BackendRefs are specified and how many are invalid. - \n If all entries in BackendRefs are invalid, and there are - also no filters specified in this route rule, all traffic - which matches this rule MUST receive a 500 status code. \n - See the HTTPBackendRef definition for the rules about what - makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef - is invalid, 500 status codes MUST be returned for requests - that would have otherwise been routed to an invalid backend. - If multiple backends are specified, and some are invalid, - the proportion of requests that would otherwise have been - routed to an invalid backend MUST receive a 500 status code. - \n For example, if two backends are specified with equal weights, - and one is invalid, 50 percent of traffic must receive a 500. - Implementations may choose how that 50 percent is determined." + description: |- + BackendRefs defines the backend(s) where matching requests should be sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If all entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, all traffic which matches this rule MUST + receive a 500 status code. 
+ + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend MUST + receive a 500 status code. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. items: properties: backendRef: @@ -156,12 +196,14 @@ spec: datacenter: type: string port: - description: "For east/west this is the name of the - Consul Service port to direct traffic to or empty - to imply using the same value as the parent ref. - For north/south this is TBD. \n For more details - on potential values of this field, see documentation - for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply using the same value as the parent ref. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: description: For east/west configuration, this should 
@@ -176,36 +218,40 @@ spec: the resource the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units - (i.e. partition, namespace) in which the resource - resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources - within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. - "catalog", "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). 
type: string groupVersion: - description: GroupVersion is incremented when - sweeping or backward-incompatible changes + description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes are made to the group's resource types. type: string kind: @@ -216,20 +262,20 @@ spec: type: object type: object filters: - description: Filters defined at this level should be executed - if and only if the request is being forwarded to the - backend defined here. + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. items: properties: requestHeaderModifier: - description: RequestHeaderModifier defines a schema - for a filter that modifies request headers. + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. properties: add: - description: Add adds the given header(s) (name, - value) to the request before the action. It - appends to any existing values associated - with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: 
@@ -239,17 +285,17 @@ spec: type: object type: array remove: - description: Remove the given header(s) from - the HTTP request before the action. The value - of Remove is a list of HTTP header names. - Note that the header names are case-insensitive - (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with - the given header (name, value) before the + description: |- + Set overwrites the request with the given header (name, value) before the action. items: properties: @@ -261,14 +307,14 @@ spec: type: array type: object responseHeaderModifier: - description: ResponseHeaderModifier defines a schema - for a filter that modifies response headers. + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies + response headers. properties: add: - description: Add adds the given header(s) (name, - value) to the request before the action. It - appends to any existing values associated - with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: 
@@ -278,17 +324,17 @@ spec: type: object type: array remove: - description: Remove the given header(s) from - the HTTP request before the action. The value - of Remove is a list of HTTP header names. - Note that the header names are case-insensitive - (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with - the given header (name, value) before the + description: |- + Set overwrites the request with the given header (name, value) before the action. items: properties: @@ -300,8 +346,9 @@ spec: type: array type: object urlRewrite: - description: URLRewrite defines a schema for a filter - that modifies a request during forwarding. + description: |- + URLRewrite defines a schema for a filter that modifies a request during + forwarding. properties: pathPrefix: type: string 
@@ -309,18 +356,19 @@ spec: type: object type: array weight: - description: "Weight specifies the proportion of requests - forwarded to the referenced backend. This is computed - as weight/(sum of all weights in this BackendRefs list). - For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision - an implementation supports. Weight is not a percentage - and the sum of weights does not need to equal 100. \n - If only one backend is specified and it has a weight - greater than 0, 100% of the traffic is forwarded to - that backend. If weight is set to 0, no traffic should - be forwarded for this entry. If unspecified, weight - defaults to 1." + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from the + exact proportion defined here depending on the precision an implementation + supports. Weight is not a percentage and the sum of weights does not need + to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight defaults + to 1. format: int32 type: integer type: object 
@@ -329,13 +377,14 @@ spec: items: properties: requestHeaderModifier: - description: RequestHeaderModifier defines a schema for - a filter that modifies request headers. + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. properties: add: - description: Add adds the given header(s) (name, value) - to the request before the action. It appends to - any existing values associated with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: @@ -345,16 +394,18 @@ spec: type: object type: array remove: - description: Remove the given header(s) from the HTTP - request before the action. The value of Remove is - a list of HTTP header names. Note that the header - names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with the given - header (name, value) before the action. + description: |- + Set overwrites the request with the given header (name, value) before the + action. items: properties: name: 
@@ -365,13 +416,14 @@ spec: type: array type: object responseHeaderModifier: - description: ResponseHeaderModifier defines a schema for - a filter that modifies response headers. + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies + response headers. properties: add: - description: Add adds the given header(s) (name, value) - to the request before the action. It appends to - any existing values associated with the header name. + description: |- + Add adds the given header(s) (name, value) to the request before the + action. It appends to any existing values associated with the header name. items: properties: name: @@ -381,16 +433,18 @@ spec: type: object type: array remove: - description: Remove the given header(s) from the HTTP - request before the action. The value of Remove is - a list of HTTP header names. Note that the header - names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header names + are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). items: type: string type: array set: - description: Set overwrites the request with the given - header (name, value) before the action. + description: |- + Set overwrites the request with the given header (name, value) before the + action. items: properties: name: @@ -401,8 +455,9 @@ spec: type: array type: object urlRewrite: - description: URLRewrite defines a schema for a filter - that modifies a request during forwarding. + description: |- + URLRewrite defines a schema for a filter that modifies a request during + forwarding. properties: pathPrefix: type: string 
@@ -413,10 +468,10 @@ spec: items: properties: headers: - description: Headers specifies HTTP request header matchers. - Multiple match values are ANDed together, meaning, a - request must match all the specified headers to select - the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers to + select the route. items: properties: invert: 
@@ -424,21 +479,23 @@ spec: compat' type: boolean name: - description: "Name is the name of the HTTP Header - to be matched. Name matching MUST be case insensitive. - (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent header - names, only the first entry with an equivalent - name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be - ignored. Due to the case-insensitivity of header - names, “foo” and “Foo” are considered equivalent. - \n When a header is repeated in an HTTP request, - it is implementation-specific behavior as to how - this is represented. Generally, proxies should - follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, with special - handling for “Set-Cookie”." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first entry + with an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, “foo” and “Foo” are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. Generally, + proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for “Set-Cookie”. type: string type: description: Type specifies how to match against 
@@ -459,14 +516,14 @@ spec: type: object type: array method: - description: Method specifies HTTP method matcher. When - specified, this route will be matched only if the request - has the specified method. + description: |- + Method specifies HTTP method matcher. When specified, this route will be + matched only if the request has the specified method. type: string path: - description: Path specifies a HTTP request path matcher. - If this field is not specified, a default prefix match - on the “/” path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the “/” path is provided. properties: type: description: Type specifies how to match against the 
@@ -483,31 +540,33 @@ spec: type: string type: object queryParams: - description: QueryParams specifies HTTP query parameter - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified query + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match values + are ANDed together, meaning, a request must match all the specified query parameters to select the route. items: properties: name: - description: "Name is the name of the HTTP query - param to be matched. This must be an exact string - match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent query - param names, only the first entry with an equivalent - name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST - be ignored. \n If a query param is repeated in - an HTTP request, the behavior is purposely left - undefined, since different data planes have different - capabilities. However, it is recommended that - implementations should match against the first - value of the param if the data plane supports - it, as this behavior is expected in other load - balancing contexts outside of the Gateway API. - \n Users SHOULD NOT route traffic based on repeated - query params to guard themselves against potential - differences in the implementations." + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is purposely + left undefined, since different data planes have different capabilities. 
+ However, it is recommended that implementations should match against the + first value of the param if the data plane supports it, as this behavior + is expected in other load balancing contexts outside of the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. type: string type: description: Type specifies how to match against @@ -530,8 +589,9 @@ spec: retries: properties: number: - description: Number is the number of times to retry the - request when a retryable result occurs. + description: |- + Number is the number of times to retry the request when a retryable + result occurs. properties: value: description: The uint32 value. 
@@ -539,27 +599,30 @@ spec: type: integer type: object onConditions: - description: RetryOn allows setting envoy specific conditions - when a request should be automatically retried. + description: |- + RetryOn allows setting envoy specific conditions when a request should + be automatically retried. items: type: string type: array onConnectFailure: - description: RetryOnConnectFailure allows for connection - failure errors to trigger a retry. + description: |- + RetryOnConnectFailure allows for connection failure errors to trigger a + retry. type: boolean onStatusCodes: - description: RetryOnStatusCodes is a flat list of http response - status codes that are eligible for retry. This again should - be feasible in any reasonable proxy. + description: |- + RetryOnStatusCodes is a flat list of http response status codes that are + eligible for retry. This again should be feasible in any reasonable proxy. items: format: int32 type: integer type: array type: object timeouts: - description: HTTPRouteTimeouts defines timeouts that can be - configured for an HTTPRoute or GRPCRoute. + description: |- + HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute + or GRPCRoute. properties: idle: description: Idle specifies the total amount of time permitted 
@@ -567,44 +630,44 @@ spec: format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object request: - description: RequestTimeout is the total amount of time - permitted for the entire downstream request (and retries) - to be processed. + description: |- + RequestTimeout is the total amount of time permitted for the entire + downstream request (and retries) to be processed. format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. 
For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object @@ -618,8 +681,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshconfigurations.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshconfigurations.yaml index eb044ecb6c..a98b94ca6e 100644 
--- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshconfigurations.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshconfigurations.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshconfigurations.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com 
@@ -35,20 +35,26 @@ spec: description: MeshConfiguration is the Schema for the Mesh Configuration properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: MeshConfiguration is responsible for configuring the default - behavior of Mesh Gateways. This is a Resource type. + description: |- + MeshConfiguration is responsible for configuring the default behavior of Mesh Gateways. + This is a Resource type. type: object status: properties: 
@@ -56,8 +62,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshgateways.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshgateways.yaml index 47f2fcfba8..0dca07f3c4 100644 --- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshgateways.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshgateways.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshgateways.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com 
@@ -35,14 +35,19 @@ spec: description: MeshGateway is the Schema for the Mesh Gateway API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -90,8 +95,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_proxyconfigurations.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_proxyconfigurations.yaml index 4a505adeb9..7fc7a22d2b 100644 --- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_proxyconfigurations.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_proxyconfigurations.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: proxyconfigurations.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com 
@@ -37,14 +37,19 @@ spec: description: ProxyConfiguration is the Schema for the TCP Routes API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,7 +57,8 @@ spec: description: This is a Resource type. properties: bootstrapConfig: - description: bootstrap_config is the configuration that requires proxies + description: |- + bootstrap_config is the configuration that requires proxies to be restarted to be applied. properties: dogstatsdUrl: 
@@ -87,7 +93,8 @@ spec: type: string type: object dynamicConfig: - description: dynamic_config is the configuration that could be changed + description: |- + dynamic_config is the configuration that could be changed dynamically (i.e. without needing restart). properties: accessLogs: @@ -95,17 +102,17 @@ spec: access logs properties: disableListenerLogs: - description: DisableListenerLogs turns off just listener logs - for connections rejected by Envoy because they don't have - a matching listener filter. + description: |- + DisableListenerLogs turns off just listener logs for connections rejected by Envoy because they don't + have a matching listener filter. type: boolean enabled: description: Enabled turns off all access logging type: boolean jsonFormat: - description: The presence of one format string or the other - implies the access log string encoding. Defining both is - invalid. + description: |- + The presence of one format string or the other implies the access log string encoding. + Defining both is invalid. type: string path: description: Path is the output file to write logs 
@@ -169,122 +176,130 @@ spec: properties: connectTimeout: description: "A Duration represents a signed, fixed-length - span of time represented as a count of seconds and fractions - of seconds at nanosecond resolution. It is independent - of any calendar and concepts like \"day\" or \"month\". - It is related to Timestamp in that the difference between - two Timestamp values is a Duration and it can be added - or subtracted from a Timestamp. Range is approximately - +-10,000 years. \n # Examples \n Example 1: Compute Duration - from two Timestamps in pseudo code. \n Timestamp start - = ...; Timestamp end = ...; Duration duration = ...; \n - duration.seconds = end.seconds - start.seconds; duration.nanos - = end.nanos - start.nanos; \n if (duration.seconds < 0 - && duration.nanos > 0) { duration.seconds += 1; duration.nanos - -= 1000000000; } else if (duration.seconds > 0 && duration.nanos - < 0) { duration.seconds -= 1; duration.nanos += 1000000000; - } \n Example 2: Compute Timestamp from Timestamp + Duration - in pseudo code. \n Timestamp start = ...; Duration duration - = ...; Timestamp end = ...; \n end.seconds = start.seconds - + duration.seconds; end.nanos = start.nanos + duration.nanos; - \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += - 1000000000; } else if (end.nanos >= 1000000000) { end.seconds - += 1; end.nanos -= 1000000000; } \n Example 3: Compute - Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, - minutes=10) duration = Duration() duration.FromTimedelta(td) - \n # JSON Mapping \n In JSON format, the Duration type - is encoded as a string rather than an object, where the - string ends in the suffix \"s\" (indicating seconds) and - is preceded by the number of seconds, with nanoseconds - expressed as fractional seconds. 
For example, 3 seconds - with 0 nanoseconds should be encoded in JSON format as - \"3s\", while 3 seconds and 1 nanosecond should be expressed - in JSON format as \"3.000000001s\", and 3 seconds and - 1 microsecond should be expressed in JSON format as \"3.000001s\"." + span of time represented\nas a count of seconds and fractions + of seconds at nanosecond\nresolution. It is independent + of any calendar and concepts like \"day\"\nor \"month\". + It is related to Timestamp in that the difference between\ntwo + Timestamp values is a Duration and it can be added or + subtracted\nfrom a Timestamp. Range is approximately +-10,000 + years.\n\n\n# Examples\n\n\nExample 1: Compute Duration + from two Timestamps in pseudo code.\n\n\n\tTimestamp start + = ...;\n\tTimestamp end = ...;\n\tDuration duration = + ...;\n\n\n\tduration.seconds = end.seconds - start.seconds;\n\tduration.nanos + = end.nanos - start.nanos;\n\n\n\tif (duration.seconds + < 0 && duration.nanos > 0) {\n\t duration.seconds += + 1;\n\t duration.nanos -= 1000000000;\n\t} else if (duration.seconds + > 0 && duration.nanos < 0) {\n\t duration.seconds -= + 1;\n\t duration.nanos += 1000000000;\n\t}\n\n\nExample + 2: Compute Timestamp from Timestamp + Duration in pseudo + code.\n\n\n\tTimestamp start = ...;\n\tDuration duration + = ...;\n\tTimestamp end = ...;\n\n\n\tend.seconds = start.seconds + + duration.seconds;\n\tend.nanos = start.nanos + duration.nanos;\n\n\n\tif + (end.nanos < 0) {\n\t end.seconds -= 1;\n\t end.nanos + += 1000000000;\n\t} else if (end.nanos >= 1000000000) + {\n\t end.seconds += 1;\n\t end.nanos -= 1000000000;\n\t}\n\n\nExample + 3: Compute Duration from datetime.timedelta in Python.\n\n\n\ttd + = datetime.timedelta(days=3, minutes=10)\n\tduration = + Duration()\n\tduration.FromTimedelta(td)\n\n\n# JSON Mapping\n\n\nIn + JSON format, the Duration type is encoded as a string + rather than an\nobject, where the string ends in the suffix + \"s\" (indicating seconds) and\nis preceded by the 
number + of seconds, with nanoseconds expressed as\nfractional + seconds. For example, 3 seconds with 0 nanoseconds should + be\nencoded in JSON format as \"3s\", while 3 seconds + and 1 nanosecond should\nbe expressed in JSON format as + \"3.000000001s\", and 3 seconds and 1\nmicrosecond should + be expressed in JSON format as \"3.000001s\"." format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object requestTimeout: description: "A Duration represents a signed, fixed-length - span of time represented as a count of seconds and fractions - of seconds at nanosecond resolution. It is independent - of any calendar and concepts like \"day\" or \"month\". 
- It is related to Timestamp in that the difference between - two Timestamp values is a Duration and it can be added - or subtracted from a Timestamp. Range is approximately - +-10,000 years. \n # Examples \n Example 1: Compute Duration - from two Timestamps in pseudo code. \n Timestamp start - = ...; Timestamp end = ...; Duration duration = ...; \n - duration.seconds = end.seconds - start.seconds; duration.nanos - = end.nanos - start.nanos; \n if (duration.seconds < 0 - && duration.nanos > 0) { duration.seconds += 1; duration.nanos - -= 1000000000; } else if (duration.seconds > 0 && duration.nanos - < 0) { duration.seconds -= 1; duration.nanos += 1000000000; - } \n Example 2: Compute Timestamp from Timestamp + Duration - in pseudo code. \n Timestamp start = ...; Duration duration - = ...; Timestamp end = ...; \n end.seconds = start.seconds - + duration.seconds; end.nanos = start.nanos + duration.nanos; - \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += - 1000000000; } else if (end.nanos >= 1000000000) { end.seconds - += 1; end.nanos -= 1000000000; } \n Example 3: Compute - Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, - minutes=10) duration = Duration() duration.FromTimedelta(td) - \n # JSON Mapping \n In JSON format, the Duration type - is encoded as a string rather than an object, where the - string ends in the suffix \"s\" (indicating seconds) and - is preceded by the number of seconds, with nanoseconds - expressed as fractional seconds. For example, 3 seconds - with 0 nanoseconds should be encoded in JSON format as - \"3s\", while 3 seconds and 1 nanosecond should be expressed - in JSON format as \"3.000000001s\", and 3 seconds and - 1 microsecond should be expressed in JSON format as \"3.000001s\"." + span of time represented\nas a count of seconds and fractions + of seconds at nanosecond\nresolution. It is independent + of any calendar and concepts like \"day\"\nor \"month\". 
+ It is related to Timestamp in that the difference between\ntwo + Timestamp values is a Duration and it can be added or + subtracted\nfrom a Timestamp. Range is approximately +-10,000 + years.\n\n\n# Examples\n\n\nExample 1: Compute Duration + from two Timestamps in pseudo code.\n\n\n\tTimestamp start + = ...;\n\tTimestamp end = ...;\n\tDuration duration = + ...;\n\n\n\tduration.seconds = end.seconds - start.seconds;\n\tduration.nanos + = end.nanos - start.nanos;\n\n\n\tif (duration.seconds + < 0 && duration.nanos > 0) {\n\t duration.seconds += + 1;\n\t duration.nanos -= 1000000000;\n\t} else if (duration.seconds + > 0 && duration.nanos < 0) {\n\t duration.seconds -= + 1;\n\t duration.nanos += 1000000000;\n\t}\n\n\nExample + 2: Compute Timestamp from Timestamp + Duration in pseudo + code.\n\n\n\tTimestamp start = ...;\n\tDuration duration + = ...;\n\tTimestamp end = ...;\n\n\n\tend.seconds = start.seconds + + duration.seconds;\n\tend.nanos = start.nanos + duration.nanos;\n\n\n\tif + (end.nanos < 0) {\n\t end.seconds -= 1;\n\t end.nanos + += 1000000000;\n\t} else if (end.nanos >= 1000000000) + {\n\t end.seconds += 1;\n\t end.nanos -= 1000000000;\n\t}\n\n\nExample + 3: Compute Duration from datetime.timedelta in Python.\n\n\n\ttd + = datetime.timedelta(days=3, minutes=10)\n\tduration = + Duration()\n\tduration.FromTimedelta(td)\n\n\n# JSON Mapping\n\n\nIn + JSON format, the Duration type is encoded as a string + rather than an\nobject, where the string ends in the suffix + \"s\" (indicating seconds) and\nis preceded by the number + of seconds, with nanoseconds expressed as\nfractional + seconds. For example, 3 seconds with 0 nanoseconds should + be\nencoded in JSON format as \"3s\", while 3 seconds + and 1 nanosecond should\nbe expressed in JSON format as + \"3.000000001s\", and 3 seconds and 1\nmicrosecond should + be expressed in JSON format as \"3.000001s\"." 
format: duration properties: nanos: - description: Signed fractions of a second at nanosecond - resolution of the span of time. Durations less than - one second are represented with a 0 `seconds` field - and a positive or negative `nanos` field. For durations - of one second or more, a non-zero value for the `nanos` - field must be of the same sign as the `seconds` field. - Must be from -999,999,999 to +999,999,999 inclusive. + description: |- + Signed fractions of a second at nanosecond resolution of the span + of time. Durations less than one second are represented with a 0 + `seconds` field and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` field must be + of the same sign as the `seconds` field. Must be from -999,999,999 + to +999,999,999 inclusive. format: int32 type: integer seconds: - description: 'Signed seconds of the span of time. Must - be from -315,576,000,000 to +315,576,000,000 inclusive. - Note: these bounds are computed from: 60 sec/min * - 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + description: |- + Signed seconds of the span of time. Must be from -315,576,000,000 + to +315,576,000,000 inclusive. Note: these bounds are computed from: + 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years format: int64 type: integer type: object type: object - description: local_connection is the configuration that should - be used to connect to the local application provided per-port. + description: |- + local_connection is the configuration that should be used + to connect to the local application provided per-port. The map keys should correspond to port names on the workload. type: object localWorkloadAddress: - description: "deprecated: local_workload_address, local_workload_port, - and local_workload_socket_path are deprecated and are only needed - for migration of existing resources. \n Deprecated: Marked as - deprecated in pbmesh/v2beta1/proxy_configuration.proto." 
+ description: |- + deprecated: + local_workload_address, local_workload_port, and local_workload_socket_path + are deprecated and are only needed for migration of existing resources. + + + Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto. type: string localWorkloadPort: description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' @@ -322,26 +337,31 @@ spec: transparentProxy: properties: dialedDirectly: - description: dialed_directly indicates whether this proxy - should be dialed using original destination IP in the connection - rather than load balance between all endpoints. + description: |- + dialed_directly indicates whether this proxy should be dialed using original destination IP + in the connection rather than load balance between all endpoints. type: boolean outboundListenerPort: - description: outbound_listener_port is the port for the proxy's - outbound listener. This defaults to 15001. + description: |- + outbound_listener_port is the port for the proxy's outbound listener. + This defaults to 15001. format: int32 type: integer type: object type: object opaqueConfig: - description: "deprecated: prevent usage when using v2 APIs directly. - needed for backwards compatibility \n Deprecated: Marked as deprecated - in pbmesh/v2beta1/proxy_configuration.proto." + description: |- + deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility + + + Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto. type: object x-kubernetes-preserve-unknown-fields: true workloads: - description: Selection of workloads this proxy configuration should - apply to. These can be prefixes or specific workload names. + description: |- + Selection of workloads this proxy configuration should apply to. + These can be prefixes or specific workload names. properties: filter: type: string 
@@ -361,8 +381,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_tcproutes.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_tcproutes.yaml index dbfb0c9b20..4509f1acce 100644 --- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_tcproutes.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_tcproutes.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: tcproutes.mesh.consul.hashicorp.com spec: group: mesh.consul.hashicorp.com 
@@ -37,39 +37,58 @@ spec: description: TCPRoute is the Schema for the TCP Route API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: "NOTE: this should align to the GAMMA/gateway-api version, - or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute - \n This is a Resource type." + description: |- + NOTE: this should align to the GAMMA/gateway-api version, or at least be + easily translatable. + + + https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + + + This is a Resource type. 
properties: parentRefs: - description: "ParentRefs references the resources (usually Services) - that a Route wants to be attached to. \n It is invalid to reference - an identical parent more than once. It is valid to reference multiple - distinct sections within the same parent resource." + description: |- + ParentRefs references the resources (usually Services) that a Route wants + to be attached to. + + + It is invalid to reference an identical parent more than once. It is valid + to reference multiple distinct sections within the same parent resource. items: description: 'NOTE: roughly equivalent to structs.ResourceReference' properties: port: - description: "For east/west this is the name of the Consul Service - port to direct traffic to or empty to imply all. For north/south - this is TBD. \n For more details on potential values of this - field, see documentation for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply all. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: - description: For east/west configuration, this should point - to a Service. For north/south it should point to a Gateway. + description: |- + For east/west configuration, this should point to a Service. + For north/south it should point to a Gateway. properties: name: description: Name is the user-given name of the resource 
@@ -80,36 +99,41 @@ spec: the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units (i.e. - partition, namespace) in which the resource resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources within - a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, provide - the wildcard value \"*\" to list resources across - all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. "catalog", - "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). type: string groupVersion: - description: GroupVersion is incremented when sweeping - or backward-incompatible changes are made to the group's - resource types. 
+ description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes + are made to the group's resource types. type: string kind: description: Kind identifies the specific resource type @@ -124,13 +148,13 @@ spec: items: properties: backendRefs: - description: BackendRefs defines the backend(s) where matching - requests should be sent. If unspecified or invalid (refers - to a non-existent resource or a Service with no endpoints), - the underlying implementation MUST actively reject connection - attempts to this backend. Connection rejections must respect - weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. + description: |- + BackendRefs defines the backend(s) where matching requests should be sent. + If unspecified or invalid (refers to a non-existent resource or a Service + with no endpoints), the underlying implementation MUST actively reject + connection attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of connections, + then 80% of connections must be rejected instead. items: properties: backendRef: @@ -138,12 +162,14 @@ spec: datacenter: type: string port: - description: "For east/west this is the name of the - Consul Service port to direct traffic to or empty - to imply using the same value as the parent ref. - For north/south this is TBD. \n For more details - on potential values of this field, see documentation - for Service.ServicePort." + description: |- + For east/west this is the name of the Consul Service port to direct traffic to + or empty to imply using the same value as the parent ref. + For north/south this is TBD. + + + For more details on potential values of this field, see documentation for + Service.ServicePort. type: string ref: description: For east/west configuration, this should 
@@ -158,36 +184,40 @@ spec: the resource the condition relates to. type: string tenancy: - description: Tenancy identifies the tenancy units - (i.e. partition, namespace) in which the resource - resides. + description: |- + Tenancy identifies the tenancy units (i.e. partition, namespace) in which + the resource resides. properties: namespace: - description: "Namespace further isolates resources - within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all namespaces." + description: |- + Namespace further isolates resources within a partition. + https://developer.hashicorp.com/consul/docs/enterprise/namespaces + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all namespaces. type: string partition: - description: "Partition is the topmost administrative - boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions - \n When using the List and WatchList endpoints, - provide the wildcard value \"*\" to list - resources across all partitions." + description: |- + Partition is the topmost administrative boundary within a cluster. + https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + + + When using the List and WatchList endpoints, provide the wildcard value "*" + to list resources across all partitions. type: string type: object type: description: Type identifies the resource's type. properties: group: - description: Group describes the area of functionality - to which this resource type relates (e.g. - "catalog", "authorization"). + description: |- + Group describes the area of functionality to which this resource type + relates (e.g. "catalog", "authorization"). 
type: string groupVersion: - description: GroupVersion is incremented when - sweeping or backward-incompatible changes + description: |- + GroupVersion is incremented when sweeping or backward-incompatible changes are made to the group's resource types. type: string kind: @@ -198,18 +228,19 @@ spec: type: object type: object weight: - description: "Weight specifies the proportion of requests - forwarded to the referenced backend. This is computed - as weight/(sum of all weights in this BackendRefs list). - For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision - an implementation supports. Weight is not a percentage - and the sum of weights does not need to equal 100. \n - If only one backend is specified and it has a weight - greater than 0, 100% of the traffic is forwarded to - that backend. If weight is set to 0, no traffic should - be forwarded for this entry. If unspecified, weight - defaults to 1." + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from the + exact proportion defined here depending on the precision an implementation + supports. Weight is not a percentage and the sum of weights does not need + to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight defaults + to 1. format: int32 type: integer type: object 
@@ -223,8 +254,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/crd/bases/multicluster.consul.hashicorp.com_exportedservices.yaml b/control-plane/config/crd/bases/multicluster.consul.hashicorp.com_exportedservices.yaml index 36020e3639..2b5076216e 100644 --- a/control-plane/config/crd/bases/multicluster.consul.hashicorp.com_exportedservices.yaml +++ b/control-plane/config/crd/bases/multicluster.consul.hashicorp.com_exportedservices.yaml @@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: exportedservices.multicluster.consul.hashicorp.com spec: group: multicluster.consul.hashicorp.com 
@@ -35,14 +35,19 @@ spec: description: ExportedServices is the Schema for the Exported Services API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -64,8 +69,9 @@ spec: description: Conditions indicate the latest available observations of a resource's current state. items: - description: 'Conditions define a readiness condition for a Consul - resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + description: |- + Conditions define a readiness condition for a Consul resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties properties: lastTransitionTime: description: LastTransitionTime is the last time the condition diff --git a/control-plane/config/rbac/role.yaml b/control-plane/config/rbac/role.yaml index c2ad591c4f..3eb003fae9 100644 --- a/control-plane/config/rbac/role.yaml +++ b/control-plane/config/rbac/role.yaml @@ -205,6 +205,26 @@ rules: - get - patch - update +- apiGroups: + - consul.hashicorp.com + resources: + - registration + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - registration/status + verbs: + - get + - patch + - update - apiGroups: - consul.hashicorp.com resources: diff --git a/control-plane/connect-inject/common/openshift.go b/control-plane/connect-inject/common/openshift.go new file mode 100644 index 0000000000..b9de4c45f4 --- /dev/null +++ b/control-plane/connect-inject/common/openshift.go 
@@ -0,0 +1,182 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+// A namespace in OpenShift has the following annotations:
+// Annotations: openshift.io/sa.scc.mcs: s0:c27,c4
+// openshift.io/sa.scc.uid-range: 1000710000/10000
+// openshift.io/sa.scc.supplemental-groups: 1000710000/10000
+//
+// Note: Even though the annotation is named 'range', it is not a range but the ID you should use. All pods in a
+// namespace should use the same UID/GID. (1000710000/1000710000 above)
+
+package common
+
+import (
+ "fmt"
+ "strconv"
+ "strings"
+
+ "golang.org/x/exp/maps"
+ "golang.org/x/exp/slices"
+ corev1 "k8s.io/api/core/v1"
+
+ "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
+)
+
+// GetDataplaneUID returns the UID to use for the Dataplane container in the given namespace.
+// The UID is based on the namespace annotation and avoids conflicting with any application container UIDs.
+// Containers with dataplaneImage and k8sImage are not considered application containers.
+func GetDataplaneUID(namespace corev1.Namespace, pod corev1.Pod, dataplaneImage, k8sImage string) (int64, error) {
+ availableUIDs, err := getAvailableIDs(namespace, pod, constants.AnnotationOpenShiftUIDRange, dataplaneImage, k8sImage)
+ if err != nil {
+ return 0, err
+ }
+
+ if len(availableUIDs) < 2 {
+ return 0, fmt.Errorf("namespace does not have enough available UIDs")
+ }
+
+ return availableUIDs[len(availableUIDs)-2], nil
+}
+
+// GetDataplaneGroupID returns the group ID to use for the Dataplane container in the given namespace.
+// The UID is based on the namespace annotation and avoids conflicting with any application container group IDs.
+// Containers with dataplaneImage and k8sImage are not considered application containers.
+func GetDataplaneGroupID(namespace corev1.Namespace, pod corev1.Pod, dataplaneImage, k8sImage string) (int64, error) {
+ availableUIDs, err := getAvailableIDs(namespace, pod, constants.AnnotationOpenShiftGroups, dataplaneImage, k8sImage)
+ if err != nil {
+ return 0, err
+ }
+
+ if len(availableUIDs) < 2 {
+ return 0, fmt.Errorf("namespace does not have enough available UIDs")
+ }
+
+ return availableUIDs[len(availableUIDs)-2], nil
+}
+
+// GetConnectInitUID returns the UID to use for the connect init container in the given namespace.
+// The UID is based on the namespace annotation and avoids conflicting with any application container UIDs.
+// Containers with dataplaneImage and k8sImage are not considered application containers.
+func GetConnectInitUID(namespace corev1.Namespace, pod corev1.Pod, dataplaneImage, k8sImage string) (int64, error) {
+ availableUIDs, err := getAvailableIDs(namespace, pod, constants.AnnotationOpenShiftUIDRange, dataplaneImage, k8sImage)
+ if err != nil {
+ return 0, err
+ }
+
+ if len(availableUIDs) < 1 {
+ return 0, fmt.Errorf("namespace does not have enough available UIDs")
+ }
+
+ return availableUIDs[len(availableUIDs)-1], nil
+}
+
+// GetConnectInitGroupID returns the group ID to use for the connect init container in the given namespace.
+// The group ID is based on the namespace annotation and avoids conflicting with any application container group IDs.
+// Containers with dataplaneImage and k8sImage are not considered application containers.
+func GetConnectInitGroupID(namespace corev1.Namespace, pod corev1.Pod, dataplaneImage, k8sImage string) (int64, error) {
+ availableUIDs, err := getAvailableIDs(namespace, pod, constants.AnnotationOpenShiftGroups, dataplaneImage, k8sImage)
+ if err != nil {
+ return 0, err
+ }
+
+ if len(availableUIDs) < 2 {
+ return 0, fmt.Errorf("namespace does not have enough available UIDs")
+ }
+
+ return availableUIDs[len(availableUIDs)-1], nil
+}
+
+// getAvailableIDs enumerates the entire list of available UIDs in the namespace based on the
+// OpenShift annotationName provided. It then removes the UIDs that are already in use by application
+// containers. Containers with dataplaneImage and k8sImage are not considered application containers.
+func getAvailableIDs(namespace corev1.Namespace, pod corev1.Pod, annotationName, dataplaneImage, k8sImage string) ([]int64, error) {
+ // Collect the list of IDs designated in the Pod for application containers
+ appUIDs := make([]int64, 0)
+ if pod.Spec.SecurityContext != nil {
+ if pod.Spec.SecurityContext.RunAsUser != nil {
+ appUIDs = append(appUIDs, *pod.Spec.SecurityContext.RunAsUser)
+ }
+ }
+ for _, c := range pod.Spec.Containers {
+ if c.Image == dataplaneImage || c.Image == k8sImage {
+ continue
+ }
+
+ if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
+ appUIDs = append(appUIDs, *c.SecurityContext.RunAsUser)
+ }
+ }
+
+ annotationValue := namespace.Annotations[annotationName]
+
+ // Groups can be comma separated ranges, i.e. 100/2,101/2
+ // https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth
+ ranges := make([]string, 0)
+ validIDs := make([]int64, 0)
+ // Collect the list of valid IDs from the namespace annotation
+ if annotationName == constants.AnnotationOpenShiftGroups {
+ // Fall back to UID range if Group annotation is not present
+ if annotationValue == "" {
+ annotationName = constants.AnnotationOpenShiftUIDRange
+ annotationValue = namespace.Annotations[annotationName]
+ }
+ ranges = strings.Split(annotationValue, ",")
+ } else {
+ ranges = append(ranges, annotationValue)
+ }
+
+ for _, r := range ranges {
+ rangeIDs, err := getIDsInRange(r)
+ // call based on length of ranges and merge for groups
+ if err != nil {
+ return nil, fmt.Errorf("unable to get valid userIDs from namespace annotation: %w", err)
+ }
+ validIDs = append(validIDs, rangeIDs...)
+ }
+
+ // Subtract the list of application container UIDs from the list of valid userIDs
+ availableUIDs := make(map[int64]struct{})
+ for _, uid := range validIDs {
+ availableUIDs[uid] = struct{}{}
+ }
+ for _, uid := range appUIDs {
+ delete(availableUIDs, uid)
+ }
+
+ // Return the second to last (sorted) valid UID from the available UIDs
+ keys := maps.Keys(availableUIDs)
+ slices.Sort(keys)
+
+ return keys, nil
+}
+
+// getIDsInRange enumerates the entire list of available IDs given the value of the
+// OpenShift annotation. This can be the group or user ID range.
+func getIDsInRange(annotation string) ([]int64, error) {
+ // Add comma and group fallback
+ parts := strings.Split(annotation, "/")
+ if len(parts) != 2 {
+ parts = strings.Split(annotation, "-")
+ if len(parts) != 2 {
+ return nil, fmt.Errorf("invalid range format: %s", annotation)
+ }
+ }
+
+ start, err := strconv.Atoi(parts[0])
+ if err != nil {
+ return nil, fmt.Errorf("invalid range format: %s", parts[0])
+ }
+
+ length, err := strconv.Atoi(parts[1])
+ if err != nil {
+ return nil, fmt.Errorf("invalid range format: %s", parts[1])
+ }
+
+ userIDs := make([]int64, length)
+ for i := 0; i < length; i++ {
+ userIDs[i] = int64(start + i)
+ }
+
+ return userIDs, nil
+}
diff --git a/control-plane/connect-inject/common/openshift_test.go b/control-plane/connect-inject/common/openshift_test.go
new file mode 100644
index 0000000000..be9811dea4
--- /dev/null
+++ b/control-plane/connect-inject/common/openshift_test.go
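Review bot: getIDsInRange reads the second number as a length for both separators, but as far as I can tell from the OpenShift page linked in getAvailableIDs the dash form of these annotations is `<min>-<max>`, so a value such as `1000700000-1000709999` would be expanded into roughly a billion IDs instead of ten thousand, and because `length` is neither sign-checked nor bounded, `make([]int64, length)` is sized directly by the namespace annotation (and panics on a negative value) — capping it near the 10000-sized blocks the file header shows OpenShift allocating is worth considering. Separately, getAvailableIDs subtracts only RunAsUser values even when annotationName is the supplemental-groups annotation, so an application container's RunAsGroup (and the pod's FSGroup/SupplementalGroups) can still be handed out as the sidecar's group ID, and init containers' security contexts are not inspected at all. GetConnectInitGroupID also requires two available IDs where GetConnectInitUID requires one, and the comment `// Return the second to last (sorted) valid UID from the available UIDs` is stale now that the whole sorted slice is returned — `// Return every available ID, sorted ascending` fits. A parser that distinguishes the two forms and validates the bounds:
```go
func getIDsInRange(annotation string) ([]int64, error) {
	var start, length int
	if first, second, ok := strings.Cut(annotation, "/"); ok {
		// <start>/<length>
		s, errStart := strconv.Atoi(first)
		l, errLen := strconv.Atoi(second)
		if errStart != nil || errLen != nil {
			return nil, fmt.Errorf("invalid range format: %s", annotation)
		}
		start, length = s, l
	} else if first, second, ok := strings.Cut(annotation, "-"); ok {
		// <min>-<max>, inclusive
		lo, errLo := strconv.Atoi(first)
		hi, errHi := strconv.Atoi(second)
		if errLo != nil || errHi != nil || hi < lo {
			return nil, fmt.Errorf("invalid range format: %s", annotation)
		}
		start, length = lo, hi-lo+1
	} else {
		return nil, fmt.Errorf("invalid range format: %s", annotation)
	}
	// Reject negative or empty ranges before sizing the slice from annotation input.
	if start < 0 || length <= 0 {
		return nil, fmt.Errorf("invalid range format: %s", annotation)
	}
	// … unchanged: build userIDs from start and length, return …
```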
@@ -0,0 +1,482 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 +package common + +import ( + "fmt" + "k8s.io/utils/ptr" + "testing" + + "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func TestGetConnectInitIDs(t *testing.T) { + dataplaneImage := "consul-dataplane" + k8sImage := "consul-k8s-control-plane" + cases := []struct { + Name string + Namespace corev1.Namespace + // User IDs and Group IDs are quite often the same, and will be for test purposes + ExpectedDataplaneUserAndGroupIDs int64 + Pod corev1.Pod + Err string + }{ + { + Name: "App using a single ID already", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/5", + constants.AnnotationOpenShiftGroups: "100/5", + }, + }, + }, + Pod: corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "consul-connect-inject-init", + }, + }, + Containers: []corev1.Container{ + { + Name: "consul-dataplane", + }, + { + Name: "app", + SecurityContext: &corev1.SecurityContext{ + RunAsUser: ptr.To(int64(100)), + }, + }, + }, + }, + }, + ExpectedDataplaneUserAndGroupIDs: 104, + Err: "", + }, + { + Name: "App using last ID already", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/5", + constants.AnnotationOpenShiftGroups: "100/5", + }, + }, + }, + Pod: corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "consul-connect-inject-init", + }, + }, + Containers: []corev1.Container{ + { + Name: "consul-dataplane", + }, + { + 
Name: "app", + SecurityContext: &corev1.SecurityContext{ + RunAsUser: ptr.To(int64(104)), + }, + }, + }, + }, + }, + ExpectedDataplaneUserAndGroupIDs: 103, + Err: "", + }, + { + Name: "Not enough available IDs", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/1", + constants.AnnotationOpenShiftGroups: "100/1", + }, + }, + }, + Pod: corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "consul-connect-inject-init", + }, + }, + Containers: []corev1.Container{ + { + Name: "consul-dataplane", + }, + { + Name: "app", + SecurityContext: &corev1.SecurityContext{ + RunAsUser: ptr.To(int64(100)), + }, + }, + }, + }, + }, + Err: "namespace does not have enough available UIDs", + }, + } + for _, tt := range cases { + t.Run(tt.Name, func(t *testing.T) { + require := require.New(t) + // Test UID + actualUIDs, err := GetConnectInitUID(tt.Namespace, tt.Pod, dataplaneImage, k8sImage) + if tt.Err == "" { + require.NoError(err) + require.Equal(tt.ExpectedDataplaneUserAndGroupIDs, actualUIDs) + } else { + require.EqualError(err, tt.Err) + } + // Test GroupID + actualGroupIDs, err := GetConnectInitGroupID(tt.Namespace, tt.Pod, dataplaneImage, k8sImage) + if tt.Err == "" { + require.NoError(err) + require.Equal(tt.ExpectedDataplaneUserAndGroupIDs, actualGroupIDs) + } else { + require.EqualError(err, tt.Err) + } + }) + } +} + +func TestGetDataplaneIDs(t *testing.T) { + dataplaneImage := "consul-dataplane" + k8sImage := "consul-k8s-control-plane" + cases := []struct { + Name string + Namespace corev1.Namespace + // User IDs and Group IDs are quite often the same, and will be for test purposes + ExpectedDataplaneUserAndGroupIDs int64 + Pod corev1.Pod + Err string + }{ + { + Name: "App using a single ID already", + Namespace: corev1.Namespace{ + ObjectMeta: 
metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/5", + constants.AnnotationOpenShiftGroups: "100/5", + }, + }, + }, + Pod: corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "consul-connect-inject-init", + }, + }, + Containers: []corev1.Container{ + { + Name: "consul-dataplane", + }, + { + Name: "app", + SecurityContext: &corev1.SecurityContext{ + RunAsUser: ptr.To(int64(100)), + }, + }, + }, + }, + }, + ExpectedDataplaneUserAndGroupIDs: 103, + Err: "", + }, + { + Name: "App using last ID already", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/5", + constants.AnnotationOpenShiftGroups: "100/5", + }, + }, + }, + Pod: corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "consul-connect-inject-init", + }, + }, + Containers: []corev1.Container{ + { + Name: "consul-dataplane", + }, + { + Name: "app", + SecurityContext: &corev1.SecurityContext{ + RunAsUser: ptr.To(int64(104)), + }, + }, + }, + }, + }, + ExpectedDataplaneUserAndGroupIDs: 102, + Err: "", + }, + { + Name: "Not enough available IDs", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/2", + constants.AnnotationOpenShiftGroups: "100/2", + }, + }, + }, + Pod: corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "consul-connect-inject-init", + }, + }, + Containers: []corev1.Container{ + { + Name: "consul-dataplane", + }, + { + Name: "app", + SecurityContext: &corev1.SecurityContext{ + 
RunAsUser: ptr.To(int64(100)), + }, + }, + }, + }, + }, + Err: "namespace does not have enough available UIDs", + }, + } + for _, tt := range cases { + t.Run(tt.Name, func(t *testing.T) { + require := require.New(t) + // Test UID + actualUIDs, err := GetDataplaneUID(tt.Namespace, tt.Pod, dataplaneImage, k8sImage) + if tt.Err == "" { + require.NoError(err) + require.Equal(tt.ExpectedDataplaneUserAndGroupIDs, actualUIDs) + } else { + require.EqualError(err, tt.Err) + } + // Test GroupID + actualGroupIDs, err := GetDataplaneGroupID(tt.Namespace, tt.Pod, dataplaneImage, k8sImage) + if tt.Err == "" { + require.NoError(err) + require.Equal(tt.ExpectedDataplaneUserAndGroupIDs, actualGroupIDs) + } else { + require.EqualError(err, tt.Err) + } + }) + } +} + +func TestGetAvailableIDs(t *testing.T) { + dataplaneImage := "consul-dataplane" + k8sImage := "consul-k8s-control-plane" + cases := []struct { + Name string + Namespace corev1.Namespace + ExpectedAvailableUserIDs []int64 + ExpectedAvailableGroupIDs []int64 + Pod corev1.Pod + Err string + }{ + { + Name: "App using a single ID already", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/5", + constants.AnnotationOpenShiftGroups: "100/5", + }, + }, + }, + Pod: corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "consul-connect-inject-init", + }, + }, + Containers: []corev1.Container{ + { + Name: "consul-dataplane", + }, + { + Name: "app", + SecurityContext: &corev1.SecurityContext{ + RunAsUser: ptr.To(int64(100)), + }, + }, + }, + }, + }, + ExpectedAvailableUserIDs: []int64{101, 102, 103, 104}, + ExpectedAvailableGroupIDs: []int64{101, 102, 103, 104}, + Err: "", + }, + { + Name: "Bad annotation format", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: 
"default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100:5", + }, + }, + }, + Pod: corev1.Pod{}, + ExpectedAvailableUserIDs: nil, + Err: "unable to get valid userIDs from namespace annotation: invalid range format: 100:5", + }, + { + Name: "Group has multiple ranges", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/5", + constants.AnnotationOpenShiftGroups: "100/5,200/5", + }, + }, + }, + Pod: corev1.Pod{}, + ExpectedAvailableUserIDs: []int64{100, 101, 102, 103, 104}, + ExpectedAvailableGroupIDs: []int64{100, 101, 102, 103, 104, 200, 201, 202, 203, 204}, + Err: "", + }, + { + Name: "Group is not defined and falls back to UID range annotation", + Namespace: corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + Namespace: "default", + Annotations: map[string]string{ + constants.AnnotationOpenShiftUIDRange: "100/5", + }, + }, + }, + Pod: corev1.Pod{}, + ExpectedAvailableUserIDs: []int64{100, 101, 102, 103, 104}, + ExpectedAvailableGroupIDs: []int64{100, 101, 102, 103, 104}, + Err: "", + }, + } + for _, tt := range cases { + t.Run(tt.Name, func(t *testing.T) { + require := require.New(t) + actualUserIDs, err := getAvailableIDs(tt.Namespace, tt.Pod, constants.AnnotationOpenShiftUIDRange, dataplaneImage, k8sImage) + if tt.Err == "" { + require.NoError(err) + require.Equal(tt.ExpectedAvailableUserIDs, actualUserIDs) + } else { + require.EqualError(err, tt.Err) + } + actualGroupIDs, err := getAvailableIDs(tt.Namespace, tt.Pod, constants.AnnotationOpenShiftGroups, dataplaneImage, k8sImage) + if tt.Err == "" { + require.NoError(err) + require.Equal(tt.ExpectedAvailableGroupIDs, actualGroupIDs) + } else { + require.EqualError(err, tt.Err) + } + }) + } +} + +func TestGetIDsInRange(t *testing.T) { + cases := []struct { + Name string + Annotation string + ExpectedLen int + ExpectedFirstValue 
int64 + ExpectedLastValue int64 + Err string + }{ + { + Name: "Valid uid annotation with slash", + Annotation: "1000700000/100000", + ExpectedLen: 100000, + ExpectedFirstValue: 1000700000, + ExpectedLastValue: 1000799999, + Err: "", + }, + { + Name: "Valid uid annotation with dash", + Annotation: "1234-1000", + ExpectedLen: 1000, + ExpectedFirstValue: 1234, + ExpectedLastValue: 2233, + Err: "", + }, + { + Name: "Invalid uid annotation missing slash or dash", + Annotation: "5678", + Err: fmt.Sprintf("invalid range format: %s", "5678"), + }, + { + Name: "Empty", + Annotation: "", + Err: fmt.Sprintf("invalid range format: %s", ""), + }, + } + for _, tt := range cases { + t.Run(tt.Name, func(t *testing.T) { + require := require.New(t) + actual, err := getIDsInRange(tt.Annotation) + if tt.Err == "" { + require.NoError(err) + require.Equal(tt.ExpectedLen, len(actual)) + require.Equal(tt.ExpectedFirstValue, actual[0]) + require.Equal(tt.ExpectedLastValue, actual[len(actual)-1]) + } else { + require.EqualError(err, tt.Err) + } + }) + } +} diff --git a/control-plane/connect-inject/constants/annotations_and_labels.go b/control-plane/connect-inject/constants/annotations_and_labels.go index e31fd22bf3..dca3c523a3 100644 --- a/control-plane/connect-inject/constants/annotations_and_labels.go +++ b/control-plane/connect-inject/constants/annotations_and_labels.go @@ -274,3 +274,9 @@ const ( AnnotationPrometheusPath = "prometheus.io/path" AnnotationPrometheusPort = "prometheus.io/port" ) + +// Annotations used by OpenShift. +const ( + AnnotationOpenShiftGroups = "openshift.io/sa.scc.supplemental-groups" + AnnotationOpenShiftUIDRange = "openshift.io/sa.scc.uid-range" +) diff --git a/control-plane/connect-inject/controllers/peering/peering_acceptor_controller.go b/control-plane/connect-inject/controllers/peering/peering_acceptor_controller.go index bc1318f1d5..e2ae67aba4 100644 --- a/control-plane/connect-inject/controllers/peering/peering_acceptor_controller.go 
+++ b/control-plane/connect-inject/controllers/peering/peering_acceptor_controller.go @@ -17,7 +17,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client" @@ -266,7 +266,7 @@ func (r *AcceptorController) updateStatus(ctx context.Context, acceptorObjKey ty return err } if acceptor.Status.LatestPeeringVersion == nil || *acceptor.Status.LatestPeeringVersion < peeringVersion { - acceptor.Status.LatestPeeringVersion = pointer.Uint64(peeringVersion) + acceptor.Status.LatestPeeringVersion = ptr.To(uint64(peeringVersion)) } } err := r.Status().Update(ctx, acceptor) diff --git a/control-plane/connect-inject/controllers/peering/peering_acceptor_controller_test.go b/control-plane/connect-inject/controllers/peering/peering_acceptor_controller_test.go index 2ebba835e3..7c5a778ac7 100644 --- a/control-plane/connect-inject/controllers/peering/peering_acceptor_controller_test.go +++ b/control-plane/connect-inject/controllers/peering/peering_acceptor_controller_test.go @@ -19,7 +19,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client/fake" "sigs.k8s.io/controller-runtime/pkg/reconcile" @@ -244,7 +244,7 @@ func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) { Backend: "kubernetes", }, }, - LatestPeeringVersion: pointer.Uint64(2), + LatestPeeringVersion: ptr.To(uint64(2)), }, expectedConsulPeerings: []*api.Peering{ { 
@@ -709,7 +709,7 @@ func TestReconcile_VersionAnnotation(t *testing.T) { }, ResourceVersion: "some-old-sha", }, - LatestPeeringVersion: pointer.Uint64(3), + LatestPeeringVersion: ptr.To(uint64(3)), }, }, "is no/op if annotation value is equal to value in status": { @@ -725,7 +725,7 @@ func TestReconcile_VersionAnnotation(t *testing.T) { }, ResourceVersion: "some-old-sha", }, - LatestPeeringVersion: pointer.Uint64(3), + LatestPeeringVersion: ptr.To(uint64(3)), }, }, "updates if annotation value is greater than value in status": { @@ -740,7 +740,7 @@ func TestReconcile_VersionAnnotation(t *testing.T) { Backend: "kubernetes", }, }, - LatestPeeringVersion: pointer.Uint64(4), + LatestPeeringVersion: ptr.To(uint64(4)), }, }, } @@ -771,7 +771,7 @@ func TestReconcile_VersionAnnotation(t *testing.T) { }, ResourceVersion: "some-old-sha", }, - LatestPeeringVersion: pointer.Uint64(3), + LatestPeeringVersion: ptr.To(uint64(3)), }, } secret := createSecret("acceptor-created-secret", "default", "data", "some-data") diff --git a/control-plane/connect-inject/controllers/peering/peering_dialer_controller.go b/control-plane/connect-inject/controllers/peering/peering_dialer_controller.go index bc6475bf1a..69b70631d8 100644 --- a/control-plane/connect-inject/controllers/peering/peering_dialer_controller.go +++ b/control-plane/connect-inject/controllers/peering/peering_dialer_controller.go @@ -17,7 +17,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client" 
@@ -235,7 +235,7 @@ func (r *PeeringDialerController) updateStatus(ctx context.Context, dialerObjKey return err } if dialer.Status.LatestPeeringVersion == nil || *dialer.Status.LatestPeeringVersion < peeringVersion { - dialer.Status.LatestPeeringVersion = pointer.Uint64(peeringVersion) + dialer.Status.LatestPeeringVersion = ptr.To(uint64(peeringVersion)) } } err := r.Status().Update(ctx, dialer) diff --git a/control-plane/connect-inject/controllers/peering/peering_dialer_controller_test.go b/control-plane/connect-inject/controllers/peering/peering_dialer_controller_test.go index 6026d1e534..e759ca4e4c 100644 --- a/control-plane/connect-inject/controllers/peering/peering_dialer_controller_test.go +++ b/control-plane/connect-inject/controllers/peering/peering_dialer_controller_test.go @@ -20,7 +20,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client/fake" "sigs.k8s.io/controller-runtime/pkg/reconcile" @@ -246,7 +246,7 @@ func TestReconcile_CreateUpdatePeeringDialer(t *testing.T) { Backend: "kubernetes", }, }, - LatestPeeringVersion: pointer.Uint64(2), + LatestPeeringVersion: ptr.To(uint64(2)), }, peeringExists: true, }, @@ -400,7 +400,7 @@ func TestReconcile_VersionAnnotationPeeringDialer(t *testing.T) { Backend: "kubernetes", }, }, - LatestPeeringVersion: pointer.Uint64(3), + LatestPeeringVersion: ptr.To(uint64(3)), }, }, "is no/op if annotation value is equal to value in status": { @@ -415,7 +415,7 @@ func TestReconcile_VersionAnnotationPeeringDialer(t *testing.T) { Backend: "kubernetes", }, }, - LatestPeeringVersion: pointer.Uint64(3), + LatestPeeringVersion: ptr.To(uint64(3)), }, }, "updates if annotation value is greater than value in status": { 
@@ -430,7 +430,7 @@ func TestReconcile_VersionAnnotationPeeringDialer(t *testing.T) { Backend: "kubernetes", }, }, - LatestPeeringVersion: pointer.Uint64(4), + LatestPeeringVersion: ptr.To(uint64(4)), }, }, } @@ -482,7 +482,7 @@ func TestReconcile_VersionAnnotationPeeringDialer(t *testing.T) { }, ResourceVersion: "latest-version", }, - LatestPeeringVersion: pointer.Uint64(3), + LatestPeeringVersion: ptr.To(uint64(3)), }, } // Create fake k8s client diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go index a9643308d8..045fdea3e3 100644 --- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go +++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go @@ -10,13 +10,12 @@ import ( "strings" "github.com/google/shlex" + "github.com/hashicorp/consul-k8s/control-plane/connect-inject/common" + "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/utils/pointer" - - "github.com/hashicorp/consul-k8s/control-plane/connect-inject/common" - "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" + "k8s.io/utils/ptr" ) const ( 
@@ -210,34 +209,62 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor return corev1.Container{}, err } + // Default values for non-Openshift environments. + uid := int64(sidecarUserAndGroupID) + group := int64(sidecarUserAndGroupID) + // If not running in transparent proxy mode and in an OpenShift environment, // skip setting the security context and let OpenShift set it for us. // When transparent proxy is enabled, then consul-dataplane needs to run as our specific user // so that traffic redirection will work. if tproxyEnabled || !w.EnableOpenShift { - if pod.Spec.SecurityContext != nil { - // User container and consul-dataplane container cannot have the same UID. - if pod.Spec.SecurityContext.RunAsUser != nil && *pod.Spec.SecurityContext.RunAsUser == sidecarUserAndGroupID { - return corev1.Container{}, fmt.Errorf("pod's security context cannot have the same UID as consul-dataplane: %v", sidecarUserAndGroupID) + if !w.EnableOpenShift { + if pod.Spec.SecurityContext != nil { + // User container and consul-dataplane container cannot have the same UID. + if pod.Spec.SecurityContext.RunAsUser != nil && *pod.Spec.SecurityContext.RunAsUser == sidecarUserAndGroupID { + return corev1.Container{}, fmt.Errorf("pod's security context cannot have the same UID as consul-dataplane: %v", sidecarUserAndGroupID) + } } - } - // Ensure that none of the user's containers have the same UID as consul-dataplane. At this point in injection the meshWebhook - // has only injected init containers so all containers defined in pod.Spec.Containers are from the user. - for _, c := range pod.Spec.Containers { - // User container and consul-dataplane container cannot have the same UID. 
- if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil && *c.SecurityContext.RunAsUser == sidecarUserAndGroupID && c.Image != w.ImageConsulDataplane { - return corev1.Container{}, fmt.Errorf("container %q has runAsUser set to the same UID \"%d\" as consul-dataplane which is not allowed", c.Name, sidecarUserAndGroupID) + + // Ensure that none of the user's containers have the same UID as consul-dataplane. At this point in injection the meshWebhook + // has only injected init containers so all containers defined in pod.Spec.Containers are from the user. + for _, c := range pod.Spec.Containers { + // User container and consul-dataplane container cannot have the same UID. + if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil && + *c.SecurityContext.RunAsUser == sidecarUserAndGroupID && + c.Image != w.ImageConsulDataplane { + return corev1.Container{}, fmt.Errorf("container %q has runAsUser set to the same UID \"%d\" as consul-dataplane which is not allowed", c.Name, sidecarUserAndGroupID) + } } } - container.SecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), - RunAsGroup: pointer.Int64(sidecarUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), - ReadOnlyRootFilesystem: pointer.Bool(true), + } + + if w.EnableOpenShift { + // Transparent proxy is set in OpenShift. There is an annotation on the namespace that tells us what + // the user and group ids should be for the sidecar. 
+ var err error + uid, err = common.GetDataplaneUID(namespace, pod, w.ImageConsulDataplane, w.ImageConsulK8S) + if err != nil { + return corev1.Container{}, err + } + group, err = common.GetDataplaneGroupID(namespace, pod, w.ImageConsulDataplane, w.ImageConsulK8S) + if err != nil { + return corev1.Container{}, err } } + container.SecurityContext = &corev1.SecurityContext{ + RunAsUser: ptr.To(uid), + RunAsGroup: ptr.To(group), + RunAsNonRoot: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + // consul-dataplane requires the NET_BIND_SERVICE capability regardless of binding port #. + // See https://developer.hashicorp.com/consul/docs/connect/dataplane#technical-constraints + Capabilities: &corev1.Capabilities{ + Add: []corev1.Capability{"NET_BIND_SERVICE"}, + }, + ReadOnlyRootFilesystem: ptr.To(true), + } return container, nil } diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go index ae1f50e795..dd0c62d3ff 100644 --- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go +++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go @@ -14,7 +14,7 @@ import ( "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/lifecycle" 
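Review bot: The new `if !w.EnableOpenShift` guard skips both UID-collision checks on OpenShift, yet the sidecar now always receives an explicit `RunAsUser` there (the annotation-derived `uid` from `common.GetDataplaneUID`), so a pod or user container that sets `runAsUser` to that same value is no longer rejected even though the reason for the check — the proxy must not share a UID with application containers — applies to that UID just as much as to `sidecarUserAndGroupID`. I would resolve `uid`/`group` first and then run the two checks against `uid`, as sketched below. The `Capabilities` block adds `NET_BIND_SERVICE` without dropping the runtime default set; the restricted Pod Security Standard requires `drop: ["ALL"]` with only `NET_BIND_SERVICE` added back, so `Drop: []corev1.Capability{"ALL"},` beside `Add` keeps the sidecar admissible there (the container_init CNI branch in this same commit already drops ALL). The comment `// Transparent proxy is set in OpenShift.` is misleading now that the `if w.EnableOpenShift` block runs regardless of `tproxyEnabled`, and the webhookv2 sidecar in this commit keeps the old hard-coded context, so that divergence should be deliberate or noted.
```go
	// … unchanged: uid/group defaults and the OpenShift lookup via common.GetDataplaneUID / common.GetDataplaneGroupID …

	// Validate against the UID the sidecar will actually run as, on every platform.
	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.RunAsUser != nil && *pod.Spec.SecurityContext.RunAsUser == uid {
		return corev1.Container{}, fmt.Errorf("pod's security context cannot have the same UID as consul-dataplane: %v", uid)
	}
	// Only init containers have been injected at this point, so pod.Spec.Containers are all user containers.
	for _, c := range pod.Spec.Containers {
		if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil &&
			*c.SecurityContext.RunAsUser == uid &&
			c.Image != w.ImageConsulDataplane {
			return corev1.Container{}, fmt.Errorf("container %q has runAsUser set to the same UID \"%d\" as consul-dataplane which is not allowed", c.Name, uid)
		}
	}

	container.SecurityContext = &corev1.SecurityContext{
		RunAsUser:                ptr.To(uid),
		RunAsGroup:               ptr.To(group),
		RunAsNonRoot:             ptr.To(true),
		AllowPrivilegeEscalation: ptr.To(false),
		// consul-dataplane requires NET_BIND_SERVICE regardless of the bind port; drop everything
		// else so the container stays admissible under the restricted Pod Security Standard.
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
			Add:  []corev1.Capability{"NET_BIND_SERVICE"},
		},
		ReadOnlyRootFilesystem: ptr.To(true),
	}
```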
@@ -304,7 +304,6 @@ func TestHandlerConsulDataplaneSidecar_Concurrency(t *testing.T) { // Test that we pass the dns proxy flag to dataplane correctly. func TestHandlerConsulDataplaneSidecar_DNSProxy(t *testing.T) { - // We only want the flag passed when DNS and tproxy are both enabled. DNS/tproxy can // both be enabled/disabled with annotations/labels on the pod and namespace and then globally // through the helm chart. To test this we use an outer loop with the possible DNS settings and then @@ -365,7 +364,6 @@ func TestHandlerConsulDataplaneSidecar_DNSProxy(t *testing.T) { for i, dnsCase := range dnsCases { for j, tproxyCase := range tproxyCases { t.Run(fmt.Sprintf("dns=%d,tproxy=%d", i, j), func(t *testing.T) { - // Test setup. h := MeshWebhook{ ConsulConfig: &consul.Config{HTTPPort: 8500, GRPCPort: 8502}, 
@@ -803,42 +801,73 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) { tproxyEnabled: false, openShiftEnabled: false, expSecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), - RunAsGroup: pointer.Int64(sidecarUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), + RunAsGroup: ptr.To(int64(sidecarUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + Capabilities: &corev1.Capabilities{ + Add: []corev1.Capability{"NET_BIND_SERVICE"}, + }, }, }, "tproxy enabled; openshift disabled": { tproxyEnabled: true, openShiftEnabled: false, expSecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), - RunAsGroup: pointer.Int64(sidecarUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), + RunAsGroup: ptr.To(int64(sidecarUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + Capabilities: &corev1.Capabilities{ + Add: []corev1.Capability{"NET_BIND_SERVICE"}, + }, }, }, "tproxy disabled; openshift enabled": { - tproxyEnabled: false, - openShiftEnabled: true, - expSecurityContext: nil, + tproxyEnabled: false, + openShiftEnabled: true, + expSecurityContext: &corev1.SecurityContext{ + RunAsUser: ptr.To(int64(1000799998)), + RunAsGroup: ptr.To(int64(1000799998)), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + Capabilities: &corev1.Capabilities{ + Add: []corev1.Capability{"NET_BIND_SERVICE"}, + }, + }, }, "tproxy enabled; openshift enabled": { tproxyEnabled: true, openShiftEnabled: 
true, expSecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), - RunAsGroup: pointer.Int64(sidecarUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsUser: ptr.To(int64(1000799998)), + RunAsGroup: ptr.To(int64(1000799998)), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + Capabilities: &corev1.Capabilities{ + Add: []corev1.Capability{"NET_BIND_SERVICE"}, + }, }, }, } for name, c := range cases { + ns := corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: k8sNamespace, + Namespace: k8sNamespace, + Annotations: map[string]string{}, + Labels: map[string]string{}, + }, + } + + if c.openShiftEnabled { + ns.Annotations[constants.AnnotationOpenShiftUIDRange] = "1000700000/100000" + ns.Annotations[constants.AnnotationOpenShiftGroups] = "1000700000/100000" + } t.Run(name, func(t *testing.T) { w := MeshWebhook{ EnableTransparentProxy: c.tproxyEnabled, @@ -847,6 +876,7 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) { } pod := corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ + Namespace: ns.Name, Annotations: map[string]string{ constants.AnnotationService: "foo", }, @@ -860,7 +890,7 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) { }, }, } - ec, err := w.consulDataplaneSidecar(testNS, pod, multiPortInfo{}) + ec, err := w.consulDataplaneSidecar(ns, pod, multiPortInfo{}) require.NoError(t, err) require.Equal(t, c.expSecurityContext, ec.SecurityContext) }) 
@@ -882,12 +912,15 @@ func TestHandlerConsulDataplaneSidecar_FailsWithDuplicatePodSecurityContextUID(t }, }, SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), }, }, } _, err := w.consulDataplaneSidecar(testNS, pod, multiPortInfo{}) - require.EqualError(err, fmt.Sprintf("pod's security context cannot have the same UID as consul-dataplane: %v", sidecarUserAndGroupID)) + require.EqualError( + err, + fmt.Sprintf("pod's security context cannot have the same UID as consul-dataplane: %v", sidecarUserAndGroupID), + ) } // Test that if the user specifies a container with security context with the same uid as `sidecarUserAndGroupID` that we @@ -910,23 +943,26 @@ func TestHandlerConsulDataplaneSidecar_FailsWithDuplicateContainerSecurityContex Name: "web", // Setting RunAsUser: 1 should succeed. SecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(1), + RunAsUser: ptr.To(int64(1)), }, }, { Name: "app", // Setting RunAsUser: 5995 should fail. SecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), }, Image: "not-consul-dataplane", }, }, }, }, - webhook: MeshWebhook{}, - expErr: true, - expErrMessage: fmt.Sprintf("container \"app\" has runAsUser set to the same UID \"%d\" as consul-dataplane which is not allowed", sidecarUserAndGroupID), + webhook: MeshWebhook{}, + expErr: true, + expErrMessage: fmt.Sprintf( + "container \"app\" has runAsUser set to the same UID \"%d\" as consul-dataplane which is not allowed", + sidecarUserAndGroupID, + ), }, { name: "doesn't fail with envoy image", 
@@ -937,14 +973,14 @@ func TestHandlerConsulDataplaneSidecar_FailsWithDuplicateContainerSecurityContex Name: "web", // Setting RunAsUser: 1 should succeed. SecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(1), + RunAsUser: ptr.To(int64(1)), }, }, { Name: "sidecar", // Setting RunAsUser: 5995 should succeed if the image matches h.ImageConsulDataplane. SecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), }, Image: "envoy", }, @@ -1389,7 +1425,11 @@ func TestHandlerConsulDataplaneSidecar_Metrics(t *testing.T) { }, }, expCmdArgs: "", - expErr: fmt.Sprintf("must set one of %q or %q when providing prometheus TLS config", constants.AnnotationPrometheusCAFile, constants.AnnotationPrometheusCAPath), + expErr: fmt.Sprintf( + "must set one of %q or %q when providing prometheus TLS config", + constants.AnnotationPrometheusCAFile, + constants.AnnotationPrometheusCAPath, + ), }, { name: "merge metrics with TLS enabled, missing cert gives an error", diff --git a/control-plane/connect-inject/webhook/container_init.go b/control-plane/connect-inject/webhook/container_init.go index 49f6eda753..6c357967c9 100644 --- a/control-plane/connect-inject/webhook/container_init.go +++ b/control-plane/connect-inject/webhook/container_init.go @@ -10,10 +10,11 @@ import ( "strings" "text/template" + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/ptr" + "github.com/hashicorp/consul-k8s/control-plane/connect-inject/common" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" - corev1 "k8s.io/api/core/v1" - "k8s.io/utils/pointer" ) const ( 
@@ -231,7 +232,39 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod, } if tproxyEnabled { - if !w.EnableCNI { + if w.EnableCNI { + // For non Openshift, we use the initContainersUserAndGroupID for the user and group id. + uid := int64(initContainersUserAndGroupID) + group := int64(initContainersUserAndGroupID) + + // For Openshift with Transparent proxy + CNI, there is an annotation on the namespace that tells us what + // the user and group ids should be for the sidecar. + if w.EnableOpenShift { + var err error + + uid, err = common.GetConnectInitUID(namespace, pod, w.ImageConsulDataplane, w.ImageConsulK8S) + if err != nil { + return corev1.Container{}, err + } + + group, err = common.GetConnectInitGroupID(namespace, pod, w.ImageConsulDataplane, w.ImageConsulK8S) + if err != nil { + return corev1.Container{}, err + } + } + + container.SecurityContext = &corev1.SecurityContext{ + RunAsUser: ptr.To(uid), + RunAsGroup: ptr.To(group), + RunAsNonRoot: ptr.To(true), + Privileged: ptr.To(privileged), + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + } + } else { // Set redirect traffic config for the container so that we can apply iptables rules. redirectTrafficConfig, err := w.iptablesConfigJSON(pod, namespace) if err != nil { 
@@ -246,27 +279,15 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod, // Running consul connect redirect-traffic with iptables // requires both being a root user and having NET_ADMIN capability. container.SecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(rootUserAndGroupID), - RunAsGroup: pointer.Int64(rootUserAndGroupID), + RunAsUser: ptr.To(int64(rootUserAndGroupID)), + RunAsGroup: ptr.To(int64(rootUserAndGroupID)), // RunAsNonRoot overrides any setting in the Pod so that we can still run as root here as required. - RunAsNonRoot: pointer.Bool(false), - Privileged: pointer.Bool(privileged), + RunAsNonRoot: ptr.To(false), + Privileged: ptr.To(privileged), Capabilities: &corev1.Capabilities{ Add: []corev1.Capability{netAdminCapability}, }, } - } else { - container.SecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(initContainersUserAndGroupID), - RunAsGroup: pointer.Int64(initContainersUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - Privileged: pointer.Bool(privileged), - Capabilities: &corev1.Capabilities{ - Drop: []corev1.Capability{"ALL"}, - }, - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), - } } } diff --git a/control-plane/connect-inject/webhook/container_init_test.go b/control-plane/connect-inject/webhook/container_init_test.go index 8feac95b84..00aac4a8fc 100644 --- a/control-plane/connect-inject/webhook/container_init_test.go +++ b/control-plane/connect-inject/webhook/container_init_test.go @@ -16,7 +16,7 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) const k8sNamespace = "k8snamespace" 
@@ -293,30 +293,56 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) { } var expectedSecurityContext *corev1.SecurityContext - if c.cniEnabled { + if c.cniEnabled && !c.openShiftEnabled { expectedSecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(initContainersUserAndGroupID), - RunAsGroup: pointer.Int64(initContainersUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - Privileged: pointer.Bool(privileged), + RunAsUser: ptr.To(int64(initContainersUserAndGroupID)), + RunAsGroup: ptr.To(int64(initContainersUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + Privileged: ptr.To(privileged), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), } } else if c.expTproxyEnabled { expectedSecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(0), - RunAsGroup: pointer.Int64(0), - RunAsNonRoot: pointer.Bool(false), - Privileged: pointer.Bool(privileged), + RunAsUser: ptr.To(int64(0)), + RunAsGroup: ptr.To(int64(0)), + RunAsNonRoot: ptr.To(false), + Privileged: ptr.To(privileged), Capabilities: &corev1.Capabilities{ Add: []corev1.Capability{netAdminCapability}, }, } + } else if c.cniEnabled && c.openShiftEnabled { + // When cni + openShift + expectedSecurityContext = &corev1.SecurityContext{ + RunAsUser: ptr.To(int64(1000799999)), + RunAsGroup: ptr.To(int64(1000799999)), + RunAsNonRoot: ptr.To(true), + Privileged: ptr.To(privileged), + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + } + } + ns := corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: k8sNamespace, + Namespace: k8sNamespace, + Annotations: map[string]string{}, + Labels: map[string]string{}, + }, + } + + if c.openShiftEnabled { + 
ns.Annotations[constants.AnnotationOpenShiftUIDRange] = "1000700000/100000" + ns.Annotations[constants.AnnotationOpenShiftGroups] = "1000700000/100000" } - ns := testNS + ns.Labels = c.namespaceLabel container, err := w.containerInit(ns, *pod, multiPortInfo{}) require.NoError(t, err) @@ -785,7 +811,8 @@ func TestHandlerContainerInit_Multiport(t *testing.T) { serviceName: "web-admin", }, }, - []string{`/bin/sh -ec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ + []string{ + `/bin/sh -ec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ -log-level=info \ -log-json=false \ -multiport=true \ @@ -823,7 +850,8 @@ func TestHandlerContainerInit_Multiport(t *testing.T) { serviceName: "web-admin", }, }, - []string{`/bin/sh -ec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ + []string{ + `/bin/sh -ec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ -log-level=info \ -log-json=false \ -service-account-name="web" \ @@ -922,7 +950,6 @@ func TestHandlerContainerInit_WithTLSAndCustomPorts(t *testing.T) { } } } - }) } } diff --git a/control-plane/connect-inject/webhook/dns.go b/control-plane/connect-inject/webhook/dns.go index 3f73928ece..9f2bde1cdf 100644 --- a/control-plane/connect-inject/webhook/dns.go +++ b/control-plane/connect-inject/webhook/dns.go @@ -9,7 +9,7 @@ import ( "github.com/miekg/dns" corev1 "k8s.io/api/core/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) const ( 
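Review bot: The new `else if c.cniEnabled && c.openShiftEnabled` branch is only reachable when `c.expTproxyEnabled` is false, because the preceding `else if c.expTproxyEnabled` is evaluated first; for a CNI + OpenShift case that expects tproxy, the test would now expect the root/NET_ADMIN context rather than the annotation-derived non-root context container_init.go builds in its CNI branch. Unless no such case exists in the table (which starts outside this hunk), order the conditions the way the production code does, e.g. `if c.cniEnabled && c.openShiftEnabled { … } else if c.cniEnabled { … } else if c.expTproxyEnabled { … }`. The expected `1000799999` here and `1000799998` in consul_dataplane_sidecar_test.go both come from the same `1000700000/100000` range, but the derivation lives in the common package outside this diff; a one-line comment on the expectation saying how connect-init and the dataplane each pick their ID from the range would keep the two tests readable together.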
@@ -55,13 +55,13 @@ func (w *MeshWebhook) configureDNS(pod *corev1.Pod, k8sNS string) error { if cfg.Timeout != defaultDNSOptionTimeout { options = append(options, corev1.PodDNSConfigOption{ Name: "timeout", - Value: pointer.String(strconv.Itoa(cfg.Timeout)), + Value: ptr.To(strconv.Itoa(cfg.Timeout)), }) } if cfg.Attempts != defaultDNSOptionAttempts { options = append(options, corev1.PodDNSConfigOption{ Name: "attempts", - Value: pointer.String(strconv.Itoa(cfg.Attempts)), + Value: ptr.To(strconv.Itoa(cfg.Attempts)), }) } diff --git a/control-plane/connect-inject/webhook/dns_test.go b/control-plane/connect-inject/webhook/dns_test.go index e8d718557e..c5a8c976b9 100644 --- a/control-plane/connect-inject/webhook/dns_test.go +++ b/control-plane/connect-inject/webhook/dns_test.go @@ -9,7 +9,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) func TestMeshWebhook_configureDNS(t *testing.T) { @@ -40,15 +40,15 @@ options ndots:5 timeout:6 attempts:3`, Options: []corev1.PodDNSConfigOption{ { Name: "ndots", - Value: pointer.String("5"), + Value: ptr.To("5"), }, { Name: "timeout", - Value: pointer.String("6"), + Value: ptr.To("6"), }, { Name: "attempts", - Value: pointer.String("3"), + Value: ptr.To("3"), }, }, }, @@ -65,7 +65,7 @@ options ndots:5`, Options: []corev1.PodDNSConfigOption{ { Name: "ndots", - Value: pointer.String("5"), + Value: ptr.To("5"), }, }, }, diff --git a/control-plane/connect-inject/webhook/redirect_traffic.go b/control-plane/connect-inject/webhook/redirect_traffic.go index f928df4afd..c8dc533adb 100644 --- a/control-plane/connect-inject/webhook/redirect_traffic.go +++ b/control-plane/connect-inject/webhook/redirect_traffic.go 
@@ -19,7 +19,7 @@ import ( // iptables.Config: // // ConsulDNSIP: an environment variable named RESOURCE_PREFIX_DNS_SERVICE_HOST where RESOURCE_PREFIX is the consul.fullname in helm. -// ProxyUserID: a constant set in Annotations +// ProxyUserID: a constant set in Annotations or read from namespace when using OpenShift // ProxyInboundPort: the service port or bind port // ProxyOutboundPort: default transparent proxy outbound port or transparent proxy outbound listener port // ExcludeInboundPorts: prometheus, envoy stats, expose paths, checks and excluded pod annotations @@ -27,8 +27,27 @@ import ( // ExcludeOutboundCIDRs: pod annotations // ExcludeUIDs: pod annotations func (w *MeshWebhook) iptablesConfigJSON(pod corev1.Pod, ns corev1.Namespace) (string, error) { - cfg := iptables.Config{ - ProxyUserID: strconv.Itoa(sidecarUserAndGroupID), + cfg := iptables.Config{} + + if !w.EnableOpenShift { + cfg.ProxyUserID = strconv.Itoa(sidecarUserAndGroupID) + + // Add init container user ID to exclude from traffic redirection. + cfg.ExcludeUIDs = append(cfg.ExcludeUIDs, strconv.Itoa(initContainersUserAndGroupID)) + } else { + // When using OpenShift, the uid and group are saved as an annotation on the namespace + uid, err := common.GetDataplaneUID(ns, pod, w.ImageConsulDataplane, w.ImageConsulK8S) + if err != nil { + return "", err + } + cfg.ProxyUserID = strconv.FormatInt(uid, 10) + + // Exclude the user ID for the init container from traffic redirection. + uid, err = common.GetConnectInitUID(ns, pod, w.ImageConsulDataplane, w.ImageConsulK8S) + if err != nil { + return "", err + } + cfg.ExcludeUIDs = append(cfg.ExcludeUIDs, strconv.FormatInt(uid, 10)) } // Set the proxy's inbound port. 
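Review bot: `uid` is reassigned from the dataplane UID to the connect-init UID inside the same block, so the two `strconv.FormatInt(uid, 10)` calls read as if they format the same identity; separate `dataplaneUID` and `initUID` locals would make the owner-match semantics explicit. Moving the init-container exclusion into this branch also changes where that entry lands in `cfg.ExcludeUIDs` relative to the annotation-supplied UIDs appended later in the function (outside this hunk), so the serialized config now differs in element order from before and any order-sensitive expectation on it will notice. The dataplane UID chosen here must equal the `RunAsUser` given to the sidecar in consulDataplaneSidecar, since iptables redirection is excluded by owner UID; both call `common.GetDataplaneUID` with the same arguments, and a short comment naming that coupling, e.g. `// Must match the RunAsUser set on the consul-dataplane container.`, would protect it from drifting.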
@@ -100,9 +119,6 @@ func (w *MeshWebhook) iptablesConfigJSON(pod corev1.Pod, ns corev1.Namespace) (s excludeUIDs := splitCommaSeparatedItemsFromAnnotation(constants.AnnotationTProxyExcludeUIDs, pod) cfg.ExcludeUIDs = append(cfg.ExcludeUIDs, excludeUIDs...) - // Add init container user ID to exclude from traffic redirection. - cfg.ExcludeUIDs = append(cfg.ExcludeUIDs, strconv.Itoa(initContainersUserAndGroupID)) - dnsEnabled, err := consulDNSEnabled(ns, pod, w.EnableConsulDNS, w.EnableTransparentProxy) if err != nil { return "", err diff --git a/control-plane/connect-inject/webhook/redirect_traffic_test.go b/control-plane/connect-inject/webhook/redirect_traffic_test.go index 374cc84199..9f688f9456 100644 --- a/control-plane/connect-inject/webhook/redirect_traffic_test.go +++ b/control-plane/connect-inject/webhook/redirect_traffic_test.go @@ -12,6 +12,7 @@ import ( mapset "github.com/deckarep/golang-set" logrtest "github.com/go-logr/logr/testr" "github.com/hashicorp/consul/sdk/iptables" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -400,7 +401,7 @@ func TestAddRedirectTrafficConfig(t *testing.T) { actualConfig := iptables.Config{} err = json.Unmarshal([]byte(anno), &actualConfig) require.NoError(t, err) - require.Equal(t, c.expCfg, actualConfig) + assert.ObjectsAreEqual(c.expCfg, actualConfig) } else { require.EqualError(t, err, c.expErr.Error()) } diff --git a/control-plane/connect-inject/webhookv2/consul_dataplane_sidecar.go b/control-plane/connect-inject/webhookv2/consul_dataplane_sidecar.go index d94dbeaaac..e49e3b44e3 100644 --- a/control-plane/connect-inject/webhookv2/consul_dataplane_sidecar.go +++ b/control-plane/connect-inject/webhookv2/consul_dataplane_sidecar.go 
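Review bot: `assert.ObjectsAreEqual(c.expCfg, actualConfig)` returns a bool and never fails the test, so the replaced `require.Equal` is now a no-op and the success path of TestAddRedirectTrafficConfig no longer verifies `ProxyUserID` or `ExcludeUIDs` in the decoded iptables config at all. If the motivation was the changed order of `ExcludeUIDs` in redirect_traffic.go, update `expCfg` or compare that field with `require.ElementsMatch` rather than dropping the check; otherwise restore `require.Equal(t, c.expCfg, actualConfig)`. With that, the `assert` import added in the earlier hunk of this file becomes unnecessary.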
@@ -13,7 +13,7 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/common" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" @@ -193,11 +193,11 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor } } container.SecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), - RunAsGroup: pointer.Int64(sidecarUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), + RunAsGroup: ptr.To(int64(sidecarUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), } } diff --git a/control-plane/connect-inject/webhookv2/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/webhookv2/consul_dataplane_sidecar_test.go index 3b5fb3c0c7..e5eb319a02 100644 --- a/control-plane/connect-inject/webhookv2/consul_dataplane_sidecar_test.go +++ b/control-plane/connect-inject/webhookv2/consul_dataplane_sidecar_test.go @@ -14,7 +14,7 @@ import ( "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/lifecycle" 
@@ -467,22 +467,22 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) { tproxyEnabled: false, openShiftEnabled: false, expSecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), - RunAsGroup: pointer.Int64(sidecarUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), + RunAsGroup: ptr.To(int64(sidecarUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), }, }, "tproxy enabled; openshift disabled": { tproxyEnabled: true, openShiftEnabled: false, expSecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), - RunAsGroup: pointer.Int64(sidecarUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), + RunAsGroup: ptr.To(int64(sidecarUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), }, }, "tproxy disabled; openshift enabled": { @@ -494,11 +494,11 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) { tproxyEnabled: true, openShiftEnabled: true, expSecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), - RunAsGroup: pointer.Int64(sidecarUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), + RunAsGroup: ptr.To(int64(sidecarUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), }, }, } 
@@ -546,7 +546,7 @@ func TestHandlerConsulDataplaneSidecar_FailsWithDuplicatePodSecurityContextUID(t }, }, SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), }, }, } @@ -574,14 +574,14 @@ func TestHandlerConsulDataplaneSidecar_FailsWithDuplicateContainerSecurityContex Name: "web", // Setting RunAsUser: 1 should succeed. SecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(1), + RunAsUser: ptr.To(int64(1)), }, }, { Name: "app", // Setting RunAsUser: 5995 should fail. SecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), }, Image: "not-consul-dataplane", }, @@ -601,14 +601,14 @@ func TestHandlerConsulDataplaneSidecar_FailsWithDuplicateContainerSecurityContex Name: "web", // Setting RunAsUser: 1 should succeed. SecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(1), + RunAsUser: ptr.To(int64(1)), }, }, { Name: "sidecar", // Setting RunAsUser: 5995 should succeed if the image matches h.ImageConsulDataplane. SecurityContext: &corev1.SecurityContext{ - RunAsUser: pointer.Int64(sidecarUserAndGroupID), + RunAsUser: ptr.To(int64(sidecarUserAndGroupID)), }, Image: "envoy", }, diff --git a/control-plane/connect-inject/webhookv2/container_init.go b/control-plane/connect-inject/webhookv2/container_init.go index 7afcaefd33..23949af479 100644 --- a/control-plane/connect-inject/webhookv2/container_init.go +++ b/control-plane/connect-inject/webhookv2/container_init.go @@ -10,7 +10,7 @@ import ( "text/template" corev1 "k8s.io/api/core/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/common" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" 
@@ -214,26 +214,26 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod) // Running consul mesh-init redirect-traffic with iptables // requires both being a root user and having NET_ADMIN capability. container.SecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(rootUserAndGroupID), - RunAsGroup: pointer.Int64(rootUserAndGroupID), + RunAsUser: ptr.To(int64(rootUserAndGroupID)), + RunAsGroup: ptr.To(int64(rootUserAndGroupID)), // RunAsNonRoot overrides any setting in the Pod so that we can still run as root here as required. - RunAsNonRoot: pointer.Bool(false), - Privileged: pointer.Bool(privileged), + RunAsNonRoot: ptr.To(false), + Privileged: ptr.To(privileged), Capabilities: &corev1.Capabilities{ Add: []corev1.Capability{netAdminCapability}, }, } } else { container.SecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(initContainersUserAndGroupID), - RunAsGroup: pointer.Int64(initContainersUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - Privileged: pointer.Bool(privileged), + RunAsUser: ptr.To(int64(initContainersUserAndGroupID)), + RunAsGroup: ptr.To(int64(initContainersUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + Privileged: ptr.To(privileged), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), } } } diff --git a/control-plane/connect-inject/webhookv2/container_init_test.go b/control-plane/connect-inject/webhookv2/container_init_test.go index b85ecd3ba5..7bf6ad0633 100644 --- a/control-plane/connect-inject/webhookv2/container_init_test.go +++ b/control-plane/connect-inject/webhookv2/container_init_test.go 
@@ -13,7 +13,7 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" "github.com/hashicorp/consul-k8s/control-plane/consul" @@ -286,22 +286,22 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) { var expectedSecurityContext *corev1.SecurityContext if c.cniEnabled { expectedSecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(initContainersUserAndGroupID), - RunAsGroup: pointer.Int64(initContainersUserAndGroupID), - RunAsNonRoot: pointer.Bool(true), - Privileged: pointer.Bool(privileged), + RunAsUser: ptr.To(int64(initContainersUserAndGroupID)), + RunAsGroup: ptr.To(int64(initContainersUserAndGroupID)), + RunAsNonRoot: ptr.To(true), + Privileged: ptr.To(privileged), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), } } else if c.expTproxyEnabled { expectedSecurityContext = &corev1.SecurityContext{ - RunAsUser: pointer.Int64(0), - RunAsGroup: pointer.Int64(0), - RunAsNonRoot: pointer.Bool(false), - Privileged: pointer.Bool(privileged), + RunAsUser: ptr.To(int64(0)), + RunAsGroup: ptr.To(int64(0)), + RunAsNonRoot: ptr.To(false), + Privileged: ptr.To(privileged), Capabilities: &corev1.Capabilities{ Add: []corev1.Capability{netAdminCapability}, }, diff --git a/control-plane/connect-inject/webhookv2/dns.go b/control-plane/connect-inject/webhookv2/dns.go index 883c9ed034..d1ba994460 100644 --- a/control-plane/connect-inject/webhookv2/dns.go +++ b/control-plane/connect-inject/webhookv2/dns.go @@ -9,7 +9,7 @@ import ( "github.com/miekg/dns" corev1 "k8s.io/api/core/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) const ( 
@@ -55,13 +55,13 @@ func (w *MeshWebhook) configureDNS(pod *corev1.Pod, k8sNS string) error { if cfg.Timeout != defaultDNSOptionTimeout { options = append(options, corev1.PodDNSConfigOption{ Name: "timeout", - Value: pointer.String(strconv.Itoa(cfg.Timeout)), + Value: ptr.To(strconv.Itoa(cfg.Timeout)), }) } if cfg.Attempts != defaultDNSOptionAttempts { options = append(options, corev1.PodDNSConfigOption{ Name: "attempts", - Value: pointer.String(strconv.Itoa(cfg.Attempts)), + Value: ptr.To(strconv.Itoa(cfg.Attempts)), }) } diff --git a/control-plane/connect-inject/webhookv2/dns_test.go b/control-plane/connect-inject/webhookv2/dns_test.go index e7a380b271..ae2e544df1 100644 --- a/control-plane/connect-inject/webhookv2/dns_test.go +++ b/control-plane/connect-inject/webhookv2/dns_test.go @@ -9,7 +9,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) func TestMeshWebhook_configureDNS(t *testing.T) { @@ -40,15 +40,15 @@ options ndots:5 timeout:6 attempts:3`, Options: []corev1.PodDNSConfigOption{ { Name: "ndots", - Value: pointer.String("5"), + Value: ptr.To("5"), }, { Name: "timeout", - Value: pointer.String("6"), + Value: ptr.To("6"), }, { Name: "attempts", - Value: pointer.String("3"), + Value: ptr.To("3"), }, }, }, @@ -65,7 +65,7 @@ options ndots:5`, Options: []corev1.PodDNSConfigOption{ { Name: "ndots", - Value: pointer.String("5"), + Value: ptr.To("5"), }, }, }, diff --git a/control-plane/controllers/configentries/configentry_controller_test.go b/control-plane/controllers/configentries/configentry_controller_test.go index 0b57e6e50b..133e96910a 100644 --- a/control-plane/controllers/configentries/configentry_controller_test.go +++ b/control-plane/controllers/configentries/configentry_controller_test.go 
@@ -15,6 +15,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	capi "github.com/hashicorp/consul/api"
+	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -543,48 +544,59 @@ func TestConfigEntryControllers_createsConfigEntry(t *testing.T) { } for _, c := range cases { - t.Run(c.kubeKind, func(t *testing.T) { - req := require.New(t) - ctx := context.Background() + for _, secure := range []bool{true, false} { + t.Run(fmt.Sprintf("%s: %t", c.kubeKind, secure), func(t *testing.T) { + req := require.New(t) + ctx := context.Background() + + s := runtime.NewScheme() + s.AddKnownTypes(v1alpha1.GroupVersion, c.configEntryResource) + fakeClient := fake.NewClientBuilder().WithScheme(s).WithObjects(c.configEntryResource).WithStatusSubresource(c.configEntryResource).Build() + + var cb testutil.ServerConfigCallback + if secure { + adminToken := "123e4567-e89b-12d3-a456-426614174000" + cb = func(c *testutil.TestServerConfig) { + c.ACL.Enabled = true + c.ACL.Tokens.InitialManagement = adminToken + } + } - s := runtime.NewScheme() - s.AddKnownTypes(v1alpha1.GroupVersion, c.configEntryResource) - fakeClient := fake.NewClientBuilder().WithScheme(s).WithObjects(c.configEntryResource).WithStatusSubresource(c.configEntryResource).Build() + testClient := test.TestServerWithMockConnMgrWatcher(t, cb) + testClient.TestServer.WaitForServiceIntentions(t) + consulClient := testClient.APIClient - testClient := test.TestServerWithMockConnMgrWatcher(t, nil) - testClient.TestServer.WaitForServiceIntentions(t) - consulClient := testClient.APIClient + for _, configEntry := range c.consulPrereqs { + written, _, err := consulClient.ConfigEntries().Set(configEntry, nil) + req.NoError(err) + req.True(written) + } - for _, configEntry := range c.consulPrereqs { - written, _, err := consulClient.ConfigEntries().Set(configEntry, nil) + r := c.reconciler(fakeClient, testClient.Cfg, testClient.Watcher, logrtest.New(t)) + namespacedName := types.NamespacedName{ + Namespace: kubeNS, + Name: c.configEntryResource.KubernetesName(), + } + resp, err := r.Reconcile(ctx, ctrl.Request{ + NamespacedName: namespacedName, + }) req.NoError(err) - req.True(written) - } - 
- r := c.reconciler(fakeClient, testClient.Cfg, testClient.Watcher, logrtest.New(t)) - namespacedName := types.NamespacedName{ - Namespace: kubeNS, - Name: c.configEntryResource.KubernetesName(), - } - resp, err := r.Reconcile(ctx, ctrl.Request{ - NamespacedName: namespacedName, - }) - req.NoError(err) - req.False(resp.Requeue) + req.False(resp.Requeue) - cfg, _, err := consulClient.ConfigEntries().Get(c.consulKind, c.configEntryResource.ConsulName(), nil) - req.NoError(err) - req.Equal(c.configEntryResource.ConsulName(), cfg.GetName()) - c.compare(t, cfg) + cfg, _, err := consulClient.ConfigEntries().Get(c.consulKind, c.configEntryResource.ConsulName(), nil) + req.NoError(err) + req.Equal(c.configEntryResource.ConsulName(), cfg.GetName()) + c.compare(t, cfg) - // Check that the status is "synced". - err = fakeClient.Get(ctx, namespacedName, c.configEntryResource) - req.NoError(err) - req.Equal(corev1.ConditionTrue, c.configEntryResource.SyncedConditionStatus()) + // Check that the status is "synced". + err = fakeClient.Get(ctx, namespacedName, c.configEntryResource) + req.NoError(err) + req.Equal(corev1.ConditionTrue, c.configEntryResource.SyncedConditionStatus()) - // Check that the finalizer is added. - req.Contains(c.configEntryResource.Finalizers(), FinalizerName) - }) + // Check that the finalizer is added. + req.Contains(c.configEntryResource.Finalizers(), FinalizerName) + }) + } } } @@ -1738,7 +1750,7 @@ func TestConfigEntryControllers_doesNotCreateUnownedConfigEntry(t *testing.T) { // Change the config entry so protocol is https instead of http if test case says to if c.makeDifferentFromConsul { - svcDefaults.Spec.Protocol = "https" + svcDefaults.Spec.Protocol = "http2" } testClient := test.TestServerWithMockConnMgrWatcher(t, nil) diff --git a/control-plane/controllers/configentries/terminatinggateway_controller.go b/control-plane/controllers/configentries/terminatinggateway_controller.go index f8e4a0bc0b..ec329bd17c 100644 
--- a/control-plane/controllers/configentries/terminatinggateway_controller.go
+++ b/control-plane/controllers/configentries/terminatinggateway_controller.go
@@ -4,33 +4,122 @@ package configentries import ( + "bytes" "context" + "errors" + "fmt" + "strings" + "text/template" + mapset "github.com/deckarep/golang-set/v2" "github.com/go-logr/logr" + capi "github.com/hashicorp/consul/api" + corev1 "k8s.io/api/core/v1" + k8serrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" + "github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1" consulv1alpha1 "github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1" + "github.com/hashicorp/consul-k8s/control-plane/consul" ) var _ Controller = (*TerminatingGatewayController)(nil) +const terminatingGatewayByLinkedServiceName = "linkedServiceName" + // TerminatingGatewayController is the controller for TerminatingGateway resources. type TerminatingGatewayController struct { client.Client FinalizerPatcher + + NamespacesEnabled bool + Log logr.Logger Scheme *runtime.Scheme ConfigEntryController *ConfigEntryController } +func init() { + servicePolicyTpl = template.Must(template.New("root").Parse(strings.TrimSpace(servicePolicyRulesTpl))) + wildcardPolicyTpl = template.Must(template.New("root").Parse(strings.TrimSpace(wildcardPolicyRulesTpl))) +} + +type templateArgs struct { + Namespace string + ServiceName string + EnableNamespaces bool +} + +var ( + servicePolicyTpl *template.Template + servicePolicyRulesTpl = ` +{{- if .EnableNamespaces }} +namespace "{{.Namespace}}" { +{{- end }} + service "{{.ServiceName}}" { + policy = "write" + } +{{- if .EnableNamespaces }} +} +{{- end }} +` + + wildcardPolicyTpl *template.Template + wildcardPolicyRulesTpl = ` +{{- if .EnableNamespaces }} +namespace "{{.Namespace}}" { +{{- end }} + service_prefix "" { + policy = "write" + } +{{- if .EnableNamespaces }} +} +{{- end }} +` +) + // +kubebuilder:rbac:groups=consul.hashicorp.com,resources=terminatinggateways,verbs=get;list;watch;create;update;patch;delete // 
+kubebuilder:rbac:groups=consul.hashicorp.com,resources=terminatinggateways/status,verbs=get;update;patch func (r *TerminatingGatewayController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - return r.ConfigEntryController.ReconcileEntry(ctx, r, req, &consulv1alpha1.TerminatingGateway{}) + log := r.Log.V(1).WithValues("terminating-gateway", req.NamespacedName) + log.Info("Reconciling TerminatingGateway") + termGW := &consulv1alpha1.TerminatingGateway{} + // get the registration + if err := r.Client.Get(ctx, req.NamespacedName, termGW); err != nil { + if !k8serrors.IsNotFound(err) { + log.Error(err, "unable to get terminating-gateway") + } + return ctrl.Result{}, client.IgnoreNotFound(err) + } + + // creation/modification + enabled, err := r.aclsEnabled() + if err != nil { + log.Error(err, "error checking if acls are enabled") + return ctrl.Result{}, err + } + + if enabled { + err := r.updateACls(log, termGW) + if err != nil { + log.Error(err, "error updating terminating-gateway roles") + r.UpdateStatusFailedToSetACLs(ctx, termGW, err) + return ctrl.Result{}, err + } + + termGW.SetACLStatusConditon(corev1.ConditionTrue, "", "") + err = r.UpdateStatus(ctx, termGW) + if err != nil { + log.Error(err, "error updating terminating-gateway status") + return ctrl.Result{}, err + } + } + + return r.ConfigEntryController.ReconcileEntry(ctx, r, req, termGW) } func (r *TerminatingGatewayController) Logger(name types.NamespacedName) logr.Logger { 
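Review bot: In Reconcile, any error from `r.updateACls` is returned before `ReconcileEntry` runs, and updateACls fails hard with `terminating gateway role not found`; if the finalizer is only removed inside ReconcileEntry (outside this hunk), a TerminatingGateway whose Consul role has already been removed — e.g. the gateway release was uninstalled first — can never be deleted and will be requeued forever. On the deletion path a missing role should be treated as already cleaned up rather than an error, e.g. have updateACls return a sentinel and check `if !termGW.DeletionTimestamp.IsZero() && errors.Is(err, errRoleNotFound) { /* nothing to detach */ }` before falling through to ReconcileEntry. It is also worth noting in a comment that `aclsEnabled` is derived from the connection manager's token being non-empty, so a Consul cluster with ACLs enabled but a tokenless controller will silently skip the policy sync.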
@@ -41,6 +130,234 @@ func (r *TerminatingGatewayController) UpdateStatus(ctx context.Context, obj cli return r.Status().Update(ctx, obj, opts...) } -func (r *TerminatingGatewayController) SetupWithManager(mgr ctrl.Manager) error { +func (r *TerminatingGatewayController) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error { + // setup the index to lookup registrations by service name + if err := mgr.GetFieldIndexer().IndexField(ctx, &v1alpha1.TerminatingGateway{}, terminatingGatewayByLinkedServiceName, termGWLinkedServiceIndexer); err != nil { + return err + } + return setupWithManager(mgr, &consulv1alpha1.TerminatingGateway{}, r) } + +func termGWLinkedServiceIndexer(o client.Object) []string { + termGW := o.(*v1alpha1.TerminatingGateway) + names := make([]string, 0, len(termGW.Spec.Services)) + for _, service := range termGW.Spec.Services { + names = append(names, service.Name) + } + + return names +} + +func (r *TerminatingGatewayController) UpdateStatusFailedToSetACLs(ctx context.Context, termGW *consulv1alpha1.TerminatingGateway, err error) { + termGW.SetSyncedCondition(corev1.ConditionFalse, consulv1alpha1.TerminatingGatewayFailedToSetACLs, err.Error()) + termGW.SetACLStatusConditon(corev1.ConditionFalse, consulv1alpha1.TerminatingGatewayFailedToSetACLs, err.Error()) + if err := r.UpdateStatus(ctx, termGW); err != nil { + r.Log.Error(err, "error updating status") + } +} + +func (r *TerminatingGatewayController) aclsEnabled() (bool, error) { + state, err := r.ConfigEntryController.ConsulServerConnMgr.State() + if err != nil { + return false, err + } + return state.Token != "", nil +} + +func (r *TerminatingGatewayController) updateACls(log logr.Logger, termGW *consulv1alpha1.TerminatingGateway) error { + client, err := consul.NewClientFromConnMgr(r.ConfigEntryController.ConsulClientConfig, r.ConfigEntryController.ConsulServerConnMgr) + if err != nil { + return err + } + + roles, _, err := client.ACL().RoleList(nil) + if err != nil { + return err + } + 
+ terminatingGatewayRoleID := "" + for _, role := range roles { + // terminating gateway roles are always of the form ${INSTALL_NAME}-consul-${GATEWAY_NAME}-acl-role + if strings.HasSuffix(role.Name, fmt.Sprintf("%s-acl-role", termGW.Name)) { + terminatingGatewayRoleID = role.ID + break + } + } + + if terminatingGatewayRoleID == "" { + return errors.New("terminating gateway role not found") + } + + terminatingGatewayRole, _, err := client.ACL().RoleRead(terminatingGatewayRoleID, nil) + if err != nil { + return err + } + + var terminatingGatewayPolicy *capi.ACLRolePolicyLink + + for _, policy := range terminatingGatewayRole.Policies { + // terminating gateway policies are always of the form ${GATEWAY_NAME}-policy + if policy.Name == fmt.Sprintf("%s-policy", termGW.Name) { + terminatingGatewayPolicy = policy + break + } + } + + var termGWPoliciesToKeep []*capi.ACLRolePolicyLink + var termGWPoliciesToRemove []*capi.ACLRolePolicyLink + + existingTermGWPolicies := mapset.NewSet[string]() + + for _, policy := range terminatingGatewayRole.Policies { + existingTermGWPolicies.Add(policy.Name) + } + + if termGW.ObjectMeta.DeletionTimestamp.IsZero() { + termGWPoliciesToKeep, termGWPoliciesToRemove, err = r.handleModificationForPolicies(log, client, existingTermGWPolicies, termGW.Spec.Services) + if err != nil { + return err + } + } else { + termGWPoliciesToKeep, termGWPoliciesToRemove = handleDeletionForPolicies(termGW.Spec.Services) + } + + termGWPoliciesToKeep = append(termGWPoliciesToKeep, terminatingGatewayPolicy) + terminatingGatewayRole.Policies = termGWPoliciesToKeep + + _, _, err = client.ACL().RoleUpdate(terminatingGatewayRole, nil) + if err != nil { + return err + } + + err = r.conditionallyDeletePolicies(log, client, termGWPoliciesToRemove, termGW.Name) + if err != nil { + return err + } + + return nil +} + +func handleDeletionForPolicies(services []v1alpha1.LinkedService) ([]*capi.ACLRolePolicyLink, []*capi.ACLRolePolicyLink) { + var termGWPoliciesToRemove 
[]*capi.ACLRolePolicyLink + for _, service := range services { + termGWPoliciesToRemove = append(termGWPoliciesToRemove, &capi.ACLRolePolicyLink{Name: servicePolicyName(service.Name, defaultIfEmpty(service.Namespace))}) + } + return nil, termGWPoliciesToRemove +} + +func (r *TerminatingGatewayController) handleModificationForPolicies(log logr.Logger, client *capi.Client, existingTermGWPolicies mapset.Set[string], services []v1alpha1.LinkedService) ([]*capi.ACLRolePolicyLink, []*capi.ACLRolePolicyLink, error) { + // add one to length to include the terminating-gateway policy for itself + termGWPoliciesToKeep := make([]*capi.ACLRolePolicyLink, 0, len(services)+1) + termGWPoliciesToRemove := make([]*capi.ACLRolePolicyLink, 0, len(services)) + + termGWPoliciesToKeepNames := mapset.NewSet[string]() + for _, service := range services { + existingPolicy, _, err := client.ACL().PolicyReadByName(servicePolicyName(service.Name, defaultIfEmpty(service.Namespace)), &capi.QueryOptions{}) + if err != nil { + log.Error(err, "error reading policy") + return nil, nil, err + } + + if existingPolicy == nil { + policyTemplate := getPolicyTemplateFor(service.Name) + var data bytes.Buffer + if err := policyTemplate.Execute(&data, templateArgs{ + EnableNamespaces: r.NamespacesEnabled, + Namespace: defaultIfEmpty(service.Namespace), + ServiceName: service.Name, + }); err != nil { + // just panic if we can't compile the simple template + // as it means something else is going severly wrong. 
+ panic(err) + } + + _, _, err = client.ACL().PolicyCreate(&capi.ACLPolicy{ + Name: servicePolicyName(service.Name, defaultIfEmpty(service.Namespace)), + Rules: data.String(), + }, nil) + if err != nil { + return nil, nil, err + } + } + + termGWPoliciesToKeep = append(termGWPoliciesToKeep, &capi.ACLRolePolicyLink{Name: servicePolicyName(service.Name, defaultIfEmpty(service.Namespace))}) + termGWPoliciesToKeepNames.Add(servicePolicyName(service.Name, defaultIfEmpty(service.Namespace))) + } + + for _, policy := range existingTermGWPolicies.Difference(termGWPoliciesToKeepNames).ToSlice() { + termGWPoliciesToRemove = append(termGWPoliciesToRemove, &capi.ACLRolePolicyLink{Name: policy}) + } + + return termGWPoliciesToKeep, termGWPoliciesToRemove, nil +} + +func (r *TerminatingGatewayController) conditionallyDeletePolicies(log logr.Logger, consulClient *capi.Client, policies []*capi.ACLRolePolicyLink, termGWName string) error { + policiesToDelete := make([]*capi.ACLRolePolicyLink, 0, len(policies)) + var mErr error + for _, policy := range policies { + termGWList := &v1alpha1.TerminatingGatewayList{} + serviceName := serviceNameFromPolicy(policy.Name) + + if err := r.Client.List(context.Background(), termGWList, client.MatchingFields{terminatingGatewayByLinkedServiceName: serviceName}); err != nil { + log.Error(err, "failed to lookup terminating gateway list for service", serviceName) + mErr = errors.Join(mErr, fmt.Errorf("failed to lookup terminating gateway list for service %q: %w", serviceName, err)) + continue + } + if len(termGWList.Items) == 0 { + policiesToDelete = append(policiesToDelete, policy) + } + } + + for _, policy := range policiesToDelete { + // don't delete the policy for the gateway itself + if policy.Name == fmt.Sprintf("%s-policy", termGWName) { + continue + } + + policy, _, err := consulClient.ACL().PolicyReadByName(policy.Name, nil) + if err != nil { + log.Error(err, "failed to lookup policy by name from consul", policy.Name) + mErr = 
errors.Join(mErr, fmt.Errorf("error reading policy %q: %w", policy.Name, err)) + continue + } + + _, err = consulClient.ACL().PolicyDelete(policy.ID, nil) + if err != nil { + log.Error(err, "failed to delete policy from consul", policy.Name) + mErr = errors.Join(mErr, fmt.Errorf("error delete policy %q: %w", policy.Name, err)) + } + } + + return mErr +} + +func getPolicyTemplateFor(service string) *template.Template { + if service == "*" { + return wildcardPolicyTpl + } + return servicePolicyTpl +} + +func defaultIfEmpty(s string) string { + if s == "" { + return "default" + } + return s +} + +func servicePolicyName(name, namespace string) string { + if name == "*" { + return fmt.Sprintf("%s-wildcard-write-policy", namespace) + } + + return fmt.Sprintf("%s-%s-write-policy", namespace, name) +} + +func serviceNameFromPolicy(policyName string) string { + // remove the namespace from the beginning of the string + _, n, _ := strings.Cut(policyName, "-") + + // remove the write policy suffix + return strings.TrimSuffix(n, "-write-policy") +} diff --git a/control-plane/gateways/deployment.go b/control-plane/gateways/deployment.go index 5bab84dec8..b0da751969 100644 --- a/control-plane/gateways/deployment.go +++ b/control-plane/gateways/deployment.go @@ -4,13 +4,12 @@ package gateways import ( + meshv2beta1 "github.com/hashicorp/consul-k8s/control-plane/api/mesh/v2beta1" + "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/utils/pointer" - - meshv2beta1 "github.com/hashicorp/consul-k8s/control-plane/api/mesh/v2beta1" - "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" + "k8s.io/utils/ptr" ) const ( 
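Review bot: The role lookup in updateACls, `strings.HasSuffix(role.Name, fmt.Sprintf("%s-acl-role", termGW.Name))`, matches any gateway whose name ends with this gateway's name (a gateway `gw` matches the role of `my-gw`), and the first hit from RoleList wins, so service write policies can be attached to another gateway's ACL identity; at minimum collect all matches and fail when there is more than one, and preferably compare against the exact name built from a configured release prefix. `.ServiceName` and `.Namespace` are interpolated unescaped into quoted HCL by servicePolicyRulesTpl/wildcardPolicyRulesTpl, so unless the CRD schema restricts these fields to DNS-label characters, a `"` or newline in a linked service name breaks out of the string and can widen the generated rules — validate the names before PolicyCreate. `terminatingGatewayPolicy` is appended to `terminatingGatewayRole.Policies` even when no `${GATEWAY_NAME}-policy` was found, leaving a nil link in the RoleUpdate; guard it with `if terminatingGatewayPolicy != nil`. serviceNameFromPolicy splits on the first `-`, so a namespace containing a hyphen yields the wrong service name and the wildcard policy maps to `wildcard` while the index stores `*`; in both cases the lookup in conditionallyDeletePolicies finds no owner and a policy still linked by another gateway is deleted — record namespace and service explicitly (e.g. in the policy Description) instead of parsing them back out of the name. The same path also detaches and deletes every policy on the role that is neither a linked-service policy nor the gateway's own, so an operator-attached policy would be removed on the next reconcile.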
@@ -173,7 +172,7 @@ func deploymentReplicaCount(replicas *meshv2beta1.GatewayClassReplicasConfig, cu } // otherwise use the global default - return pointer.Int32(globalDefaultInstances) + return ptr.To(int32(globalDefaultInstances)) } // MergeDeployment is used to update an appsv1.Deployment without overwriting any diff --git a/control-plane/gateways/deployment_dataplane_container.go b/control-plane/gateways/deployment_dataplane_container.go index 630e337ad5..383bba05fd 100644 --- a/control-plane/gateways/deployment_dataplane_container.go +++ b/control-plane/gateways/deployment_dataplane_container.go @@ -7,12 +7,11 @@ import ( "fmt" "strconv" - "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/utils/pointer" - "github.com/hashicorp/consul-k8s/control-plane/api/mesh/v2beta1" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" "github.com/hashicorp/consul-k8s/control-plane/namespaces" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" corev1 "k8s.io/api/core/v1" ) @@ -125,7 +124,7 @@ func (b *gatewayBuilder[T]) consulDataplaneContainer(containerConfig v2beta1.Gat } container.SecurityContext = &corev1.SecurityContext{ - AllowPrivilegeEscalation: pointer.Bool(false), + AllowPrivilegeEscalation: ptr.To(false), // Drop any Linux capabilities you'd get other than NET_BIND_SERVICE. // FUTURE: We likely require some additional capability in order to support // MeshGateway's host network option. @@ -133,8 +132,8 @@ func (b *gatewayBuilder[T]) consulDataplaneContainer(containerConfig v2beta1.Gat Add: []corev1.Capability{netBindCapability}, Drop: []corev1.Capability{allCapabilities}, }, - ReadOnlyRootFilesystem: pointer.Bool(true), - RunAsNonRoot: pointer.Bool(true), + ReadOnlyRootFilesystem: ptr.To(true), + RunAsNonRoot: ptr.To(true), } return container, nil diff --git a/control-plane/gateways/deployment_test.go b/control-plane/gateways/deployment_test.go index 24e5fa67a2..2952d92629 100644 --- a/control-plane/gateways/deployment_test.go 
+++ b/control-plane/gateways/deployment_test.go @@ -6,6 +6,7 @@ package gateways import ( "testing" + pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" appsv1 "k8s.io/api/apps/v1" @@ -13,9 +14,7 @@ import ( "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/utils/pointer" - - pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1" + "k8s.io/utils/ptr" meshv2beta1 "github.com/hashicorp/consul-k8s/control-plane/api/mesh/v2beta1" "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" @@ -139,9 +138,9 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { }, NodeSelector: map[string]string{"beta.kubernetes.io/arch": "amd64"}, Replicas: &meshv2beta1.GatewayClassReplicasConfig{ - Default: pointer.Int32(1), - Min: pointer.Int32(1), - Max: pointer.Int32(8), + Default: ptr.To(int32(1)), + Min: ptr.To(int32(1)), + Max: ptr.To(int32(8)), }, PriorityClassName: "priorityclassname", TopologySpreadConstraints: []corev1.TopologySpreadConstraint{ @@ -188,7 +187,7 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { }, }, Spec: appsv1.DeploymentSpec{ - Replicas: pointer.Int32(1), + Replicas: ptr.To(int32(1)), Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ labelManagedBy: "consul-k8s", @@ -415,9 +414,9 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { "ALL", }, }, - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), ProcMount: nil, SeccompProfile: nil, }, 
@@ -541,9 +540,9 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { }, NodeSelector: map[string]string{"beta.kubernetes.io/arch": "amd64"}, Replicas: &meshv2beta1.GatewayClassReplicasConfig{ - Default: pointer.Int32(1), - Min: pointer.Int32(1), - Max: pointer.Int32(8), + Default: ptr.To(int32(1)), + Min: ptr.To(int32(1)), + Max: ptr.To(int32(8)), }, PriorityClassName: "priorityclassname", TopologySpreadConstraints: []corev1.TopologySpreadConstraint{ @@ -587,7 +586,7 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { Annotations: map[string]string{}, }, Spec: appsv1.DeploymentSpec{ - Replicas: pointer.Int32(1), + Replicas: ptr.To(int32(1)), Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ labelManagedBy: "consul-k8s", @@ -824,9 +823,9 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { "ALL", }, }, - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), ProcMount: nil, SeccompProfile: nil, }, @@ -910,7 +909,7 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { Annotations: map[string]string{}, }, Spec: appsv1.DeploymentSpec{ - Replicas: pointer.Int32(1), + Replicas: ptr.To(int32(1)), Selector: &metav1.LabelSelector{ MatchLabels: defaultLabels, }, @@ -1113,9 +1112,9 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { "ALL", }, }, - RunAsNonRoot: pointer.Bool(true), - ReadOnlyRootFilesystem: pointer.Bool(true), - AllowPrivilegeEscalation: pointer.Bool(false), + RunAsNonRoot: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), ProcMount: nil, SeccompProfile: nil, }, diff --git a/control-plane/go.mod b/control-plane/go.mod index 160bc748fc..3ff92bed9c 100644 --- a/control-plane/go.mod +++ b/control-plane/go.mod 
@@ -9,18 +9,18 @@ require ( github.com/deckarep/golang-set/v2 v2.6.0 github.com/evanphx/json-patch v5.6.0+incompatible github.com/fsnotify/fsnotify v1.6.0 - github.com/go-logr/logr v1.2.4 - github.com/google/go-cmp v0.5.9 + github.com/go-logr/logr v1.3.0 + github.com/google/go-cmp v0.6.0 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20240226161840-f3842c41cb2b github.com/hashicorp/consul-k8s/version v0.0.0 github.com/hashicorp/consul-server-connection-manager v0.1.6 - github.com/hashicorp/consul/api v1.29.1 - github.com/hashicorp/consul/proto-public v0.6.1 + github.com/hashicorp/consul/api v1.29.4 + github.com/hashicorp/consul/proto-public v0.6.2 github.com/hashicorp/consul/sdk v0.16.1 github.com/hashicorp/go-bexpr v0.1.11 github.com/hashicorp/go-discover v0.0.0-20230519164032-214571b6a530 - github.com/hashicorp/go-hclog v1.5.0 + github.com/hashicorp/go-hclog v1.6.3 github.com/hashicorp/go-multierror v1.1.1 github.com/hashicorp/go-netaddrs v0.1.0 github.com/hashicorp/go-rootcerts v1.0.2 @@ -35,18 +35,18 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/stretchr/testify v1.8.4 go.uber.org/zap v1.25.0 - golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 - golang.org/x/text v0.14.0 + golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 + golang.org/x/text v0.17.0 golang.org/x/time v0.3.0 gomodules.xyz/jsonpatch/v2 v2.4.0 google.golang.org/grpc v1.58.3 google.golang.org/protobuf v1.33.0 gopkg.in/yaml.v3 v3.0.1 - k8s.io/api v0.28.9 - k8s.io/apimachinery v0.28.9 - k8s.io/client-go v0.28.9 - k8s.io/klog/v2 v2.100.1 - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 + k8s.io/api v0.29.8 + k8s.io/apimachinery v0.29.8 + k8s.io/client-go v0.29.8 + k8s.io/klog/v2 v2.110.1 + k8s.io/utils v0.0.0-20230726121419-3b25d923346b sigs.k8s.io/controller-runtime v0.16.5 sigs.k8s.io/gateway-api v0.7.1 sigs.k8s.io/yaml v1.3.0 
@@ -80,7 +80,7 @@ require ( github.com/dimchansky/utfbom v1.1.0 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect - github.com/fatih/color v1.16.0 // indirect + github.com/fatih/color v1.17.0 // indirect github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect github.com/go-jose/go-jose/v3 v3.0.3 // indirect github.com/go-logr/zapr v1.2.4 // indirect @@ -101,11 +101,11 @@ require ( github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-immutable-radix v1.3.1 // indirect - github.com/hashicorp/go-retryablehttp v0.6.6 // indirect + github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.2 // indirect - github.com/hashicorp/golang-lru v0.5.4 // indirect + github.com/hashicorp/golang-lru v1.0.2 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/hashicorp/mdns v1.0.4 // indirect github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 // indirect 
@@ -143,14 +143,14 @@ require ( github.com/vmware/govmomi v0.18.0 // indirect go.opencensus.io v0.24.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.22.0 // indirect - golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.24.0 // indirect + golang.org/x/crypto v0.26.0 // indirect + golang.org/x/mod v0.20.0 // indirect + golang.org/x/net v0.28.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect - golang.org/x/sync v0.6.0 // indirect - golang.org/x/sys v0.19.0 // indirect - golang.org/x/term v0.19.0 // indirect - golang.org/x/tools v0.16.1 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/term v0.23.0 // indirect + golang.org/x/tools v0.24.0 // indirect google.golang.org/api v0.126.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect @@ -159,9 +159,11 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/apiextensions-apiserver v0.28.3 // indirect k8s.io/component-base v0.28.3 // indirect - k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) -go 1.20 +go 1.21 + +toolchain go1.22.6 diff --git a/control-plane/go.sum b/control-plane/go.sum index f2b4a6ad50..79bf109c1d 100644 --- a/control-plane/go.sum +++ b/control-plane/go.sum 
@@ -35,6 +35,7 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af h1:DBNMBMuMiWYu0b+8KMJuWmfCkcxl09JwdlqwDZZ6U14= +github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af/go.mod h1:5Jv4cbFiHJMsVxt52+i0Ha45fjshj6wxYr1r19tB9bw= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= @@ -51,6 +52,7 @@ github.com/aws/aws-sdk-go v1.44.262 h1:gyXpcJptWoNkK+DiAiaBltlreoWKQXjAIh6FRh60F github.com/aws/aws-sdk-go v1.44.262/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= +github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -98,6 +100,7 @@ github.com/digitalocean/godo v1.7.5/go.mod h1:h6faOIcZ8lWIwNQ+DN7b3CgX4Kwby5T+nb github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dnaeon/go-vcr v1.0.1 h1:r8L/HqC0Hje5AXMu1ooW8oyQyOFv4GxqpL0nRP7SLLY= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= @@ -113,8 +116,8 @@ github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2Vvl github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= -github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= -github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= +github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= 
@@ -129,9 +132,9 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= 
@@ -143,7 +146,9 @@ github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= +github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= @@ -170,6 +175,7 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= +github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -179,8 +185,9 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-querystring v0.0.0-20170111101155-53e6ce116135 h1:zLTLjkaOFEFIOxY5BWLFLwh+cL8vOBW4XJ2aqLE/Tf0= github.com/google/go-querystring v0.0.0-20170111101155-53e6ce116135/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -188,6 +195,7 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= 
@@ -206,10 +214,10 @@ github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20240226161840-f3842c41 github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20240226161840-f3842c41cb2b/go.mod h1:9NKJHOcgmz/6P2y6MegNIOXhIKE/0ils/mHWd5sZgoU= github.com/hashicorp/consul-server-connection-manager v0.1.6 h1:ktj8Fi+dRXn9hhM+FXsfEJayhzzgTqfH08Ne5M6Fmug= github.com/hashicorp/consul-server-connection-manager v0.1.6/go.mod h1:HngMIv57MT+pqCVeRQMa1eTB5dqnyMm8uxjyv+Hn8cs= -github.com/hashicorp/consul/api v1.29.1 h1:UEwOjYJrd3lG1x5w7HxDRMGiAUPrb3f103EoeKuuEcc= -github.com/hashicorp/consul/api v1.29.1/go.mod h1:lumfRkY/coLuqMICkI7Fh3ylMG31mQSRZyef2c5YvJI= -github.com/hashicorp/consul/proto-public v0.6.1 h1:+uzH3olCrksXYWAYHKqK782CtK9scfqH+Unlw3UHhCg= -github.com/hashicorp/consul/proto-public v0.6.1/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg= +github.com/hashicorp/consul/api v1.29.4 h1:P6slzxDLBOxUSj3fWo2o65VuKtbtOXFi7TSSgtXutuE= +github.com/hashicorp/consul/api v1.29.4/go.mod h1:HUlfw+l2Zy68ceJavv2zAyArl2fqhGWnMycyt56sBgg= +github.com/hashicorp/consul/proto-public v0.6.2 h1:+DA/3g/IiKlJZb88NBn0ZgXrxJp2NlvCZdEyl+qxvL0= +github.com/hashicorp/consul/proto-public v0.6.2/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg= github.com/hashicorp/consul/sdk v0.16.1 h1:V8TxTnImoPD5cj0U9Spl0TUxcytjcbbJeADFF07KdHg= github.com/hashicorp/consul/sdk v0.16.1/go.mod h1:fSXvwxB2hmh1FMZCNl6PwX0Q/1wdWtHJcZ7Ea5tns0s= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -218,19 +226,18 @@ github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv github.com/hashicorp/go-bexpr v0.1.11 h1:6DqdA/KBjurGby9yTY0bmkathya0lfwF2SeuubCI7dY= github.com/hashicorp/go-bexpr v0.1.11/go.mod h1:f03lAo0duBlDIUMGCuad8oLcgejw4m7U+N8T+6Kz1AE= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= -github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-discover v0.0.0-20230519164032-214571b6a530 h1:WUwSDou+memX/pb6xnjA0PfAqEEJtdWSrK00kl8ySK8= github.com/hashicorp/go-discover v0.0.0-20230519164032-214571b6a530/go.mod h1:RH2Jr1/cCsZ1nRLmAOC65hp/gRehf55SsUIYV2+NAxI= -github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c= -github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= +github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-msgpack v0.5.5 h1:i9R9JSrqIz0QVLz3sz+i3YJdT7TTSLcfLLzJi9aZTuI= +github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v1.0.0/go.mod 
h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= @@ -238,8 +245,8 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9 github.com/hashicorp/go-netaddrs v0.1.0 h1:TnlYvODD4C/wO+j7cX1z69kV5gOzI87u3OcUinANaW8= github.com/hashicorp/go-netaddrs v0.1.0/go.mod h1:33+a/emi5R5dqRspOuZKO0E+Tuz5WV1F84eRWALkedA= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= -github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= -github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= +github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= 
@@ -258,8 +265,8 @@ github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= -github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= @@ -278,6 +285,7 @@ github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1: github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da h1:FjHUJJ7oBW4G/9j1KzlHaXL09LyMVM9rupS39lncbXk= +github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da/go.mod h1:ks+b9deReOc7jgqp+e7LuFiCBH6Rm5hL32cLcEAArb4= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= 
@@ -299,6 +307,7 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -360,11 +369,13 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= -github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c h1:vwpFWvAO8DeIZfFeqASzZfsxuWPno9ncAebBEP0N3uE= github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c/go.mod h1:otzZQXgoO96RTzDB/Hycg0qZcXZsWJGJRSXbmEIJ+4M= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= 
@@ -404,6 +415,7 @@ github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03 h1:Wdi9nwnhFNAlseAOe github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03/go.mod h1:gRAiPF5C5Nd0eyyRdqIu9qTiFSoZzpTq727b5B8fkkU= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= @@ -451,6 +463,7 @@ go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqe go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= 
@@ -467,11 +480,11 @@ golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8= +golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA= +golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -481,8 +494,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -511,8 +524,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= -golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= 
@@ -526,8 +539,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -571,16 +584,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= +golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -590,8 +603,9 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -608,8 +622,8 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= -golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -627,7 +641,9 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g= +google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0= google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 h1:FmF5cCW94Ij59cfpoLiwTgodWmm60eEV0CjlsVg2fuw= +google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U= google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
@@ -680,29 +696,29 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.28.9 h1:E7VEXXCAlSrp+08zq4zgd+ko6Ttu0Mw+XoXlIkDTVW0= -k8s.io/api v0.28.9/go.mod h1:AnCsDYf3SHjfa8mPG5LGYf+iF4mie+3peLQR51MMCgw= +k8s.io/api v0.29.8 h1:ZBKg9clWnIGtQ5yGhNwMw2zyyrsIAQaXhZACcYNflQE= +k8s.io/api v0.29.8/go.mod h1:XlGIpmpzKGrtVca7GlgNryZJ19SvQdI808NN7fy1SgQ= k8s.io/apiextensions-apiserver v0.28.3 h1:Od7DEnhXHnHPZG+W9I97/fSQkVpVPQx2diy+2EtmY08= k8s.io/apiextensions-apiserver v0.28.3/go.mod h1:NE1XJZ4On0hS11aWWJUTNkmVB03j9LM7gJSisbRt8Lc= -k8s.io/apimachinery v0.28.9 h1:aXz4Zxsw+Pk4KhBerAtKRxNN1uSMWKfciL/iOdBfXvA= -k8s.io/apimachinery v0.28.9/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o= -k8s.io/client-go v0.28.9 h1:mmMvejwc/KDjMLmDpyaxkWNzlWRCJ6ht7Qsbsnwn39Y= -k8s.io/client-go v0.28.9/go.mod h1:GFDy3rUNId++WGrr0hRaBrs+y1eZz5JtVZODEalhRMo= +k8s.io/apimachinery v0.29.8 h1:uBHc9WuKiTHClIspJqtR84WNpG0aOGn45HWqxgXkk8Y= +k8s.io/apimachinery v0.29.8/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= +k8s.io/client-go v0.29.8 h1:QMRKcIzqE/qawknXcsi51GdIAYN8UP39S/M5KnFu/J0= +k8s.io/client-go v0.29.8/go.mod h1:ZzrAAVrqO2jVXMb8My/jTke8n0a/mIynnA3y/1y1UB0= k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI= k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod 
h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.16.5 h1:yr1cEJbX08xsTW6XEIzT13KHHmIyX8Umvme2cULvFZw= sigs.k8s.io/controller-runtime v0.16.5/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= sigs.k8s.io/gateway-api v0.7.1 h1:Tts2jeepVkPA5rVG/iO+S43s9n7Vp7jCDhZDQYtPigQ= sigs.k8s.io/gateway-api v0.7.1/go.mod h1:Xv0+ZMxX0lu1nSSDIIPEfbVztgNZ+3cfiYrJsa2Ooso= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= 
diff --git a/control-plane/subcommand/gateway-resources/command_test.go b/control-plane/subcommand/gateway-resources/command_test.go index 70eb1e3d90..2ac5da00ee 100644 --- a/control-plane/subcommand/gateway-resources/command_test.go +++ b/control-plane/subcommand/gateway-resources/command_test.go @@ -164,9 +164,14 @@ func TestRun_flagValidation(t *testing.T) { flagNodeSelector: ` foo: 1 bar: 2`, - flagTolerations: ` -- value: foo -- value: bar`, + flagTolerations: `- "operator": "Equal" + "effect": "NoSchedule" + "key": "node" + "value": "clients" +- "operator": "Equal" + "effect": "NoSchedule" + "key": "node2" + "value": "clients2"`, flagServiceAnnotations: ` - foo - bar`, diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index 96e95bfa42..f0544ab61f 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go @@ -51,6 +51,7 @@ type Command struct { flagListen string flagCertDir string // Directory with TLS certs for listening (PEM) flagDefaultInject bool // True to inject by default + flagConfigFile string // Path to a config file in JSON format flagConsulImage string // Docker image for Consul flagConsulDataplaneImage string // Docker image for Envoy flagConsulK8sImage string // Docker image for consul-k8s @@ -184,6 +185,7 @@ func init() { func (c *Command) init() { c.flagSet = flag.NewFlagSet("", flag.ContinueOnError) c.flagSet.StringVar(&c.flagListen, "listen", ":8080", "Address to bind listener to.") + c.flagSet.StringVar(&c.flagConfigFile, "config-file", "", "Path to a JSON config file.") c.flagSet.Var((*flags.FlagMapValue)(&c.flagNodeMeta), "node-meta", "Metadata to set on the node, formatted as key=value. This flag may be specified multiple times to set multiple meta fields.") c.flagSet.BoolVar(&c.flagDefaultInject, "default-inject", true, "Inject by default.") 
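Review bot: The help text on the new `c.flagSet.StringVar(&c.flagConfigFile, "config-file", ...)` line in inject-connect/command.go says only "Path to a JSON config file", which gives an operator no way to know what the file may contain. From the consumer later in this diff, the only key read is `image_pull_secrets`, so the flag should say so: `"Path to a JSON config file. Currently only image_pull_secrets (a list of {\"name\": \"<secret>\"} objects, applied to injected sidecars) is read from it."` A matching sentence on the `flagConfigFile` struct field comment would help too, since the struct comment currently just repeats the flag help. Both the `type Command struct` and `init()` hunks are cut from their enclosing definitions here.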
diff --git a/control-plane/subcommand/inject-connect/v1controllers.go b/control-plane/subcommand/inject-connect/v1controllers.go index e89fd2b318..b7f90cf2ab 100644 --- a/control-plane/subcommand/inject-connect/v1controllers.go +++ b/control-plane/subcommand/inject-connect/v1controllers.go @@ -5,10 +5,12 @@ package connectinject import ( "context" + "encoding/json" "fmt" "os" "github.com/hashicorp/consul-server-connection-manager/discovery" + v1 "k8s.io/api/core/v1" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/manager" @@ -31,6 +33,23 @@ func (c *Command) configureV1Controllers(ctx context.Context, mgr manager.Manage // Create Consul API config object. consulConfig := c.consul.ConsulClientConfig() + type FileConfig struct { + ImagePullSecrets []v1.LocalObjectReference `json:"image_pull_secrets"` + } + + var cfgFile FileConfig + if c.flagConfigFile != "" { + if file, err := os.ReadFile(c.flagConfigFile); err != nil { + setupLog.Info("Failed to read specified -config-file", "file", c.flagConfigFile, "error", err) + } else { + if err := json.Unmarshal(file, &cfgFile); err != nil { + setupLog.Error(err, "Config file present but could not be deserialized, will use defaults", "file", c.flagConfigFile) + } else { + setupLog.Info("Config file present and deserialized", "file", c.flagConfigFile, "config", cfgFile) + } + } + } + // Convert allow/deny lists to sets. allowK8sNamespaces := flags.ToSet(c.flagAllowK8sNamespacesList) denyK8sNamespaces := flags.ToSet(c.flagDenyK8sNamespacesList) @@ -118,6 +137,7 @@ func (c *Command) configureV1Controllers(ctx context.Context, mgr manager.Manage }, ImageDataplane: c.flagConsulDataplaneImage, ImageConsulK8S: c.flagConsulK8sImage, + ImagePullSecrets: cfgFile.ImagePullSecrets, GlobalImagePullPolicy: c.flagGlobalImagePullPolicy, ConsulDestinationNamespace: c.flagConsulDestinationNamespace, NamespaceMirroringPrefix: c.flagK8SNSMirroringPrefix, 
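Review bot: A config file that the operator explicitly asked for but that cannot be read or parsed is swallowed: the `os.ReadFile` failure is logged at `Info` level and the `json.Unmarshal` failure at `Error`, and in both cases the function continues with an empty `ImagePullSecrets`, so the private-registry pulls this feature exists for will fail later with no obvious link back to the cause. `json.Unmarshal` also ignores unknown keys, so a misspelled `imagePullSecrets` key yields the same silent empty result while the "Config file present and deserialized" log claims success. Since `configureV1Controllers` already returns errors for other setup failures (see the `return err` paths in the following hunk), I would fail fast on both errors and decode with `DisallowUnknownFields`, as below; this needs `bytes` added to the import block. A small style point: the alias `v1 "k8s.io/api/core/v1"` is conventionally `corev1` in this codebase's other files, and `FileConfig` would read better as a package-level type than a type declared inside the function. The enclosing function body continues outside this hunk.
```go
	var cfgFile FileConfig
	if c.flagConfigFile != "" {
		raw, err := os.ReadFile(c.flagConfigFile)
		if err != nil {
			setupLog.Error(err, "unable to read -config-file", "file", c.flagConfigFile)
			return err
		}
		dec := json.NewDecoder(bytes.NewReader(raw))
		// Reject unknown keys so a typo in the config file fails loudly instead of silently yielding defaults.
		dec.DisallowUnknownFields()
		if err := dec.Decode(&cfgFile); err != nil {
			setupLog.Error(err, "unable to parse -config-file", "file", c.flagConfigFile)
			return err
		}
		setupLog.Info("loaded -config-file", "file", c.flagConfigFile, "imagePullSecrets", len(cfgFile.ImagePullSecrets))
	}
	// … unchanged: allow/deny namespace sets and controller wiring …
```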
@@ -254,8 +274,9 @@ func (c *Command) configureV1Controllers(ctx context.Context, mgr manager.Manage ConfigEntryController: configEntryReconciler, Client: mgr.GetClient(), Log: ctrl.Log.WithName("controller").WithName(apicommon.TerminatingGateway), + NamespacesEnabled: c.flagEnableNamespaces, Scheme: mgr.GetScheme(), - }).SetupWithManager(mgr); err != nil { + }).SetupWithManager(ctx, mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", apicommon.TerminatingGateway) return err } @@ -290,7 +311,7 @@ func (c *Command) configureV1Controllers(ctx context.Context, mgr manager.Manage if err := (®istration.RegistrationsController{ Client: mgr.GetClient(), Scheme: mgr.GetScheme(), - Cache: registration.NewRegistrationCache(consulConfig, watcher), + Cache: registration.NewRegistrationCache(ctx, consulConfig, watcher, mgr.GetClient(), c.flagEnableNamespaces, c.flagEnablePartitions), Log: ctrl.Log.WithName("controller").WithName(apicommon.Registration), }).SetupWithManager(ctx, mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", apicommon.Registration) diff --git a/control-plane/subcommand/sync-catalog/command.go b/control-plane/subcommand/sync-catalog/command.go index e461121f3d..90bedcab89 100644 --- a/control-plane/subcommand/sync-catalog/command.go +++ b/control-plane/subcommand/sync-catalog/command.go @@ -4,6 +4,7 @@ package synccatalog import ( + "bufio" "context" "flag" "fmt" @@ -11,12 +12,14 @@ import ( "os" "os/signal" "regexp" + "strings" "sync" "syscall" "time" mapset "github.com/deckarep/golang-set" "github.com/hashicorp/consul-server-connection-manager/discovery" + "github.com/hashicorp/consul/api" "github.com/hashicorp/go-hclog" "github.com/mitchellh/cli" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
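Review bot: The terminating-gateway controller is given only `NamespacesEnabled: c.flagEnableNamespaces`, whereas two hunks below `registration.NewRegistrationCache` is handed both `c.flagEnableNamespaces` and `c.flagEnablePartitions`. If the terminating-gateway controller also renders ACL policy text with namespace and partition blocks (its body is not visible here), it presumably needs the partition flag as well, otherwise policies written on a partition-enabled cluster would lack that block. Worth confirming against the controller's struct; if partitions are deliberately out of scope for it, a comment such as `// Partitions are resolved by the registration cache; the controller only needs the namespace flag.` on this field would pre-empt the question. The enclosing `configureV1Controllers` body starts and ends outside these hunks.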
@@ -37,27 +40,29 @@ import ( type Command struct { UI cli.Ui - flags *flag.FlagSet - consul *flags.ConsulFlags - k8s *flags.K8SFlags - flagListen string - flagToConsul bool - flagToK8S bool - flagConsulDomain string - flagConsulK8STag string - flagConsulNodeName string - flagK8SDefault bool - flagK8SServicePrefix string - flagConsulServicePrefix string - flagK8SSourceNamespace string - flagK8SWriteNamespace string - flagConsulWritePeriod time.Duration - flagSyncClusterIPServices bool - flagSyncLBEndpoints bool - flagNodePortSyncType string - flagAddK8SNamespaceSuffix bool - flagLogLevel string - flagLogJSON bool + flags *flag.FlagSet + consul *flags.ConsulFlags + k8s *flags.K8SFlags + flagListen string + flagToConsul bool + flagToK8S bool + flagConsulDomain string + flagConsulK8STag string + flagConsulNodeName string + flagK8SDefault bool + flagK8SServicePrefix string + flagConsulServicePrefix string + flagK8SSourceNamespace string + flagK8SWriteNamespace string + flagConsulWritePeriod time.Duration + flagSyncClusterIPServices bool + flagSyncLBEndpoints bool + flagNodePortSyncType string + flagAddK8SNamespaceSuffix bool + flagLogLevel string + flagLogJSON bool + flagPurgeK8SServicesFromNode string + flagFilter string // Flags to support namespaces flagEnableNamespaces bool // Use namespacing on all components @@ -138,6 +143,10 @@ func (c *Command) init() { "\"debug\", \"info\", \"warn\", and \"error\".") c.flags.BoolVar(&c.flagLogJSON, "log-json", false, "Enable or disable JSON output format for logging.") + c.flags.StringVar(&c.flagPurgeK8SServicesFromNode, "purge-k8s-services-from-node", "", + "Purge all K8S services registered in Consul under the node name.") + c.flags.StringVar(&c.flagFilter, "filter", "", + "Specifies the expression used to filter the queries results for the node.") c.flags.Var((*flags.AppendSliceValue)(&c.flagAllowK8sNamespacesList), "allow-k8s-namespace", "K8s namespaces to explicitly allow. May be specified multiple times.") 
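Review bot: The help strings for the two new flags understate what they do: `-purge-k8s-services-from-node` does not just purge, it prompts for confirmation on stdin, deregisters, and then exits instead of starting the sync loop, and `-filter` is only consulted on that purge path and is silently ignored otherwise. Operators wiring this into a Deployment need to know it is a one-shot interactive action, so I would write `"Deregister every service registered in Consul under this node name, after an interactive y/n confirmation on stdin, then exit without starting the sync loop."` and `"Consul API filter expression applied to the node's service list; only used together with -purge-k8s-services-from-node."`. Rejecting `-filter` without the purge flag in the flag-validation step would be even clearer than documenting it. The `Command` struct hunk above is otherwise a whitespace realignment plus the two new fields.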
@@ -251,6 +260,19 @@ func (c *Command) Run(args []string) int { } c.ready = true + if c.flagPurgeK8SServicesFromNode != "" { + consulClient, err := consul.NewClientFromConnMgr(consulConfig, c.connMgr) + if err != nil { + c.UI.Error(fmt.Sprintf("unable to instantiate consul client: %s", err)) + return 1 + } + if err := c.removeAllK8SServicesFromConsulNode(consulClient, c.flagPurgeK8SServicesFromNode); err != nil { + c.UI.Error(fmt.Sprintf("unable to remove all K8S services: %s", err)) + return 1 + } + return 0 + } + // Convert allow/deny lists to sets allowSet := flags.ToSet(c.flagAllowK8sNamespacesList) denySet := flags.ToSet(c.flagDenyK8sNamespacesList) 
@@ -393,6 +415,85 @@ func (c *Command) Run(args []string) int { } } +// remove all k8s services from Consul. +func (c *Command) removeAllK8SServicesFromConsulNode(consulClient *api.Client, nodeName string) error { + node, _, err := consulClient.Catalog().NodeServiceList(nodeName, &api.QueryOptions{Filter: c.flagFilter}) + if err != nil { + return err + } + + var wg sync.WaitGroup + services := node.Services + errChan := make(chan error, 1) + batchSize := 300 + maxRetries := 2 + retryDelay := 200 * time.Millisecond + + // Ask for user confirmation + reader := bufio.NewReader(os.Stdin) + for { + c.UI.Info(fmt.Sprintf("Are you sure you want to delete %v K8S services from %v? (y/n): ", len(services), nodeName)) + input, _ := reader.ReadString('\n') + input = strings.TrimSpace(input) + if input == "y" || input == "Y" { + break + } else if input == "n" || input == "N" { + return nil + } else { + c.UI.Info("Invalid input. Please enter 'y' or 'n'.") + } + } + + for i := 0; i < len(services); i += batchSize { + end := i + batchSize + if end > len(services) { + end = len(services) + } + + wg.Add(1) + go func(batch []*api.AgentService) { + defer wg.Done() + + for _, service := range batch { + err := retryOps(func() error { + _, err := consulClient.Catalog().Deregister(&api.CatalogDeregistration{ + Node: nodeName, + ServiceID: service.ID, + }, nil) + return err + }, maxRetries, retryDelay, c.logger) + if err != nil { + if len(errChan) == 0 { + errChan <- err + } + } + } + c.UI.Info(fmt.Sprintf("Processed %v K8S services from %v", len(batch), nodeName)) + }(services[i:end]) + wg.Wait() + } + + close(errChan) + if err = <-errChan; err != nil { + return err + } + c.UI.Info("All K8S services were deregistered from Consul") + return nil +} + +func retryOps(operation func() error, maxRetries int, retryDelay time.Duration, logger hclog.Logger) error { + var err error + for i := 0; i < maxRetries; i++ { + err = operation() + if err == nil { + return nil + } + logger.Warn("Operation 
failed: %v. Retrying in %v millisecond...", err, retryDelay) + time.Sleep(retryDelay) + } + return err +} + func (c *Command) handleReady(rw http.ResponseWriter, _ *http.Request) { if !c.ready { c.UI.Error("[GET /health/ready] sync catalog controller is not yet ready") diff --git a/control-plane/subcommand/sync-catalog/command_test.go b/control-plane/subcommand/sync-catalog/command_test.go index 9b7365e801..866cd69ad6 100644 --- a/control-plane/subcommand/sync-catalog/command_test.go +++ b/control-plane/subcommand/sync-catalog/command_test.go @@ -11,6 +11,7 @@ import ( "testing" "time" + "github.com/hashicorp/consul/api" "github.com/hashicorp/consul/sdk/testutil/retry" "github.com/hashicorp/go-hclog" "github.com/mitchellh/cli" 
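Review bot: The confirmation loop in `removeAllK8SServicesFromConsulNode` discards the error from `reader.ReadString('\n')`, so when stdin is closed or not a terminal (the normal case inside a pod) every read returns `""` with `io.EOF` and the loop prints "Invalid input" forever instead of aborting; the error must be checked and returned, as below. In `retryOps`, `logger.Warn("Operation failed: %v. Retrying in %v millisecond...", err, retryDelay)` treats an hclog logger like printf, so the `%v` placeholders are emitted literally and `err` becomes a bare key with `retryDelay` as its value; use `logger.Warn("operation failed, retrying", "error", err, "retry_delay", retryDelay)`. The `go func(batch ...)` followed by `wg.Wait()` inside the same loop iteration makes each batch run serially, so the goroutine, WaitGroup and `errChan` add complexity without concurrency; a plain loop over `services` would be equivalent and the `len(errChan) == 0` check would disappear. Finally, despite its name nothing here limits deletion to catalog-synced services: the node's entire service list is deregistered unless the operator supplies `-filter`, so either default the filter to the `flagConsulK8STag` tag or state plainly in the doc comment that every service on the node is removed.
```go
	// Ask for user confirmation; abort rather than spin if stdin is closed or non-interactive.
	reader := bufio.NewReader(os.Stdin)
	for {
		c.UI.Info(fmt.Sprintf("Are you sure you want to delete %v K8S services from %v? (y/n): ", len(services), nodeName))
		input, err := reader.ReadString('\n')
		if err != nil {
			return fmt.Errorf("reading confirmation from stdin: %w", err)
		}
		input = strings.TrimSpace(input)
		// … unchanged: y/n handling …
	}
	// … unchanged: batched deregistration …
```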
@@ -571,6 +572,164 @@ func TestRun_ToConsulChangingFlags(t *testing.T) { } } +// Test services could be de-registered from Consul. +func TestRemoveAllK8SServicesFromConsul(t *testing.T) { + t.Parallel() + + k8s, testClient := completeSetup(t) + consulClient := testClient.APIClient + + // Create a mock reader to simulate user input + input := "y\n" + reader, writer, err := os.Pipe() + require.NoError(t, err) + oldStdin := os.Stdin + os.Stdin = reader + defer func() { os.Stdin = oldStdin }() + + // Write the simulated user input to the mock reader + go func() { + defer writer.Close() + _, err := writer.WriteString(input) + require.NoError(t, err) + }() + + // Run the command. + ui := cli.NewMockUi() + cmd := Command{ + UI: ui, + clientset: k8s, + logger: hclog.New(&hclog.LoggerOptions{ + Name: t.Name(), + Level: hclog.Debug, + }), + flagAllowK8sNamespacesList: []string{"*"}, + connMgr: testClient.Watcher, + } + + // create two services in k8s + _, err = k8s.CoreV1().Services("bar").Create(context.Background(), lbService("foo", "1.1.1.1"), metav1.CreateOptions{}) + require.NoError(t, err) + + _, err = k8s.CoreV1().Services("baz").Create(context.Background(), lbService("foo", "2.2.2.2"), metav1.CreateOptions{}) + require.NoError(t, err) + + longRunningChan := runCommandAsynchronously(&cmd, []string{ + "-addresses", "127.0.0.1", + "-http-port", strconv.Itoa(testClient.Cfg.HTTPPort), + "-consul-write-interval", "100ms", + "-add-k8s-namespace-suffix", + }) + defer stopCommand(t, &cmd, longRunningChan) + + // check that the name of the service is namespaced + retry.Run(t, func(r *retry.R) { + svc, _, err := consulClient.Catalog().Service("foo-bar", "k8s", nil) + require.NoError(r, err) + require.Len(r, svc, 1) + require.Equal(r, "1.1.1.1", svc[0].ServiceAddress) + svc, _, err = consulClient.Catalog().Service("foo-baz", "k8s", nil) + require.NoError(r, err) + require.Len(r, svc, 1) + require.Equal(r, "2.2.2.2", svc[0].ServiceAddress) + }) + + exitChan := 
runCommandAsynchronously(&cmd, []string{ + "-addresses", "127.0.0.1", + "-http-port", strconv.Itoa(testClient.Cfg.HTTPPort), + "-purge-k8s-services-from-node=k8s-sync", + }) + stopCommand(t, &cmd, exitChan) + + retry.Run(t, func(r *retry.R) { + serviceList, _, err := consulClient.Catalog().NodeServiceList("k8s-sync", &api.QueryOptions{AllowStale: false}) + require.NoError(r, err) + require.Len(r, serviceList.Services, 0) + }) +} + +// Test services could be de-registered from Consul with filter. +func TestRemoveAllK8SServicesFromConsulWithFilter(t *testing.T) { + t.Parallel() + + k8s, testClient := completeSetup(t) + consulClient := testClient.APIClient + + // Create a mock reader to simulate user input + input := "y\n" + reader, writer, err := os.Pipe() + require.NoError(t, err) + oldStdin := os.Stdin + os.Stdin = reader + defer func() { os.Stdin = oldStdin }() + + // Write the simulated user input to the mock reader + go func() { + defer writer.Close() + _, err := writer.WriteString(input) + require.NoError(t, err) + }() + + // Run the command. 
+ ui := cli.NewMockUi() + cmd := Command{ + UI: ui, + clientset: k8s, + logger: hclog.New(&hclog.LoggerOptions{ + Name: t.Name(), + Level: hclog.Debug, + }), + flagAllowK8sNamespacesList: []string{"*"}, + connMgr: testClient.Watcher, + } + + // create two services in k8s + _, err = k8s.CoreV1().Services("bar").Create(context.Background(), lbService("foo", "1.1.1.1"), metav1.CreateOptions{}) + require.NoError(t, err) + _, err = k8s.CoreV1().Services("baz").Create(context.Background(), lbService("foo", "2.2.2.2"), metav1.CreateOptions{}) + require.NoError(t, err) + _, err = k8s.CoreV1().Services("bat").Create(context.Background(), lbService("foo", "3.3.3.3"), metav1.CreateOptions{}) + require.NoError(t, err) + + longRunningChan := runCommandAsynchronously(&cmd, []string{ + "-addresses", "127.0.0.1", + "-http-port", strconv.Itoa(testClient.Cfg.HTTPPort), + "-consul-write-interval", "100ms", + "-add-k8s-namespace-suffix", + }) + defer stopCommand(t, &cmd, longRunningChan) + + // check that the name of the service is namespaced + retry.Run(t, func(r *retry.R) { + svc, _, err := consulClient.Catalog().Service("foo-bar", "k8s", nil) + require.NoError(r, err) + require.Len(r, svc, 1) + require.Equal(r, "1.1.1.1", svc[0].ServiceAddress) + svc, _, err = consulClient.Catalog().Service("foo-baz", "k8s", nil) + require.NoError(r, err) + require.Len(r, svc, 1) + require.Equal(r, "2.2.2.2", svc[0].ServiceAddress) + svc, _, err = consulClient.Catalog().Service("foo-bat", "k8s", nil) + require.NoError(r, err) + require.Len(r, svc, 1) + require.Equal(r, "3.3.3.3", svc[0].ServiceAddress) + }) + + exitChan := runCommandAsynchronously(&cmd, []string{ + "-addresses", "127.0.0.1", + "-http-port", strconv.Itoa(testClient.Cfg.HTTPPort), + "-purge-k8s-services-from-node=k8s-sync", + "-filter=baz in ID", + }) + stopCommand(t, &cmd, exitChan) + + retry.Run(t, func(r *retry.R) { + serviceList, _, err := consulClient.Catalog().NodeServiceList("k8s-sync", &api.QueryOptions{AllowStale: false}) + 
require.NoError(r, err) + require.Len(r, serviceList.Services, 2) + }) +} + // Set up test consul agent and fake kubernetes cluster client. func completeSetup(t *testing.T) (*fake.Clientset, *test.TestServerClient) { k8s := fake.NewSimpleClientset() diff --git a/version/version.go b/version/version.go index e5d773c66d..7423ad92f1 100644 --- a/version/version.go +++ b/version/version.go @@ -17,7 +17,7 @@ var ( // // Version must conform to the format expected by // github.com/hashicorp/go-version for tests to work. - Version = "1.6.0" + Version = "1.5.2" // A pre-release marker for the version. If this is "" (empty string) // then it means that it is a final release. Otherwise, this is a pre-release
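Review bot: Both new tests call `t.Parallel()` and then reassign the process-global `os.Stdin` (`os.Stdin = reader` with a deferred restore), so when they run concurrently one test's pipe can be swapped out from under the other or restored to the wrong value, making the "y" confirmation nondeterministic. The `require.NoError(t, err)` inside the writer goroutine is also unsafe: testify calls `t.FailNow` from a non-test goroutine, which the testing package forbids. I would drop `t.Parallel()` from these two, or better, give `Command` an `stdin io.Reader` field that defaults to `os.Stdin` in `Run` and have the tests set `cmd.stdin = strings.NewReader("y\n")`, removing the global swap entirely. Note too that the purge run reuses the same `cmd` value while the long-running `runCommandAsynchronously` call on it is still active, so two `Run` invocations parse flags into one struct concurrently; a second `Command` for the purge avoids that data race. The version.go hunk below is a version bump and needs no review.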