diff --git a/pkg/reconciler/common/releases.go b/pkg/reconciler/common/releases.go
index 7041b9264e..2b757132e7 100644
--- a/pkg/reconciler/common/releases.go
+++ b/pkg/reconciler/common/releases.go
@@ -49,6 +49,10 @@ var cache = map[string]mf.Manifest{}
 // version known to the operator is returned.
 func TargetVersion(instance v1alpha1.KComponent) string {
 	version := instance.GetSpec().GetVersion()
+	if strings.EqualFold(version, LATEST_VERSION) {
+		return getLatestRelease(instance, version)
+	}
+
 	if len(instance.GetSpec().GetManifests()) == 0 {
 		if version == "" {
 			return latestRelease(instance)
@@ -262,6 +266,11 @@ func componentDir(instance v1alpha1.KComponent) string {
 	return ""
 }
 
+func componentIngressDir() string {
+	koDataDir := os.Getenv(KoEnvKey)
+	return filepath.Join(koDataDir, "ingress")
+}
+
 func additionalManifestPath(instance v1alpha1.KComponent) string {
 	// Create the comma-separated string for URLs in spec.additionalManifests
 	addManifests := instance.GetSpec().GetAdditionalManifests()
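Review bot: The new early return in TargetVersion matches `version` case-insensitively but forwards it unchanged to getLatestRelease, whose `latest` lookup in this same change compares directory names with an exact `val == version`, so a CR with `version: Latest` skips an existing `latest` directory and silently resolves to the newest numbered release instead. Passing the canonical constant removes the mismatch: `return getLatestRelease(instance, LATEST_VERSION)`. The early return also runs before the `spec.manifests` branch, so a CR that supplies its own manifests together with `version: latest` is now resolved against the kodata directory, and getLatestRelease appears to panic when that directory cannot be read; if that precedence is intended it deserves a comment on the branch. TargetVersion continues beyond the hunk.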
@@ -324,11 +333,25 @@ func SanitizeSemver(version string) string {
 	return fmt.Sprintf("v%s", version)
 }
 
+// allIngressReleases returns the all the available release versions
+// available under kodata directory for Knative component.
+func allIngressReleases() ([]string, error) {
+	// List all the directories available under kodata
+	pathname := componentIngressDir()
+	return allReleasesUnderPath(pathname)
+}
+
 // allReleases returns the all the available release versions
 // available under kodata directory for Knative component.
 func allReleases(instance v1alpha1.KComponent) ([]string, error) {
 	// List all the directories available under kodata
 	pathname := componentDir(instance)
+	return allReleasesUnderPath(pathname)
+}
+
+// allComponentReleases returns the all the available release versions
+// available under kodata directory for a certain path.
+func allReleasesUnderPath(pathname string) ([]string, error) {
 	fileList, err := ioutil.ReadDir(pathname)
 	if err != nil {
 		return nil, err
@@ -346,7 +369,7 @@ func allReleases(instance v1alpha1.KComponent) ([]string, error) {
 		}
 	}
 	if len(releaseTags) == 0 {
-		return nil, fmt.Errorf("unable to find any version number for %v", instance)
+		return nil, fmt.Errorf("unable to find any version number under the path %v", pathname)
 	}
 
 	// This function makes sure the versions are sorted in a descending order.
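Review bot: The doc comment on the new helper names a function that does not exist — it reads `// allComponentReleases returns the all the available release versions` above `func allReleasesUnderPath`, which linters flag and readers trip over. Suggest `// allReleasesUnderPath returns all release versions found as directories under pathname, newest first.` and, for the sibling, `// allIngressReleases returns all ingress release versions available under the kodata ingress directory.` since the copied text still says "for Knative component". The second hunk shows the helper returns an error rather than an empty list when no version directory is present, and the callers introduced in this change turn that error into a panic, which is worth stating in the doc comment so future callers know the empty case is never a slice. The body of allReleasesUnderPath continues outside the hunk.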
@@ -363,6 +386,17 @@ func latestRelease(instance v1alpha1.KComponent) string {
 	return getLatestRelease(instance, "")
 }
 
+// GetLatestIngressRelease returns the latest release tag available under kodata directory for the ingress
+// based on spec.version.
+func GetLatestIngressRelease(version string) string {
+	// The versions are in a descending order, so the first one will be the latest version.
+	vers, err := allIngressReleases()
+	if err != nil {
+		panic(err)
+	}
+	return getLatestReleaseFromList(vers, version)
+}
+
 // getLatestRelease returns the latest release tag available under kodata directory for Knative component
 // based on spec.version.
 func getLatestRelease(instance v1alpha1.KComponent, version string) string {
@@ -371,11 +405,27 @@ func getLatestRelease(instance v1alpha1.KComponent, version string) string {
 	if err != nil {
 		panic(err)
 	}
+	return getLatestReleaseFromList(vers, version)
+}
 
+// getLatestReleaseFromList returns the latest release tag available under kodata directory for Knative component
+// based on spec.version.
+func getLatestReleaseFromList(vers []string, version string) string {
 	if version == "" {
 		return vers[0]
 	}
 
+	if strings.EqualFold(version, LATEST_VERSION) {
+		// If spec.version is set to latest, look up if the directory latest is available.
+		// If not, return the newest available version instead.
+		for _, val := range vers {
+			if val == version {
+				return val
+			}
+		}
+		return vers[0]
+	}
+
 	for _, val := range vers {
 		if strings.HasPrefix(val, version) &&
 			semver.MajorMinor(SanitizeSemver(val)) == semver.MajorMinor(SanitizeSemver(version)) {
diff --git a/pkg/reconciler/common/releases_test.go b/pkg/reconciler/common/releases_test.go
index 1889bbbf44..1a7193c9b5 100644
--- a/pkg/reconciler/common/releases_test.go
+++ b/pkg/reconciler/common/releases_test.go
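Review bot: GetLatestIngressRelease panics when allIngressReleases fails, and unlike the pre-existing getLatestRelease it is exported and called from the serving ingress reconciler on a path that already returns an error, so a missing or unreadable `ingress` directory in the operator image now crash-loops the controller instead of surfacing as a reconcile failure with a status condition. Returning the error lets getIngress handle it the way it already handles FetchManifest; the call site becomes `ingressVersion, err := common.GetLatestIngressRelease(ingressVersion)` followed by the usual `if err != nil { return err }`. Separately, the `latest` branch of getLatestReleaseFromList compares with `val == version` while every caller in this change matches with strings.EqualFold, so either normalize to `LATEST_VERSION` before the loop or compare with `strings.EqualFold(val, LATEST_VERSION)`. The for loop at the end of the second hunk continues outside it.

```go
// GetLatestIngressRelease returns the ingress release directory under kodata that
// matches version (or the newest one for "latest"); it returns an error, not a
// panic, when the ingress directory cannot be listed.
func GetLatestIngressRelease(version string) (string, error) {
	vers, err := allIngressReleases()
	if err != nil {
		return "", err
	}
	return getLatestReleaseFromList(vers, version), nil
}
```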
@@ -282,6 +282,35 @@ func TestTargetVersion(t *testing.T) { } } +func TestTargetVersionNoLatestDir(t *testing.T) { + koPath := "testdata/kodata-no-latest" + + tests := []struct { + name string + component v1alpha1.KComponent + expected string + }{{ + name: "serving CR with the version latest", + component: &v1alpha1.KnativeServing{ + Spec: v1alpha1.KnativeServingSpec{ + CommonSpec: v1alpha1.CommonSpec{ + Version: "latest", + }, + }, + }, + expected: "0.16.1", + }} + + os.Setenv(KoEnvKey, koPath) + defer os.Unsetenv(KoEnvKey) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + version := TargetVersion(test.component) + util.AssertEqual(t, version, test.expected) + }) + } +} + func TestGetLatestRelease(t *testing.T) { koPath := "testdata/kodata" diff --git a/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.0/serving-core.yaml b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.0/serving-core.yaml new file mode 100644 index 0000000000..77327c36c7 --- /dev/null +++ b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.0/serving-core.yaml @@ -0,0 +1,20 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: knative-serving + labels: + serving.knative.dev/release: "v0.16.0" 
diff --git a/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.0/serving-hpa.yaml b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.0/serving-hpa.yaml new file mode 100644 index 0000000000..77327c36c7 --- /dev/null +++ b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.0/serving-hpa.yaml @@ -0,0 +1,20 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: knative-serving + labels: + serving.knative.dev/release: "v0.16.0" diff --git a/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-core.yaml b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-core.yaml new file mode 100644 index 0000000000..c46b0d3444 --- /dev/null +++ b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-core.yaml 
@@ -0,0 +1,20 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: knative-serving-core + labels: + serving.knative.dev/release: "v0.16.1" diff --git a/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-crd.yaml b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-crd.yaml new file mode 100644 index 0000000000..b52af042af --- /dev/null +++ b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-crd.yaml @@ -0,0 +1,20 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: knative-serving-crd + labels: + serving.knative.dev/release: "v0.16.1" 
diff --git a/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-hpa.yaml b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-hpa.yaml new file mode 100644 index 0000000000..d1572a7c93 --- /dev/null +++ b/pkg/reconciler/common/testdata/kodata-no-latest/knative-serving/0.16.1/serving-hpa.yaml @@ -0,0 +1,20 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: knative-serving-hpa + labels: + serving.knative.dev/release: "v0.16.1" diff --git a/pkg/reconciler/knativeserving/ingress/ingress.go b/pkg/reconciler/knativeserving/ingress/ingress.go index 30a64a98d2..c36f9b05bb 100644 --- a/pkg/reconciler/knativeserving/ingress/ingress.go +++ b/pkg/reconciler/knativeserving/ingress/ingress.go @@ -20,6 +20,7 @@ import ( "context" "os" "path/filepath" + "strings" mf "github.com/manifestival/manifestival" "golang.org/x/mod/semver" 
@@ -92,7 +93,13 @@ func getIngress(version string, manifest *mf.Manifest) error {
 	}
 	koDataDir := os.Getenv(common.KoEnvKey)
 	// Ingresses are saved in the directory named major.minor. We remove the patch number.
-	ingressVersion := semver.MajorMinor(common.SanitizeSemver(version))[1:]
+	ingressVersion := common.LATEST_VERSION
+	if !strings.EqualFold(version, common.LATEST_VERSION) {
+		ingressVersion = semver.MajorMinor(common.SanitizeSemver(version))[1:]
+	}
+
+	// This line can make sure a valid available ingress version is returned.
+	ingressVersion = common.GetLatestIngressRelease(ingressVersion)
 	ingressPath := filepath.Join(koDataDir, "ingress", ingressVersion)
 	m, err := common.FetchManifest(ingressPath)
 	if err != nil {
diff --git a/pkg/reconciler/knativeserving/ingress/ingress_test.go b/pkg/reconciler/knativeserving/ingress/ingress_test.go
index 9842d23ec4..e5627f2ebf 100644
--- a/pkg/reconciler/knativeserving/ingress/ingress_test.go
+++ b/pkg/reconciler/knativeserving/ingress/ingress_test.go
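Review bot: `semver.MajorMinor(common.SanitizeSemver(version))[1:]` slices an empty string when spec.version is not valid semver — MajorMinor returns "" for invalid input and SanitizeSemver only prepends a `v` — so a CR with `version: foo` panics the reconciler with a slice-bounds error; the expression predates this change but is rewritten here, and a user-editable CR field should not be able to crash the operator. Checking the result before slicing turns it into an ordinary error (adding `fmt` to the imports if ingress.go does not already have it) and also documents that only the validated `vX.Y` form ever reaches filepath.Join. The comment `// This line can make sure a valid available ingress version is returned.` overstates what GetLatestIngressRelease does: for numbered versions it only substitutes a directory when a matching one exists, otherwise the later FetchManifest still fails as the 0.12.1 test case shows, so something like `// Resolve "latest" to the newest shipped ingress directory; numbered versions are kept unless a matching major.minor directory exists.` is closer, hedged since the helper's fall-through is outside this diff. getIngress starts before the hunk.

```go
	ingressVersion := common.LATEST_VERSION
	if !strings.EqualFold(version, common.LATEST_VERSION) {
		mm := semver.MajorMinor(common.SanitizeSemver(version))
		if mm == "" {
			return fmt.Errorf("invalid spec.version %q for ingress lookup", version)
		}
		ingressVersion = mm[1:]
	}
	// … unchanged: GetLatestIngressRelease, ingressPath, FetchManifest …
```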
@@ -129,6 +129,64 @@ func TestAppendInstalledIngresses(t *testing.T) {
 	}
 }
 
+func TestAppendTargetIngresses(t *testing.T) {
+	os.Setenv(common.KoEnvKey, "testdata/kodata")
+	defer os.Unsetenv(common.KoEnvKey)
+
+	tests := []struct {
+		name                string
+		instance            servingv1alpha1.KnativeServing
+		expectedIngressPath string
+		expectedErr         error
+	}{{
+		name: "Available target ingresses",
+		instance: servingv1alpha1.KnativeServing{
+			Spec: servingv1alpha1.KnativeServingSpec{
+				CommonSpec: servingv1alpha1.CommonSpec{
+					Version: "0.21.0",
+				},
+			},
+		},
+		expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/0.21",
+		expectedErr:         nil,
+	}, {
+		name: "Unavailable target ingresses",
+		instance: servingv1alpha1.KnativeServing{
+			Spec: servingv1alpha1.KnativeServingSpec{
+				CommonSpec: servingv1alpha1.CommonSpec{
+					Version: "0.12.1",
+				},
+			},
+		},
+		expectedErr: fmt.Errorf("stat testdata/kodata/ingress/0.12: no such file or directory"),
+	}, {
+		name: "Get the latest target ingresses when the directory latest is unavailable",
+		instance: servingv1alpha1.KnativeServing{
+			Spec: servingv1alpha1.KnativeServingSpec{
+				CommonSpec: servingv1alpha1.CommonSpec{
+					Version: "latest",
+				},
+			},
+		},
+		expectedIngressPath: os.Getenv(common.KoEnvKey) + "/ingress/0.22",
+		expectedErr:         nil,
+	}}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			manifest, _ := mf.ManifestFrom(mf.Slice{})
+			err := AppendTargetIngresses(context.TODO(), &manifest, &tt.instance)
+			if err != nil {
+				util.AssertEqual(t, err.Error(), tt.expectedErr.Error())
+				util.AssertEqual(t, len(manifest.Resources()), 0)
+			} else {
+				util.AssertEqual(t, err, tt.expectedErr)
+				util.AssertEqual(t, util.DeepMatchWithPath(manifest, tt.expectedIngressPath), true)
+			}
+		})
+	}
+}
+
 func TestGetIngressWithFilters(t *testing.T) {
 	os.Setenv(common.KoEnvKey, "testdata/kodata")
 	defer os.Unsetenv(common.KoEnvKey)
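Review bot: The "Unavailable target ingresses" case pins the exact OS error text `stat testdata/kodata/ingress/0.12: no such file or directory`, which is platform-specific and also breaks as soon as FetchManifest starts wrapping its error; asserting on the error class, e.g. `util.AssertEqual(t, errors.Is(err, os.ErrNotExist), true)` (importing `errors`), tests the behaviour rather than the libc message. The expected paths are built with string concatenation (`os.Getenv(common.KoEnvKey) + "/ingress/0.21"`) while the code under test uses filepath.Join; `filepath.Join("testdata/kodata", "ingress", "0.21")` keeps the comparison OS-neutral. The "latest" case depends on 0.22 being the newest fixture under testdata/kodata/ingress, and this change turns that directory from a symlink into cmd/operator/kodata into copied manifests, so the fixtures will now drift from the shipped kodata and this expected value has to be bumped by hand on every release — a short comment on the case saying so would save the next person a puzzled test failure.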
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress deleted file mode 120000 index 49c89e9216..0000000000 --- a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress +++ /dev/null @@ -1 +0,0 @@ -../../../../../../cmd/operator/kodata/ingress \ No newline at end of file diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/kourier.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/kourier.yaml new file mode 100644 index 0000000000..36e1061201 --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/kourier.yaml 
@@ -0,0 +1,362 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: 3scale-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 3scale-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] + resources: ["pods", "endpoints", "services", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses/status"] + verbs: ["update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 3scale-kourier + labels: + networking.knative.dev/ingress-provider: kourier +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 3scale-kourier +subjects: + - kind: ServiceAccount + name: 3scale-kourier + namespace: knative-serving + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-control + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier +spec: + replicas: 1 + selector: + matchLabels: + app: 3scale-kourier-control + template: + metadata: + labels: + app: 3scale-kourier-control + spec: + containers: + - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:072e2bb12eae88d5fde8b2fa77d20542ce0f4708d9e09a59c3b65c499462a8fc + name: kourier-control + env: + - name: CERTS_SECRET_NAMESPACE + value: "" + - name: CERTS_SECRET_NAME + value: "" + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METRICS_DOMAIN + value: "knative.dev/samples" + - name: KOURIER_GATEWAY_NAMESPACE + value: "kourier-system" + ports: + - name: http2-xds + containerPort: 18000 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + restartPolicy: Always + serviceAccountName: 3scale-kourier +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-control + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier +spec: + ports: + - name: grpc-xds + port: 18000 + protocol: TCP + targetPort: 18000 + selector: + app: 3scale-kourier-control + type: ClusterIP + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-gateway + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier +spec: + selector: + matchLabels: + app: 3scale-kourier-gateway + template: + metadata: + labels: + app: 3scale-kourier-gateway + spec: + containers: + - args: + - --base-id 1 + - -c /tmp/config/envoy-bootstrap.yaml + - --log-level info + command: + - /usr/local/bin/envoy + image: docker.io/maistra/proxyv2-ubi8:2.0.0 + name: kourier-gateway + ports: + - name: http2-external + containerPort: 8080 + protocol: TCP + - name: http2-internal + containerPort: 8081 + protocol: TCP + - name: https-external + containerPort: 8443 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: false + capabilities: + drop: + - all + volumeMounts: + - name: config-volume + mountPath: /tmp/config + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "curl -X POST --unix /tmp/envoy.admin http://localhost/healthcheck/fail; sleep 15"] + readinessProbe: + httpGet: + httpHeaders: + - name: Host + value: internalkourier + path: /ready + port: 8081 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + volumes: + - name: config-volume + configMap: + name: kourier-bootstrap + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app: 3scale-kourier-gateway + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-internal + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8081 + selector: + app: 3scale-kourier-gateway + type: ClusterIP +--- 
+apiVersion: v1 +kind: ConfigMap +metadata: + name: kourier-bootstrap + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier +data: + envoy-bootstrap.yaml: | + dynamic_resources: + ads_config: + api_type: GRPC + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + cds_config: + ads: {} + lds_config: + ads: {} + node: + cluster: kourier-knative + id: 3scale-kourier-gateway + static_resources: + listeners: + - name: stats_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.http_connection_manager + config: + stat_prefix: stats_server + route_config: + virtual_hosts: + - name: admin_interface + domains: + - "*" + routes: + - match: + safe_regex: + google_re2: {} + regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' + headers: + - name: ':method' + exact_match: GET + route: + cluster: service_stats + http_filters: + - name: envoy.router + config: {} + clusters: + - name: service_stats + connect_timeout: 0.250s + type: static + load_assignment: + cluster_name: service_stats + endpoints: + lb_endpoints: + endpoint: + address: + pipe: + path: /tmp/envoy.admin + - name: xds_cluster + connect_timeout: 1s + hosts: + - socket_address: + address: "kourier-control.knative-serving" + port_value: 18000 + http2_protocol_options: {} + type: STRICT_DNS + admin: + access_log_path: "/dev/stdout" + address: + pipe: + path: /tmp/envoy.admin + +--- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-contour.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-contour.yaml new file mode 100644 index 0000000000..00575a12be --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-contour.yaml 
@@ -0,0 +1,140 @@ +# Not used directly, this lets the knative-serving service account reconcile +# HTTPProxy resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-contour-core + labels: + networking.knative.dev/ingress-provider: contour + serving.knative.dev/controller: "true" +rules: + - apiGroups: ["projectcontour.io"] + resources: ["httpproxies"] + verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-contour + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour + serving.knative.dev/release: "v0.19.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # timeout-policy-idle sets TimeoutPolicy.Idle in contour HTTPProxy spec + timeout-policy-idle: "infinity" + + # timeout-policy-response sets TimeoutPolicy.Response in contour HTTPProxy spec + timeou-policy-response: "infinity" + + # If auto-TLS is disabled fallback to the following certificate + # + # An operator is required to setup a TLSCertificateDelegation + # for this secret to be used + default-tls-secret: "some-namespace/some-secret" + + # visibility contains the configuration for how to expose services + # of assorted visibilities. 
Each entry is keyed by the visibility + # and contains two keys: + # 1. the "class" value to pass to the Contour class annotations, + # 2. the namespace/name of the Contour Envoy service. + visibility: | + ExternalIP: + class: contour-external + service: contour-external/envoy + ClusterLocal: + class: contour-internal + service: contour-internal/envoy + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: contour-ingress-controller + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour +spec: + replicas: 1 + selector: + matchLabels: + app: contour-ingress-controller + template: + metadata: + labels: + app: contour-ingress-controller + spec: + serviceAccountName: controller + containers: + - name: controller + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:bdff6f57bbded077639f223459acd92a9b2639ffb0f8569736019c2e0ece9612 + resources: + requests: + cpu: 40m + memory: 40Mi + limits: + cpu: 400m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/net-contour + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + +--- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-istio.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-istio.yaml new file mode 100644 index 0000000000..174839d513 --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.19/net-istio.yaml 
@@ -0,0 +1,532 @@ +# Generated when HEAD was 6d3c16ed030af079d882d8ef2f9d0f2925c425df +# +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # These are the permissions needed by the Istio Ingress implementation. + name: knative-serving-istio + labels: + serving.knative.dev/release: "v0.19.0" + serving.knative.dev/controller: "true" + networking.knative.dev/ingress-provider: istio +rules: + - apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "gateways"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the shared Gateway for all Knative routes to use. 
+apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-ingress-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# A cluster local gateway to allow pods outside of the mesh to access +# Services and Routes not exposing through an ingress. If the users +# do have a service mesh setup, this isn't required. 
+apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: cluster-local-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: cluster-local-gateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-local-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 8081 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: v1 +kind: Service +metadata: + name: knative-local-gateway + namespace: istio-system + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + type: ClusterIP + selector: + istio: ingressgateway + ports: + - name: http2 + port: 80 + targetPort: 8081 + +--- +# Allows the Webhooks to be reached by kube-api with or without +# sidecar injection and with mTLS PERMISSIVE and STRICT. +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: webhook + mtls: + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "istio-webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: istio-webhook + mtls: + mode: PERMISSIVE + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.istio.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + objectSelector: + matchExpressions: + - {key: "serving.knative.dev/configuration", operator: Exists} + name: webhook.istio.networking.internal.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.istio.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: config.webhook.istio.networking.internal.knative.dev + namespaceSelector: + matchExpressions: + - key: serving.knative.dev/release + operator: Exists + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: istio-webhook-certs + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default Knative Gateway after v0.3. It points to the Istio + # standard istio-ingressgateway, instead of a custom one that we + # used pre-0.3. The configuration format should be `gateway. + # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. + # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} + # is optional; when it is omitted, the system will search for + # the gateway in the serving system namespace `knative-serving` + gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" + + # A cluster local gateway to allow pods outside of the mesh to access + # Services and Routes not exposing through an ingress. If the users + # do have a service mesh setup, this isn't required and can be removed. + # + # An example use case is when users want to use Istio without any + # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod + # is outside of the service mesh in that case, a cluster-local service + # will need to be exposed to a cluster-local gateway to be accessible. + # The configuration format should be `local-gateway.{{local_gateway_namespace}}. + # {{local_gateway_name}}: "{{cluster_local_gateway_name}}. 
+ # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The + # {{local_gateway_namespace}} is optional; when it is omitted, the system + # will search for the local gateway in the serving system namespace + # `knative-serving` + local-gateway.knative-serving.cluster-local-gateway: "cluster-local-gateway.istio-system.svc.cluster.local" + + # To use only Istio service mesh and no cluster-local-gateway, replace + # all local-gateway.* entries by the following entry. + local-gateway.mesh: "mesh" + # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: networking-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: networking-istio + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + # This must be outside of the mesh to probe the gateways. + # NOTE: this is allowed here and not elsewhere because + # this is the Istio controller, and so it may be Istio-aware. 
+ sidecar.istio.io/inject: "false" + labels: + app: networking-istio + serving.knative.dev/release: "v0.19.0" + spec: + serviceAccountName: controller + containers: + - name: networking-istio + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:824a65ea309850962629c778aafa4dc2f9c8a807c817089236d468a773153d73 + resources: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + - name: METRICS_DOMAIN + value: knative.dev/net-istio + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + +# Unlike other controllers, this doesn't need a Service defined for metrics and +# profiling because it opts out of the mesh (see annotation above). + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-webhook + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: istio-webhook + role: istio-webhook + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app: istio-webhook + role: istio-webhook + serving.knative.dev/release: "v0.19.0" + spec: + serviceAccountName: controller + containers: + - name: webhook + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:c8bf9cf76139083d6623c40215426c8998acd46eb156cc7ff998c8c2b9e4051c + resources: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + - name: METRICS_DOMAIN + value: knative.dev/net-istio + - name: WEBHOOK_NAME + value: istio-webhook + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: https-webhook + containerPort: 8443 + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + name: istio-webhook + namespace: knative-serving + labels: + role: istio-webhook + serving.knative.dev/release: "v0.19.0" + networking.knative.dev/ingress-provider: istio +spec: + ports: + # Define metrics and profiling for them to be accessible within service meshes. + - name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + app: istio-webhook + +--- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/kourier.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/kourier.yaml new file mode 100644 index 0000000000..b4f71db2ee --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/kourier.yaml 
@@ -0,0 +1,378 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: 3scale-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 3scale-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] + resources: ["pods", "endpoints", "services", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses/status"] + verbs: ["update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 3scale-kourier + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 3scale-kourier +subjects: + - kind: ServiceAccount + name: 3scale-kourier + namespace: knative-serving + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-control + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +spec: + replicas: 1 + selector: + matchLabels: + app: 3scale-kourier-control + template: + metadata: + labels: + app: 3scale-kourier-control + spec: + containers: + - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:ca4090e564c601bc32a487f586ad3d748d682d0e62cfce1c0c80ee0858a735e0 + name: kourier-control + env: + - name: CERTS_SECRET_NAMESPACE + value: "" + - name: CERTS_SECRET_NAME + value: "" + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METRICS_DOMAIN + value: "knative.dev/samples" + - name: KOURIER_GATEWAY_NAMESPACE + value: "kourier-system" + ports: + - name: http2-xds + containerPort: 18000 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + restartPolicy: Always + serviceAccountName: 3scale-kourier +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-control + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +spec: + ports: + - name: grpc-xds + port: 18000 + protocol: TCP + targetPort: 18000 + selector: + app: 3scale-kourier-control + type: ClusterIP + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-gateway + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +spec: + selector: + matchLabels: + app: 3scale-kourier-gateway + template: + metadata: + labels: + app: 3scale-kourier-gateway + spec: + containers: + - args: + - --base-id 1 + - -c /tmp/config/envoy-bootstrap.yaml + - --log-level info + command: + - /usr/local/bin/envoy + image: docker.io/maistra/proxyv2-ubi8:2.0.0 + name: kourier-gateway + ports: + - name: http2-external + containerPort: 8080 + protocol: TCP + - name: http2-internal + containerPort: 8081 + protocol: TCP + - name: https-external + containerPort: 8443 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: false + capabilities: + drop: + - all + volumeMounts: + - name: config-volume + mountPath: /tmp/config + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "curl -X POST --unix /tmp/envoy.admin http://localhost/healthcheck/fail; sleep 15"] + readinessProbe: + httpGet: + httpHeaders: + - name: Host + value: internalkourier + path: /ready + port: 8081 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + volumes: + - name: config-volume + configMap: + name: kourier-bootstrap + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +spec: + ports: 
+ - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app: 3scale-kourier-gateway + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-internal + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8081 + selector: + app: 3scale-kourier-gateway + type: ClusterIP +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kourier-bootstrap + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.20.0" +data: + envoy-bootstrap.yaml: | + dynamic_resources: + ads_config: + api_type: GRPC + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + cds_config: + ads: {} + lds_config: + ads: {} + node: + cluster: kourier-knative + id: 3scale-kourier-gateway + static_resources: + listeners: + - name: stats_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: stats_server + http_filters: + - name: envoy.filters.http.router + route_config: + virtual_hosts: + - name: admin_interface + domains: + - "*" + routes: + - match: + safe_regex: + google_re2: {} + regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' 
+ headers: + - name: ':method' + exact_match: GET + route: + cluster: service_stats + clusters: + - name: service_stats + connect_timeout: 0.250s + type: static + load_assignment: + cluster_name: service_stats + endpoints: + lb_endpoints: + endpoint: + address: + pipe: + path: /tmp/envoy.admin + - name: xds_cluster + connect_timeout: 1s + type: strict_dns + load_assignment: + cluster_name: xds_cluster + endpoints: + lb_endpoints: + endpoint: + address: + socket_address: + address: "kourier-control.knative-serving" + port_value: 18000 + http2_protocol_options: {} + type: STRICT_DNS + admin: + access_log_path: "/dev/stdout" + address: + pipe: + path: /tmp/envoy.admin + +--- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-contour.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-contour.yaml new file mode 100644 index 0000000000..53bdf8c883 --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-contour.yaml 
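Review bot: The `3scale-kourier-gateway` Deployment runs the Envoy data plane with `runAsNonRoot: false` and `readOnlyRootFilesystem: false` and pulls `docker.io/maistra/proxyv2-ubi8:2.0.0` by mutable tag, while every other container in these fixtures is digest-pinned and runs non-root on a read-only filesystem; this is the internet-facing component (the `kourier` Service is `type: LoadBalancer`), so it is where a root process and an unpinned image matter most. The bootstrap also binds `stats_listener` on `0.0.0.0:9000` and proxies `/certs`, `/clusters`, `/listeners` and `/server_info` to the admin socket with no authentication, so any pod that can reach the gateway pod IP can read its certificate and upstream inventory. If this file is a verbatim copy of the upstream net-kourier 0.20 release the fix belongs upstream or in the operator's manifest transforms rather than in the fixture, but it is worth tracking: `runAsNonRoot: true` plus a digest-pinned `image:`, and an `emptyDir` mounted at `/tmp` if `readOnlyRootFilesystem: true` is to coexist with the `/tmp/envoy.admin` socket. Minor: `metadata.namespace` on the `3scale-kourier` ClusterRole is ignored, since ClusterRoles are cluster-scoped.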
@@ -0,0 +1,138 @@ +# Not used directly, this lets the knative-serving service account reconcile +# HTTPProxy resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-contour-core + labels: + networking.knative.dev/ingress-provider: contour + serving.knative.dev/controller: "true" +rules: + - apiGroups: ["projectcontour.io"] + resources: ["httpproxies"] + verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"] + +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-contour + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour + serving.knative.dev/release: "v0.20.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # timeout-policy-idle sets TimeoutPolicy.Idle in contour HTTPProxy spec + timeout-policy-idle: "infinity" + + # timeout-policy-response sets TimeoutPolicy.Response in contour HTTPProxy spec + timeou-policy-response: "infinity" + + # If auto-TLS is disabled fallback to the following certificate + # + # An operator is required to setup a TLSCertificateDelegation + # for this secret to be used + default-tls-secret: "some-namespace/some-secret" + + # visibility contains the configuration for how to expose services + # of assorted visibilities. 
Each entry is keyed by the visibility + # and contains two keys: + # 1. the "class" value to pass to the Contour class annotations, + # 2. the namespace/name of the Contour Envoy service. + visibility: | + ExternalIP: + class: contour-external + service: contour-external/envoy + ClusterLocal: + class: contour-internal + service: contour-internal/envoy + +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: contour-ingress-controller + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour +spec: + replicas: 1 + selector: + matchLabels: + app: contour-ingress-controller + template: + metadata: + labels: + app: contour-ingress-controller + spec: + serviceAccountName: controller + containers: + - name: controller + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:5654ef5be4f506909bba6cbb59e7049d6c4bfc866066f2546bcabd2ff547307f + resources: + requests: + cpu: 40m + memory: 40Mi + limits: + cpu: 400m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/net-contour + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all +--- + diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-istio.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-istio.yaml new file mode 100644 index 0000000000..7d86670be2 --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.20/net-istio.yaml 
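Review bot: The `_example` block of `config-contour` misspells the response-timeout key as `timeou-policy-response`; since the surrounding text tells users to copy these entries into `data`, anyone who does so ends up with a key the controller never reads and a response timeout that silently stays at its default instead of `infinity`. It should read `timeout-policy-response: "infinity"`. Separately, the `knative-contour-core` ClusterRole is the only resource in this file without a `serving.knative.dev/release` label, so if the operator uses that label to track or clean up versioned resources it would presumably be skipped — worth confirming whether that is intended. If this fixture mirrors the upstream net-contour 0.20 release byte-for-byte the typo fix belongs upstream, but any test that loads it carries the same defect.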
@@ -0,0 +1,517 @@ +# Generated when HEAD was 9f0302e48909925303ccbdc2da86ca9b93d2cff0 +# +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # These are the permissions needed by the Istio Ingress implementation. + name: knative-serving-istio + labels: + serving.knative.dev/release: "v0.20.0" + serving.knative.dev/controller: "true" + networking.knative.dev/ingress-provider: istio +rules: + - apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "gateways"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the shared Gateway for all Knative routes to use. 
+apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-ingress-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# A cluster local gateway to allow pods outside of the mesh to access +# Services and Routes not exposing through an ingress. If the users +# do have a service mesh setup, this isn't required. +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-local-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 8081 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: v1 +kind: Service +metadata: + name: knative-local-gateway + namespace: istio-system + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +spec: + type: ClusterIP + selector: + istio: ingressgateway + ports: + - name: http2 + port: 80 + targetPort: 8081 + +--- +# Allows the Webhooks to be reached by kube-api with or without +# sidecar injection and with mTLS PERMISSIVE and STRICT. 
+apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: webhook + mtls: + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "istio-webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: istio-webhook + mtls: + mode: PERMISSIVE + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.istio.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + objectSelector: + matchExpressions: + - {key: "serving.knative.dev/configuration", operator: Exists} + name: webhook.istio.networking.internal.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.istio.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: config.webhook.istio.networking.internal.knative.dev + namespaceSelector: + matchExpressions: + - key: serving.knative.dev/release + operator: Exists + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: istio-webhook-certs + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default Knative Gateway after v0.3. It points to the Istio + # standard istio-ingressgateway, instead of a custom one that we + # used pre-0.3. The configuration format should be `gateway. + # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. + # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} + # is optional; when it is omitted, the system will search for + # the gateway in the serving system namespace `knative-serving` + gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" + + # A cluster local gateway to allow pods outside of the mesh to access + # Services and Routes not exposing through an ingress. If the users + # do have a service mesh setup, this isn't required and can be removed. 
+ # + # An example use case is when users want to use Istio without any + # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod + # is outside of the service mesh in that case, a cluster-local service + # will need to be exposed to a cluster-local gateway to be accessible. + # The configuration format should be `local-gateway.{{local_gateway_namespace}}. + # {{local_gateway_name}}: "{{cluster_local_gateway_name}}. + # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The + # {{local_gateway_namespace}} is optional; when it is omitted, the system + # will search for the local gateway in the serving system namespace + # `knative-serving` + local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local" + + # To use only Istio service mesh and no knative-local-gateway, replace + # all local-gateway.* entries by the following entry. + local-gateway.mesh: "mesh" + + # If true, knative will use the Istio VirtualService's status to determine + # endpoint readiness. Otherwise, probe as usual. + enable-virtualservice-status: "false" + # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: networking-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: networking-istio + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + # This must be outside of the mesh to probe the gateways. + # NOTE: this is allowed here and not elsewhere because + # this is the Istio controller, and so it may be Istio-aware. + sidecar.istio.io/inject: "false" + labels: + app: networking-istio + serving.knative.dev/release: "v0.20.0" + spec: + serviceAccountName: controller + containers: + - name: networking-istio + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:f3791f496a075898d20b51b179c193dcb55d3acd3006815853dd7f07b6e63425 + resources: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + - name: METRICS_DOMAIN + value: knative.dev/net-istio + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + +# Unlike other controllers, this doesn't need a Service defined for metrics and +# profiling because it opts out of the mesh (see annotation above). + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-webhook + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: istio-webhook + role: istio-webhook + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app: istio-webhook + role: istio-webhook + serving.knative.dev/release: "v0.20.0" + spec: + serviceAccountName: controller + containers: + - name: webhook + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:d044519f9b1f1e9eff45cf9657d73b6b3d943266eda5684ff5b9cd3c312dfebb + resources: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + - name: METRICS_DOMAIN + value: knative.dev/net-istio + - name: WEBHOOK_NAME + value: istio-webhook + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: https-webhook + containerPort: 8443 + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + name: istio-webhook + namespace: knative-serving + labels: + role: istio-webhook + serving.knative.dev/release: "v0.20.0" + networking.knative.dev/ingress-provider: istio +spec: + ports: + # Define metrics and profiling for them to be accessible within service meshes. + - name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + app: istio-webhook + +--- 
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/kourier.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/kourier.yaml
new file mode 100644
index 0000000000..4efa510c1f
--- /dev/null
+++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/kourier.yaml
@@ -0,0 +1,393 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kourier-bootstrap + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +data: + envoy-bootstrap.yaml: | + dynamic_resources: + ads_config: + api_type: GRPC + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + cds_config: + ads: {} + lds_config: + ads: {} + node: + cluster: kourier-knative + id: 3scale-kourier-gateway + static_resources: + listeners: + - name: stats_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: stats_server + http_filters: + - name: envoy.filters.http.router + route_config: + virtual_hosts: + - name: admin_interface + domains: + - "*" + routes: + - match: + safe_regex: + google_re2: {} + regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' + headers: + - name: ':method' + exact_match: GET + route: + cluster: service_stats + clusters: + - name: service_stats + connect_timeout: 0.250s + type: static + load_assignment: + cluster_name: service_stats + endpoints: + lb_endpoints: + endpoint: + address: + pipe: + path: /tmp/envoy.admin + - name: xds_cluster + connect_timeout: 1s + type: strict_dns + load_assignment: + cluster_name: xds_cluster + endpoints: + lb_endpoints: + endpoint: + address: + socket_address: + address: "kourier-control.knative-serving" + port_value: 18000 + http2_protocol_options: {} + type: STRICT_DNS + admin: + access_log_path: "/dev/stdout" + address: + pipe: + path: /tmp/envoy.admin + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: 3scale-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 3scale-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] + resources: ["pods", "endpoints", "services", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses/status"] + verbs: ["update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 3scale-kourier + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 3scale-kourier +subjects: + - kind: ServiceAccount + name: 3scale-kourier + namespace: knative-serving + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the 
"License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-control + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +spec: + replicas: 1 + selector: + matchLabels: + app: 3scale-kourier-control + template: + metadata: + labels: + app: 3scale-kourier-control + spec: + containers: + - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:5ec9c41be4475d325e3cba284f3725d6147ca1f0ac766cd9ff22f97c36a9def5 + name: kourier-control + env: + - name: CERTS_SECRET_NAMESPACE + value: "" + - name: CERTS_SECRET_NAME + value: "" + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METRICS_DOMAIN + value: "knative.dev/samples" + - name: KOURIER_GATEWAY_NAMESPACE + value: "kourier-system" + ports: + - name: http2-xds + containerPort: 18000 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + restartPolicy: Always + serviceAccountName: 3scale-kourier +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-control + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +spec: + ports: + - name: grpc-xds + port: 18000 + protocol: TCP + targetPort: 18000 + selector: + app: 3scale-kourier-control + type: ClusterIP + +--- +# Copyright 2020 The Knative Authors +# +# 
Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-gateway + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +spec: + selector: + matchLabels: + app: 3scale-kourier-gateway + template: + metadata: + labels: + app: 3scale-kourier-gateway + spec: + containers: + - args: + - --base-id 1 + - -c /tmp/config/envoy-bootstrap.yaml + - --log-level info + command: + - /usr/local/bin/envoy + image: docker.io/envoyproxy/envoy:v1.16-latest + name: kourier-gateway + ports: + - name: http2-external + containerPort: 8080 + protocol: TCP + - name: http2-internal + containerPort: 8081 + protocol: TCP + - name: https-external + containerPort: 8443 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: false + capabilities: + drop: + - all + volumeMounts: + - name: config-volume + mountPath: /tmp/config + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "curl -X POST --unix /tmp/envoy.admin http://localhost/healthcheck/fail; sleep 15"] + readinessProbe: + httpGet: + httpHeaders: + - name: Host + value: internalkourier + path: /ready + port: 8081 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + volumes: + - name: config-volume + configMap: + name: kourier-bootstrap + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier + 
namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app: 3scale-kourier-gateway + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-internal + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.21.0" +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8081 + selector: + app: 3scale-kourier-gateway + type: ClusterIP + +--- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-contour.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-contour.yaml new file mode 100644 index 0000000000..4ffdbfbf33 --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-contour.yaml 
@@ -0,0 +1,138 @@ +# Not used directly, this lets the knative-serving service account reconcile +# HTTPProxy resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-contour-core + labels: + networking.knative.dev/ingress-provider: contour + serving.knative.dev/controller: "true" +rules: + - apiGroups: ["projectcontour.io"] + resources: ["httpproxies"] + verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"] + +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-contour + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour + serving.knative.dev/release: "v0.21.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # timeout-policy-idle sets TimeoutPolicy.Idle in contour HTTPProxy spec + timeout-policy-idle: "infinity" + + # timeout-policy-response sets TimeoutPolicy.Response in contour HTTPProxy spec + timeou-policy-response: "infinity" + + # If auto-TLS is disabled fallback to the following certificate + # + # An operator is required to setup a TLSCertificateDelegation + # for this secret to be used + default-tls-secret: "some-namespace/some-secret" + + # visibility contains the configuration for how to expose services + # of assorted visibilities. 
Each entry is keyed by the visibility + # and contains two keys: + # 1. the "class" value to pass to the Contour class annotations, + # 2. the namespace/name of the Contour Envoy service. + visibility: | + ExternalIP: + class: contour-external + service: contour-external/envoy + ClusterLocal: + class: contour-internal + service: contour-internal/envoy + +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: contour-ingress-controller + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour +spec: + replicas: 1 + selector: + matchLabels: + app: contour-ingress-controller + template: + metadata: + labels: + app: contour-ingress-controller + spec: + serviceAccountName: controller + containers: + - name: controller + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:61d2fcbe586e99d755447550d465897ddd1c54157399fd79e51547ed75108c3a + resources: + requests: + cpu: 40m + memory: 40Mi + limits: + cpu: 400m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/net-contour + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all +--- + diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-istio.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-istio.yaml new file mode 100644 index 0000000000..e5ee1a1762 --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.21/net-istio.yaml 
@@ -0,0 +1,535 @@ +# Generated when HEAD was 59b2af9679f7997fffd9befb57dedec35e1a302d +# +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # These are the permissions needed by the Istio Ingress implementation. + name: knative-serving-istio + labels: + serving.knative.dev/release: "v0.21.0" + serving.knative.dev/controller: "true" + networking.knative.dev/ingress-provider: istio +rules: + - apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "gateways"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the shared Gateway for all Knative routes to use. 
+apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-ingress-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# A cluster local gateway to allow pods outside of the mesh to access +# Services and Routes not exposing through an ingress. If the users +# do have a service mesh setup, this isn't required. +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-local-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 8081 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: v1 +kind: Service +metadata: + name: knative-local-gateway + namespace: istio-system + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + type: ClusterIP + selector: + istio: ingressgateway + ports: + - name: http2 + port: 80 + targetPort: 8081 + +--- +# Allows the Webhooks to be reached by kube-api with or without +# sidecar injection and with mTLS PERMISSIVE and STRICT. 
+apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: webhook + portLevelMtls: + 8443: + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "domainmapping-webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: domainmapping-webhook + portLevelMtls: + 8443: + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "istio-webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: istio-webhook + portLevelMtls: + 8443: + mode: PERMISSIVE + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.istio.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + objectSelector: + matchExpressions: + - {key: "serving.knative.dev/configuration", operator: Exists} + name: webhook.istio.networking.internal.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.istio.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: config.webhook.istio.networking.internal.knative.dev + namespaceSelector: + matchExpressions: + - key: serving.knative.dev/release + operator: Exists + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: istio-webhook-certs + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default Knative Gateway after v0.3. 
It points to the Istio + # standard istio-ingressgateway, instead of a custom one that we + # used pre-0.3. The configuration format should be `gateway. + # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. + # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} + # is optional; when it is omitted, the system will search for + # the gateway in the serving system namespace `knative-serving` + gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" + + # A cluster local gateway to allow pods outside of the mesh to access + # Services and Routes not exposing through an ingress. If the users + # do have a service mesh setup, this isn't required and can be removed. + # + # An example use case is when users want to use Istio without any + # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod + # is outside of the service mesh in that case, a cluster-local service + # will need to be exposed to a cluster-local gateway to be accessible. + # The configuration format should be `local-gateway.{{local_gateway_namespace}}. + # {{local_gateway_name}}: "{{cluster_local_gateway_name}}. + # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The + # {{local_gateway_namespace}} is optional; when it is omitted, the system + # will search for the local gateway in the serving system namespace + # `knative-serving` + local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local" + + # To use only Istio service mesh and no knative-local-gateway, replace + # all local-gateway.* entries by the following entry. + local-gateway.mesh: "mesh" + + # If true, knative will use the Istio VirtualService's status to determine + # endpoint readiness. Otherwise, probe as usual. + enable-virtualservice-status: "false" + # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. 
+ +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: networking-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: networking-istio + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + # This must be outside of the mesh to probe the gateways. + # NOTE: this is allowed here and not elsewhere because + # this is the Istio controller, and so it may be Istio-aware. + sidecar.istio.io/inject: "false" + labels: + app: networking-istio + serving.knative.dev/release: "v0.21.0" + spec: + serviceAccountName: controller + containers: + - name: networking-istio + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:5555b83528d9f694268c521c78caae0a9c31c7e1c98795d854f6fe990d561312 + resources: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + - name: METRICS_DOMAIN + value: knative.dev/net-istio + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + +# Unlike other controllers, this doesn't need a Service defined for metrics and +# profiling because it opts out of the mesh (see annotation above). + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-webhook + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: istio-webhook + role: istio-webhook + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app: istio-webhook + role: istio-webhook + serving.knative.dev/release: "v0.21.0" + spec: + serviceAccountName: controller + containers: + - name: webhook + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:203acf3ac797f1e66a6ea3aa02a7060d199af521d7fbc5633ef79a05a4aec8fa + resources: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + - name: METRICS_DOMAIN + value: knative.dev/net-istio + - name: WEBHOOK_NAME + value: istio-webhook + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: https-webhook + containerPort: 8443 + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + name: istio-webhook + namespace: knative-serving + labels: + role: istio-webhook + serving.knative.dev/release: "v0.21.0" + networking.knative.dev/ingress-provider: istio +spec: + ports: + # Define metrics and profiling for them to be accessible within service meshes. + - name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + app: istio-webhook + +--- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/kourier.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/kourier.yaml new file mode 100644 index 0000000000..342f6822c6 --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/kourier.yaml 
@@ -0,0 +1,393 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kourier-bootstrap + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +data: + envoy-bootstrap.yaml: | + dynamic_resources: + ads_config: + api_type: GRPC + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + cds_config: + ads: {} + lds_config: + ads: {} + node: + cluster: kourier-knative + id: 3scale-kourier-gateway + static_resources: + listeners: + - name: stats_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: stats_server + http_filters: + - name: envoy.filters.http.router + route_config: + virtual_hosts: + - name: admin_interface + domains: + - "*" + routes: + - match: + safe_regex: + google_re2: {} + regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' + headers: + - name: ':method' + exact_match: GET + route: + cluster: service_stats + clusters: + - name: service_stats + connect_timeout: 0.250s + type: static + load_assignment: + cluster_name: service_stats + endpoints: + lb_endpoints: + endpoint: + address: + pipe: + path: /tmp/envoy.admin + - name: xds_cluster + connect_timeout: 1s + type: strict_dns + load_assignment: + cluster_name: xds_cluster + endpoints: + lb_endpoints: + endpoint: + address: + socket_address: + address: "kourier-control.knative-serving" + port_value: 18000 + http2_protocol_options: {} + type: STRICT_DNS + admin: + access_log_path: "/dev/stdout" + address: + pipe: + path: /tmp/envoy.admin + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: 3scale-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 3scale-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] + resources: ["pods", "endpoints", "services", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses/status"] + verbs: ["update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 3scale-kourier + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 3scale-kourier +subjects: + - kind: ServiceAccount + name: 3scale-kourier + namespace: knative-serving + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the 
"License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-control + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +spec: + replicas: 1 + selector: + matchLabels: + app: 3scale-kourier-control + template: + metadata: + labels: + app: 3scale-kourier-control + spec: + containers: + - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:7f10e56399b567a59bac93e8c59912acd073d9a1e3b3c0f763284083d0707e47 + name: kourier-control + env: + - name: CERTS_SECRET_NAMESPACE + value: "" + - name: CERTS_SECRET_NAME + value: "" + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METRICS_DOMAIN + value: "knative.dev/samples" + - name: KOURIER_GATEWAY_NAMESPACE + value: "kourier-system" + ports: + - name: http2-xds + containerPort: 18000 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + restartPolicy: Always + serviceAccountName: 3scale-kourier +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-control + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +spec: + ports: + - name: grpc-xds + port: 18000 + protocol: TCP + targetPort: 18000 + selector: + app: 3scale-kourier-control + type: ClusterIP + +--- +# Copyright 2020 The Knative Authors +# +# 
Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-gateway + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +spec: + selector: + matchLabels: + app: 3scale-kourier-gateway + template: + metadata: + labels: + app: 3scale-kourier-gateway + spec: + containers: + - args: + - --base-id 1 + - -c /tmp/config/envoy-bootstrap.yaml + - --log-level info + command: + - /usr/local/bin/envoy + image: docker.io/envoyproxy/envoy:v1.16-latest + name: kourier-gateway + ports: + - name: http2-external + containerPort: 8080 + protocol: TCP + - name: http2-internal + containerPort: 8081 + protocol: TCP + - name: https-external + containerPort: 8443 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: false + capabilities: + drop: + - all + volumeMounts: + - name: config-volume + mountPath: /tmp/config + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "curl -X POST --unix /tmp/envoy.admin http://localhost/healthcheck/fail; sleep 15"] + readinessProbe: + httpGet: + httpHeaders: + - name: Host + value: internalkourier + path: /ready + port: 8081 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + volumes: + - name: config-volume + configMap: + name: kourier-bootstrap + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier + 
namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app: 3scale-kourier-gateway + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-internal + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + serving.knative.dev/release: "v0.22.0" +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8081 + selector: + app: 3scale-kourier-gateway + type: ClusterIP + +--- diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-contour.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-contour.yaml new file mode 100644 index 0000000000..fb6acbc0dc --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-contour.yaml 
@@ -0,0 +1,138 @@ +# Not used directly, this lets the knative-serving service account reconcile +# HTTPProxy resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-contour-core + labels: + networking.knative.dev/ingress-provider: contour + serving.knative.dev/controller: "true" +rules: + - apiGroups: ["projectcontour.io"] + resources: ["httpproxies"] + verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"] + +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-contour + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour + serving.knative.dev/release: "v0.22.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # timeout-policy-idle sets TimeoutPolicy.Idle in contour HTTPProxy spec + timeout-policy-idle: "infinity" + + # timeout-policy-response sets TimeoutPolicy.Response in contour HTTPProxy spec + timeout-policy-response: "infinity" + + # If auto-TLS is disabled fallback to the following certificate + # + # An operator is required to setup a TLSCertificateDelegation + # for this secret to be used + default-tls-secret: "some-namespace/some-secret" + + # visibility contains the configuration for how to expose services + # of assorted visibilities. 
Each entry is keyed by the visibility + # and contains two keys: + # 1. the "class" value to pass to the Contour class annotations, + # 2. the namespace/name of the Contour Envoy service. + visibility: | + ExternalIP: + class: contour-external + service: contour-external/envoy + ClusterLocal: + class: contour-internal + service: contour-internal/envoy + +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: contour-ingress-controller + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: contour +spec: + replicas: 1 + selector: + matchLabels: + app: contour-ingress-controller + template: + metadata: + labels: + app: contour-ingress-controller + spec: + serviceAccountName: controller + containers: + - name: controller + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/net-contour/cmd/controller@sha256:705ac18c11352a874ed35d7404eed1792d599bbd5fcdaed7b945484b1d567bd9 + resources: + requests: + cpu: 40m + memory: 40Mi + limits: + cpu: 400m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/net-contour + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all +--- + diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-istio.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-istio.yaml new file mode 100644 index 0000000000..8796c156de --- /dev/null +++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/ingress/0.22/net-istio.yaml 
@@ -0,0 +1,535 @@ +# Generated when HEAD was 191bc5fe5a4b35b64f70577c3e44e44fb699cc5f +# +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # These are the permissions needed by the Istio Ingress implementation. + name: knative-serving-istio + labels: + serving.knative.dev/release: "v0.22.1" + serving.knative.dev/controller: "true" + networking.knative.dev/ingress-provider: istio +rules: + - apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "gateways", "destinationrules"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the shared Gateway for all Knative routes to use. 
+apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-ingress-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# A cluster local gateway to allow pods outside of the mesh to access +# Services and Routes not exposing through an ingress. If the users +# do have a service mesh setup, this isn't required. +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-local-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 8081 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: v1 +kind: Service +metadata: + name: knative-local-gateway + namespace: istio-system + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +spec: + type: ClusterIP + selector: + istio: ingressgateway + ports: + - name: http2 + port: 80 + targetPort: 8081 + +--- +# Allows the Webhooks to be reached by kube-api with or without +# sidecar injection and with mTLS PERMISSIVE and STRICT. 
+apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: webhook + portLevelMtls: + 8443: + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "domainmapping-webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: domainmapping-webhook + portLevelMtls: + 8443: + mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "istio-webhook" + namespace: "knative-serving" + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: istio-webhook + portLevelMtls: + 8443: + mode: PERMISSIVE + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.istio.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + objectSelector: + matchExpressions: + - {key: "serving.knative.dev/configuration", operator: Exists} + name: webhook.istio.networking.internal.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.istio.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: istio-webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: config.webhook.istio.networking.internal.knative.dev + namespaceSelector: + matchExpressions: + - key: serving.knative.dev/release + operator: Exists + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: istio-webhook-certs + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default Knative Gateway after v0.3. 
It points to the Istio + # standard istio-ingressgateway, instead of a custom one that we + # used pre-0.3. The configuration format should be `gateway. + # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. + # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} + # is optional; when it is omitted, the system will search for + # the gateway in the serving system namespace `knative-serving` + gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" + + # A cluster local gateway to allow pods outside of the mesh to access + # Services and Routes not exposing through an ingress. If the users + # do have a service mesh setup, this isn't required and can be removed. + # + # An example use case is when users want to use Istio without any + # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod + # is outside of the service mesh in that case, a cluster-local service + # will need to be exposed to a cluster-local gateway to be accessible. + # The configuration format should be `local-gateway.{{local_gateway_namespace}}. + # {{local_gateway_name}}: "{{cluster_local_gateway_name}}. + # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The + # {{local_gateway_namespace}} is optional; when it is omitted, the system + # will search for the local gateway in the serving system namespace + # `knative-serving` + local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local" + + # To use only Istio service mesh and no knative-local-gateway, replace + # all local-gateway.* entries by the following entry. + local-gateway.mesh: "mesh" + + # If true, knative will use the Istio VirtualService's status to determine + # endpoint readiness. Otherwise, probe as usual. + enable-virtualservice-status: "false" + # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. 
+ +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: networking-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: networking-istio + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + # This must be outside of the mesh to probe the gateways. + # NOTE: this is allowed here and not elsewhere because + # this is the Istio controller, and so it may be Istio-aware. + sidecar.istio.io/inject: "false" + labels: + app: networking-istio + serving.knative.dev/release: "v0.22.1" + spec: + serviceAccountName: controller + containers: + - name: networking-istio + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:ff8680da52ef47b8573ebc3393cbfa2f0f14b05c1e02232807f22699adbef57a + resources: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + - name: METRICS_DOMAIN + value: knative.dev/net-istio + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + +# Unlike other controllers, this doesn't need a Service defined for metrics and +# profiling because it opts out of the mesh (see annotation above). + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-webhook + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.22.1" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: istio-webhook + role: istio-webhook + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app: istio-webhook + role: istio-webhook + serving.knative.dev/release: "v0.22.1" + spec: + serviceAccountName: controller + containers: + - name: webhook + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:1e371db6b1a9f9265fc7a55d15d98c935c0c28925ffde351fb3b93f331c5a08e + resources: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + - name: METRICS_DOMAIN + value: knative.dev/net-istio + - name: WEBHOOK_NAME + value: istio-webhook + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: https-webhook + containerPort: 8443 + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-webhook
+ namespace: knative-serving
+ labels:
+ role: istio-webhook
+ serving.knative.dev/release: "v0.22.1"
+ networking.knative.dev/ingress-provider: istio
+spec:
+ ports:
+ # Define metrics and profiling for them to be accessible within service meshes.
+ - name: http-metrics
+ port: 9090
+ targetPort: 9090
+ - name: http-profiling
+ port: 8008
+ targetPort: 8008
+ - name: https-webhook
+ port: 443
+ targetPort: 8443
+ selector:
+ app: istio-webhook
+
+---
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/0.22.0/serving-core.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/0.22.0/serving-core.yaml
new file mode 100644
index 0000000000..3618239f08
--- /dev/null
+++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/0.22.0/serving-core.yaml
@@ -0,0 +1,20 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: knative-serving-core
+ labels:
+ serving.knative.dev/release: "v0.22.0"
diff --git a/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/latest/serving-core.yaml b/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/latest/serving-core.yaml
new file mode 100644
index 0000000000..3618239f08
--- /dev/null
+++ b/pkg/reconciler/knativeserving/ingress/testdata/kodata/knative-serving/latest/serving-core.yaml
@@ -0,0 +1,20 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: knative-serving-core
+ labels:
+ serving.knative.dev/release: "v0.22.0"
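Review bot: The `latest/serving-core.yaml` fixture is byte-identical to `0.22.0/serving-core.yaml` (both file headers show the same blob `3618239f08`, and both carry `serving.knative.dev/release: "v0.22.0"`), so a test that resolves the `latest` directory cannot tell from the loaded manifest whether the `latest` or the `0.22.0` directory was actually read. If the fixture is meant to exercise the `latest` lookup, a distinguishing value in this file, for example `name: knative-serving-core-latest` under `metadata`, would make a wrong-directory regression visible. If the two files must stay identical for the test, a one-line comment in the fixture stating that would spare the next reader the same question. I cannot see the test that consumes these fixtures, so this is inferred from the file contents alone.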