From f53dd07a26d4d47b6f5988b288cfcc750fe014b7 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Wed, 24 Jun 2020 21:47:54 +0000 Subject: [PATCH 01/25] Working on conditionally enabling mtls. --- cmd/allocator/main.go | 9 +++++++++ cmd/allocator/main_test.go | 13 ++++++++++--- pkg/util/runtime/features.go | 4 ++++ test/e2e/allocator_test.go | 8 ++++++-- 4 files changed, 29 insertions(+), 5 deletions(-) diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index 1f31bc6120..3d9bd203f0 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go @@ -177,11 +177,14 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I kubeClient, gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health)) + mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + stop := signals.NewStopChannel() h := serviceHandler{ allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return allocator.Allocate(gsa, stop) }, + mTLSEnabled: mTLSEnabled, } kubeInformerFactory.Start(stop) @@ -239,6 +242,10 @@ func (h *serviceHandler) getTLSCert(ch *tls.ClientHelloInfo) (*tls.Certificate, // verifyClientCertificate verifies that the client certificate is accepted // This method is used as GetConfigForClient is cross lang incompatible. func (h *serviceHandler) verifyClientCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + if !h.mTLSEnabled { + return nil + } + opts := x509.VerifyOptions{ Roots: h.caCertPool, CurrentTime: time.Now(), @@ -323,6 +330,8 @@ type serviceHandler struct { tlsMutex sync.RWMutex tlsCert *tls.Certificate + + mTLSEnabled bool } // Allocate implements the Allocate gRPC method definition diff --git a/cmd/allocator/main_test.go b/cmd/allocator/main_test.go index f6257b4b7f..fe7ea8db86 100644 --- a/cmd/allocator/main_test.go +++ b/cmd/allocator/main_test.go 
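Review bot: The early `return nil` added to verifyClientCertificate makes the verifier fail open: with the gate off, whatever certificate the TLS layer hands to this callback is accepted without a chain check against `h.caCertPool`, and nothing is logged. The listener still presents a server certificate, so an operator gets no signal that client authentication is off. A one-time warning where the gate is read in newServiceHandler would make the downgrade visible, e.g. `logger.Warn("allocator mTLS disabled: client certificates are not verified")`. The body of verifyClientCertificate continues outside the hunk.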
@@ -48,6 +48,7 @@ func TestAllocateHandler(t *testing.T) { }, }, nil }, + mTLSEnabled: true, } request := &pb.AllocationRequest{ @@ -75,6 +76,7 @@ func TestAllocateHandlerReturnsError(t *testing.T) { allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return nil, k8serror.NewBadRequest("error") }, + mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -93,7 +95,8 @@ func TestGetTlsCert(t *testing.T) { assert.Nil(t, err, "expected (serverCert2, serverKey2) to create a cert") h := serviceHandler{ - tlsCert: &cert1, + tlsCert: &cert1, + mTLSEnabled: true, } retrievedCert1, err := h.getTLSCert(nil) @@ -123,6 +126,7 @@ func TestHandlingStatus(t *testing.T) { Code: http.StatusUnprocessableEntity, }, nil }, + mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -146,6 +150,7 @@ func TestBadReturnType(t *testing.T) { allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return &corev1.Secret{}, nil }, + mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -170,7 +175,8 @@ func TestVerifyClientCertificateSucceeds(t *testing.T) { assert.True(t, certPool.AppendCertsFromPEM(crt)) h := serviceHandler{ - caCertPool: certPool, + caCertPool: certPool, + mTLSEnabled: true, } block, _ := pem.Decode(crt) @@ -185,7 +191,8 @@ func TestVerifyClientCertificateFails(t *testing.T) { crt := []byte(clientCert) certPool := x509.NewCertPool() h := serviceHandler{ - caCertPool: certPool, + caCertPool: certPool, + mTLSEnabled: true, } block, _ := pem.Decode(crt) diff --git a/pkg/util/runtime/features.go b/pkg/util/runtime/features.go index 0e75937c35..8f59b32e96 100644 --- a/pkg/util/runtime/features.go +++ b/pkg/util/runtime/features.go 
@@ -34,6 +34,9 @@ const ( // FeaturePlayerTracking is a feature flag to enable/disable player tracking features. FeaturePlayerTracking Feature = "PlayerTracking" + // FeatureMTLSEnabled is a feature flag to enable/disable mTLS in the allocator. + FeatureMTLSEnabled Feature = "MTLSEnabled" + // FeatureContainerPortAllocation is a feature flag to enable/disable allocating ports to several containers in a pod FeatureContainerPortAllocation Feature = "ContainerPortAllocation" ) @@ -46,6 +49,7 @@ var ( FeatureExample: true, FeaturePlayerTracking: false, FeatureContainerPortAllocation: true, + FeatureMTLSEnabled: true, } // featureGates is the storage of what features are enabled diff --git a/test/e2e/allocator_test.go b/test/e2e/allocator_test.go index 9a324b4612..14dba93a7a 100644 --- a/test/e2e/allocator_test.go +++ b/test/e2e/allocator_test.go @@ -31,6 +31,7 @@ import ( pb "agones.dev/agones/pkg/allocation/go" agonesv1 "agones.dev/agones/pkg/apis/agones/v1" multiclusterv1 "agones.dev/agones/pkg/apis/multicluster/v1" + "agones.dev/agones/pkg/util/runtime" e2e "agones.dev/agones/test/e2e/framework" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -221,6 +222,8 @@ func getAllocatorEndpoint(t *testing.T) (string, int32) { // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []byte) (grpc.DialOption, error) { + mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + kubeCore := framework.KubeClient.CoreV1() clientSecret, err := kubeCore.Secrets(namespace).Get(clientSecretName, metav1.GetOptions{}) if err != nil { 
@@ -246,8 +249,9 @@ func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []b } tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{cert}, - RootCAs: rootCA, + Certificates: []tls.Certificate{cert}, + RootCAs: rootCA, + InsecureSkipVerify: !mTLSEnabled, } return grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), nil From fe9fb5abad3d6e61ef7bf8a5c86f24a339b976b2 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Thu, 25 Jun 2020 02:40:24 +0000 Subject: [PATCH 02/25] Removed the need for having certificates with mTLS disabled. --- cmd/allocator/main.go | 7 +++---- pkg/gameserverallocations/allocator.go | 5 +++++ test/e2e/allocator_test.go | 8 +++++--- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index 3d9bd203f0..748c28b571 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go @@ -223,6 +223,9 @@ func readTLSCert() (*tls.Certificate, error) { // getServerOptions returns a list of GRPC server options. // Current options are TLS certs and opencensus stats handler. func (h *serviceHandler) getServerOptions() []grpc.ServerOption { + if !h.mTLSEnabled { + return []grpc.ServerOption{grpc.StatsHandler(&ocgrpc.ServerHandler{})} + } cfg := &tls.Config{ GetCertificate: h.getTLSCert, @@ -242,10 +245,6 @@ func (h *serviceHandler) getTLSCert(ch *tls.ClientHelloInfo) (*tls.Certificate, // verifyClientCertificate verifies that the client certificate is accepted // This method is used as GetConfigForClient is cross lang incompatible. func (h *serviceHandler) verifyClientCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - if !h.mTLSEnabled { - return nil - } - opts := x509.VerifyOptions{ Roots: h.caCertPool, CurrentTime: time.Now(), diff --git a/pkg/gameserverallocations/allocator.go b/pkg/gameserverallocations/allocator.go index 44bcbebdd8..3ebb14990f 100644 --- a/pkg/gameserverallocations/allocator.go 
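Review bot: `InsecureSkipVerify: !mTLSEnabled` ties the client's check of the server certificate to a gate that is about client certificates, so with the gate off this dial option accepts any server certificate even though `RootCAs` is populated. Verifying the server does not depend on whether the server asks for a client certificate, so the field can stay at its default and the `tls.Config` can keep only `Certificates` and `RootCAs`. createRemoteClusterDialOption starts outside this hunk.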
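Review bot: The new early return in getServerOptions drops the whole `tls.Config`, not only client-certificate verification, so with `mTLSEnabled` false the allocator serves plaintext gRPC with no server certificate and no caller authentication. The client side of this patch makes the same all-or-nothing choice with `grpc.WithInsecure()` in pkg/gameserverallocations/allocator.go and test/e2e/allocator_test.go. If only client certificates are meant to be optional, keep `GetCertificate: h.getTLSCert` and relax the client-auth setting (for example `ClientAuth: tls.NoClientCert`) instead of returning early; the rest of `cfg` is outside the hunk, so its current `ClientAuth` value is not visible here. If plaintext is intended, the doc comment should say so, e.g. `// With mTLS disabled only the stats handler is returned and the server runs without TLS.`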
+++ b/pkg/gameserverallocations/allocator.go @@ -364,6 +364,11 @@ func (c *Allocator) allocateFromRemoteCluster(gsa *allocationv1.GameServerAlloca // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func (c *Allocator) createRemoteClusterDialOption(namespace string, connectionInfo *multiclusterv1.ClusterConnectionInfo) (grpc.DialOption, error) { + mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + if !mTLSEnabled { + return grpc.WithInsecure(), nil + } + clientCert, clientKey, caCert, err := c.getClientCertificates(namespace, connectionInfo.SecretName) if err != nil { return nil, err diff --git a/test/e2e/allocator_test.go b/test/e2e/allocator_test.go index 14dba93a7a..5f47a17bc1 100644 --- a/test/e2e/allocator_test.go +++ b/test/e2e/allocator_test.go @@ -223,6 +223,9 @@ func getAllocatorEndpoint(t *testing.T) (string, int32) { // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []byte) (grpc.DialOption, error) { mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + if !mTLSEnabled { + return grpc.WithInsecure(), nil + } kubeCore := framework.KubeClient.CoreV1() clientSecret, err := kubeCore.Secrets(namespace).Get(clientSecretName, metav1.GetOptions{}) @@ -249,9 +252,8 @@ func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []b } tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{cert}, - RootCAs: rootCA, - InsecureSkipVerify: !mTLSEnabled, + Certificates: []tls.Certificate{cert}, + RootCAs: rootCA, } return grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), nil From ef22f25c217087f0b44ffa145a80d1a9ae9dcbd7 Mon Sep 17 00:00:00 2001 
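Review bot: The plaintext choice in createRemoteClusterDialOption is read from the process-wide feature gate, so one local setting downgrades the connection to every remote cluster, including those whose `connectionInfo.SecretName` holds client and CA certificates. Allocation requests then cross the cluster boundary unencrypted and the remote endpoint is never authenticated, and nothing is logged when that happens. The doc comment still promises "proper certs"; it should state the insecure branch, e.g. `// createRemoteClusterDialOption creates a grpc client dial option for a remote call; no TLS is used when mTLS is disabled.` The function continues outside the hunk.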
From: Nikhil Athreya Date: Thu, 25 Jun 2020 04:26:22 +0000 Subject: [PATCH 03/25] Fixed bug with mTLS enabling in the controller test. --- pkg/gameserverallocations/controller_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/gameserverallocations/controller_test.go b/pkg/gameserverallocations/controller_test.go index d801ad5569..6d84f8d4aa 100644 --- a/pkg/gameserverallocations/controller_test.go +++ b/pkg/gameserverallocations/controller_test.go @@ -32,6 +32,7 @@ import ( "agones.dev/agones/pkg/gameservers" agtesting "agones.dev/agones/pkg/testing" "agones.dev/agones/pkg/util/apiserver" + "agones.dev/agones/pkg/util/runtime" "agones.dev/agones/pkg/util/signals" "github.com/heptiolabs/healthcheck" "github.com/pkg/errors" @@ -1161,6 +1162,7 @@ func TestMultiClusterAllocationFromRemote(t *testing.T) { func TestCreateRestClientError(t *testing.T) { t.Parallel() + runtime.ParseFeatures("") t.Run("Missing secret", func(t *testing.T) { c, _ := newFakeController() From 7e037d5854564b7c4f3522876141e3fe9f13716e Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Thu, 25 Jun 2020 04:50:50 +0000 Subject: [PATCH 04/25] Checked error value from runtime feature parsing in controller_test.go --- pkg/gameserverallocations/controller_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/gameserverallocations/controller_test.go b/pkg/gameserverallocations/controller_test.go index 6d84f8d4aa..32427ea744 100644 --- a/pkg/gameserverallocations/controller_test.go +++ b/pkg/gameserverallocations/controller_test.go @@ -1162,7 +1162,8 @@ func TestMultiClusterAllocationFromRemote(t *testing.T) { func TestCreateRestClientError(t *testing.T) { t.Parallel() - runtime.ParseFeatures("") + err := runtime.ParseFeatures("") + assert.NoError(t, err) t.Run("Missing secret", func(t *testing.T) { c, _ := newFakeController() From 997ad33bd723e1fe8473721b1726164939ca36ee Mon Sep 17 00:00:00 2001 
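Review bot: `runtime.ParseFeatures("")` is called right after `t.Parallel()` in TestCreateRestClientError, so this test presumably rewrites the package-level feature gates while other parallel tests may be reading them, which is a data race and makes results depend on scheduling. PATCH 04 adds the missing error check but keeps the call inside the parallel test. Either drop `t.Parallel()` from this test or pass the mTLS setting into the code under test instead of reading global state.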
From: Nikhil Athreya Date: Thu, 25 Jun 2020 20:33:12 +0000 Subject: [PATCH 05/25] Changed flag name and added it to the documentation. --- cloudbuild.yaml | 4 ++++ cmd/allocator/main.go | 8 ++++---- cmd/allocator/main_test.go | 13 +++---------- pkg/gameserverallocations/allocator.go | 4 ++-- pkg/util/runtime/features.go | 6 +++--- site/content/en/docs/Guides/feature-stages.md | 1 + test/e2e/allocator_test.go | 4 ++-- 7 files changed, 19 insertions(+), 21 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index a7005fa170..e1ff5cb65b 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -232,7 +232,11 @@ steps: # - name: 'e2e-runner' +<<<<<<< HEAD args: ['PlayerTracking=true&ContainerPortAllocation=false', 'e2e-test-cluster'] +======= + args: ['PlayerTracking=true&ContainerPortAllocation=true&AllocatorMTLSDisabled=true', 'e2e-test-cluster'] +>>>>>>> d563119b... Changed flag name and added it to the documentation. id: e2e-feature-gates waitFor: - push-images diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index 748c28b571..1547cb3b1a 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go @@ -177,14 +177,14 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I kubeClient, gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health)) - mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) stop := signals.NewStopChannel() h := serviceHandler{ allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return allocator.Allocate(gsa, stop) }, - mTLSEnabled: mTLSEnabled, + mTLSDisabled: mTLSDisabled, } kubeInformerFactory.Start(stop) 
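Review bot: The cloudbuild.yaml hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> d563119b...`) inside the `e2e-runner` step, leaving two `args:` entries and lines that are not valid YAML. Resolve the conflict to a single `args:` line in this commit rather than in a later one. The second candidate also sets `AllocatorMTLSDisabled=true`, so if it is the one kept, this step would exercise only the non-TLS allocator path.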
@@ -223,7 +223,7 @@ func readTLSCert() (*tls.Certificate, error) { // getServerOptions returns a list of GRPC server options. // Current options are TLS certs and opencensus stats handler. func (h *serviceHandler) getServerOptions() []grpc.ServerOption { - if !h.mTLSEnabled { + if h.mTLSDisabled { return []grpc.ServerOption{grpc.StatsHandler(&ocgrpc.ServerHandler{})} } @@ -330,7 +330,7 @@ type serviceHandler struct { tlsMutex sync.RWMutex tlsCert *tls.Certificate - mTLSEnabled bool + mTLSDisabled bool } // Allocate implements the Allocate gRPC method definition diff --git a/cmd/allocator/main_test.go b/cmd/allocator/main_test.go index fe7ea8db86..f6257b4b7f 100644 --- a/cmd/allocator/main_test.go +++ b/cmd/allocator/main_test.go @@ -48,7 +48,6 @@ func TestAllocateHandler(t *testing.T) { }, }, nil }, - mTLSEnabled: true, } request := &pb.AllocationRequest{ @@ -76,7 +75,6 @@ func TestAllocateHandlerReturnsError(t *testing.T) { allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return nil, k8serror.NewBadRequest("error") }, - mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -95,8 +93,7 @@ func TestGetTlsCert(t *testing.T) { assert.Nil(t, err, "expected (serverCert2, serverKey2) to create a cert") h := serviceHandler{ - tlsCert: &cert1, - mTLSEnabled: true, + tlsCert: &cert1, } retrievedCert1, err := h.getTLSCert(nil) @@ -126,7 +123,6 @@ func TestHandlingStatus(t *testing.T) { Code: http.StatusUnprocessableEntity, }, nil }, - mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -150,7 +146,6 @@ func TestBadReturnType(t *testing.T) { allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return &corev1.Secret{}, nil }, - mTLSEnabled: true, } request := &pb.AllocationRequest{} 
@@ -175,8 +170,7 @@ func TestVerifyClientCertificateSucceeds(t *testing.T) { assert.True(t, certPool.AppendCertsFromPEM(crt)) h := serviceHandler{ - caCertPool: certPool, - mTLSEnabled: true, + caCertPool: certPool, } block, _ := pem.Decode(crt) @@ -191,8 +185,7 @@ func TestVerifyClientCertificateFails(t *testing.T) { crt := []byte(clientCert) certPool := x509.NewCertPool() h := serviceHandler{ - caCertPool: certPool, - mTLSEnabled: true, + caCertPool: certPool, } block, _ := pem.Decode(crt) diff --git a/pkg/gameserverallocations/allocator.go b/pkg/gameserverallocations/allocator.go index 3ebb14990f..2f9565b4f1 100644 --- a/pkg/gameserverallocations/allocator.go +++ b/pkg/gameserverallocations/allocator.go @@ -364,8 +364,8 @@ func (c *Allocator) allocateFromRemoteCluster(gsa *allocationv1.GameServerAlloca // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func (c *Allocator) createRemoteClusterDialOption(namespace string, connectionInfo *multiclusterv1.ClusterConnectionInfo) (grpc.DialOption, error) { - mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) - if !mTLSEnabled { + mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) + if mTLSDisabled { return grpc.WithInsecure(), nil } diff --git a/pkg/util/runtime/features.go b/pkg/util/runtime/features.go index 8f59b32e96..ed34a49519 100644 --- a/pkg/util/runtime/features.go +++ b/pkg/util/runtime/features.go 
@@ -34,8 +34,8 @@ const ( // FeaturePlayerTracking is a feature flag to enable/disable player tracking features. FeaturePlayerTracking Feature = "PlayerTracking" - // FeatureMTLSEnabled is a feature flag to enable/disable mTLS in the allocator. - FeatureMTLSEnabled Feature = "MTLSEnabled" + // FeatureAllocatorMTLSDisabled is a feature flag to enable/disable mTLS in the allocator. + FeatureAllocatorMTLSDisabled Feature = "AllocatorMTLSDisabled" // FeatureContainerPortAllocation is a feature flag to enable/disable allocating ports to several containers in a pod FeatureContainerPortAllocation Feature = "ContainerPortAllocation" @@ -49,7 +49,7 @@ var ( FeatureExample: true, FeaturePlayerTracking: false, FeatureContainerPortAllocation: true, - FeatureMTLSEnabled: true, + FeatureAllocatorMTLSDisabled: false, } // featureGates is the storage of what features are enabled diff --git a/site/content/en/docs/Guides/feature-stages.md b/site/content/en/docs/Guides/feature-stages.md index c1970f8e34..49aa5bedc7 100644 --- a/site/content/en/docs/Guides/feature-stages.md +++ b/site/content/en/docs/Guides/feature-stages.md @@ -31,6 +31,7 @@ The current set of `alpha` and `beta` feature gates are: | Example Gate (not in use) | `Example` | Disabled | None | 0.13.0 | | [Port Allocations to Multiple Containers]({{< ref "/docs/Reference/gameserver.md" >}}) | `ContainerPortAllocation` | Disabled | `Alpha` | 1.6.0 | | [Player Tracking]({{< ref "/docs/Guides/player-tracking.md" >}}) | `PlayerTracking` | Disabled | `Alpha` | 1.6.0 | +| MTLS in the Allocator | `AllocatorMTLSDisabled` | Disabled | `Alpha` | 1.7.0 | *Multicluster Allocation was started before this process was in place, and therefore does not have a feature gate and cannot be disabled. {{% /feature %}} diff --git a/test/e2e/allocator_test.go b/test/e2e/allocator_test.go index 5f47a17bc1..e66a51ad02 100644 --- a/test/e2e/allocator_test.go +++ b/test/e2e/allocator_test.go 
@@ -222,8 +222,8 @@ func getAllocatorEndpoint(t *testing.T) (string, int32) { // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []byte) (grpc.DialOption, error) { - mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) - if !mTLSEnabled { + mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) + if mTLSDisabled { return grpc.WithInsecure(), nil } From f33d47f6bc48ba43bfc81f93414b579cf537383c Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Thu, 25 Jun 2020 21:29:30 +0000 Subject: [PATCH 06/25] Removed feature parsing in controller_test.go --- pkg/gameserverallocations/controller_test.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkg/gameserverallocations/controller_test.go b/pkg/gameserverallocations/controller_test.go index 32427ea744..d801ad5569 100644 --- a/pkg/gameserverallocations/controller_test.go +++ b/pkg/gameserverallocations/controller_test.go @@ -32,7 +32,6 @@ import ( "agones.dev/agones/pkg/gameservers" agtesting "agones.dev/agones/pkg/testing" "agones.dev/agones/pkg/util/apiserver" - "agones.dev/agones/pkg/util/runtime" "agones.dev/agones/pkg/util/signals" "github.com/heptiolabs/healthcheck" "github.com/pkg/errors" @@ -1162,8 +1161,6 @@ func TestMultiClusterAllocationFromRemote(t *testing.T) { func TestCreateRestClientError(t *testing.T) { t.Parallel() - err := runtime.ParseFeatures("") - assert.NoError(t, err) t.Run("Missing secret", func(t *testing.T) { c, _ := newFakeController() From 935b07383deebd56632f224c570fef2668827e48 Mon Sep 17 00:00:00 2001 
From: Nikhil Athreya Date: Fri, 26 Jun 2020 09:40:09 +0000 Subject: [PATCH 07/25] Transitioned to using Helm for configuration. --- cloudbuild.yaml | 4 - cmd/allocator/main.go | 136 +++++++++--------- cmd/allocator/metrics.go | 6 + cmd/controller/main.go | 8 +- install/helm/agones/templates/controller.yaml | 2 + .../agones/templates/service/allocation.yaml | 2 + install/helm/agones/values.yaml | 2 + pkg/gameserverallocations/allocator.go | 7 +- pkg/gameserverallocations/controller.go | 4 +- pkg/gameserverallocations/controller_test.go | 2 +- pkg/util/runtime/features.go | 4 - test/e2e/allocator_test.go | 6 - 12 files changed, 96 insertions(+), 87 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index e1ff5cb65b..a7005fa170 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -232,11 +232,7 @@ steps: # - name: 'e2e-runner' -<<<<<<< HEAD args: ['PlayerTracking=true&ContainerPortAllocation=false', 'e2e-test-cluster'] -======= - args: ['PlayerTracking=true&ContainerPortAllocation=true&AllocatorMTLSDisabled=true', 'e2e-test-cluster'] ->>>>>>> d563119b... Changed flag name and added it to the documentation. id: e2e-feature-gates waitFor: - push-images diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index 1547cb3b1a..9a1b2e2b7c 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go 
@@ -88,64 +88,66 @@ func main() { return err }) - h := newServiceHandler(kubeClient, agonesClient, health) - - // creates a new file watcher for client certificate folder - watcher, err := fsnotify.NewWatcher() - if err != nil { - logger.WithError(err).Fatal("could not create watcher for client certs") - } - defer watcher.Close() // nolint: errcheck - if err := watcher.Add(certDir); err != nil { - logger.WithError(err).Fatalf("cannot watch folder %s for secret changes", certDir) - } - - watcherTLS, err := fsnotify.NewWatcher() - if err != nil { - logger.WithError(err).Fatal("could not create watcher for tls certs") - } - defer watcherTLS.Close() // nolint: errcheck - if err := watcherTLS.Add(tlsDir); err != nil { - logger.WithError(err).Fatalf("cannot watch folder %s for secret changes", tlsDir) - } + h := newServiceHandler(kubeClient, agonesClient, health, conf.MTLSDisabled) listener, err := net.Listen("tcp", fmt.Sprintf(":%s", sslPort)) if err != nil { logger.WithError(err).Fatalf("failed to listen on TCP port %s", sslPort) } - // Watching for the events in certificate directory for updating certificates, when there is a change - go func() { - for { - select { - // watch for events - case event := <-watcherTLS.Events: - tlsCert, err := readTLSCert() - if err != nil { - logger.WithError(err).Error("could not load TLS cert; keeping old one") - } else { - h.tlsMutex.Lock() - h.tlsCert = tlsCert - h.tlsMutex.Unlock() - } - logger.Infof("Tls directory change event %v", event) - case event := <-watcher.Events: - h.certMutex.Lock() - caCertPool, err := getCACertPool(certDir) - if err != nil { - logger.WithError(err).Error("could not load CA certs; keeping old ones") - } else { - h.caCertPool = caCertPool - } - logger.Infof("Certificate directory change event %v", event) - h.certMutex.Unlock() + if !h.mTLSDisabled { + // creates a new file watcher for client certificate folder + watcher, err := fsnotify.NewWatcher() + if err != nil { + logger.WithError(err).Fatal("could 
not create watcher for client certs") + } + defer watcher.Close() // nolint: errcheck + if err := watcher.Add(certDir); err != nil { + logger.WithError(err).Fatalf("cannot watch folder %s for secret changes", certDir) + } - // watch for errors - case err := <-watcher.Errors: - logger.WithError(err).Error("error watching for certificate directory") - } + watcherTLS, err := fsnotify.NewWatcher() + if err != nil { + logger.WithError(err).Fatal("could not create watcher for tls certs") } - }() + defer watcherTLS.Close() // nolint: errcheck + if err := watcherTLS.Add(tlsDir); err != nil { + logger.WithError(err).Fatalf("cannot watch folder %s for secret changes", tlsDir) + } + + // Watching for the events in certificate directory for updating certificates, when there is a change + go func() { + for { + select { + // watch for events + case event := <-watcherTLS.Events: + tlsCert, err := readTLSCert() + if err != nil { + logger.WithError(err).Error("could not load TLS cert; keeping old one") + } else { + h.tlsMutex.Lock() + h.tlsCert = tlsCert + h.tlsMutex.Unlock() + } + logger.Infof("Tls directory change event %v", event) + case event := <-watcher.Events: + h.certMutex.Lock() + caCertPool, err := getCACertPool(certDir) + if err != nil { + logger.WithError(err).Error("could not load CA certs; keeping old ones") + } else { + h.caCertPool = caCertPool + } + logger.Infof("Certificate directory change event %v", event) + h.certMutex.Unlock() + + // watch for errors + case err := <-watcher.Errors: + logger.WithError(err).Error("error watching for certificate directory") + } + } + }() + } opts := h.getServerOptions() 
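Review bot: Nothing is logged when `h.mTLSDisabled` is true, so past this hunk the listener on `sslPort` serves gRPC without TLS or client authentication and the only trace is the absence of watcher messages. An `else` branch on the new `if !h.mTLSDisabled` with `logger.Warn("mTLS disabled: allocator gRPC endpoint is serving without TLS or client authentication")` would put the downgrade in the pod log. Separately, the re-indented select loop reads `watcher.Errors` but never `watcherTLS.Errors`, so errors from the TLS-directory watcher go unreported. main() starts and ends outside the hunk.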
@@ -165,7 +167,7 @@ func main() { logger.WithError(err).Fatal("allocation service crashed") } -func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.Interface, health healthcheck.Handler) *serviceHandler { +func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.Interface, health healthcheck.Handler, mTLSDisabled bool) *serviceHandler { defaultResync := 30 * time.Second agonesInformerFactory := externalversions.NewSharedInformerFactory(agonesClient, defaultResync) kubeInformerFactory := informers.NewSharedInformerFactory(kubeClient, defaultResync) @@ -175,9 +177,7 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I agonesInformerFactory.Multicluster().V1().GameServerAllocationPolicies(), kubeInformerFactory.Core().V1().Secrets(), kubeClient, - gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health)) - - mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) + gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health), mTLSDisabled) stop := signals.NewStopChannel() h := serviceHandler{ 
@@ -193,21 +193,23 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I logger.WithError(err).Fatal("starting allocator failed.") } - caCertPool, err := getCACertPool(certDir) - if err != nil { - logger.WithError(err).Fatal("could not load CA certs.") - } - h.certMutex.Lock() - h.caCertPool = caCertPool - h.certMutex.Unlock() + if !h.mTLSDisabled { + caCertPool, err := getCACertPool(certDir) + if err != nil { + logger.WithError(err).Fatal("could not load CA certs.") + } + h.certMutex.Lock() + h.caCertPool = caCertPool + h.certMutex.Unlock() - tlsCert, err := readTLSCert() - if err != nil { - logger.WithError(err).Fatal("could not load TLS certs.") + tlsCert, err := readTLSCert() + if err != nil { + logger.WithError(err).Fatal("could not load TLS certs.") + } + h.tlsMutex.Lock() + h.tlsCert = tlsCert + h.tlsMutex.Unlock() } - h.tlsMutex.Lock() - h.tlsCert = tlsCert - h.tlsMutex.Unlock() return &h } diff --git a/cmd/allocator/metrics.go b/cmd/allocator/metrics.go index 09ad8b2dbc..8c45175dc7 100644 --- a/cmd/allocator/metrics.go +++ b/cmd/allocator/metrics.go @@ -32,6 +32,7 @@ const ( enablePrometheusMetricsFlag = "prometheus-exporter" projectIDFlag = "gcp-project-id" stackdriverLabels = "stackdriver-labels" + mTLSDisabledFlag = "disable-mtls" ) func init() { @@ -43,6 +44,7 @@ type config struct { Stackdriver bool GCPProjectID string StackdriverLabels string + MTLSDisabled bool } func parseEnvFlags() config { 
@@ -51,11 +53,13 @@ func parseEnvFlags() config { viper.SetDefault(enableStackdriverMetricsFlag, false) viper.SetDefault(projectIDFlag, "") viper.SetDefault(stackdriverLabels, "") + viper.SetDefault(mTLSDisabledFlag, false) pflag.Bool(enablePrometheusMetricsFlag, viper.GetBool(enablePrometheusMetricsFlag), "Flag to activate metrics of Agones. Can also use PROMETHEUS_EXPORTER env variable.") pflag.Bool(enableStackdriverMetricsFlag, viper.GetBool(enableStackdriverMetricsFlag), "Flag to activate stackdriver monitoring metrics for Agones. Can also use STACKDRIVER_EXPORTER env variable.") pflag.String(projectIDFlag, viper.GetString(projectIDFlag), "GCP ProjectID used for Stackdriver, if not specified ProjectID from Application Default Credentials would be used. Can also use GCP_PROJECT_ID env variable.") pflag.String(stackdriverLabels, viper.GetString(stackdriverLabels), "A set of default labels to add to all stackdriver metrics generated. By default metadata are automatically added using Kubernetes API and GCP metadata enpoint.") + pflag.Bool(mTLSDisabledFlag, viper.GetBool(mTLSDisabledFlag), "Flag to enable/disable mTLS in the allocator.") runtime.FeaturesBindFlags() pflag.Parse() @@ -64,6 +68,7 @@ func parseEnvFlags() config { runtime.Must(viper.BindEnv(enableStackdriverMetricsFlag)) runtime.Must(viper.BindEnv(projectIDFlag)) runtime.Must(viper.BindEnv(stackdriverLabels)) + runtime.Must(viper.BindEnv(mTLSDisabledFlag)) runtime.Must(viper.BindPFlags(pflag.CommandLine)) runtime.Must(runtime.FeaturesBindEnv()) @@ -74,6 +79,7 @@ func parseEnvFlags() config { Stackdriver: viper.GetBool(enableStackdriverMetricsFlag), GCPProjectID: viper.GetString(projectIDFlag), StackdriverLabels: viper.GetString(stackdriverLabels), + MTLSDisabled: viper.GetBool(mTLSDisabledFlag), } } diff --git a/cmd/controller/main.go b/cmd/controller/main.go index 84135de06e..9041a03a11 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go 
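Review bot: The help text for `disable-mtls`, `"Flag to enable/disable mTLS in the allocator."`, does not say which way `true` goes or that the endpoint then runs without TLS at all, and it omits the env-variable hint the neighbouring flags carry. Wording such as `"Disable TLS and client certificate verification on the allocator gRPC endpoint (traffic is then unencrypted and unauthenticated). Can also use DISABLE_MTLS env variable."` states the consequence. The controller's flag in cmd/controller/main.go has the same ambiguous wording. parseEnvFlags starts outside the hunk.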
@@ -76,6 +76,7 @@ const ( logLevelFlag = "log-level" logSizeLimitMBFlag = "log-size-limit-mb" kubeconfigFlag = "kubeconfig" + mTLSDisabledFlag = "disable-mtls" defaultResync = 30 * time.Second ) @@ -209,7 +210,7 @@ func main() { gsSetController := gameserversets.NewController(wh, health, gsCounter, kubeClient, extClient, agonesClient, agonesInformerFactory) fleetController := fleets.NewController(wh, health, kubeClient, extClient, agonesClient, agonesInformerFactory) - gasController := gameserverallocations.NewController(api, health, gsCounter, kubeClient, kubeInformerFactory, agonesClient, agonesInformerFactory) + gasController := gameserverallocations.NewController(api, health, gsCounter, kubeClient, kubeInformerFactory, agonesClient, agonesInformerFactory, ctlConf.MTLSDisabled) fasController := fleetautoscalers.NewController(wh, health, kubeClient, extClient, agonesClient, agonesInformerFactory) @@ -240,6 +241,7 @@ func parseEnvFlags() config { } base := filepath.Dir(exec) + viper.SetDefault(mTLSDisabledFlag, false) viper.SetDefault(sidecarImageFlag, "gcr.io/agones-images/agones-sdk:"+pkg.Version) viper.SetDefault(sidecarCPURequestFlag, "0") viper.SetDefault(sidecarCPULimitFlag, "0") 
@@ -261,6 +263,7 @@ func parseEnvFlags() config { viper.SetDefault(logLevelFlag, "Info") viper.SetDefault(logSizeLimitMBFlag, 10000) // 10 GB, will be split into 100 MB chunks + pflag.Bool(mTLSDisabledFlag, viper.GetBool(mTLSDisabledFlag), "Flag to enable/disable mTLS for the allocator.") pflag.String(sidecarImageFlag, viper.GetString(sidecarImageFlag), "Flag to overwrite the GameServer sidecar image that is used. Can also use SIDECAR env variable") pflag.String(sidecarCPULimitFlag, viper.GetString(sidecarCPULimitFlag), "Flag to overwrite the GameServer sidecar container's cpu limit. Can also use SIDECAR_CPU_LIMIT env variable") pflag.String(sidecarCPURequestFlag, viper.GetString(sidecarCPURequestFlag), "Flag to overwrite the GameServer sidecar container's cpu request. Can also use SIDECAR_CPU_REQUEST env variable") @@ -287,6 +290,7 @@ func parseEnvFlags() config { pflag.Parse() viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_")) + runtime.Must(viper.BindEnv(mTLSDisabledFlag)) runtime.Must(viper.BindEnv(sidecarImageFlag)) runtime.Must(viper.BindEnv(sidecarCPULimitFlag)) runtime.Must(viper.BindEnv(sidecarCPURequestFlag)) @@ -357,6 +361,7 @@ func parseEnvFlags() config { LogLevel: viper.GetString(logLevelFlag), LogSizeLimitMB: int(viper.GetInt32(logSizeLimitMBFlag)), StackdriverLabels: viper.GetString(stackdriverLabels), + MTLSDisabled: viper.GetBool(mTLSDisabledFlag), } } @@ -384,6 +389,7 @@ type config struct { LogDir string LogLevel string LogSizeLimitMB int + MTLSDisabled bool } // validate ensures the ctlConfig data is valid. diff --git a/install/helm/agones/templates/controller.yaml b/install/helm/agones/templates/controller.yaml index e4f74e967e..00362f0f4b 100644 --- a/install/helm/agones/templates/controller.yaml +++ b/install/helm/agones/templates/controller.yaml @@ -120,6 +120,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: DISABLE_MTLS + value: {{ .Values.agones.disableMTLS | quote }} - name: POD_NAMESPACE valueFrom: fieldRef: 
diff --git a/install/helm/agones/templates/service/allocation.yaml b/install/helm/agones/templates/service/allocation.yaml index b2db0cfd5a..78ce706a8c 100644 --- a/install/helm/agones/templates/service/allocation.yaml +++ b/install/helm/agones/templates/service/allocation.yaml @@ -118,6 +118,8 @@ spec: value: {{ .Values.agones.metrics.stackdriverProjectID | quote }} - name: STACKDRIVER_LABELS value: {{ .Values.agones.metrics.stackdriverLabels | quote }} + - name: DISABLE_MTLS + value: {{ .Values.agones.disableMTLS | quote }} - name: POD_NAME valueFrom: fieldRef: diff --git a/install/helm/agones/values.yaml b/install/helm/agones/values.yaml index 45d10f7ea8..28370af588 100644 --- a/install/helm/agones/values.yaml +++ b/install/helm/agones/values.yaml @@ -34,6 +34,7 @@ agones: sdk: agones-sdk createPriorityClass: true priorityClassName: agones-system + disableMTLS: false controller: resources: {} nodeSelector: {} @@ -126,6 +127,7 @@ agones: serviceType: LoadBalancer annotations: {} generateTLS: true + disableMTLS: false image: registry: gcr.io/agones-images tag: 1.7.0 diff --git a/pkg/gameserverallocations/allocator.go b/pkg/gameserverallocations/allocator.go index 2f9565b4f1..743c2f3bc0 100644 --- a/pkg/gameserverallocations/allocator.go +++ b/pkg/gameserverallocations/allocator.go @@ -107,6 +107,7 @@ type Allocator struct { readyGameServerCache *ReadyGameServerCache topNGameServerCount int remoteAllocationCallback func(string, grpc.DialOption, *pb.AllocationRequest) (*pb.AllocationResponse, error) + mTLSDisabled bool } // request is an async request for allocation 
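Review bot: `disableMTLS: false` is added twice in values.yaml, once after `priorityClassName` and once after `generateTLS`, yet both templates changed in this patch read only `.Values.agones.disableMTLS`. Indentation is lost in this view, so the nesting is inferred, but if the second key sits under the allocator section it is never read. An operator who sets it there would see no change in behaviour. Either drop the unread key or have allocation.yaml consume it. The key that remains should carry a comment such as `# when true, mutual TLS for the allocator is turned off`.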
@@ -124,7 +125,7 @@ type response struct { // NewAllocator creates an instance off Allocator func NewAllocator(policyInformer multiclusterinformerv1.GameServerAllocationPolicyInformer, secretInformer informercorev1.SecretInformer, - kubeClient kubernetes.Interface, readyGameServerCache *ReadyGameServerCache) *Allocator { + kubeClient kubernetes.Interface, readyGameServerCache *ReadyGameServerCache, mTLSDisabled bool) *Allocator { ah := &Allocator{ pendingRequests: make(chan request, maxBatchQueue), allocationPolicyLister: policyInformer.Lister(), @@ -143,6 +144,7 @@ func NewAllocator(policyInformer multiclusterinformerv1.GameServerAllocationPoli grpcClient := pb.NewAllocationServiceClient(conn) return grpcClient.Allocate(context.Background(), request) }, + mTLSDisabled: mTLSDisabled, } ah.baseLogger = runtime.NewLoggerWithType(ah) @@ -364,8 +366,7 @@ func (c *Allocator) allocateFromRemoteCluster(gsa *allocationv1.GameServerAlloca // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func (c *Allocator) createRemoteClusterDialOption(namespace string, connectionInfo *multiclusterv1.ClusterConnectionInfo) (grpc.DialOption, error) { - mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) - if mTLSDisabled { + if c.mTLSDisabled { return grpc.WithInsecure(), nil } diff --git a/pkg/gameserverallocations/controller.go b/pkg/gameserverallocations/controller.go index 546a37287c..83fcfac990 100644 --- a/pkg/gameserverallocations/controller.go +++ b/pkg/gameserverallocations/controller.go @@ -58,6 +58,7 @@ func NewController(apiServer *apiserver.APIServer, kubeInformerFactory informers.SharedInformerFactory, agonesClient versioned.Interface, agonesInformerFactory externalversions.SharedInformerFactory, + mTLSDisabled bool, ) *Controller { c := &Controller{ api: apiServer, 
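Review bot: With `c.mTLSDisabled` set, `createRemoteClusterDialOption` returns `grpc.WithInsecure()`, which removes transport security altogether. The remote allocation request is then sent without encryption or server authentication, not merely without a client certificate. Because this patch turns the switch from an alpha feature gate into an ordinary flag and Helm value, the doc comment should say so, for example `// If mTLSDisabled is set, the dial option carries no transport security (plaintext), not just no client certificate.` It is also worth considering whether the disabled path could still verify the server against the configured CA. The function body continues outside the hunk, so the CA handling is not visible here.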
@@ -65,7 +66,8 @@ func NewController(apiServer *apiserver.APIServer, agonesInformerFactory.Multicluster().V1().GameServerAllocationPolicies(), kubeInformerFactory.Core().V1().Secrets(), kubeClient, - NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), counter, health)), + NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), counter, health), + mTLSDisabled), } c.baseLogger = runtime.NewLoggerWithType(c) diff --git a/pkg/gameserverallocations/controller_test.go b/pkg/gameserverallocations/controller_test.go index d801ad5569..992112dce2 100644 --- a/pkg/gameserverallocations/controller_test.go +++ b/pkg/gameserverallocations/controller_test.go @@ -1342,7 +1342,7 @@ func newFakeController() (*Controller, agtesting.Mocks) { m.Mux = http.NewServeMux() counter := gameservers.NewPerNodeCounter(m.KubeInformerFactory, m.AgonesInformerFactory) api := apiserver.NewAPIServer(m.Mux) - c := NewController(api, healthcheck.NewHandler(), counter, m.KubeClient, m.KubeInformerFactory, m.AgonesClient, m.AgonesInformerFactory) + c := NewController(api, healthcheck.NewHandler(), counter, m.KubeClient, m.KubeInformerFactory, m.AgonesClient, m.AgonesInformerFactory, false) c.allocator.topNGameServerCount = 1 c.recorder = m.FakeRecorder c.allocator.recorder = m.FakeRecorder diff --git a/pkg/util/runtime/features.go b/pkg/util/runtime/features.go index ed34a49519..0e75937c35 100644 --- a/pkg/util/runtime/features.go +++ b/pkg/util/runtime/features.go 
@@ -34,9 +34,6 @@ const ( // FeaturePlayerTracking is a feature flag to enable/disable player tracking features. FeaturePlayerTracking Feature = "PlayerTracking" - // FeatureAllocatorMTLSDisabled is a feature flag to enable/disable mTLS in the allocator. - FeatureAllocatorMTLSDisabled Feature = "AllocatorMTLSDisabled" - // FeatureContainerPortAllocation is a feature flag to enable/disable allocating ports to several containers in a pod FeatureContainerPortAllocation Feature = "ContainerPortAllocation" ) @@ -49,7 +46,6 @@ var ( FeatureExample: true, FeaturePlayerTracking: false, FeatureContainerPortAllocation: true, - FeatureAllocatorMTLSDisabled: false, } // featureGates is the storage of what features are enabled diff --git a/test/e2e/allocator_test.go b/test/e2e/allocator_test.go index e66a51ad02..9a324b4612 100644 --- a/test/e2e/allocator_test.go +++ b/test/e2e/allocator_test.go @@ -31,7 +31,6 @@ import ( pb "agones.dev/agones/pkg/allocation/go" agonesv1 "agones.dev/agones/pkg/apis/agones/v1" multiclusterv1 "agones.dev/agones/pkg/apis/multicluster/v1" - "agones.dev/agones/pkg/util/runtime" e2e "agones.dev/agones/test/e2e/framework" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -222,11 +221,6 @@ func getAllocatorEndpoint(t *testing.T) (string, int32) { // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []byte) (grpc.DialOption, error) { - mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) - if mTLSDisabled { - return grpc.WithInsecure(), nil - } - kubeCore := framework.KubeClient.CoreV1() clientSecret, err := kubeCore.Secrets(namespace).Get(clientSecretName, metav1.GetOptions{}) if err != nil { From 4d3b31e645def7146e84d32cd411e089de516456 Mon Sep 17 00:00:00 2001 
From: Nikhil Athreya Date: Fri, 26 Jun 2020 09:50:35 +0000 Subject: [PATCH 08/25] Reordered struct members. --- cmd/allocator/metrics.go | 2 +- cmd/controller/main.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/allocator/metrics.go b/cmd/allocator/metrics.go index 8c45175dc7..7580efa307 100644 --- a/cmd/allocator/metrics.go +++ b/cmd/allocator/metrics.go @@ -40,11 +40,11 @@ func init() { } type config struct { + MTLSDisabled bool PrometheusMetrics bool Stackdriver bool GCPProjectID string StackdriverLabels string - MTLSDisabled bool } func parseEnvFlags() config { diff --git a/cmd/controller/main.go b/cmd/controller/main.go index 9041a03a11..57fd60e38f 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go @@ -378,6 +378,7 @@ type config struct { AlwaysPullSidecar bool PrometheusMetrics bool Stackdriver bool + MTLSDisabled bool StackdriverLabels string KeyFile string CertFile string @@ -389,7 +390,6 @@ type config struct { LogDir string LogLevel string LogSizeLimitMB int - MTLSDisabled bool } // validate ensures the ctlConfig data is valid. From 571ed75212bc0bcff42f57f8bc9910ecf4aa26e4 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 10:03:54 +0000 Subject: [PATCH 09/25] Removed non-existent feature gate documentation. --- site/content/en/docs/Guides/feature-stages.md | 1 - 1 file changed, 1 deletion(-) diff --git a/site/content/en/docs/Guides/feature-stages.md b/site/content/en/docs/Guides/feature-stages.md index 49aa5bedc7..c1970f8e34 100644 --- a/site/content/en/docs/Guides/feature-stages.md +++ b/site/content/en/docs/Guides/feature-stages.md 
@@ -31,7 +31,6 @@ The current set of `alpha` and `beta` feature gates are: | Example Gate (not in use) | `Example` | Disabled | None | 0.13.0 | | [Port Allocations to Multiple Containers]({{< ref "/docs/Reference/gameserver.md" >}}) | `ContainerPortAllocation` | Disabled | `Alpha` | 1.6.0 | | [Player Tracking]({{< ref "/docs/Guides/player-tracking.md" >}}) | `PlayerTracking` | Disabled | `Alpha` | 1.6.0 | -| MTLS in the Allocator | `AllocatorMTLSDisabled` | Disabled | `Alpha` | 1.7.0 | *Multicluster Allocation was started before this process was in place, and therefore does not have a feature gate and cannot be disabled. {{% /feature %}} From d90ac89558bd69f37879d968eae6e36fbe262855 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 17:14:37 +0000 Subject: [PATCH 10/25] Ran gen-install to add new configuration parameters. --- install/yaml/install.yaml | 961 ++++++++++++++++++++------------------ 1 file changed, 494 insertions(+), 467 deletions(-) diff --git a/install/yaml/install.yaml b/install/yaml/install.yaml index dc5994728a..996f6b1365 100644 --- a/install/yaml/install.yaml +++ b/install/yaml/install.yaml @@ -1,17 +1,4 @@ --- -# Source: agones/templates/service/allocation.yaml -# Create a ServiceAccount that will be bound to the above role -apiVersion: v1 -kind: ServiceAccount -metadata: - name: agones-allocator - namespace: agones-system - labels: - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Helm ---- # Source: agones/templates/serviceaccounts/controller.yaml # Copyright 2018 Google LLC All Rights Reserved. # 
@@ -35,7 +22,102 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agones-controller + namespace: agones-system + labels: + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Tiller +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["create", "delete", "list", "watch"] +- apiGroups: [""] + resources: ["nodes", "secrets"] + verbs: ["list", "watch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get"] +- apiGroups: ["agones.dev"] + resources: ["gameservers", "gameserversets"] + verbs: ["create", "delete", "get", "list", "update", "watch"] +- apiGroups: ["agones.dev"] + resources: ["gameservers"] + verbs: ["patch"] +- apiGroups: ["agones.dev"] + resources: ["fleets"] + verbs: ["get", "list", "update", "watch"] +- apiGroups: ["agones.dev"] + resources: ["fleets/status", "gameserversets/status"] + verbs: ["update"] +- apiGroups: ["multicluster.agones.dev"] + resources: ["gameserverallocationpolicies"] + verbs: ["create", "delete", "get", "list", "update", "watch"] +- apiGroups: ["autoscaling.agones.dev"] + resources: ["fleetautoscalers"] + verbs: ["get", "list", "update", "watch"] +- apiGroups: ["autoscaling.agones.dev"] + resources: ["fleetautoscalers/status"] + verbs: ["update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agones-controller-access + namespace: agones-system + labels: + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Tiller +subjects: +- kind: User + name: system:serviceaccount:agones-system:agones-controller + apiGroup: rbac.authorization.k8s.io +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: agones-controller +--- +# +# RBACs for APIService +# +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agones-controller:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: agones-controller + namespace: agones-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: agones-controller-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: agones-controller + namespace: agones-system + --- # Source: agones/templates/serviceaccounts/sdk.yaml # Copyright 2018 Google LLC All Rights Reserved. 
@@ -60,70 +142,46 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm ---- -# Source: agones/templates/extensions.yaml -apiVersion: v1 -kind: Secret -metadata: - name: agones-manual-cert - namespace: agones-system - labels: - app: agones-manual - chart: "agones-1.7.0" - release: "agones-manual" - heritage: "Helm" -type: Opaque -data: - server.crt: 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 - server.key: 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 + heritage: Tiller --- -# Source: agones/templates/service/allocation.yaml -# Allocation CA -apiVersion: v1 -kind: Secret +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - name: allocator-client-ca + name: agones-sdk namespace: agones-system labels: - app: agones-manual - chart: "agones-1.7.0" - release: "agones-manual" - heritage: "Helm" -data: - ca.crt: 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 + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Tiller +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: ["agones.dev"] + resources: ["gameservers"] + verbs: ["list", "update", "watch"] --- -# Source: agones/templates/service/allocation.yaml -# Allocation TLS certs -apiVersion: v1 -kind: Secret -type: kubernetes.io/tls +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: - name: allocator-tls - namespace: agones-system + name: agones-sdk-access + namespace: default labels: - app: agones-manual - chart: "agones-1.7.0" - release: "agones-manual" - heritage: "Helm" -data: - tls.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM0akNDQWNxZ0F3SUJBZ0lSQU9lTWcwK1JKaFBJbks5ekFpMnpoUjR3RFFZSktvWklodmNOQVFFTEJRQXcKR0RFV01CUUdBMVVFQXhNTllXeHNiMk5oZEdsdmJpMWpZVEFlRncweE9UQTJNVGt4T0RRek5UVmFGdzB5T1RBMgpNVFl4T0RRek5UVmFNQUF3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRDZMSm5DCmk5RmZnc0Z4MVQremNScm5FNEZRNUNQVUVQOEdrUHNxSE1ic21EelArMEIrVWtFK3k1cGpWbGcrdThxbHNkQ24KenRRVlU1OC9sejJTUDdBZnNIMTNISUpzaTZ4azc3M1hSRVE0NlhxSnBvblg3NjRSajJ5Zjd4T25KMDRidGxUSgp0M3E4U0IvUFk3c2tXdHlRTjJQRDN4QVN0REVXbnUvdzNHMUxNNzYyWGJ3a1o3VlJUY1hFdEpUaTY3dWlwdy96CmhVaU9NcFplT1YxV09neit4cjJQZTZmK0NObTNYUzNVblhjUzhKYmlxajhXQmM4bzdaS2VyRnJlNGFMRElldFkKK3g5M1lYWDZYNjNCZDNvZ3JlR3BmeFdRU3hBYTBHUEtLa1dvaHNESWZRREYwZ0pKcjZSc0prOVVOWEZyaHJqMApUSTRzTGRMbCthdlJMSjFQQWdNQkFBR2pQekE5TUE0R0ExVWREd0VCL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVCkJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSEF3SXdEQVlEVlIwVEFRSC9CQUl3QURBTkJna3Foa2lHOXcwQkFRc0YKQUFPQ0FRRUFKZ1ErVzZlYTdKZjhldmp0cWNmRC9EZUVMYzRLcFFwdk9NR0ZGVDkzQTM4bWFzeFNxVXluOGk4RgppaEplNDZFZnFkREQvcWRWSDh4TkJId2NIcjgyVDVLcFkzTWc1amJPWG1iMEoxZEdSTFRHSmdGd0ZpUXdsM3J3CmZ4dWhlYnZvaTJkcVhQbGc3L2ZZZmVqN2RkbTAxMTdhRCtwUExCN0NNUGVLdk5QSHF2N0VBRlowOU8rRjM3cjkKNTBPZEMrSk1VK0FNczRVMzVVeEZGZjRVRHVIbWM4U0l0bTJra1U3Vk1TcDFaV1VuRVZFUExaU09SZ3dZdWFNcQo3WTgzOVpXVmtyRGZMUEJrS09Ec1BVMDI3NGdmbXBpTmNyVElYREhPY2hhcFByWG53eDhxLzcrZERYYlhoUk84ClFDK2lZWVY0MVlTSGt1djNiYUtrYXlYamV0czc3Zz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBK2l5WndvdlJYNExCY2RVL3MzRWE1eE9CVU9RajFCRC9CcEQ3S2h6RzdKZzh6L3RBCmZsSkJQc3VhWTFaWVBydktwYkhRcDg3VUZWT2ZQNWM5a2ord0g3QjlkeHlDYkl1c1pPKzkxMFJFT09sNmlhYUoKMSsrdUVZOXNuKzhUcHlkT0c3WlV5YmQ2dkVnZnoyTzdKRnJja0Rkanc5OFFFclF4RnA3djhOeHRTek8rdGwyOApKR2UxVVUzRnhMU1U0dXU3b3FjUDg0VklqaktXWGpsZFZqb00vc2E5ajN1bi9nalp0MTB0MUoxM0V2Q1c0cW8vCkZnWFBLTzJTbnF4YTN1R2l3eUhyV1BzZmQyRjErbCt0d1hkNklLM2hxWDhWa0VzUUd0Qmp5aXBGcUliQXlIMEEKeGRJQ1NhK2tiQ1pQVkRWeGE0YTQ5RXlPTEMzUzVmbXIwU3lkVHdJREFRQUJBb0lCQVFDK1JQV2NsU0prZGRvUwpiWkhKTkJpMTdvdkhyZnZoNmh0TUx6QVhVMU9uMWhGS1RWazd1ZXVOaXVTYzhLcWs2OGF3UnBEZlQ5clZiWWdNCm9VWmUyTGxuSUtBTDIwOEdweVF5a0hQZUtUbUozMmtuRDlaK3VQZTJ1MUp1UVRLOVNwT0pXQjhjVzhPcE4yR2EKSmN2TFZwK3h2NjdNNWZZZmc1UmlFL2VCUk9TSzhBc0ZFMUlTNmpSRzRVaC84U1dSUUdEYzlReU1Lc3lNbFNVZwphajB4ZWtsWUZDWXl0WUtCMnBaSGw0N1lUK1kzalR6cXN1ekhxK1hIM1hkT043bDk3eHZYZWJPTEJZRWorMGI1Cml4NEJ1bEJIQS9WRk93eXU2LzRKalptRHB1dVRpNnpNbVMyYXV0OW1EY3VoOUZjem1qQ0ZMcnAyWmJiMC9acDQKRkttZXRJR0JBb0dCQVAwSzk4V3kyN2xyVklrQ2JVTnpoNkdzeUhGSXZZYXY0cTJsSzJZVGdKRld2a0tGemFKagpmYWRZMHRmUHV6V3dPUU9nWkl3aW94TElOVFNSa0llbCtrQnFVMkNIblZOc3F4M05nSWk0S0g3K1ltS2ZFMFJtCkRaamV0YTlpTW52a0IyQXVSRUhDSEplVThYd2JNR2JnaXJNSmhlZmIwREJlY2xmZmwrbk8wSlFSQW9HQkFQMFoKRFBoU2RsQnBRMDFQcDVSNmpwaW1KaEIrNXNaejhsZXNiRlpSMDc2VHI5STJXQm1vY2t2dmZYWi8vWkRxSllaYgpoWkxEN09NdjFELy9MMDFvK1ZTaGRwNVovL05samw3NG5nV3VoY01GYmVLMjdhVmEyQTRmak1VMGE2a3NCZXM3CmkxZTRIOTJLOHpHVk9vOTV3dXhub3RtVEY1SHpncE9CUFhLY0NmdGZBb0dCQUlId3ZlZWh2ejlxSkZEdkZCak4KSE5zakZSTkhYVHZxMmlaOWFOblVMZk4wYmVOUFBwZWpLNFZpRVhPTlV2OXc3UFkxeVN4RkpTU2g5dUIxMTVndwozVjl5dWpvWnFlcUxKUnY2eVlScnZTL3BoYkJMSytPMTNFbWlJLzVhR0w2U0RFK1JzcTlwOUxES1pXOXJydUZGCmNUUWJNYzRzaks0cDhlRzZDaEtnaDI5aEFvR0JBTkdUK01WM296a2FzUHhIeFVDUjY1cERtcWwySzZxUlFFK1IKRzNTdTlXT043NzFsK3JYa1lpQzNBM0Vvc3ROWTBCSGRuMUhVbzBmTXh6am5Ha2hEY0pLLzBQVjNHUlozTmRrMgpqY091ckZ5OUZpenh4UDl6cGd5cjIybEE2eFYrdXJmNjZudU1uL1pYcE9HZDdJdjZDNHF1bG84TDJpeWxNNjdwCkNmVHBlT3FKQW9HQUF4cit6Qm1wSkNMbjJZcXJQRVRSUTE2K2Vn
a1ovMElIQWh4KzhTVlZnN2hjc2Z0MmJLSEoKWUJ2bVBlRnNaNjFTdmRHbXRtT2pqMkUremtFekZvQzhHWXpOU0hsbjFLYTh3UnNlVmI1UlJkWiswSnB5ZUFCWQpOVVlISDVjcWgxamdnQlg4eXExSmdPcDN1REZLQVFJelpCWnZXZ01YRFUwY2thS1pHQkxsQUYwPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Tiller +subjects: +- kind: User + name: system:serviceaccount:default:agones-sdk + apiGroup: rbac.authorization.k8s.io +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: agones-sdk --- -# Source: agones/templates/service/allocation.yaml -# Allocation TLS CA -apiVersion: v1 -kind: Secret -metadata: - name: allocator-tls-ca - namespace: agones-system - labels: - app: agones-manual - chart: "agones-1.7.0" - release: "agones-manual" - heritage: "Helm" -data: - tls-ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM0akNDQWNxZ0F3SUJBZ0lSQU9lTWcwK1JKaFBJbks5ekFpMnpoUjR3RFFZSktvWklodmNOQVFFTEJRQXcKR0RFV01CUUdBMVVFQXhNTllXeHNiMk5oZEdsdmJpMWpZVEFlRncweE9UQTJNVGt4T0RRek5UVmFGdzB5T1RBMgpNVFl4T0RRek5UVmFNQUF3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRDZMSm5DCmk5RmZnc0Z4MVQremNScm5FNEZRNUNQVUVQOEdrUHNxSE1ic21EelArMEIrVWtFK3k1cGpWbGcrdThxbHNkQ24KenRRVlU1OC9sejJTUDdBZnNIMTNISUpzaTZ4azc3M1hSRVE0NlhxSnBvblg3NjRSajJ5Zjd4T25KMDRidGxUSgp0M3E4U0IvUFk3c2tXdHlRTjJQRDN4QVN0REVXbnUvdzNHMUxNNzYyWGJ3a1o3VlJUY1hFdEpUaTY3dWlwdy96CmhVaU9NcFplT1YxV09neit4cjJQZTZmK0NObTNYUzNVblhjUzhKYmlxajhXQmM4bzdaS2VyRnJlNGFMRElldFkKK3g5M1lYWDZYNjNCZDNvZ3JlR3BmeFdRU3hBYTBHUEtLa1dvaHNESWZRREYwZ0pKcjZSc0prOVVOWEZyaHJqMApUSTRzTGRMbCthdlJMSjFQQWdNQkFBR2pQekE5TUE0R0ExVWREd0VCL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVCkJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSEF3SXdEQVlEVlIwVEFRSC9CQUl3QURBTkJna3Foa2lHOXcwQkFRc0YKQUFPQ0FRRUFKZ1ErVzZlYTdKZjhldmp0cWNmRC9EZUVMYzRLcFFwdk9NR0ZGVDkzQTM4bWFzeFNxVXluOGk4RgppaEplNDZFZnFkREQvcWRWSDh4TkJId2NIcjgyVDVLcFkzTWc1amJPWG1iMEoxZEdSTFRHSmdGd0ZpUXdsM3J3CmZ4dWhlYnZvaTJkcVhQbGc3L2ZZZmVqN2RkbTAxMTdhRCtwUExCN0NNUGVLdk5QSHF2N0VBRlowOU8rRjM3cjkKNTBPZEMrSk1VK0FNczRVMzVV
eEZGZjRVRHVIbWM4U0l0bTJra1U3Vk1TcDFaV1VuRVZFUExaU09SZ3dZdWFNcQo3WTgzOVpXVmtyRGZMUEJrS09Ec1BVMDI3NGdmbXBpTmNyVElYREhPY2hhcFByWG53eDhxLzcrZERYYlhoUk84ClFDK2lZWVY0MVlTSGt1djNiYUtrYXlYamV0czc3Zz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + --- # Source: agones/templates/crds/fleet.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -149,7 +207,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller spec: additionalPrinterColumns: - JSONPath: .spec.scheduling @@ -359,6 +417,7 @@ spec: statusReplicasPath: .status.replicas # labelSelectorPath defines the JSONPath inside of a custom resource that corresponds to Scale.Status.Selector. labelSelectorPath: .status.labelSelector + --- # Source: agones/templates/crds/fleetautoscaler.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -384,7 +443,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller spec: group: autoscaling.agones.dev version: v1 @@ -444,6 +503,7 @@ spec: subresources: # status enables the status subresource. status: {} + --- # Source: agones/templates/crds/gameserver.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -469,7 +529,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller spec: group: agones.dev version: v1 @@ -644,6 +704,7 @@ spec: type: integer title: The initial player capacity of this Game Server minimum: 0 + --- # Source: agones/templates/crds/gameserverallocationpolicy.yaml # Copyright 2019 Google LLC All Rights Reserved. @@ -670,7 +731,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller name: gameserverallocationpolicies.multicluster.agones.dev spec: group: multicluster.agones.dev @@ -740,6 +801,7 @@ status: plural: "" conditions: [] storedVersions: [] + --- # Source: agones/templates/crds/gameserverset.yaml # Copyright 2018 Google LLC All Rights Reserved. 
@@ -765,7 +827,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller spec: additionalPrinterColumns: - JSONPath: .spec.scheduling 
@@ -970,105 +1032,232 @@ spec: statusReplicasPath: .status.replicas # labelSelectorPath defines the JSONPath inside of a custom resource that corresponds to Scale.Status.Selector. labelSelectorPath: .status.labelSelector + +--- +# Source: agones/templates/service.yaml +# Copyright 2018 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + name: agones-controller-service + namespace: agones-system + labels: + agones.dev/role: controller + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Tiller +spec: + selector: + agones.dev/role: controller + ports: + - name: webhooks + port: 443 + targetPort: 8081 + - name: web + port: 8080 --- # Source: agones/templates/service/allocation.yaml -# Create a ClusterRole in that grants access to the agones allocation api -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +# Copyright 2019 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. +# Define a Service for the agones-allocator +apiVersion: v1 +kind: Service metadata: name: agones-allocator namespace: agones-system labels: + component: allocator app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm -rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: ["allocation.agones.dev"] - resources: ["gameserverallocations"] - verbs: ["create"] -- apiGroups: [""] - resources: ["nodes", "secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: ["agones.dev"] - resources: ["gameservers", "gameserversets"] - verbs: ["get", "list", "update", "watch"] -- apiGroups: ["agones.dev"] - resources: ["gameservers"] - verbs: ["patch"] -- apiGroups: ["multicluster.agones.dev"] - resources: ["gameserverallocationpolicies"] - verbs: ["get", "list", "watch"] + heritage: Tiller +spec: + selector: + multicluster.agones.dev/role: allocator + ports: + - port: 443 + name: https + targetPort: 8443 + protocol: TCP + type: LoadBalancer + --- -# Source: agones/templates/serviceaccounts/controller.yaml +# Deploy a pod to run the agones-allocator code +apiVersion: apps/v1 +kind: Deployment +metadata: + name: agones-allocator + namespace: agones-system + labels: + multicluster.agones.dev/role: allocator + app: agones + release: agones-manual + heritage: Tiller +spec: + replicas: 3 + selector: + matchLabels: + multicluster.agones.dev/role: allocator + app: agones + release: agones-manual + heritage: Tiller + template: + metadata: + annotations: + labels: + multicluster.agones.dev/role: allocator + app: agones + release: agones-manual + heritage: Tiller + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8080" + prometheus.io/path: "/metrics" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: agones.dev/agones-system + 
operator: Exists + weight: 1 + + tolerations: + - effect: NoExecute + key: agones.dev/agones-system + operator: Equal + value: "true" + + serviceAccountName: agones-allocator + volumes: + - name: tls + secret: + secretName: allocator-tls + - name: client-ca + secret: + secretName: allocator-client-ca + containers: + - name: agones-allocator + image: "gcr.io/agones-images/agones-allocator:1.7.0" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + failureThreshold: 3 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 8080 + env: + - name: PROMETHEUS_EXPORTER + value: "true" + - name: STACKDRIVER_EXPORTER + value: "false" + - name: GCP_PROJECT_ID + value: "" + - name: STACKDRIVER_LABELS + value: "" + - name: DISABLE_MTLS + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: "agones-allocator" + - name: FEATURE_GATES + value: "" + ports: + - name: https + containerPort: 8443 + volumeMounts: + - mountPath: /home/allocator/tls + name: tls + readOnly: true + - mountPath: /home/allocator/client-ca + name: client-ca + readOnly: true + +--- +# Create a ClusterRole in that grants access to the agones allocation api apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: agones-controller + name: agones-allocator namespace: agones-system labels: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["create", "delete", "list", "watch"] +- apiGroups: ["allocation.agones.dev"] + resources: ["gameserverallocations"] + verbs: ["create"] - apiGroups: [""] resources: ["nodes", "secrets"] - verbs: ["list", "watch"] -- apiGroups: ["apiextensions.k8s.io"] - 
resources: ["customresourcedefinitions"] - verbs: ["get"] + verbs: ["get", "list", "watch"] - apiGroups: ["agones.dev"] resources: ["gameservers", "gameserversets"] - verbs: ["create", "delete", "get", "list", "update", "watch"] + verbs: ["get", "list", "update", "watch"] - apiGroups: ["agones.dev"] resources: ["gameservers"] verbs: ["patch"] -- apiGroups: ["agones.dev"] - resources: ["fleets"] - verbs: ["get", "list", "update", "watch"] -- apiGroups: ["agones.dev"] - resources: ["fleets/status", "gameserversets/status"] - verbs: ["update"] - apiGroups: ["multicluster.agones.dev"] resources: ["gameserverallocationpolicies"] - verbs: ["create", "delete", "get", "list", "update", "watch"] -- apiGroups: ["autoscaling.agones.dev"] - resources: ["fleetautoscalers"] - verbs: ["get", "list", "update", "watch"] -- apiGroups: ["autoscaling.agones.dev"] - resources: ["fleetautoscalers/status"] - verbs: ["update"] + verbs: ["get", "list", "watch"] + --- -# Source: agones/templates/serviceaccounts/sdk.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +# Create a ServiceAccount that will be bound to the above role +apiVersion: v1 +kind: ServiceAccount metadata: - name: agones-sdk + name: agones-allocator namespace: agones-system labels: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm -rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: ["agones.dev"] - resources: ["gameservers"] - verbs: ["list", "update", "watch"] + heritage: Tiller + --- -# Source: agones/templates/service/allocation.yaml # Bind the agones-allocator ServiceAccount to the agones-allocator ClusterRole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -1079,7 +1268,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller subjects: - kind: ServiceAccount name: agones-allocator 
@@ -1088,194 +1277,55 @@ roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: agones-allocator + --- -# Source: agones/templates/serviceaccounts/controller.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: agones-controller-access - namespace: agones-system - labels: - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Helm -subjects: -- kind: User - name: system:serviceaccount:agones-system:agones-controller - apiGroup: rbac.authorization.k8s.io -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: agones-controller ---- -# Source: agones/templates/serviceaccounts/controller.yaml -# -# RBACs for APIService -# -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: agones-controller:system:auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - name: agones-controller - namespace: agones-system ---- -# Source: agones/templates/serviceaccounts/controller.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: agones-controller-auth-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - kind: ServiceAccount - name: agones-controller - namespace: agones-system ---- -# Source: agones/templates/serviceaccounts/sdk.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: agones-sdk-access - namespace: default - labels: - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Helm -subjects: -- kind: User - name: system:serviceaccount:default:agones-sdk - apiGroup: rbac.authorization.k8s.io -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: agones-sdk ---- -# Source: agones/templates/ping.yaml +# Allocation CA apiVersion: v1 -kind: Service +kind: Secret 
metadata: - name: agones-ping-http-service + name: allocator-client-ca namespace: agones-system labels: - component: ping - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Helm -spec: - selector: - agones.dev/role: ping - ports: - - port: 80 - name: http - targetPort: 8080 - protocol: TCP - type: LoadBalancer + app: agones-manual + chart: "agones-1.7.0" + release: "agones-manual" + heritage: "Tiller" +data: + ca.crt: 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 + + --- -# Source: agones/templates/ping.yaml +# Allocation TLS certs apiVersion: v1 -kind: Service +kind: Secret +type: kubernetes.io/tls metadata: - name: agones-ping-udp-service + name: allocator-tls namespace: agones-system labels: - component: ping - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Helm -spec: - selector: - agones.dev/role: ping - ports: - - port: 50000 - name: udp - targetPort: 8080 - protocol: UDP - type: LoadBalancer ---- -# Source: agones/templates/service.yaml -# Copyright 2018 Google LLC All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
+ app: agones-manual + chart: "agones-1.7.0" + release: "agones-manual" + heritage: "Tiller" +data: + tls.crt: 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 + tls.key: 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 -apiVersion: v1 -kind: Service -metadata: - name: agones-controller-service - namespace: agones-system - labels: - agones.dev/role: controller - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Helm -spec: - selector: - agones.dev/role: controller - ports: - - name: webhooks - port: 443 - targetPort: 8081 - - name: web - port: 8080 --- -# Source: agones/templates/service/allocation.yaml -# Copyright 2019 Google LLC All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# Define a Service for the agones-allocator +# Allocation TLS CA apiVersion: v1 -kind: Service +kind: Secret metadata: - name: agones-allocator + name: allocator-tls-ca namespace: agones-system labels: - component: allocator - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Helm -spec: - selector: - multicluster.agones.dev/role: allocator - ports: - - port: 443 - name: https - targetPort: 8443 - protocol: TCP - type: LoadBalancer + app: agones-manual + chart: "agones-1.7.0" + release: "agones-manual" + heritage: "Tiller" +data: + tls-ca.crt: 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 + --- # Source: agones/templates/controller.yaml # Copyright 2018 Google LLC All Rights Reserved. 
@@ -1302,14 +1352,14 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller spec: selector: matchLabels: agones.dev/role: controller app: agones release: agones-manual - heritage: Helm + heritage: Tiller replicas: 1 strategy: type: Recreate @@ -1324,7 +1374,7 @@ spec: agones.dev/role: controller app: agones release: agones-manual - heritage: Helm + heritage: Tiller spec: affinity: nodeAffinity: @@ -1334,11 +1384,13 @@ spec: - key: agones.dev/agones-system operator: Exists weight: 1 + tolerations: - effect: NoExecute key: agones.dev/agones-system operator: Equal value: "true" + priorityClassName: agones-system serviceAccountName: agones-controller containers: @@ -1392,6 +1444,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: DISABLE_MTLS + value: "false" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -1419,6 +1473,7 @@ spec: secretName: agones-manual-cert - name: logs emptyDir: {} + --- # Source: agones/templates/ping.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -1444,14 +1499,14 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller spec: selector: matchLabels: agones.dev/role: ping app: agones release: agones-manual - heritage: Helm + heritage: Tiller replicas: 2 template: metadata: @@ -1459,7 +1514,7 @@ spec: agones.dev/role: ping app: agones release: agones-manual - heritage: Helm + heritage: Tiller spec: affinity: nodeAffinity: @@ -1469,11 +1524,13 @@ spec: - key: agones.dev/agones-system operator: Exists weight: 1 + tolerations: - effect: NoExecute key: agones.dev/agones-system operator: Equal value: "true" + priorityClassName: agones-system containers: - name: agones-ping 
@@ -1495,128 +1552,47 @@ spec: - name: FEATURE_GATES value: "" --- -# Source: agones/templates/service/allocation.yaml -# Deploy a pod to run the agones-allocator code -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Service metadata: - name: agones-allocator + name: agones-ping-http-service namespace: agones-system labels: - multicluster.agones.dev/role: allocator + component: ping app: agones + chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller spec: - replicas: 3 selector: - matchLabels: - multicluster.agones.dev/role: allocator - app: agones - release: agones-manual - heritage: Helm - template: - metadata: - annotations: - labels: - multicluster.agones.dev/role: allocator - app: agones - release: agones-manual - heritage: Helm - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "8080" - prometheus.io/path: "/metrics" - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: agones.dev/agones-system - operator: Exists - weight: 1 - tolerations: - - effect: NoExecute - key: agones.dev/agones-system - operator: Equal - value: "true" - serviceAccountName: agones-allocator - volumes: - - name: tls - secret: - secretName: allocator-tls - - name: client-ca - secret: - secretName: allocator-client-ca - containers: - - name: agones-allocator - image: "gcr.io/agones-images/agones-allocator:1.7.0" - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 8080 - initialDelaySeconds: 3 - periodSeconds: 3 - failureThreshold: 3 - timeoutSeconds: 1 - readinessProbe: - httpGet: - path: /ready - port: 8080 - env: - - name: PROMETHEUS_EXPORTER - value: "true" - - name: STACKDRIVER_EXPORTER - value: "false" - - name: GCP_PROJECT_ID - value: "" - - name: STACKDRIVER_LABELS - value: "" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: 
metadata.namespace - - name: CONTAINER_NAME - value: "agones-allocator" - - name: FEATURE_GATES - value: "" - ports: - - name: https - containerPort: 8443 - volumeMounts: - - mountPath: /home/allocator/tls - name: tls - readOnly: true - - mountPath: /home/allocator/client-ca - name: client-ca - readOnly: true + agones.dev/role: ping + ports: + - port: 80 + name: http + targetPort: 8080 + protocol: TCP + type: LoadBalancer --- -# Source: agones/templates/extensions.yaml -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1.allocation.agones.dev - labels: - component: controller - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Helm -spec: - group: allocation.agones.dev - groupPriorityMinimum: 1000 - versionPriority: 15 - service: - name: agones-controller-service - namespace: agones-system - caBundle: 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 - version: v1 +apiVersion: v1 +kind: Service +metadata: + name: agones-ping-udp-service + namespace: agones-system + labels: + component: ping + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Tiller +spec: + selector: + agones.dev/role: ping + ports: + - port: 50000 + name: udp + targetPort: 8080 + protocol: UDP + type: LoadBalancer --- # Source: agones/templates/extensions.yaml # Copyright 2018 Google LLC All Rights Reserved. 
@@ -1631,49 +1607,28 @@ spec: # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and -# limitations under the License. ---- -# Source: agones/templates/extensions.yaml -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration +# limitations under the License. +--- +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService metadata: - name: agones-mutation-webhook + name: v1.allocation.agones.dev labels: component: controller app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm -webhooks: - - name: mutations.agones.dev - failurePolicy: Fail - clientConfig: - service: - name: agones-controller-service - namespace: agones-system - path: /mutate - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLVENDQXhHZ0F3SUJBZ0lKQU9KUDY0MTB3dkdTTUEwR0NTcUdTSWIzRFFFQkN3VUFNSUdxTVFzd0NRWUQKVlFRR0V3SlZVekVUTUJFR0ExVUVDQXdLVTI5dFpTMVRkR0YwWlRFUE1BMEdBMVVFQ2d3R1FXZHZibVZ6TVE4dwpEUVlEVlFRTERBWkJaMjl1WlhNeE5EQXlCZ05WQkFNTUsyRm5iMjVsY3kxamIyNTBjbTlzYkdWeUxYTmxjblpwClkyVXVZV2R2Ym1WekxYTjVjM1JsYlM1emRtTXhMakFzQmdrcWhraUc5dzBCQ1FFV0gyRm5iMjVsY3kxa2FYTmoKZFhOelFHZHZiMmRzWldkeWIzVndjeTVqYjIwd0hoY05NVGd3TWpFME1EUTBORFEyV2hjTk1qZ3dNakV5TURRMApORFEyV2pDQnFqRUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeER6QU5CZ05WCkJBb01Ca0ZuYjI1bGN6RVBNQTBHQTFVRUN3d0dRV2R2Ym1Wek1UUXdNZ1lEVlFRRERDdGhaMjl1WlhNdFkyOXUKZEhKdmJHeGxjaTF6WlhKMmFXTmxMbUZuYjI1bGN5MXplWE4wWlcwdWMzWmpNUzR3TEFZSktvWklodmNOQVFrQgpGaDloWjI5dVpYTXRaR2x6WTNWemMwQm5iMjluYkdWbmNtOTFjSE11WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCCkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXpnVlQ5MGVqeE5ud0NvL09qTUQyNmZVNGRya1NlZndkUWd3aWJpZmEKbDhyazZZMFZ2T0lWMUgrbFJvd2UwNm1XTnVSNUZPWEZBMGZYbHZ4Q0tLWVZRcFNQRUsyWVN5aC9hU25KUUw2cQpvOGVBWVRKQmtPWUxCNUNiekl6aVdlb1FmT1lOOE1sRW44YlhKZGllSmhISDhVbnlqdHlvVGx4emhabVgrcGZ0CmhVZGVhM1Zrek8yMW40K1FFM1JYNWYxMzJGVEZjdXFYT1VBL3BpOG
NjQU5HYzN6akxlWkp2QTlvZFBFaEdmN2cKQzhleUE2OFNWY3NoK1BqejBsdzk1QVB2bE12MWptcVVSRldjRVNUTGFRMEZ4NUt3UnlWMHppWm1VdkFBRjJaeApEWmhIVWNvRlBIQXdUbDc1TkFobkhwTWxMTnA1TDd0Y1ZkeVQ4QjJHUnMrc2xRSURBUUFCbzFBd1RqQWRCZ05WCkhRNEVGZ1FVZ3YxblRQYVFKU04zTHFtNWpJalc0eEhtZEcwd0h3WURWUjBqQkJnd0ZvQVVndjFuVFBhUUpTTjMKTHFtNWpJalc0eEhtZEcwd0RBWURWUjBUQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBSEtFQwprdEVqWU5VQ0ErbXlzejRvclc3cFJVdmhCSERWU2dzWTZlRVZSTHpmLzF5SVpFMHU2NTZrcEs2T1Q3TWhKR2xVCkt3R1NTb1VCQnpWZ1VzWmpEbTdQZ2JrNGlZem40TTF4THpiTFFCcjNNYzV6WEhlZlB2YmltaEQ1NWNMenBWRnUKVlFtQm1aVjJOalU1RHVTZFJuZGxjUGFOY2cvdU9jdlpLNEtZMUtDQkEzRW9BUUlrcHpIWDJpVU1veGlSdlpWTgpORXdnRlR0SUdCWW4wSGZML3ZnT3NIOGZWck1Va3VHMnZoR2RlWEJwWmlxL0JaSmJaZU4yckNmMmdhWDFRSXYwCkVLYmN1RnFNOThXVDVaVlpSdFgxWTNSd2V2ZzRteFlKWEN1SDZGRjlXOS9TejI5NEZ5Mk9CS0I4SkFWYUV4OW4KMS9pNmZJZmZHbkhUWFdIc1ZRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - rules: - - apiGroups: - - agones.dev - resources: - - "gameservers" - - "fleets" - apiVersions: - - "v1" - operations: - - CREATE ---- -# Source: agones/templates/priority-class.yaml -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass -metadata: - name: agones-system -value: 1000000 -globalDefault: false -description: "This priority class should be used for Agones service pods only." ---- -# Source: agones/templates/extensions.yaml + heritage: Tiller +spec: + group: allocation.agones.dev + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: agones-controller-service + namespace: agones-system + caBundle: 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 + version: v1 +--- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: @@ -1683,7 +1638,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Helm + heritage: Tiller webhooks: - name: validations.agones.dev failurePolicy: Fail 
@@ -1721,4 +1676,76 @@ webhooks: - "v1" operations: - CREATE - - UPDATE + - UPDATE + +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: agones-mutation-webhook + labels: + component: controller + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Tiller +webhooks: + - name: mutations.agones.dev + failurePolicy: Fail + clientConfig: + service: + name: agones-controller-service + namespace: agones-system + path: /mutate + caBundle: 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 + rules: + - apiGroups: + - agones.dev + resources: + - "gameservers" + - "fleets" + apiVersions: + - "v1" + operations: + - CREATE +--- +apiVersion: v1 +kind: Secret +metadata: + name: agones-manual-cert + namespace: agones-system + labels: + app: agones-manual + chart: "agones-1.7.0" + release: "agones-manual" + heritage: "Tiller" +type: Opaque +data: + server.crt: 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 + server.key: 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 + +--- +# Source: agones/templates/priority-class.yaml + +apiVersion: scheduling.k8s.io/v1beta1 +kind: PriorityClass +metadata: + name: agones-system +value: 1000000 +globalDefault: false +description: "This priority class should be used for Agones service pods only." +--- +# Source: agones/templates/hooks/pre_delete_hook.yaml + + +--- +# Source: agones/templates/hooks/sa.yaml + + +--- +# Source: agones/templates/hooks/scripts.yaml + + +--- +# Source: agones/templates/tests/test-runner.yaml + From 889fa3fc631c4927652de8408712ce89eafeb701 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Wed, 24 Jun 2020 21:47:54 +0000 Subject: [PATCH 11/25] Working on conditionally enabling mtls. --- cmd/allocator/main.go | 6 ++++++ cmd/allocator/main_test.go | 13 ++++++++++--- pkg/util/runtime/features.go | 4 ++++ test/e2e/allocator_test.go | 8 ++++++-- 4 files changed, 26 insertions(+), 5 deletions(-) 
diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index 9a1b2e2b7c..f8cb14f5e6 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go @@ -179,6 +179,8 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I kubeClient, gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health), mTLSDisabled) + mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + stop := signals.NewStopChannel() h := serviceHandler{ allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { @@ -247,6 +249,10 @@ func (h *serviceHandler) getTLSCert(ch *tls.ClientHelloInfo) (*tls.Certificate, // verifyClientCertificate verifies that the client certificate is accepted // This method is used as GetConfigForClient is cross lang incompatible. func (h *serviceHandler) verifyClientCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + if !h.mTLSEnabled { + return nil + } + opts := x509.VerifyOptions{ Roots: h.caCertPool, CurrentTime: time.Now(), diff --git a/cmd/allocator/main_test.go b/cmd/allocator/main_test.go index f6257b4b7f..fe7ea8db86 100644 --- a/cmd/allocator/main_test.go +++ b/cmd/allocator/main_test.go @@ -48,6 +48,7 @@ func TestAllocateHandler(t *testing.T) { }, }, nil }, + mTLSEnabled: true, } request := &pb.AllocationRequest{ @@ -75,6 +76,7 @@ func TestAllocateHandlerReturnsError(t *testing.T) { allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return nil, k8serror.NewBadRequest("error") }, + mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -93,7 +95,8 @@ func TestGetTlsCert(t *testing.T) { assert.Nil(t, err, "expected (serverCert2, serverKey2) to create a cert") h := serviceHandler{ - tlsCert: &cert1, + tlsCert: &cert1, + mTLSEnabled: true, } retrievedCert1, err := h.getTLSCert(nil) 
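Review bot: The new local `mTLSEnabled` in `newServiceHandler` is not stored on the handler anywhere in the lines this hunk shows, while the next hunk makes `verifyClientCertificate` read `h.mTLSEnabled`. If the `serviceHandler` literal below does not already carry the field, the handler keeps the zero value `false` and Go rejects the unused local, so the literal should include `mTLSEnabled: mTLSEnabled,`. The literal continues past the end of the hunk, so this needs checking against the full file.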
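Review bot: The early return added to `verifyClientCertificate` fails open, because `mTLSEnabled` is a plain bool whose zero value is `false`: any `serviceHandler` built without setting it accepts a client certificate without checking it against `caCertPool`. Inverting the field so that the zero value keeps verification on (`mTLSDisabled bool` with `if h.mTLSDisabled { return nil }`) removes that trap. The doc comment should also state the consequence, e.g. `// When mTLS is disabled the client certificate is not verified and access control must come from elsewhere.` A warning logged once at startup when verification is off would make the state visible to operators. The function body continues past the hunk.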
@@ -123,6 +126,7 @@ func TestHandlingStatus(t *testing.T) { Code: http.StatusUnprocessableEntity, }, nil }, + mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -146,6 +150,7 @@ func TestBadReturnType(t *testing.T) { allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return &corev1.Secret{}, nil }, + mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -170,7 +175,8 @@ func TestVerifyClientCertificateSucceeds(t *testing.T) { assert.True(t, certPool.AppendCertsFromPEM(crt)) h := serviceHandler{ - caCertPool: certPool, + caCertPool: certPool, + mTLSEnabled: true, } block, _ := pem.Decode(crt) @@ -185,7 +191,8 @@ func TestVerifyClientCertificateFails(t *testing.T) { crt := []byte(clientCert) certPool := x509.NewCertPool() h := serviceHandler{ - caCertPool: certPool, + caCertPool: certPool, + mTLSEnabled: true, } block, _ := pem.Decode(crt) diff --git a/pkg/util/runtime/features.go b/pkg/util/runtime/features.go index 0e75937c35..8f59b32e96 100644 --- a/pkg/util/runtime/features.go +++ b/pkg/util/runtime/features.go @@ -34,6 +34,9 @@ const ( // FeaturePlayerTracking is a feature flag to enable/disable player tracking features. FeaturePlayerTracking Feature = "PlayerTracking" + // FeatureMTLSEnabled is a feature flag to enable/disable mTLS in the allocator. + FeatureMTLSEnabled Feature = "MTLSEnabled" + // FeatureContainerPortAllocation is a feature flag to enable/disable allocating ports to several containers in a pod FeatureContainerPortAllocation Feature = "ContainerPortAllocation" ) @@ -46,6 +49,7 @@ var ( FeatureExample: true, FeaturePlayerTracking: false, FeatureContainerPortAllocation: true, + FeatureMTLSEnabled: true, } // featureGates is the storage of what features are enabled diff --git a/test/e2e/allocator_test.go b/test/e2e/allocator_test.go index 9a324b4612..14dba93a7a 100644 --- a/test/e2e/allocator_test.go +++ b/test/e2e/allocator_test.go 
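Review bot: Every handler touched in these test hunks sets `mTLSEnabled: true`, so the new branch of `verifyClientCertificate` that skips verification is never exercised. A case next to `TestVerifyClientCertificateFails` that builds the handler with `mTLSEnabled: false` and the same empty pool would pin what the gate does, and a case with the field left unset would document the zero-value behaviour. Without them a later change to the default can switch client authentication off with all tests still green.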
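Review bot: The comment on `FeatureMTLSEnabled` does not say what turning the gate off means for callers of the allocator. Feature gates are presumably set from the `FEATURE_GATES` string, so a single deployment value decides whether client certificates are verified, and the comment should spell that out: `// FeatureMTLSEnabled controls client certificate verification in the allocator; when false, clients are not authenticated by certificate.` The default of `true` added in the second hunk is the safe choice and should stay.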
@@ -31,6 +31,7 @@ import ( pb "agones.dev/agones/pkg/allocation/go" agonesv1 "agones.dev/agones/pkg/apis/agones/v1" multiclusterv1 "agones.dev/agones/pkg/apis/multicluster/v1" + "agones.dev/agones/pkg/util/runtime" e2e "agones.dev/agones/test/e2e/framework" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -221,6 +222,8 @@ func getAllocatorEndpoint(t *testing.T) (string, int32) { // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []byte) (grpc.DialOption, error) { + mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + kubeCore := framework.KubeClient.CoreV1() clientSecret, err := kubeCore.Secrets(namespace).Get(clientSecretName, metav1.GetOptions{}) if err != nil { @@ -246,8 +249,9 @@ func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []b } tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{cert}, - RootCAs: rootCA, + Certificates: []tls.Certificate{cert}, + RootCAs: rootCA, + InsecureSkipVerify: !mTLSEnabled, } return grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), nil From 452c1e49551f57856be79b780ef25eae6ca2161f Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Thu, 25 Jun 2020 02:40:24 +0000 Subject: [PATCH 12/25] Removed the need for having certificates with mTLS disabled. --- cmd/allocator/main.go | 4 ---- test/e2e/allocator_test.go | 8 +++++--- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index f8cb14f5e6..332b7fa887 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go 
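Review bot: `InsecureSkipVerify: !mTLSEnabled` in the `tls.Config` turns off the client's check of the server certificate, which is a different control from mTLS. Disabling mTLS only removes the client-certificate requirement on the allocator side; the dial option should still validate the server against `rootCA`, otherwise the connection can be intercepted without either side noticing. Keep verification on and make only the client certificate conditional, e.g. `if mTLSEnabled { tlsConfig.Certificates = []tls.Certificate{cert} }`. The part of `createRemoteClusterDialOption` between the two hunks is not shown.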
@@ -249,10 +249,6 @@ func (h *serviceHandler) getTLSCert(ch *tls.ClientHelloInfo) (*tls.Certificate, // verifyClientCertificate verifies that the client certificate is accepted // This method is used as GetConfigForClient is cross lang incompatible. func (h *serviceHandler) verifyClientCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - if !h.mTLSEnabled { - return nil - } - opts := x509.VerifyOptions{ Roots: h.caCertPool, CurrentTime: time.Now(), diff --git a/test/e2e/allocator_test.go b/test/e2e/allocator_test.go index 14dba93a7a..5f47a17bc1 100644 --- a/test/e2e/allocator_test.go +++ b/test/e2e/allocator_test.go @@ -223,6 +223,9 @@ func getAllocatorEndpoint(t *testing.T) (string, int32) { // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []byte) (grpc.DialOption, error) { mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + if !mTLSEnabled { + return grpc.WithInsecure(), nil + } kubeCore := framework.KubeClient.CoreV1() clientSecret, err := kubeCore.Secrets(namespace).Get(clientSecretName, metav1.GetOptions{}) @@ -249,9 +252,8 @@ func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []b } tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{cert}, - RootCAs: rootCA, - InsecureSkipVerify: !mTLSEnabled, + Certificates: []tls.Certificate{cert}, + RootCAs: rootCA, } return grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), nil From 1a0e0b2bc4a9fec8e82397b1ad5d86222dd0deeb Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Thu, 25 Jun 2020 04:26:22 +0000 Subject: [PATCH 13/25] Fixed bug with mTLS enabling in the controller test. --- pkg/gameserverallocations/controller_test.go | 2 ++ 1 file changed, 2 insertions(+) 
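Review bot: Returning `grpc.WithInsecure()` from `createRemoteClusterDialOption` when the gate is off drops TLS altogether rather than just the client certificate, so the allocation request travels in plaintext and the server is not authenticated. With mTLS off the client can still dial with `credentials.NewTLS(&tls.Config{RootCAs: rootCA})` and simply omit `Certificates`, which means the check has to move below the point where `rootCA` is built. If the allocator keeps serving TLS through `getTLSCert`, a plaintext dial would presumably fail to connect as well. The same early return comes back under the renamed flag in the `allocator_test.go` hunk of PATCH 15/25.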
diff --git a/pkg/gameserverallocations/controller_test.go b/pkg/gameserverallocations/controller_test.go index 992112dce2..ad5f68a8ba 100644 --- a/pkg/gameserverallocations/controller_test.go +++ b/pkg/gameserverallocations/controller_test.go @@ -32,6 +32,7 @@ import ( "agones.dev/agones/pkg/gameservers" agtesting "agones.dev/agones/pkg/testing" "agones.dev/agones/pkg/util/apiserver" + "agones.dev/agones/pkg/util/runtime" "agones.dev/agones/pkg/util/signals" "github.com/heptiolabs/healthcheck" "github.com/pkg/errors" @@ -1161,6 +1162,7 @@ func TestMultiClusterAllocationFromRemote(t *testing.T) { func TestCreateRestClientError(t *testing.T) { t.Parallel() + runtime.ParseFeatures("") t.Run("Missing secret", func(t *testing.T) { c, _ := newFakeController() From 4e15cd9a8951b878d94177c7ef7ad6383cafe832 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Thu, 25 Jun 2020 04:50:50 +0000 Subject: [PATCH 14/25] Checked error value from runtime feature parsing in controller_test.go --- pkg/gameserverallocations/controller_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/gameserverallocations/controller_test.go b/pkg/gameserverallocations/controller_test.go index ad5f68a8ba..c953d9cb0a 100644 --- a/pkg/gameserverallocations/controller_test.go +++ b/pkg/gameserverallocations/controller_test.go @@ -1162,7 +1162,8 @@ func TestMultiClusterAllocationFromRemote(t *testing.T) { func TestCreateRestClientError(t *testing.T) { t.Parallel() - runtime.ParseFeatures("") + err := runtime.ParseFeatures("") + assert.NoError(t, err) t.Run("Missing secret", func(t *testing.T) { c, _ := newFakeController() From b20305c6bf94341048d1faec118c7131cef8dfab Mon Sep 17 00:00:00 2001 
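Review bot: `runtime.ParseFeatures("")` is called directly after `t.Parallel()` in `TestCreateRestClientError`, so a test that runs concurrently with others rewrites what appears to be package-wide feature-gate state. Any parallel test that reads or sets gates can then see a different configuration from run to run, which matters more once a gate decides whether client certificates are verified. Either drop `t.Parallel()` from tests that set gates or serialise them behind a shared lock, and restore the previous gates when the test ends. The follow-up hunk in PATCH 14/25 checks the returned error but keeps the same pattern.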
From: Nikhil Athreya Date: Thu, 25 Jun 2020 20:33:12 +0000 Subject: [PATCH 15/25] Changed flag name and added it to the documentation. --- cmd/allocator/main.go | 2 +- cmd/allocator/main_test.go | 13 +++---------- pkg/util/runtime/features.go | 6 +++--- site/content/en/docs/Guides/feature-stages.md | 1 + test/e2e/allocator_test.go | 4 ++-- 5 files changed, 10 insertions(+), 16 deletions(-) diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index 332b7fa887..9f3e908fe5 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go @@ -179,7 +179,7 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I kubeClient, gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health), mTLSDisabled) - mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) + mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) stop := signals.NewStopChannel() h := serviceHandler{ diff --git a/cmd/allocator/main_test.go b/cmd/allocator/main_test.go index fe7ea8db86..f6257b4b7f 100644 --- a/cmd/allocator/main_test.go +++ b/cmd/allocator/main_test.go @@ -48,7 +48,6 @@ func TestAllocateHandler(t *testing.T) { }, }, nil }, - mTLSEnabled: true, } request := &pb.AllocationRequest{ @@ -76,7 +75,6 @@ func TestAllocateHandlerReturnsError(t *testing.T) { allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return nil, k8serror.NewBadRequest("error") }, - mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -95,8 +93,7 @@ func TestGetTlsCert(t *testing.T) { assert.Nil(t, err, "expected (serverCert2, serverKey2) to create a cert") h := serviceHandler{ - tlsCert: &cert1, - mTLSEnabled: true, + tlsCert: &cert1, } retrievedCert1, err := h.getTLSCert(nil) 
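Review bot: In `newServiceHandler` the context line already passes `mTLSDisabled` as the last argument of the call that ends there, one statement before the changed line declares it with `mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled)`. The value computed here therefore cannot be the one that call receives: either the name resolves to something declared earlier, which this `:=` then shadows or redeclares, or the file does not compile. Move the `runtime.FeatureEnabled` call above the allocator construction and use a single variable, so the gate that is read is the one that takes effect. The function starts and ends outside the hunk.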
@@ -126,7 +123,6 @@ func TestHandlingStatus(t *testing.T) { Code: http.StatusUnprocessableEntity, }, nil }, - mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -150,7 +146,6 @@ func TestBadReturnType(t *testing.T) { allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { return &corev1.Secret{}, nil }, - mTLSEnabled: true, } request := &pb.AllocationRequest{} @@ -175,8 +170,7 @@ func TestVerifyClientCertificateSucceeds(t *testing.T) { assert.True(t, certPool.AppendCertsFromPEM(crt)) h := serviceHandler{ - caCertPool: certPool, - mTLSEnabled: true, + caCertPool: certPool, } block, _ := pem.Decode(crt) @@ -191,8 +185,7 @@ func TestVerifyClientCertificateFails(t *testing.T) { crt := []byte(clientCert) certPool := x509.NewCertPool() h := serviceHandler{ - caCertPool: certPool, - mTLSEnabled: true, + caCertPool: certPool, } block, _ := pem.Decode(crt) diff --git a/pkg/util/runtime/features.go b/pkg/util/runtime/features.go index 8f59b32e96..ed34a49519 100644 --- a/pkg/util/runtime/features.go +++ b/pkg/util/runtime/features.go @@ -34,8 +34,8 @@ const ( // FeaturePlayerTracking is a feature flag to enable/disable player tracking features. FeaturePlayerTracking Feature = "PlayerTracking" - // FeatureMTLSEnabled is a feature flag to enable/disable mTLS in the allocator. - FeatureMTLSEnabled Feature = "MTLSEnabled" + // FeatureAllocatorMTLSDisabled is a feature flag to enable/disable mTLS in the allocator. + FeatureAllocatorMTLSDisabled Feature = "AllocatorMTLSDisabled" // FeatureContainerPortAllocation is a feature flag to enable/disable allocating ports to several containers in a pod FeatureContainerPortAllocation Feature = "ContainerPortAllocation" @@ -49,7 +49,7 @@ var ( FeatureExample: true, FeaturePlayerTracking: false, FeatureContainerPortAllocation: true, - FeatureMTLSEnabled: true, + FeatureAllocatorMTLSDisabled: false, } // featureGates is the storage of what features are enabled 
diff --git a/site/content/en/docs/Guides/feature-stages.md b/site/content/en/docs/Guides/feature-stages.md index c1970f8e34..49aa5bedc7 100644 --- a/site/content/en/docs/Guides/feature-stages.md +++ b/site/content/en/docs/Guides/feature-stages.md @@ -31,6 +31,7 @@ The current set of `alpha` and `beta` feature gates are: | Example Gate (not in use) | `Example` | Disabled | None | 0.13.0 | | [Port Allocations to Multiple Containers]({{< ref "/docs/Reference/gameserver.md" >}}) | `ContainerPortAllocation` | Disabled | `Alpha` | 1.6.0 | | [Player Tracking]({{< ref "/docs/Guides/player-tracking.md" >}}) | `PlayerTracking` | Disabled | `Alpha` | 1.6.0 | +| MTLS in the Allocator | `AllocatorMTLSDisabled` | Disabled | `Alpha` | 1.7.0 | *Multicluster Allocation was started before this process was in place, and therefore does not have a feature gate and cannot be disabled. {{% /feature %}} diff --git a/test/e2e/allocator_test.go b/test/e2e/allocator_test.go index 5f47a17bc1..e66a51ad02 100644 --- a/test/e2e/allocator_test.go +++ b/test/e2e/allocator_test.go @@ -222,8 +222,8 @@ func getAllocatorEndpoint(t *testing.T) (string, int32) { // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []byte) (grpc.DialOption, error) { - mTLSEnabled := runtime.FeatureEnabled(runtime.FeatureMTLSEnabled) - if !mTLSEnabled { + mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) + if mTLSDisabled { return grpc.WithInsecure(), nil } From 72b3db1a0c92862dd760dd506250c71b8c59e370 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Thu, 25 Jun 2020 21:29:30 +0000 Subject: [PATCH 16/25] Removed feature parsing in controller_test.go --- pkg/gameserverallocations/controller_test.go | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/pkg/gameserverallocations/controller_test.go b/pkg/gameserverallocations/controller_test.go index c953d9cb0a..992112dce2 100644 --- a/pkg/gameserverallocations/controller_test.go +++ b/pkg/gameserverallocations/controller_test.go @@ -32,7 +32,6 @@ import ( "agones.dev/agones/pkg/gameservers" agtesting "agones.dev/agones/pkg/testing" "agones.dev/agones/pkg/util/apiserver" - "agones.dev/agones/pkg/util/runtime" "agones.dev/agones/pkg/util/signals" "github.com/heptiolabs/healthcheck" "github.com/pkg/errors" @@ -1162,8 +1161,6 @@ func TestMultiClusterAllocationFromRemote(t *testing.T) { func TestCreateRestClientError(t *testing.T) { t.Parallel() - err := runtime.ParseFeatures("") - assert.NoError(t, err) t.Run("Missing secret", func(t *testing.T) { c, _ := newFakeController() From 5f98c646a66813608d89fc3922e03563e62bda4e Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 09:40:09 +0000 Subject: [PATCH 17/25] Transitioned to using Helm for configuration. --- cloudbuild.yaml | 3 +-- cmd/allocator/main.go | 2 -- cmd/allocator/metrics.go | 1 + cmd/controller/main.go | 1 + pkg/util/runtime/features.go | 4 ---- test/e2e/allocator_test.go | 6 ------ 6 files changed, 3 insertions(+), 14 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index a7005fa170..1fcfc593f7 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -189,7 +189,6 @@ steps: - lint - ensure-build-sdk-image-base - htmltest-restore-cache - - build-sdks dir: "build" args: [ "-j", "5", "--output-sync=target", "test" ] @@ -228,7 +227,7 @@ steps: - GO111MODULE=on # -# Run the e2e tests with FeatureGates inverted compared to Stable +# Run the e2e tests with FeatureGates # - name: 'e2e-runner' diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index 9f3e908fe5..9a1b2e2b7c 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go 
@@ -179,8 +179,6 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I kubeClient, gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health), mTLSDisabled) - mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) - stop := signals.NewStopChannel() h := serviceHandler{ allocationCallback: func(gsa *allocationv1.GameServerAllocation) (k8sruntime.Object, error) { diff --git a/cmd/allocator/metrics.go b/cmd/allocator/metrics.go index 7580efa307..0bc54bbe0e 100644 --- a/cmd/allocator/metrics.go +++ b/cmd/allocator/metrics.go @@ -45,6 +45,7 @@ type config struct { Stackdriver bool GCPProjectID string StackdriverLabels string + MTLSDisabled bool } func parseEnvFlags() config { diff --git a/cmd/controller/main.go b/cmd/controller/main.go index 57fd60e38f..0024f70870 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go @@ -390,6 +390,7 @@ type config struct { LogDir string LogLevel string LogSizeLimitMB int + MTLSDisabled bool } // validate ensures the ctlConfig data is valid. diff --git a/pkg/util/runtime/features.go b/pkg/util/runtime/features.go index ed34a49519..0e75937c35 100644 --- a/pkg/util/runtime/features.go +++ b/pkg/util/runtime/features.go @@ -34,9 +34,6 @@ const ( // FeaturePlayerTracking is a feature flag to enable/disable player tracking features. FeaturePlayerTracking Feature = "PlayerTracking" - // FeatureAllocatorMTLSDisabled is a feature flag to enable/disable mTLS in the allocator. - FeatureAllocatorMTLSDisabled Feature = "AllocatorMTLSDisabled" - // FeatureContainerPortAllocation is a feature flag to enable/disable allocating ports to several containers in a pod FeatureContainerPortAllocation Feature = "ContainerPortAllocation" ) 
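Review bot: The new `MTLSDisabled bool` field in `config` is a security-relevant switch with no comment, both here in cmd/allocator/metrics.go and in the cmd/controller/main.go hunk, and neither hunk shows where it is populated. Its zero value leaves mTLS on, which is the safe default and worth stating on the field. Assuming it keeps the meaning of the `FeatureAllocatorMTLSDisabled` gate removed in this commit, the comment could read `// MTLSDisabled turns off mutual TLS for the allocator; the zero value keeps it enabled.` A startup warning whenever the field is true would also make a weakened deployment visible in logs. `parseEnvFlags` and the controller's `validate` start after these hunks, so whether they already bind or report the value cannot be seen here.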
@@ -49,7 +46,6 @@ var ( FeatureExample: true, FeaturePlayerTracking: false, FeatureContainerPortAllocation: true, - FeatureAllocatorMTLSDisabled: false, } // featureGates is the storage of what features are enabled diff --git a/test/e2e/allocator_test.go b/test/e2e/allocator_test.go index e66a51ad02..9a324b4612 100644 --- a/test/e2e/allocator_test.go +++ b/test/e2e/allocator_test.go @@ -31,7 +31,6 @@ import ( pb "agones.dev/agones/pkg/allocation/go" agonesv1 "agones.dev/agones/pkg/apis/agones/v1" multiclusterv1 "agones.dev/agones/pkg/apis/multicluster/v1" - "agones.dev/agones/pkg/util/runtime" e2e "agones.dev/agones/test/e2e/framework" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -222,11 +221,6 @@ func getAllocatorEndpoint(t *testing.T) (string, int32) { // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func createRemoteClusterDialOption(namespace, clientSecretName string, tlsCA []byte) (grpc.DialOption, error) { - mTLSDisabled := runtime.FeatureEnabled(runtime.FeatureAllocatorMTLSDisabled) - if mTLSDisabled { - return grpc.WithInsecure(), nil - } - kubeCore := framework.KubeClient.CoreV1() clientSecret, err := kubeCore.Secrets(namespace).Get(clientSecretName, metav1.GetOptions{}) if err != nil { From 25929ef48f9b577970d65675d02a12513eaecdc7 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 09:50:35 +0000 Subject: [PATCH 18/25] Reordered struct members. --- cmd/allocator/metrics.go | 1 - cmd/controller/main.go | 1 - 2 files changed, 2 deletions(-) diff --git a/cmd/allocator/metrics.go b/cmd/allocator/metrics.go index 0bc54bbe0e..7580efa307 100644 --- a/cmd/allocator/metrics.go +++ b/cmd/allocator/metrics.go @@ -45,7 +45,6 @@ type config struct { Stackdriver bool GCPProjectID string StackdriverLabels string - MTLSDisabled bool } func parseEnvFlags() config { diff --git a/cmd/controller/main.go b/cmd/controller/main.go index 0024f70870..57fd60e38f 100644 
--- a/cmd/controller/main.go +++ b/cmd/controller/main.go @@ -390,7 +390,6 @@ type config struct { LogDir string LogLevel string LogSizeLimitMB int - MTLSDisabled bool } // validate ensures the ctlConfig data is valid. From 1ce60108fecf2e14576e21f2918f0506650a9e83 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 10:03:54 +0000 Subject: [PATCH 19/25] Removed non-existent feature gate documentation. --- site/content/en/docs/Guides/feature-stages.md | 1 - 1 file changed, 1 deletion(-) diff --git a/site/content/en/docs/Guides/feature-stages.md b/site/content/en/docs/Guides/feature-stages.md index 49aa5bedc7..c1970f8e34 100644 --- a/site/content/en/docs/Guides/feature-stages.md +++ b/site/content/en/docs/Guides/feature-stages.md @@ -31,7 +31,6 @@ The current set of `alpha` and `beta` feature gates are: | Example Gate (not in use) | `Example` | Disabled | None | 0.13.0 | | [Port Allocations to Multiple Containers]({{< ref "/docs/Reference/gameserver.md" >}}) | `ContainerPortAllocation` | Disabled | `Alpha` | 1.6.0 | | [Player Tracking]({{< ref "/docs/Guides/player-tracking.md" >}}) | `PlayerTracking` | Disabled | `Alpha` | 1.6.0 | -| MTLS in the Allocator | `AllocatorMTLSDisabled` | Disabled | `Alpha` | 1.7.0 | *Multicluster Allocation was started before this process was in place, and therefore does not have a feature gate and cannot be disabled. {{% /feature %}} From b61078e4b26390a03b5bbea3b81c915dee02aafb Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 18:17:04 +0000 Subject: [PATCH 20/25] Reverted changes to {cloudbuild,install}.yaml --- cloudbuild.yaml | 3 +- install/yaml/install.yaml | 961 ++++++++++++++++++-------------------- 2 files changed, 469 insertions(+), 495 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 1fcfc593f7..a7005fa170 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
@@ -189,6 +189,7 @@ steps: - lint - ensure-build-sdk-image-base - htmltest-restore-cache + - build-sdks dir: "build" args: [ "-j", "5", "--output-sync=target", "test" ] @@ -227,7 +228,7 @@ steps: - GO111MODULE=on # -# Run the e2e tests with FeatureGates +# Run the e2e tests with FeatureGates inverted compared to Stable # - name: 'e2e-runner' diff --git a/install/yaml/install.yaml b/install/yaml/install.yaml index 996f6b1365..dc5994728a 100644 --- a/install/yaml/install.yaml +++ b/install/yaml/install.yaml @@ -1,4 +1,17 @@ --- +# Source: agones/templates/service/allocation.yaml +# Create a ServiceAccount that will be bound to the above role +apiVersion: v1 +kind: ServiceAccount +metadata: + name: agones-allocator + namespace: agones-system + labels: + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Helm +--- # Source: agones/templates/serviceaccounts/controller.yaml # Copyright 2018 Google LLC All Rights Reserved. # 
@@ -22,102 +35,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: agones-controller - namespace: agones-system - labels: - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Tiller -rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["create", "delete", "list", "watch"] -- apiGroups: [""] - resources: ["nodes", "secrets"] - verbs: ["list", "watch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get"] -- apiGroups: ["agones.dev"] - resources: ["gameservers", "gameserversets"] - verbs: ["create", "delete", "get", "list", "update", "watch"] -- apiGroups: ["agones.dev"] - resources: ["gameservers"] - verbs: ["patch"] -- apiGroups: ["agones.dev"] - resources: ["fleets"] - verbs: ["get", "list", "update", "watch"] -- apiGroups: ["agones.dev"] - resources: ["fleets/status", "gameserversets/status"] - verbs: ["update"] -- apiGroups: ["multicluster.agones.dev"] - resources: ["gameserverallocationpolicies"] - verbs: ["create", "delete", "get", "list", "update", "watch"] -- apiGroups: ["autoscaling.agones.dev"] - resources: ["fleetautoscalers"] - verbs: ["get", "list", "update", "watch"] -- apiGroups: ["autoscaling.agones.dev"] - resources: ["fleetautoscalers/status"] - verbs: ["update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: agones-controller-access - namespace: agones-system - labels: - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Tiller -subjects: -- kind: User - name: system:serviceaccount:agones-system:agones-controller - apiGroup: rbac.authorization.k8s.io -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: agones-controller ---- -# -# RBACs for APIService -# -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
ClusterRoleBinding -metadata: - name: agones-controller:system:auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - name: agones-controller - namespace: agones-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: agones-controller-auth-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - kind: ServiceAccount - name: agones-controller - namespace: agones-system - + heritage: Helm --- # Source: agones/templates/serviceaccounts/sdk.yaml # Copyright 2018 Google LLC All Rights Reserved. 
@@ -142,46 +60,70 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +# Source: agones/templates/extensions.yaml +apiVersion: v1 +kind: Secret +metadata: + name: agones-manual-cert + namespace: agones-system + labels: + app: agones-manual + chart: "agones-1.7.0" + release: "agones-manual" + heritage: "Helm" +type: Opaque +data: + server.crt: 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 + server.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBemdWVDkwZWp4Tm53Q28vT2pNRDI2ZlU0ZHJrU2Vmd2RRZ3dpYmlmYWw4cms2WTBWCnZPSVYxSCtsUm93ZTA2bVdOdVI1Rk9YRkEwZlhsdnhDS0tZVlFwU1BFSzJZU3loL2FTbkpRTDZxbzhlQVlUSkIKa09ZTEI1Q2J6SXppV2VvUWZPWU44TWxFbjhiWEpkaWVKaEhIOFVueWp0eW9UbHh6aFptWCtwZnRoVWRlYTNWawp6TzIxbjQrUUUzUlg1ZjEzMkZURmN1cVhPVUEvcGk4Y2NBTkdjM3pqTGVaSnZBOW9kUEVoR2Y3Z0M4ZXlBNjhTClZjc2grUGp6MGx3OTVBUHZsTXYxam1xVVJGV2NFU1RMYVEwRng1S3dSeVYwemlabVV2QUFGMlp4RFpoSFVjb0YKUEhBd1RsNzVOQWhuSHBNbExOcDVMN3RjVmR5VDhCMkdScytzbFFJREFRQUJBb0lCQUVvVTVHS1E0alRRNFY0Swo1QXo4L2t5V254MGg0NkQxcFZld29WalcvK1dCVWRzaG5tVnpMc0pndS8rb054V0piN2lCWTRDK05wKzlYNnF0ClB1VDdBNzRUU1hhSDFiR0ErSC9LUk5JQlBiN3k2QmtMUjBSaFZDbitOK2ZQNlR6SHkvSDlqNW03NWU5R1F1c2EKLzVOVTVYN0FSblpVcGppM1Nkc0twZm00VS9LT1YrcDJqV1NQWDdIT0J1L0tZYTFqdmVDdDZKTVBRMzZLQlhrUgpNbFZDa0FEY3ZBQUd1T2JwYS9zbTBNQTYzK2loZGVTWWhrRVhLcXhINEF6M1BWREx3UDgwVDhmNVZxd1dZbW5xCkwvQmc2SG5WNUdIbmxUWEErV2VwTmJIa29rTjlHMEg2bTBJdGo0YWwzYkdUQjRqZUJDSlpwNUZIVzVvYko0cVAKV2tjZlhjRUNnWUVBOFVJWnZkTlNzU3BSWlZUZTRoaHRYbmNPcHRGVGRvVktJelR1VVZLZktlOU9CNWkzMkI5dQo0aEROcEJEcWtnRWt0ZzRSOC9jbjU3ejZaVWRVQ2NvYmpXUWJKTFhFNXdwN0h0ZjdqQ0duTDJRbUljcDIwcmJGCkhyRTJsSHIwb05yM01MVXJ1QnZBclZCM0xMR21PRWduM05RdzlhSndnLzU0MkVEUzd4NXYzWGtDZ1lFQTJwd0cKSGlHWVhUSmZZTmcvK1NtRHVTRFdGZTRpTVBUUncxVFQ4NXVHRTlVRXJZUFFkOE9xWVFRT2dJQVQ3eHAxejBvcQo2cG1zalBPNkhabmc5b0hLZUFPL0pQZVN1WEUrYko4SFlLcDdXOTI5RitMR0pvcWl0T0xQTW0vOU9vdllEQ3ZoCjYrcURZNUxOUkhkQWVUcXd3STJ5dWdmNFluQmpZNn
pJZkJwNUxQMENnWUVBeXJydjVKcVNienVQUUdaTUVKUFUKTzhBeCtLNEh3NTJIeWdQdGl6cXhjc3lidGpoM3JFM2xvR1BjV2RTNU9FMXJxdXd4Mjk5QmtqTXoraTB4Q2pUaQphRExKdUZSaURIKzdMQlQwVlRIbVNpV1BBWEFmM3pza2M0RVl5elp6SUVRLzJaYzBFTGFKZDFvWmV0NGhQa1FyCjh4My9zamw0OFFIQ1RINVVnZ2tDbVlrQ2dZQWZLL3BQVjVrRFNRaUNwYk5Sa3hMZVZnbFE3VGpnNURmNDgyS1oKclFhTVUyYXNXMHhobDN2M0EzNFI0ckYwK2Ivc3cvV2txQzhMbGtGbXNTZDczdndBNnYvWmhKZmVhNEJzT3F6eApvcjJlVnRyOHlmQlpWSkZvMjZLUjNaZ3RQZjJibHJKTFVwQlRwWDR4a2hPV2RjRDRZL3dsUExlMVNiTlNaalBjClJtWWEvUUtCZ1FDNmE3ek5BU1AwQTBxTVBocXlKWmxiZzRGOFdNUnRnSEZmc3kvaUx3ZGlFVUd1Q2hRV1VMa2MKaHpQV3BqRDB6d3JTeFp0eWhTTDBiNlRIbnFUaWluMjNPdnRJTmxWaVptb3M1bVdXMFZlR3NiSG5KdVJhM1RIeQpFalNrU1A0bVI3dEpsSm9rYm9aK2xZTDdnQUJIbjJFUm5Ec3FYOG9FVTZRcERQMXJaaFlTemc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +--- +# Source: agones/templates/service/allocation.yaml +# Allocation CA +apiVersion: v1 +kind: Secret metadata: - name: agones-sdk + name: allocator-client-ca namespace: agones-system labels: - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Tiller -rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: ["agones.dev"] - resources: ["gameservers"] - verbs: ["list", "update", "watch"] + app: agones-manual + chart: "agones-1.7.0" + release: "agones-manual" + heritage: "Helm" +data: + ca.crt: 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 --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +# Source: agones/templates/service/allocation.yaml +# Allocation TLS certs +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls metadata: - name: agones-sdk-access - namespace: default + name: allocator-tls + namespace: agones-system labels: - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Tiller -subjects: -- kind: User - name: system:serviceaccount:default:agones-sdk - apiGroup: rbac.authorization.k8s.io -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: agones-sdk + app: agones-manual + 
chart: "agones-1.7.0" + release: "agones-manual" + heritage: "Helm" +data: + tls.crt: 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 + tls.key: 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 --- - +# Source: agones/templates/service/allocation.yaml +# Allocation TLS CA +apiVersion: v1 +kind: Secret +metadata: + name: allocator-tls-ca + namespace: agones-system + labels: + app: agones-manual + chart: "agones-1.7.0" + release: "agones-manual" + heritage: "Helm" +data: + tls-ca.crt: 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 --- # Source: agones/templates/crds/fleet.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -207,7 +149,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm spec: additionalPrinterColumns: - JSONPath: .spec.scheduling @@ -417,7 +359,6 @@ spec: statusReplicasPath: .status.replicas # labelSelectorPath defines the JSONPath inside of a custom resource that corresponds to Scale.Status.Selector. labelSelectorPath: .status.labelSelector - --- # Source: agones/templates/crds/fleetautoscaler.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -443,7 +384,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm spec: group: autoscaling.agones.dev version: v1 @@ -503,7 +444,6 @@ spec: subresources: # status enables the status subresource. status: {} - --- # Source: agones/templates/crds/gameserver.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -529,7 +469,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm spec: group: agones.dev version: v1 @@ -704,7 +644,6 @@ spec: type: integer title: The initial player capacity of this Game Server minimum: 0 - --- # Source: agones/templates/crds/gameserverallocationpolicy.yaml # Copyright 2019 Google LLC All Rights Reserved. 
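Review bot: The `agones-manual-cert` Secret on the new side of the `@@ -142,46 +60,70 @@` hunk carries a complete RSA private key in `server.key` (the base64 opens with a `BEGIN RSA PRIVATE KEY` header). Every cluster installed from this manifest therefore shares key material that is readable in the repository. The block may only have been moved by the regeneration, since the matching removal is not visible here, but either way the manifest should say that it is a placeholder. Because the file is rendered from `agones/templates/extensions.yaml`, the caveat belongs in that template, for example `# Placeholder key pair for manual installs; replace server.crt and server.key with your own before production use.` The `allocator-tls` and `allocator-client-ca` Secrets in the same hunk deserve the same comment.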
@@ -731,7 +670,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm name: gameserverallocationpolicies.multicluster.agones.dev spec: group: multicluster.agones.dev @@ -801,7 +740,6 @@ status: plural: "" conditions: [] storedVersions: [] - --- # Source: agones/templates/crds/gameserverset.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -827,7 +765,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm spec: additionalPrinterColumns: - JSONPath: .spec.scheduling 
@@ -1032,232 +970,105 @@ spec: statusReplicasPath: .status.replicas # labelSelectorPath defines the JSONPath inside of a custom resource that corresponds to Scale.Status.Selector. labelSelectorPath: .status.labelSelector - ---- -# Source: agones/templates/service.yaml -# Copyright 2018 Google LLC All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Service -metadata: - name: agones-controller-service - namespace: agones-system - labels: - agones.dev/role: controller - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Tiller -spec: - selector: - agones.dev/role: controller - ports: - - name: webhooks - port: 443 - targetPort: 8081 - - name: web - port: 8080 --- # Source: agones/templates/service/allocation.yaml -# Copyright 2019 Google LLC All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
-# Define a Service for the agones-allocator -apiVersion: v1 -kind: Service +# Create a ClusterRole in that grants access to the agones allocation api +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: agones-allocator namespace: agones-system labels: - component: allocator app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller -spec: - selector: - multicluster.agones.dev/role: allocator - ports: - - port: 443 - name: https - targetPort: 8443 - protocol: TCP - type: LoadBalancer - ---- -# Deploy a pod to run the agones-allocator code -apiVersion: apps/v1 -kind: Deployment -metadata: - name: agones-allocator - namespace: agones-system - labels: - multicluster.agones.dev/role: allocator - app: agones - release: agones-manual - heritage: Tiller -spec: - replicas: 3 - selector: - matchLabels: - multicluster.agones.dev/role: allocator - app: agones - release: agones-manual - heritage: Tiller - template: - metadata: - annotations: - labels: - multicluster.agones.dev/role: allocator - app: agones - release: agones-manual - heritage: Tiller - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "8080" - prometheus.io/path: "/metrics" - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: agones.dev/agones-system - operator: Exists - weight: 1 - - tolerations: - - effect: NoExecute - key: agones.dev/agones-system - operator: Equal - value: "true" - - serviceAccountName: agones-allocator - volumes: - - name: tls - secret: - secretName: allocator-tls - - name: client-ca - secret: - secretName: allocator-client-ca - containers: - - name: agones-allocator - image: "gcr.io/agones-images/agones-allocator:1.7.0" - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 8080 - initialDelaySeconds: 3 - periodSeconds: 3 - failureThreshold: 3 - timeoutSeconds: 1 - readinessProbe: - httpGet: - path: /ready - port: 8080 - env: - - 
name: PROMETHEUS_EXPORTER - value: "true" - - name: STACKDRIVER_EXPORTER - value: "false" - - name: GCP_PROJECT_ID - value: "" - - name: STACKDRIVER_LABELS - value: "" - - name: DISABLE_MTLS - value: "false" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONTAINER_NAME - value: "agones-allocator" - - name: FEATURE_GATES - value: "" - ports: - - name: https - containerPort: 8443 - volumeMounts: - - mountPath: /home/allocator/tls - name: tls - readOnly: true - - mountPath: /home/allocator/client-ca - name: client-ca - readOnly: true - + heritage: Helm +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: ["allocation.agones.dev"] + resources: ["gameserverallocations"] + verbs: ["create"] +- apiGroups: [""] + resources: ["nodes", "secrets"] + verbs: ["get", "list", "watch"] +- apiGroups: ["agones.dev"] + resources: ["gameservers", "gameserversets"] + verbs: ["get", "list", "update", "watch"] +- apiGroups: ["agones.dev"] + resources: ["gameservers"] + verbs: ["patch"] +- apiGroups: ["multicluster.agones.dev"] + resources: ["gameserverallocationpolicies"] + verbs: ["get", "list", "watch"] --- -# Create a ClusterRole in that grants access to the agones allocation api +# Source: agones/templates/serviceaccounts/controller.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: agones-allocator + name: agones-controller namespace: agones-system labels: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] -- apiGroups: ["allocation.agones.dev"] - resources: ["gameserverallocations"] - verbs: ["create"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["create", "delete", "list", "watch"] - apiGroups: [""] resources: ["nodes", "secrets"] - verbs: ["get", "list", "watch"] + verbs: 
["list", "watch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get"] - apiGroups: ["agones.dev"] resources: ["gameservers", "gameserversets"] - verbs: ["get", "list", "update", "watch"] + verbs: ["create", "delete", "get", "list", "update", "watch"] - apiGroups: ["agones.dev"] resources: ["gameservers"] verbs: ["patch"] +- apiGroups: ["agones.dev"] + resources: ["fleets"] + verbs: ["get", "list", "update", "watch"] +- apiGroups: ["agones.dev"] + resources: ["fleets/status", "gameserversets/status"] + verbs: ["update"] - apiGroups: ["multicluster.agones.dev"] resources: ["gameserverallocationpolicies"] - verbs: ["get", "list", "watch"] - + verbs: ["create", "delete", "get", "list", "update", "watch"] +- apiGroups: ["autoscaling.agones.dev"] + resources: ["fleetautoscalers"] + verbs: ["get", "list", "update", "watch"] +- apiGroups: ["autoscaling.agones.dev"] + resources: ["fleetautoscalers/status"] + verbs: ["update"] --- -# Create a ServiceAccount that will be bound to the above role -apiVersion: v1 -kind: ServiceAccount +# Source: agones/templates/serviceaccounts/sdk.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - name: agones-allocator + name: agones-sdk namespace: agones-system labels: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller - + heritage: Helm +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: ["agones.dev"] + resources: ["gameservers"] + verbs: ["list", "update", "watch"] --- +# Source: agones/templates/service/allocation.yaml # Bind the agones-allocator ServiceAccount to the agones-allocator ClusterRole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -1268,7 +1079,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm subjects: - kind: ServiceAccount name: agones-allocator 
@@ -1277,55 +1088,194 @@ roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: agones-allocator - --- -# Allocation CA +# Source: agones/templates/serviceaccounts/controller.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agones-controller-access + namespace: agones-system + labels: + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Helm +subjects: +- kind: User + name: system:serviceaccount:agones-system:agones-controller + apiGroup: rbac.authorization.k8s.io +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: agones-controller +--- +# Source: agones/templates/serviceaccounts/controller.yaml +# +# RBACs for APIService +# +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agones-controller:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: agones-controller + namespace: agones-system +--- +# Source: agones/templates/serviceaccounts/controller.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: agones-controller-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: agones-controller + namespace: agones-system +--- +# Source: agones/templates/serviceaccounts/sdk.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: agones-sdk-access + namespace: default + labels: + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Helm +subjects: +- kind: User + name: system:serviceaccount:default:agones-sdk + apiGroup: rbac.authorization.k8s.io +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: agones-sdk +--- +# Source: agones/templates/ping.yaml apiVersion: v1 -kind: Secret +kind: Service 
metadata: - name: allocator-client-ca + name: agones-ping-http-service namespace: agones-system labels: - app: agones-manual - chart: "agones-1.7.0" - release: "agones-manual" - heritage: "Tiller" -data: - ca.crt: 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 - - + component: ping + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Helm +spec: + selector: + agones.dev/role: ping + ports: + - port: 80 + name: http + targetPort: 8080 + protocol: TCP + type: LoadBalancer --- -# Allocation TLS certs +# Source: agones/templates/ping.yaml apiVersion: v1 -kind: Secret -type: kubernetes.io/tls +kind: Service metadata: - name: allocator-tls + name: agones-ping-udp-service namespace: agones-system labels: - app: agones-manual - chart: "agones-1.7.0" - release: "agones-manual" - heritage: "Tiller" -data: - tls.crt: 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 - tls.key: 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 + component: ping + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Helm +spec: + selector: + agones.dev/role: ping + ports: + - port: 50000 + name: udp + targetPort: 8080 + protocol: UDP + type: LoadBalancer +--- +# Source: agones/templates/service.yaml +# Copyright 2018 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+apiVersion: v1 +kind: Service +metadata: + name: agones-controller-service + namespace: agones-system + labels: + agones.dev/role: controller + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Helm +spec: + selector: + agones.dev/role: controller + ports: + - name: webhooks + port: 443 + targetPort: 8081 + - name: web + port: 8080 --- -# Allocation TLS CA +# Source: agones/templates/service/allocation.yaml +# Copyright 2019 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# Define a Service for the agones-allocator apiVersion: v1 -kind: Secret +kind: Service metadata: - name: allocator-tls-ca + name: agones-allocator namespace: agones-system labels: - app: agones-manual - chart: "agones-1.7.0" - release: "agones-manual" - heritage: "Tiller" -data: - tls-ca.crt: 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 - + component: allocator + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Helm +spec: + selector: + multicluster.agones.dev/role: allocator + ports: + - port: 443 + name: https + targetPort: 8443 + protocol: TCP + type: LoadBalancer --- # Source: agones/templates/controller.yaml # Copyright 2018 Google LLC All Rights Reserved. 
@@ -1352,14 +1302,14 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm spec: selector: matchLabels: agones.dev/role: controller app: agones release: agones-manual - heritage: Tiller + heritage: Helm replicas: 1 strategy: type: Recreate @@ -1374,7 +1324,7 @@ spec: agones.dev/role: controller app: agones release: agones-manual - heritage: Tiller + heritage: Helm spec: affinity: nodeAffinity: @@ -1384,13 +1334,11 @@ spec: - key: agones.dev/agones-system operator: Exists weight: 1 - tolerations: - effect: NoExecute key: agones.dev/agones-system operator: Equal value: "true" - priorityClassName: agones-system serviceAccountName: agones-controller containers: @@ -1444,8 +1392,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: DISABLE_MTLS - value: "false" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -1473,7 +1419,6 @@ spec: secretName: agones-manual-cert - name: logs emptyDir: {} - --- # Source: agones/templates/ping.yaml # Copyright 2018 Google LLC All Rights Reserved. @@ -1499,14 +1444,14 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm spec: selector: matchLabels: agones.dev/role: ping app: agones release: agones-manual - heritage: Tiller + heritage: Helm replicas: 2 template: metadata: @@ -1514,7 +1459,7 @@ spec: agones.dev/role: ping app: agones release: agones-manual - heritage: Tiller + heritage: Helm spec: affinity: nodeAffinity: @@ -1524,13 +1469,11 @@ spec: - key: agones.dev/agones-system operator: Exists weight: 1 - tolerations: - effect: NoExecute key: agones.dev/agones-system operator: Equal value: "true" - priorityClassName: agones-system containers: - name: agones-ping 
@@ -1552,47 +1495,128 @@ spec: - name: FEATURE_GATES value: "" --- -apiVersion: v1 -kind: Service +# Source: agones/templates/service/allocation.yaml +# Deploy a pod to run the agones-allocator code +apiVersion: apps/v1 +kind: Deployment metadata: - name: agones-ping-http-service + name: agones-allocator namespace: agones-system labels: - component: ping + multicluster.agones.dev/role: allocator app: agones - chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm spec: + replicas: 3 selector: - agones.dev/role: ping - ports: - - port: 80 - name: http - targetPort: 8080 - protocol: TCP - type: LoadBalancer + matchLabels: + multicluster.agones.dev/role: allocator + app: agones + release: agones-manual + heritage: Helm + template: + metadata: + annotations: + labels: + multicluster.agones.dev/role: allocator + app: agones + release: agones-manual + heritage: Helm + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8080" + prometheus.io/path: "/metrics" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: agones.dev/agones-system + operator: Exists + weight: 1 + tolerations: + - effect: NoExecute + key: agones.dev/agones-system + operator: Equal + value: "true" + serviceAccountName: agones-allocator + volumes: + - name: tls + secret: + secretName: allocator-tls + - name: client-ca + secret: + secretName: allocator-client-ca + containers: + - name: agones-allocator + image: "gcr.io/agones-images/agones-allocator:1.7.0" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + failureThreshold: 3 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 8080 + env: + - name: PROMETHEUS_EXPORTER + value: "true" + - name: STACKDRIVER_EXPORTER + value: "false" + - name: GCP_PROJECT_ID + value: "" + - name: STACKDRIVER_LABELS + value: "" + - name: POD_NAME + valueFrom: 
+ fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: "agones-allocator" + - name: FEATURE_GATES + value: "" + ports: + - name: https + containerPort: 8443 + volumeMounts: + - mountPath: /home/allocator/tls + name: tls + readOnly: true + - mountPath: /home/allocator/client-ca + name: client-ca + readOnly: true --- -apiVersion: v1 -kind: Service -metadata: - name: agones-ping-udp-service - namespace: agones-system - labels: - component: ping - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Tiller -spec: - selector: - agones.dev/role: ping - ports: - - port: 50000 - name: udp - targetPort: 8080 - protocol: UDP - type: LoadBalancer +# Source: agones/templates/extensions.yaml +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1.allocation.agones.dev + labels: + component: controller + app: agones + chart: agones-1.7.0 + release: agones-manual + heritage: Helm +spec: + group: allocation.agones.dev + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: agones-controller-service + namespace: agones-system + caBundle: 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 + version: v1 --- # Source: agones/templates/extensions.yaml # Copyright 2018 Google LLC All Rights Reserved. 
@@ -1607,28 +1631,49 @@ spec: # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and -# limitations under the License. ---- -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService +# limitations under the License. +--- +# Source: agones/templates/extensions.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration metadata: - name: v1.allocation.agones.dev + name: agones-mutation-webhook labels: component: controller app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller -spec: - group: allocation.agones.dev - groupPriorityMinimum: 1000 - versionPriority: 15 - service: - name: agones-controller-service - namespace: agones-system - caBundle: 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 - version: v1 ---- + heritage: Helm +webhooks: + - name: mutations.agones.dev + failurePolicy: Fail + clientConfig: + service: + name: agones-controller-service + namespace: agones-system + path: /mutate + caBundle: 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 + rules: + - apiGroups: + - agones.dev + resources: + - "gameservers" + - "fleets" + apiVersions: + - "v1" + operations: + - CREATE +--- +# Source: agones/templates/priority-class.yaml +apiVersion: scheduling.k8s.io/v1beta1 +kind: PriorityClass +metadata: + name: agones-system +value: 1000000 +globalDefault: false +description: "This priority class should be used for Agones service pods only." +--- +# Source: agones/templates/extensions.yaml apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: @@ -1638,7 +1683,7 @@ metadata: app: agones chart: agones-1.7.0 release: agones-manual - heritage: Tiller + heritage: Helm webhooks: - name: validations.agones.dev failurePolicy: Fail 
@@ -1676,76 +1721,4 @@ webhooks: - "v1" operations: - CREATE - - UPDATE - ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: agones-mutation-webhook - labels: - component: controller - app: agones - chart: agones-1.7.0 - release: agones-manual - heritage: Tiller -webhooks: - - name: mutations.agones.dev - failurePolicy: Fail - clientConfig: - service: - name: agones-controller-service - namespace: agones-system - path: /mutate - caBundle: 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 - rules: - - apiGroups: - - agones.dev - resources: - - "gameservers" - - "fleets" - apiVersions: - - "v1" - operations: - - CREATE ---- -apiVersion: v1 -kind: Secret -metadata: - name: agones-manual-cert - namespace: agones-system - labels: - app: agones-manual - chart: "agones-1.7.0" - release: "agones-manual" - heritage: "Tiller" -type: Opaque -data: - server.crt: 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 - server.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBemdWVDkwZWp4Tm53Q28vT2pNRDI2ZlU0ZHJrU2Vmd2RRZ3dpYmlmYWw4cms2WTBWCnZPSVYxSCtsUm93ZTA2bVdOdVI1Rk9YRkEwZlhsdnhDS0tZVlFwU1BFSzJZU3loL2FTbkpRTDZxbzhlQVlUSkIKa09ZTEI1Q2J6SXppV2VvUWZPWU44TWxFbjhiWEpkaWVKaEhIOFVueWp0eW9UbHh6aFptWCtwZnRoVWRlYTNWawp6TzIxbjQrUUUzUlg1ZjEzMkZURmN1cVhPVUEvcGk4Y2NBTkdjM3pqTGVaSnZBOW9kUEVoR2Y3Z0M4ZXlBNjhTClZjc2grUGp6MGx3OTVBUHZsTXYxam1xVVJGV2NFU1RMYVEwRng1S3dSeVYwemlabVV2QUFGMlp4RFpoSFVjb0YKUEhBd1RsNzVOQWhuSHBNbExOcDVMN3RjVmR5VDhCMkdScytzbFFJREFRQUJBb0lCQUVvVTVHS1E0alRRNFY0Swo1QXo4L2t5V254MGg0NkQxcFZld29WalcvK1dCVWRzaG5tVnpMc0pndS8rb054V0piN2lCWTRDK05wKzlYNnF0ClB1VDdBNzRUU1hhSDFiR0ErSC9LUk5JQlBiN3k2QmtMUjBSaFZDbitOK2ZQNlR6SHkvSDlqNW03NWU5R1F1c2EKLzVOVTVYN0FSblpVcGppM1Nkc0twZm00VS9LT1YrcDJqV1NQWDdIT0J1L0tZYTFqdmVDdDZKTVBRMzZLQlhrUgpNbFZDa0FEY3ZBQUd1T2JwYS9zbTBNQTYzK2loZGVTWWhrRVhLcXhINEF6M1BWREx3UDgwVDhmNVZxd1dZbW5xCkwvQmc2SG5WNUdIbmxUWEErV2VwTmJIa29rTjlHMEg2bTBJdGo0YWwzYkdUQjRqZUJDSlpwNUZIVzVvYko0cVAKV2tjZlhjRU
NnWUVBOFVJWnZkTlNzU3BSWlZUZTRoaHRYbmNPcHRGVGRvVktJelR1VVZLZktlOU9CNWkzMkI5dQo0aEROcEJEcWtnRWt0ZzRSOC9jbjU3ejZaVWRVQ2NvYmpXUWJKTFhFNXdwN0h0ZjdqQ0duTDJRbUljcDIwcmJGCkhyRTJsSHIwb05yM01MVXJ1QnZBclZCM0xMR21PRWduM05RdzlhSndnLzU0MkVEUzd4NXYzWGtDZ1lFQTJwd0cKSGlHWVhUSmZZTmcvK1NtRHVTRFdGZTRpTVBUUncxVFQ4NXVHRTlVRXJZUFFkOE9xWVFRT2dJQVQ3eHAxejBvcQo2cG1zalBPNkhabmc5b0hLZUFPL0pQZVN1WEUrYko4SFlLcDdXOTI5RitMR0pvcWl0T0xQTW0vOU9vdllEQ3ZoCjYrcURZNUxOUkhkQWVUcXd3STJ5dWdmNFluQmpZNnpJZkJwNUxQMENnWUVBeXJydjVKcVNienVQUUdaTUVKUFUKTzhBeCtLNEh3NTJIeWdQdGl6cXhjc3lidGpoM3JFM2xvR1BjV2RTNU9FMXJxdXd4Mjk5QmtqTXoraTB4Q2pUaQphRExKdUZSaURIKzdMQlQwVlRIbVNpV1BBWEFmM3pza2M0RVl5elp6SUVRLzJaYzBFTGFKZDFvWmV0NGhQa1FyCjh4My9zamw0OFFIQ1RINVVnZ2tDbVlrQ2dZQWZLL3BQVjVrRFNRaUNwYk5Sa3hMZVZnbFE3VGpnNURmNDgyS1oKclFhTVUyYXNXMHhobDN2M0EzNFI0ckYwK2Ivc3cvV2txQzhMbGtGbXNTZDczdndBNnYvWmhKZmVhNEJzT3F6eApvcjJlVnRyOHlmQlpWSkZvMjZLUjNaZ3RQZjJibHJKTFVwQlRwWDR4a2hPV2RjRDRZL3dsUExlMVNiTlNaalBjClJtWWEvUUtCZ1FDNmE3ek5BU1AwQTBxTVBocXlKWmxiZzRGOFdNUnRnSEZmc3kvaUx3ZGlFVUd1Q2hRV1VMa2MKaHpQV3BqRDB6d3JTeFp0eWhTTDBiNlRIbnFUaWluMjNPdnRJTmxWaVptb3M1bVdXMFZlR3NiSG5KdVJhM1RIeQpFalNrU1A0bVI3dEpsSm9rYm9aK2xZTDdnQUJIbjJFUm5Ec3FYOG9FVTZRcERQMXJaaFlTemc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= - ---- -# Source: agones/templates/priority-class.yaml - -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass -metadata: - name: agones-system -value: 1000000 -globalDefault: false -description: "This priority class should be used for Agones service pods only." ---- -# Source: agones/templates/hooks/pre_delete_hook.yaml - - ---- -# Source: agones/templates/hooks/sa.yaml - - ---- -# Source: agones/templates/hooks/scripts.yaml - - ---- -# Source: agones/templates/tests/test-runner.yaml - + - UPDATE From 19b1f16d41c5d1d3b4542f4d80fde012dd4c2efc Mon Sep 17 00:00:00 2001 
From: Nikhil Athreya Date: Fri, 26 Jun 2020 18:21:59 +0000 Subject: [PATCH 21/25] Readded disableMTLS configuration to install.yaml. --- install/yaml/install.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install/yaml/install.yaml b/install/yaml/install.yaml index dc5994728a..164ebeea77 100644 --- a/install/yaml/install.yaml +++ b/install/yaml/install.yaml @@ -1392,6 +1392,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: DISABLE_MTLS + value: "false" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -1574,6 +1576,8 @@ spec: value: "" - name: STACKDRIVER_LABELS value: "" + - name: DISABLE_MTLS + value: "false" - name: POD_NAME valueFrom: fieldRef: From 737a50ed4ea17db8d9e7531c7c7690c708bf39bc Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 18:25:46 +0000 Subject: [PATCH 22/25] Removed duplicate disableMTLS flag in values.yaml --- install/helm/agones/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/install/helm/agones/values.yaml b/install/helm/agones/values.yaml index 28370af588..efc77ef53d 100644 --- a/install/helm/agones/values.yaml +++ b/install/helm/agones/values.yaml @@ -127,7 +127,6 @@ agones: serviceType: LoadBalancer annotations: {} generateTLS: true - disableMTLS: false image: registry: gcr.io/agones-images tag: 1.7.0 From f865947fdc9253d69191990892704124f0767022 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 23:23:21 +0000 Subject: [PATCH 23/25] Still want to keep MTLS for multi-cluster. --- pkg/gameserverallocations/allocator.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/gameserverallocations/allocator.go b/pkg/gameserverallocations/allocator.go index 743c2f3bc0..53b1ff47bd 100644 --- a/pkg/gameserverallocations/allocator.go +++ b/pkg/gameserverallocations/allocator.go 
@@ -366,9 +366,7 @@ func (c *Allocator) allocateFromRemoteCluster(gsa *allocationv1.GameServerAlloca // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func (c *Allocator) createRemoteClusterDialOption(namespace string, connectionInfo *multiclusterv1.ClusterConnectionInfo) (grpc.DialOption, error) { - if c.mTLSDisabled { - return grpc.WithInsecure(), nil - } + // TODO: disableMTLS works for a single cluster; still need to address multi-cluster authnetication here. clientCert, clientKey, caCert, err := c.getClientCertificates(namespace, connectionInfo.SecretName) if err != nil { From fce7043de4cc2040948d8bd0740cf1f59d88f996 Mon Sep 17 00:00:00 2001 From: Nikhil Athreya Date: Fri, 26 Jun 2020 23:25:42 +0000 Subject: [PATCH 24/25] Clarified the comment a bit more. --- pkg/gameserverallocations/allocator.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/gameserverallocations/allocator.go b/pkg/gameserverallocations/allocator.go index 53b1ff47bd..f657fd369d 100644 --- a/pkg/gameserverallocations/allocator.go +++ b/pkg/gameserverallocations/allocator.go @@ -366,7 +366,7 @@ func (c *Allocator) allocateFromRemoteCluster(gsa *allocationv1.GameServerAlloca // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func (c *Allocator) createRemoteClusterDialOption(namespace string, connectionInfo *multiclusterv1.ClusterConnectionInfo) (grpc.DialOption, error) { - // TODO: disableMTLS works for a single cluster; still need to address multi-cluster authnetication here. + // TODO: disableMTLS works for a single cluster; still need to address how the flag interacts with multi-cluster authentication. clientCert, clientKey, caCert, err := c.getClientCertificates(namespace, connectionInfo.SecretName) if err != nil { From 326750cd4903ed218df799206b01b6e557ff28af Mon Sep 17 00:00:00 2001 
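Review bot: The TODO at the top of createRemoteClusterDialOption (added in PATCH 23, reworded in PATCH 24) records an open question but not what the code now does, so a reader cannot tell whether remote-cluster calls are meant to stay mutually authenticated when mTLS is disabled locally. With the `grpc.WithInsecure()` branch removed, the visible lines always go on to load client certificates through `getClientCertificates`, and that is worth stating as the invariant, for example `// Remote-cluster calls always present client certificates; the disableMTLS flag is not consulted here.` If the open question is kept, it would be easier to follow up with an issue reference than as a bare TODO. The function body continues past the end of both hunks, so how the certificates become a dial option is not visible here.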
From: Nikhil Athreya Date: Sat, 27 Jun 2020 00:14:38 +0000 Subject: [PATCH 25/25] Removed mTLS disabling from the game server allocator. --- cmd/allocator/main.go | 2 +- cmd/controller/main.go | 8 +------- install/helm/agones/templates/controller.yaml | 2 -- install/helm/agones/templates/service/allocation.yaml | 2 +- install/helm/agones/values.yaml | 2 +- install/yaml/install.yaml | 2 -- pkg/gameserverallocations/allocator.go | 5 +---- pkg/gameserverallocations/controller.go | 4 +--- pkg/gameserverallocations/controller_test.go | 2 +- 9 files changed, 7 insertions(+), 22 deletions(-) diff --git a/cmd/allocator/main.go b/cmd/allocator/main.go index 9a1b2e2b7c..18d466ad0e 100644 --- a/cmd/allocator/main.go +++ b/cmd/allocator/main.go @@ -177,7 +177,7 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I agonesInformerFactory.Multicluster().V1().GameServerAllocationPolicies(), kubeInformerFactory.Core().V1().Secrets(), kubeClient, - gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health), mTLSDisabled) + gameserverallocations.NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), gsCounter, health)) stop := signals.NewStopChannel() h := serviceHandler{ diff --git a/cmd/controller/main.go b/cmd/controller/main.go index 57fd60e38f..84135de06e 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go @@ -76,7 +76,6 @@ const ( logLevelFlag = "log-level" logSizeLimitMBFlag = "log-size-limit-mb" kubeconfigFlag = "kubeconfig" - mTLSDisabledFlag = "disable-mtls" defaultResync = 30 * time.Second ) 
@@ -210,7 +209,7 @@ func main() { gsSetController := gameserversets.NewController(wh, health, gsCounter, kubeClient, extClient, agonesClient, agonesInformerFactory) fleetController := fleets.NewController(wh, health, kubeClient, extClient, agonesClient, agonesInformerFactory) - gasController := gameserverallocations.NewController(api, health, gsCounter, kubeClient, kubeInformerFactory, agonesClient, agonesInformerFactory, ctlConf.MTLSDisabled) + gasController := gameserverallocations.NewController(api, health, gsCounter, kubeClient, kubeInformerFactory, agonesClient, agonesInformerFactory) fasController := fleetautoscalers.NewController(wh, health, kubeClient, extClient, agonesClient, agonesInformerFactory) @@ -241,7 +240,6 @@ func parseEnvFlags() config { } base := filepath.Dir(exec) - viper.SetDefault(mTLSDisabledFlag, false) viper.SetDefault(sidecarImageFlag, "gcr.io/agones-images/agones-sdk:"+pkg.Version) viper.SetDefault(sidecarCPURequestFlag, "0") viper.SetDefault(sidecarCPULimitFlag, "0") @@ -263,7 +261,6 @@ func parseEnvFlags() config { viper.SetDefault(logLevelFlag, "Info") viper.SetDefault(logSizeLimitMBFlag, 10000) // 10 GB, will be split into 100 MB chunks - pflag.Bool(mTLSDisabledFlag, viper.GetBool(mTLSDisabledFlag), "Flag to enable/disable mTLS for the allocator.") pflag.String(sidecarImageFlag, viper.GetString(sidecarImageFlag), "Flag to overwrite the GameServer sidecar image that is used. Can also use SIDECAR env variable") pflag.String(sidecarCPULimitFlag, viper.GetString(sidecarCPULimitFlag), "Flag to overwrite the GameServer sidecar container's cpu limit. Can also use SIDECAR_CPU_LIMIT env variable") pflag.String(sidecarCPURequestFlag, viper.GetString(sidecarCPURequestFlag), "Flag to overwrite the GameServer sidecar container's cpu request. Can also use SIDECAR_CPU_REQUEST env variable") 
@@ -290,7 +287,6 @@ func parseEnvFlags() config { pflag.Parse() viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_")) - runtime.Must(viper.BindEnv(mTLSDisabledFlag)) runtime.Must(viper.BindEnv(sidecarImageFlag)) runtime.Must(viper.BindEnv(sidecarCPULimitFlag)) runtime.Must(viper.BindEnv(sidecarCPURequestFlag)) @@ -361,7 +357,6 @@ func parseEnvFlags() config { LogLevel: viper.GetString(logLevelFlag), LogSizeLimitMB: int(viper.GetInt32(logSizeLimitMBFlag)), StackdriverLabels: viper.GetString(stackdriverLabels), - MTLSDisabled: viper.GetBool(mTLSDisabledFlag), } } @@ -378,7 +373,6 @@ type config struct { AlwaysPullSidecar bool PrometheusMetrics bool Stackdriver bool - MTLSDisabled bool StackdriverLabels string KeyFile string CertFile string diff --git a/install/helm/agones/templates/controller.yaml b/install/helm/agones/templates/controller.yaml index 00362f0f4b..e4f74e967e 100644 --- a/install/helm/agones/templates/controller.yaml +++ b/install/helm/agones/templates/controller.yaml @@ -120,8 +120,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: DISABLE_MTLS - value: {{ .Values.agones.disableMTLS | quote }} - name: POD_NAMESPACE valueFrom: fieldRef: diff --git a/install/helm/agones/templates/service/allocation.yaml b/install/helm/agones/templates/service/allocation.yaml index 78ce706a8c..c25380ce95 100644 --- a/install/helm/agones/templates/service/allocation.yaml +++ b/install/helm/agones/templates/service/allocation.yaml @@ -119,7 +119,7 @@ spec: - name: STACKDRIVER_LABELS value: {{ .Values.agones.metrics.stackdriverLabels | quote }} - name: DISABLE_MTLS - value: {{ .Values.agones.disableMTLS | quote }} + value: {{ .Values.agones.allocator.disableMTLS | quote }} - name: POD_NAME valueFrom: fieldRef: diff --git a/install/helm/agones/values.yaml b/install/helm/agones/values.yaml index efc77ef53d..d3beb5b25d 100644 --- a/install/helm/agones/values.yaml +++ b/install/helm/agones/values.yaml 
@@ -34,7 +34,6 @@ agones: sdk: agones-sdk createPriorityClass: true priorityClassName: agones-system - disableMTLS: false controller: resources: {} nodeSelector: {} @@ -127,6 +126,7 @@ agones: serviceType: LoadBalancer annotations: {} generateTLS: true + disableMTLS: false image: registry: gcr.io/agones-images tag: 1.7.0 diff --git a/install/yaml/install.yaml b/install/yaml/install.yaml index 164ebeea77..bb9f4e3ece 100644 --- a/install/yaml/install.yaml +++ b/install/yaml/install.yaml @@ -1392,8 +1392,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: DISABLE_MTLS - value: "false" - name: POD_NAMESPACE valueFrom: fieldRef: diff --git a/pkg/gameserverallocations/allocator.go b/pkg/gameserverallocations/allocator.go index f657fd369d..c977f366e6 100644 --- a/pkg/gameserverallocations/allocator.go +++ b/pkg/gameserverallocations/allocator.go @@ -107,7 +107,6 @@ type Allocator struct { readyGameServerCache *ReadyGameServerCache topNGameServerCount int remoteAllocationCallback func(string, grpc.DialOption, *pb.AllocationRequest) (*pb.AllocationResponse, error) - mTLSDisabled bool } // request is an async request for allocation @@ -125,7 +124,7 @@ type response struct { // NewAllocator creates an instance off Allocator func NewAllocator(policyInformer multiclusterinformerv1.GameServerAllocationPolicyInformer, secretInformer informercorev1.SecretInformer, - kubeClient kubernetes.Interface, readyGameServerCache *ReadyGameServerCache, mTLSDisabled bool) *Allocator { + kubeClient kubernetes.Interface, readyGameServerCache *ReadyGameServerCache) *Allocator { ah := &Allocator{ pendingRequests: make(chan request, maxBatchQueue), allocationPolicyLister: policyInformer.Lister(), @@ -144,7 +143,6 @@ func NewAllocator(policyInformer multiclusterinformerv1.GameServerAllocationPoli grpcClient := pb.NewAllocationServiceClient(conn) return grpcClient.Allocate(context.Background(), request) }, - mTLSDisabled: mTLSDisabled, } ah.baseLogger = runtime.NewLoggerWithType(ah) 
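Review bot: `disableMTLS: false` is added in the second values.yaml hunk (@@ -126,6 +126,7) without any comment, directly beside `serviceType: LoadBalancer`, so nothing tells an operator what setting it to true exposes. Going by the template change in service/allocation.yaml, the key sits under `agones.allocator`. In cmd/allocator/main.go earlier in this series, verifyClientCertificate returns nil when mTLS is off, so client certificates would no longer be checked on that endpoint. I would add a comment above the key, for example `# disableMTLS: true skips client-certificate verification on the allocator; enable only when callers are authenticated by another layer.` The enclosing block starts outside the hunk.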
@@ -367,7 +365,6 @@ func (c *Allocator) allocateFromRemoteCluster(gsa *allocationv1.GameServerAlloca // createRemoteClusterDialOption creates a grpc client dial option with proper certs to make a remote call. func (c *Allocator) createRemoteClusterDialOption(namespace string, connectionInfo *multiclusterv1.ClusterConnectionInfo) (grpc.DialOption, error) { // TODO: disableMTLS works for a single cluster; still need to address how the flag interacts with multi-cluster authentication. - clientCert, clientKey, caCert, err := c.getClientCertificates(namespace, connectionInfo.SecretName) if err != nil { return nil, err diff --git a/pkg/gameserverallocations/controller.go b/pkg/gameserverallocations/controller.go index 83fcfac990..546a37287c 100644 --- a/pkg/gameserverallocations/controller.go +++ b/pkg/gameserverallocations/controller.go @@ -58,7 +58,6 @@ func NewController(apiServer *apiserver.APIServer, kubeInformerFactory informers.SharedInformerFactory, agonesClient versioned.Interface, agonesInformerFactory externalversions.SharedInformerFactory, - mTLSDisabled bool, ) *Controller { c := &Controller{ api: apiServer, @@ -66,8 +65,7 @@ func NewController(apiServer *apiserver.APIServer, agonesInformerFactory.Multicluster().V1().GameServerAllocationPolicies(), kubeInformerFactory.Core().V1().Secrets(), kubeClient, - NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), counter, health), - mTLSDisabled), + NewReadyGameServerCache(agonesInformerFactory.Agones().V1().GameServers(), agonesClient.AgonesV1(), counter, health)), } c.baseLogger = runtime.NewLoggerWithType(c) diff --git a/pkg/gameserverallocations/controller_test.go b/pkg/gameserverallocations/controller_test.go index 992112dce2..d801ad5569 100644 --- a/pkg/gameserverallocations/controller_test.go +++ b/pkg/gameserverallocations/controller_test.go 
@@ -1342,7 +1342,7 @@ func newFakeController() (*Controller, agtesting.Mocks) { m.Mux = http.NewServeMux() counter := gameservers.NewPerNodeCounter(m.KubeInformerFactory, m.AgonesInformerFactory) api := apiserver.NewAPIServer(m.Mux) - c := NewController(api, healthcheck.NewHandler(), counter, m.KubeClient, m.KubeInformerFactory, m.AgonesClient, m.AgonesInformerFactory, false) + c := NewController(api, healthcheck.NewHandler(), counter, m.KubeClient, m.KubeInformerFactory, m.AgonesClient, m.AgonesInformerFactory) c.allocator.topNGameServerCount = 1 c.recorder = m.FakeRecorder c.allocator.recorder = m.FakeRecorder