Gateway API: update to v0.4.3, add validating webhook
Updates the version of Gateway API to
v0.4.3 and adds the validating webhook
from that version to Contour's example
YAML files and E2E tests.

Closes #3807.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss committed May 6, 2022
1 parent 93d8020 commit a8cf888
Showing 14 changed files with 810 additions and 41 deletions.
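--- a/Makefile
+++ b/Makefile
@@ -182,10 +182,12 @@ lint-golint:
 @echo Running Go linter ...
 @./hack/golangci-lint run --build-tags=e2e
 
+# The inline config is needed to allow the Gateway API validating webhook YAML
+# (which we import directly from the Gateway API repo) to pass.
 .PHONY: lint-yamllint
 lint-yamllint:
 @echo Running YAML linter ...
-@./hack/yamllint examples/ site/content/examples/ ./versions.yaml
+@./hack/yamllint -d "{rules: {brackets: {max-spaces-inside: 1}, commas: {max-spaces-before: 1}}}" examples/ site/content/examples/ ./versions.yaml
 
 # Check that CLI flags are formatted consistently. We are checking
 # for calls to Kingpin Flags() and Command() APIs where the 2nd
@@ -205,7 +207,7 @@ lint-flags:
 
 .PHONY: generate
 generate: ## Re-generate generated code and documentation
-generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-crd-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go
+generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go
 
 .PHONY: generate-rbac
 generate-rbac:
@@ -230,10 +232,14 @@ generate-crd-yaml:
 @echo "Generating Contour CRD YAML documents..."
 @./hack/generate-crd-yaml.sh
 
-.PHONY: generate-gateway-crd-yaml
-generate-gateway-crd-yaml:
+.PHONY: generate-gateway-yaml
+generate-gateway-yaml:
 @echo "Generating Gateway API CRD YAML documents..."
 @kubectl kustomize -o examples/gateway/00-crds.yaml "github.com/kubernetes-sigs/gateway-api/config/crd?ref=${GATEWAY_API_VERSION}"
+@echo "Generating Gateway API webhook documents..."
+@curl -s -o examples/gateway/01-admission_webhook.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/admission_webhook.yaml
+@curl -s -o examples/gateway/02-certificate_config.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/certificate_config.yaml
 
+
 .PHONY: generate-api-docs
 generate-api-docs: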
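Review bot: The two new `curl -s -o` lines in generate-gateway-yaml fetch the webhook manifests without `-f`, so an HTTP 404 or 5xx from raw.githubusercontent.com (for example a mistyped GATEWAY_API_VERSION or a moved upstream path) writes the error page into examples/gateway/01-admission_webhook.yaml and 02-certificate_config.yaml while the recipe still exits 0, and `-s` hides the failure. Suggest `@curl -sSfL -o examples/gateway/01-admission_webhook.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/admission_webhook.yaml` and the same flags on the certificate_config line so a bad response fails the build. Because these files are applied by users exactly as fetched, it is also worth having CI diff the regenerated files against the committed ones so any upstream change at the pinned tag shows up in review rather than silently.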
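--- a/changelogs/unreleased/4489-skriss-small.md
+++ b/changelogs/unreleased/4489-skriss-small.md
@@ -0,0 +1 @@
+Updates Gateway API to v0.4.3 and adds the Gateway API validating webhook to Contour's Gateway API example YAML.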
98 changes: 98 additions & 0 deletions examples/gateway/01-admission_webhook.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
apiVersion: v1
kind: Namespace
metadata:
name: gateway-api
labels:
name: gateway-api
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: gateway-api-admission
webhooks:
- name: validate.gateway.networking.k8s.io
matchPolicy: Equivalent
rules:
- operations: [ "CREATE" , "UPDATE" ]
apiGroups: [ "networking.x-k8s.io" ]
apiVersions: [ "v1alpha1" ]
resources: [ "gateways", "gatewayclasses", "httproutes" ]
- operations: [ "CREATE" , "UPDATE" ]
apiGroups: [ "gateway.networking.k8s.io" ]
apiVersions: [ "v1alpha2" ]
resources: [ "gateways", "gatewayclasses", "httproutes" ]
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
clientConfig:
service:
name: gateway-api-admission-server
namespace: gateway-api
path: "/validate"
---
apiVersion: v1
kind: Service
metadata:
labels:
name: gateway-api-webhook-server
version: 0.0.1
name: gateway-api-admission-server
namespace: gateway-api
spec:
type: ClusterIP
ports:
- name: https-webhook
port: 443
targetPort: 8443
selector:
name: gateway-api-admission-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gateway-api-admission-server
namespace: gateway-api
labels:
name: gateway-api-admission-server
spec:
replicas: 1
selector:
matchLabels:
name: gateway-api-admission-server
template:
metadata:
name: gateway-api-admission-server
labels:
name: gateway-api-admission-server
spec:
containers:
- name: webhook
image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3
imagePullPolicy: Always
args:
- -logtostderr
- --tlsCertFile=/etc/certs/cert
- --tlsKeyFile=/etc/certs/key
- -v=10
- 2>&1
ports:
- containerPort: 8443
name: webhook
resources:
limits:
memory: 50Mi
cpu: 100m
requests:
memory: 50Mi
cpu: 100m
volumeMounts:
- name: webhook-certs
mountPath: /etc/certs
readOnly: true
securityContext:
readOnlyRootFilesystem: true
volumes:
- name: webhook-certs
secret:
secretName: gateway-api-admission
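Review bot: The admission-server container's `securityContext` in the Deployment sets only `readOnlyRootFilesystem: true`, whereas the certgen Jobs in 02-certificate_config.yaml run with `runAsNonRoot: true`; the webhook is the component that every Gateway API create/update passes through, so it should carry at least `runAsNonRoot: true` and `allowPrivilegeEscalation: false` as well. `image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3` with `imagePullPolicy: Always` re-pulls a staging-registry tag on every pod start, and combined with `failurePolicy: Fail` and `replicas: 1` a single pull failure blocks all Gateway API writes until the pod recovers, so a digest pin or a release registry would make the example less fragile. The `- 2>&1` entry under `args` is handed to the binary as a literal argument rather than a shell redirect and can be dropped, as can `-v=10`, which is unusually verbose for an example manifest. Since the Makefile imports this file verbatim from upstream, these changes are best applied as a kustomize patch or raised upstream rather than hand-edited here.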
152 changes: 152 additions & 0 deletions examples/gateway/02-certificate_config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
apiVersion: v1
kind: Namespace
metadata:
name: gateway-api
labels:
name: gateway-api
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gateway-api-admission
labels:
name: gateway-api-webhook
namespace: gateway-api
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gateway-api-admission
labels:
name: gateway-api
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gateway-api-admission
annotations:
labels:
name: gateway-api-webhook
namespace: gateway-api
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gateway-api-admission
subjects:
- kind: ServiceAccount
name: gateway-api-admission
namespace: gateway-api
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gateway-api-admission
annotations:
labels:
name: gateway-api-webhook
namespace: gateway-api
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: gateway-api-admission
annotations:
labels:
name: gateway-api-webhook
namespace: gateway-api
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gateway-api-admission
subjects:
- kind: ServiceAccount
name: gateway-api-admission
namespace: gateway-api
---
apiVersion: batch/v1
kind: Job
metadata:
name: gateway-api-admission
annotations:
labels:
name: gateway-api-webhook
namespace: gateway-api
spec:
template:
metadata:
name: gateway-api-admission-create
labels:
name: gateway-api-webhook
spec:
containers:
- name: create
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
imagePullPolicy: IfNotPresent
args:
- create
- --host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc
- --namespace=gateway-api
- --secret-name=gateway-api-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: OnFailure
serviceAccountName: gateway-api-admission
securityContext:
runAsNonRoot: true
runAsUser: 2000
---
apiVersion: batch/v1
kind: Job
metadata:
name: gateway-api-admission-patch
labels:
name: gateway-api-webhook
namespace: gateway-api
spec:
template:
metadata:
name: gateway-api-admission-patch
labels:
name: gateway-api-webhook
spec:
containers:
- name: patch
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
imagePullPolicy: IfNotPresent
args:
- patch
- --webhook-name=gateway-api-admission
- --namespace=gateway-api
- --patch-mutating=false
- --patch-validating=true
- --secret-name=gateway-api-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: OnFailure
serviceAccountName: gateway-api-admission
securityContext:
runAsNonRoot: true
runAsUser: 2000
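Review bot: The ClusterRole `gateway-api-admission` grants `get` and `update` on every `validatingwebhookconfigurations` object in the cluster, but the patch Job only touches `--webhook-name=gateway-api-admission`; a ServiceAccount that can update any ValidatingWebhookConfiguration can disable or redirect other admission policies cluster-wide, so the rule should be scoped with `resourceNames: ["gateway-api-admission"]` (valid for `get` and `update`, the only verbs listed). The Role on `secrets` in the gateway-api namespace is likewise unscoped; `create` cannot be restricted by resourceNames, but the `get` verb can be split into its own rule limited to `gateway-api-admission`. The bare `annotations:` keys on the ClusterRoleBinding, Role, RoleBinding and first Job parse as null and should be removed rather than left empty. As with 01-admission_webhook.yaml this file is imported verbatim, so the tightening is best carried as a kustomize patch or an upstream change.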
File renamed without changes.
File renamed without changes.