From a8cf888e3c61aa9b7c85d0817c173732ba9b988e Mon Sep 17 00:00:00 2001 From: Steve Kriss Date: Mon, 2 May 2022 21:38:45 +0000 Subject: [PATCH] Gateway API: update to v0.4.3, add validating webhook Updates the version of Gateway API to v0.4.3 and adds the validating webhook from that version to Contour's example YAML files and E2E tests. Closes #3807. Signed-off-by: Steve Kriss --- Makefile | 14 +- changelogs/unreleased/4489-skriss-small.md | 1 + examples/gateway/01-admission_webhook.yaml | 98 +++++++ examples/gateway/02-certificate_config.yaml | 152 ++++++++++ ...gatewayclass.yaml => 03-gatewayclass.yaml} | 0 .../{02-gateway.yaml => 04-gateway.yaml} | 0 .../render/contour-gateway-provisioner.yaml | 256 +++++++++++++++++ examples/render/contour-gateway.yaml | 260 +++++++++++++++++- go.mod | 2 +- go.sum | 4 +- hack/generate-gateway-deployment.sh | 18 +- hack/generate-provisioner-deployment.sh | 14 +- test/e2e/gateway/invalid_forward_to_test.go | 27 -- test/scripts/make-kind-cluster.sh | 5 +- 14 files changed, 810 insertions(+), 41 deletions(-) create mode 100644 changelogs/unreleased/4489-skriss-small.md create mode 100644 examples/gateway/01-admission_webhook.yaml create mode 100644 examples/gateway/02-certificate_config.yaml rename examples/gateway/{01-gatewayclass.yaml => 03-gatewayclass.yaml} (100%) rename examples/gateway/{02-gateway.yaml => 04-gateway.yaml} (100%) diff --git a/Makefile b/Makefile index d1f910ec734..af16b723d73 100644 --- a/Makefile +++ b/Makefile 
@@ -182,10 +182,12 @@ lint-golint: @echo Running Go linter ... @./hack/golangci-lint run --build-tags=e2e +# The inline config is needed to allow the Gateway API validating webhook YAML +# (which we import directly from the Gateway API repo) to pass. .PHONY: lint-yamllint lint-yamllint: @echo Running YAML linter ... - @./hack/yamllint examples/ site/content/examples/ ./versions.yaml + @./hack/yamllint -d "{rules: {brackets: {max-spaces-inside: 1}, commas: {max-spaces-before: 1}}}" examples/ site/content/examples/ ./versions.yaml # Check that CLI flags are formatted consistently. We are checking # for calls to Kingpin Flags() and Command() APIs where the 2nd @@ -205,7 +207,7 @@ lint-flags: .PHONY: generate generate: ## Re-generate generated code and documentation -generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-crd-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go +generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go .PHONY: generate-rbac generate-rbac: 
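Review bot: The inline `-d` config added to the yamllint line in `lint-yamllint` has no `extends: default`, and as far as I know yamllint then applies only the rules named in that config, so every other check (and any repo-level yamllint config file) may stop running for `examples/`, `site/content/examples/` and `versions.yaml`. Unless `./hack/yamllint` supplies a base config itself, write it as `-d "{extends: default, rules: {brackets: {max-spaces-inside: 1}, commas: {max-spaces-before: 1}}}"`. The relaxation also applies to all YAML in those trees, not only the two imported webhook files. A separate invocation limited to those two files would keep the hand-written manifests on the strict rules.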
@@ -230,10 +232,14 @@ generate-crd-yaml: @echo "Generating Contour CRD YAML documents..." @./hack/generate-crd-yaml.sh -.PHONY: generate-gateway-crd-yaml -generate-gateway-crd-yaml: +.PHONY: generate-gateway-yaml +generate-gateway-yaml: @echo "Generating Gateway API CRD YAML documents..." @kubectl kustomize -o examples/gateway/00-crds.yaml "github.com/kubernetes-sigs/gateway-api/config/crd?ref=${GATEWAY_API_VERSION}" + @echo "Generating Gateway API webhook documents..." + @curl -s -o examples/gateway/01-admission_webhook.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/admission_webhook.yaml + @curl -s -o examples/gateway/02-certificate_config.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/certificate_config.yaml + .PHONY: generate-api-docs generate-api-docs: diff --git a/changelogs/unreleased/4489-skriss-small.md b/changelogs/unreleased/4489-skriss-small.md new file mode 100644 index 00000000000..daff122b63f --- /dev/null +++ b/changelogs/unreleased/4489-skriss-small.md @@ -0,0 +1 @@ +Updates Gateway API to v0.4.3 and adds the Gateway API validating webhook to Contour's Gateway API example YAML. diff --git a/examples/gateway/01-admission_webhook.yaml b/examples/gateway/01-admission_webhook.yaml new file mode 100644 index 00000000000..c77a7324e49 --- /dev/null +++ b/examples/gateway/01-admission_webhook.yaml 
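Review bot: The two `curl -s -o` lines added to `generate-gateway-yaml` write whatever the server returns, so an HTTP error body silently becomes `01-admission_webhook.yaml` or `02-certificate_config.yaml` and the recipe still succeeds. Replace `-s` with `-fsS` so that a failed download fails the target. These files install a cluster-wide admission webhook and RBAC, and they are fetched by `${GATEWAY_API_VERSION}`, which is presumably a tag and so can be moved upstream. A comment such as `# Imported manifests grant cluster-scoped RBAC; review the resulting diff on every regeneration.` would make that expectation explicit, or the download could be checked against a recorded SHA-256.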
@@ -0,0 +1,98 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: gateway-api-admission +webhooks: + - name: validate.gateway.networking.k8s.io + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "networking.x-k8s.io" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "gateway.networking.k8s.io" ] + apiVersions: [ "v1alpha2" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: gateway-api-admission-server + namespace: gateway-api + path: "/validate" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: gateway-api-webhook-server + version: 0.0.1 + name: gateway-api-admission-server + namespace: gateway-api +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + name: gateway-api-admission-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gateway-api-admission-server + namespace: gateway-api + labels: + name: gateway-api-admission-server +spec: + replicas: 1 + selector: + matchLabels: + name: gateway-api-admission-server + template: + metadata: + name: gateway-api-admission-server + labels: + name: gateway-api-admission-server + spec: + containers: + - name: webhook + image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3 + imagePullPolicy: Always + args: + - -logtostderr + - --tlsCertFile=/etc/certs/cert + - --tlsKeyFile=/etc/certs/key + - -v=10 + - 2>&1 + ports: + - containerPort: 8443 + name: webhook + resources: + limits: + memory: 50Mi + cpu: 100m + requests: + memory: 50Mi + cpu: 100m + volumeMounts: + - name: webhook-certs + mountPath: /etc/certs + readOnly: true + 
securityContext: + readOnlyRootFilesystem: true + volumes: + - name: webhook-certs + secret: + secretName: gateway-api-admission diff --git a/examples/gateway/02-certificate_config.yaml b/examples/gateway/02-certificate_config.yaml new file mode 100644 index 00000000000..9e8dac65921 --- /dev/null +++ b/examples/gateway/02-certificate_config.yaml 
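Review bot: The `webhook` container in the Deployment uses `gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3` with `imagePullPolicy: Always`, so a staging-registry tag is re-resolved on every pod start, and the pod that decides admission for Gateway resources under `failurePolicy: Fail` can change content without any change to this manifest. Pinning it as `image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3@sha256:<digest-placeholder>` would fix what runs. The container `securityContext` sets only `readOnlyRootFilesystem: true`; if the image supports it, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` should be added, as the certgen Jobs in `02-certificate_config.yaml` already set `runAsNonRoot`. The `- 2>&1` entry in `args` is passed to the binary as a literal argument because no shell is involved, and `-v=10` is maximum verbosity for a component that sees every admitted object. The file is imported from the Gateway API repository, so these changes belong upstream or in a local overlay.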
@@ -0,0 +1,152 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-api-admission + labels: + name: gateway-api-webhook + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gateway-api-admission + labels: + name: gateway-api +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-create + labels: + name: gateway-api-webhook + spec: + containers: + - name: create + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - create + - 
--host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc + - --namespace=gateway-api + - --secret-name=gateway-api-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + spec: + containers: + - name: patch + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=gateway-api-admission + - --namespace=gateway-api + - --patch-mutating=false + - --patch-validating=true + - --secret-name=gateway-api-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 diff --git a/examples/gateway/01-gatewayclass.yaml b/examples/gateway/03-gatewayclass.yaml similarity index 100% rename from examples/gateway/01-gatewayclass.yaml rename to examples/gateway/03-gatewayclass.yaml diff --git a/examples/gateway/02-gateway.yaml b/examples/gateway/04-gateway.yaml similarity index 100% rename from examples/gateway/02-gateway.yaml rename to examples/gateway/04-gateway.yaml diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 1bf74ceedf3..de5a5430eec 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
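Review bot: The `gateway-api-admission` ClusterRole grants `get` and `update` on every `validatingwebhookconfigurations` object in the cluster, although the patch Job only targets `--webhook-name=gateway-api-admission`. Adding `resourceNames: ["gateway-api-admission"]` to that rule would prevent the service account from rewriting other admission webhooks. The service account, its bindings and the finished Jobs stay in place after the certificate is issued, because nothing in the hunk sets `ttlSecondsAfterFinished` or otherwise cleans them up. The manifest is imported from the Gateway API repository, so the restriction belongs upstream or in a local overlay.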
@@ -4,6 +4,8 @@ # Generated from: # examples/contour/01-crds.yaml # examples/gateway/00-crds.yaml +# examples/gateway/01-admission_webhook.yaml +# examples/gateway/02-certificate_config.yaml # examples/gateway-provisioner/00-common.yaml # examples/gateway-provisioner/01-roles.yaml # examples/gateway-provisioner/02-rolebindings.yaml 
@@ -8281,6 +8283,260 @@ status: conditions: [] storedVersions: [] +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: gateway-api-admission +webhooks: + - name: validate.gateway.networking.k8s.io + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "networking.x-k8s.io" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "gateway.networking.k8s.io" ] + apiVersions: [ "v1alpha2" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: gateway-api-admission-server + namespace: gateway-api + path: "/validate" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: gateway-api-webhook-server + version: 0.0.1 + name: gateway-api-admission-server + namespace: gateway-api +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + name: gateway-api-admission-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gateway-api-admission-server + namespace: gateway-api + labels: + name: gateway-api-admission-server +spec: + replicas: 1 + selector: + matchLabels: + name: gateway-api-admission-server + template: + metadata: + name: gateway-api-admission-server + labels: + name: gateway-api-admission-server + spec: + containers: + - name: webhook + image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3 + imagePullPolicy: Always + args: + - -logtostderr + - --tlsCertFile=/etc/certs/cert + - --tlsKeyFile=/etc/certs/key + - -v=10 + - 2>&1 + ports: + - containerPort: 8443 + name: webhook + resources: + limits: + memory: 50Mi + cpu: 100m + requests: + memory: 50Mi + cpu: 100m + volumeMounts: + - name: webhook-certs + 
mountPath: /etc/certs + readOnly: true + securityContext: + readOnlyRootFilesystem: true + volumes: + - name: webhook-certs + secret: + secretName: gateway-api-admission + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-api-admission + labels: + name: gateway-api-webhook + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gateway-api-admission + labels: + name: gateway-api +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-create + labels: + name: gateway-api-webhook + spec: + containers: + - name: create 
+ image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - create + - --host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc + - --namespace=gateway-api + - --secret-name=gateway-api-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + spec: + containers: + - name: patch + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=gateway-api-admission + - --namespace=gateway-api + - --patch-mutating=false + - --patch-validating=true + - --secret-name=gateway-api-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 + --- apiVersion: v1 kind: Namespace diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index c912ef2fad1..7dbb2cecf6a 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -13,8 +13,10 @@ # examples/contour/03-contour.yaml # examples/contour/03-envoy.yaml # examples/gateway/00-crds.yaml -# examples/gateway/01-gatewayclass.yaml -# examples/gateway/02-gateway.yaml +# examples/gateway/01-admission_webhook.yaml +# examples/gateway/02-certificate_config.yaml +# examples/gateway/03-gatewayclass.yaml +# examples/gateway/04-gateway.yaml --- apiVersion: v1 
@@ -8973,6 +8975,260 @@ status: conditions: [] storedVersions: [] +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: gateway-api-admission +webhooks: + - name: validate.gateway.networking.k8s.io + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "networking.x-k8s.io" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "gateway.networking.k8s.io" ] + apiVersions: [ "v1alpha2" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: gateway-api-admission-server + namespace: gateway-api + path: "/validate" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: gateway-api-webhook-server + version: 0.0.1 + name: gateway-api-admission-server + namespace: gateway-api +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + name: gateway-api-admission-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gateway-api-admission-server + namespace: gateway-api + labels: + name: gateway-api-admission-server +spec: + replicas: 1 + selector: + matchLabels: + name: gateway-api-admission-server + template: + metadata: + name: gateway-api-admission-server + labels: + name: gateway-api-admission-server + spec: + containers: + - name: webhook + image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3 + imagePullPolicy: Always + args: + - -logtostderr + - --tlsCertFile=/etc/certs/cert + - --tlsKeyFile=/etc/certs/key + - -v=10 + - 2>&1 + ports: + - containerPort: 8443 + name: webhook + resources: + limits: + memory: 50Mi + cpu: 100m + requests: + memory: 50Mi + cpu: 100m + volumeMounts: + - name: webhook-certs + 
mountPath: /etc/certs + readOnly: true + securityContext: + readOnlyRootFilesystem: true + volumes: + - name: webhook-certs + secret: + secretName: gateway-api-admission + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-api-admission + labels: + name: gateway-api-webhook + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gateway-api-admission + labels: + name: gateway-api +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-create + labels: + name: gateway-api-webhook + spec: + containers: + - name: create 
+ image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - create + - --host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc + - --namespace=gateway-api + - --secret-name=gateway-api-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + spec: + containers: + - name: patch + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=gateway-api-admission + - --namespace=gateway-api + - --patch-mutating=false + - --patch-validating=true + - --secret-name=gateway-api-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 + --- kind: GatewayClass apiVersion: gateway.networking.k8s.io/v1alpha2 diff --git a/go.mod b/go.mod index 127d41ed078..bb77ef5048c 100644 --- a/go.mod +++ b/go.mod @@ -39,6 +39,6 @@ require ( k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b sigs.k8s.io/controller-runtime v0.11.0 sigs.k8s.io/controller-tools v0.6.2 - sigs.k8s.io/gateway-api v0.4.1 + sigs.k8s.io/gateway-api v0.4.3 sigs.k8s.io/kustomize/kyaml v0.10.17 ) diff --git a/go.sum b/go.sum index fa78e92498c..5d2db169758 100644 --- a/go.sum +++ b/go.sum 
@@ -1953,8 +1953,8 @@ sigs.k8s.io/controller-tools v0.6.0/go.mod h1:baRMVPrctU77F+rfAuH2uPqW93k6yQnZA2 sigs.k8s.io/controller-tools v0.6.2 h1:+Y8L0UsAugDipGRw8lrkPoAi6XqlQVZuf1DQHME3PgU= sigs.k8s.io/controller-tools v0.6.2/go.mod h1:oaeGpjXn6+ZSEIQkUe/+3I40PNiDYp9aeawbt3xTgJ8= sigs.k8s.io/gateway-api v0.3.0/go.mod h1:Wb8bx7QhGVZxOSEU3i9vw/JqTB5Nlai9MLMYVZeDmRQ= -sigs.k8s.io/gateway-api v0.4.1 h1:Tof9/PNSZXyfDuTTe1XFvaTlvBRE6bKq1kmV6jj6rQE= -sigs.k8s.io/gateway-api v0.4.1/go.mod h1:r3eiNP+0el+NTLwaTfOrCNXy8TukC+dIM3ggc+fbNWk= +sigs.k8s.io/gateway-api v0.4.3 h1:9kdHAcfkyP7jVMSFshc8EYEKNLlFM7hbZL8vCKcMwps= +sigs.k8s.io/gateway-api v0.4.3/go.mod h1:r3eiNP+0el+NTLwaTfOrCNXy8TukC+dIM3ggc+fbNWk= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/kustomize/api v0.8.5/go.mod h1:M377apnKT5ZHJS++6H4rQoCHmWtt6qTpp3mbe7p6OLY= diff --git a/hack/generate-gateway-deployment.sh b/hack/generate-gateway-deployment.sh index ce2f39afbae..d0976d29850 100755 --- a/hack/generate-gateway-deployment.sh +++ b/hack/generate-gateway-deployment.sh @@ -48,10 +48,22 @@ done for y in "${REPO}/examples/gateway/"*.yaml ; do echo # Ensure we have at least one newline between joined fragments. + + # Since the Gateway YAMLs are pulled from the Gateway API repo, the manifests do not start with "---". case $y in - */00-crds.yaml) - # Since the Gateway CRDs are generated, the manifest does not start with "---". - echo "---" + */00-crds.yaml) + echo "---" + ;; + + */01-admission_webhook.yaml) + echo "---" + ;; + + */02-certificate_config.yaml) + echo "---" + ;; + esac + cat "$y" done diff --git a/hack/generate-provisioner-deployment.sh b/hack/generate-provisioner-deployment.sh index c44ffbcb6db..47ffd60ca9c 100755 --- a/hack/generate-provisioner-deployment.sh +++ b/hack/generate-provisioner-deployment.sh 
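Review bot: The three `case` arms added in `hack/generate-gateway-deployment.sh` all run the same `echo "---"`, and the `@@ -36,10 +38,20 @@` hunk of `hack/generate-provisioner-deployment.sh` repeats the same three-arm block. A single arm with alternatives is easier to keep in step when another imported file is added: `*/00-crds.yaml|*/01-admission_webhook.yaml|*/02-certificate_config.yaml) echo "---" ;;` (with the `*/gateway/` prefix in the provisioner script). The comment above the `case` could also say that the separator is added only for files imported from upstream, so a future hand-written manifest is not given a second `---`.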
@@ -14,6 +14,8 @@ exec > >(git stripspace >"$TARGET") # FILES defines the set of source files to render together. readonly FILES="examples/contour/01-crds.yaml examples/gateway/00-crds.yaml +examples/gateway/01-admission_webhook.yaml +examples/gateway/02-certificate_config.yaml examples/gateway-provisioner/*.yaml" # Write file header listing individual files used. @@ -36,10 +38,20 @@ for y in $FILES ; do # Ensure we have at least one newline between joined fragments. echo - # Since the Gateway CRDs are generated, the manifest does not start with "---", so insert it. + # Since the Gateway YAMLs are pulled from the Gateway API repo, the manifests do not start with "---". case $y in */gateway/00-crds.yaml) echo "---" + ;; + + */gateway/01-admission_webhook.yaml) + echo "---" + ;; + + */gateway/02-certificate_config.yaml) + echo "---" + ;; + esac # Write the file contents. diff --git a/test/e2e/gateway/invalid_forward_to_test.go b/test/e2e/gateway/invalid_forward_to_test.go index 2c737d4acfc..31595f504b6 100644 --- a/test/e2e/gateway/invalid_forward_to_test.go +++ b/test/e2e/gateway/invalid_forward_to_test.go @@ -63,28 +63,6 @@ func testInvalidForwardTo(namespace string) { }, }, }, - - { - Matches: []gatewayapi_v1alpha2.HTTPRouteMatch{ - { - Path: &gatewayapi_v1alpha2.HTTPPathMatch{ - Type: gatewayapi.PathMatchTypePtr(gatewayapi_v1alpha2.PathMatchPathPrefix), - Value: pointer.StringPtr("/invalidport"), - }, - }, - }, - BackendRefs: []gatewayapi_v1alpha2.HTTPBackendRef{ - { - BackendRef: gatewayapi_v1alpha2.BackendRef{ - BackendObjectReference: gatewayapi_v1alpha2.BackendObjectReference{ - Kind: gatewayapi.KindPtr("Service"), - Name: "echo-slash-default", - }, - }, - }, - }, - }, - { Matches: []gatewayapi_v1alpha2.HTTPRouteMatch{ { @@ -106,7 +84,6 @@ func testInvalidForwardTo(namespace string) { }, }, }, - { Matches: []gatewayapi_v1alpha2.HTTPRouteMatch{ { 
@@ -170,10 +147,6 @@ func testInvalidForwardTo(namespace string) { path: "/invalidref", expectResponse: 503, }, - { - path: "/invalidport", - expectResponse: 503, - }, { path: "/invalidservicename", expectResponse: 503, diff --git a/test/scripts/make-kind-cluster.sh b/test/scripts/make-kind-cluster.sh index 0a13db1fa06..2b01e23dce8 100755 --- a/test/scripts/make-kind-cluster.sh +++ b/test/scripts/make-kind-cluster.sh @@ -115,8 +115,11 @@ ${KUBECTL} apply -f https://github.com/jetstack/cert-manager/releases/download/v ${KUBECTL} wait --timeout="${WAITTIME}" -n cert-manager -l app=cert-manager deployments --for=condition=Available ${KUBECTL} wait --timeout="${WAITTIME}" -n cert-manager -l app=webhook deployments --for=condition=Available -# Install Gateway API CRDs. +# Install Gateway API CRDs and webhook. ${KUBECTL} apply -f "${REPO}/examples/gateway/00-crds.yaml" +${KUBECTL} apply -f "${REPO}/examples/gateway/01-admission_webhook.yaml" +${KUBECTL} apply -f "${REPO}/examples/gateway/02-certificate_config.yaml" +${KUBECTL} wait --timeout="${WAITTIME}" -n gateway-api deployment/gateway-api-admission-server --for=condition=Available # Install Contour CRDs. ${KUBECTL} apply -f "${REPO}/examples/contour/01-crds.yaml"
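Review bot: The `wait` added in `make-kind-cluster.sh` covers only `deployment/gateway-api-admission-server`, not the `gateway-api-admission-patch` Job from `02-certificate_config.yaml`, which appears to be what writes the CA bundle into the `ValidatingWebhookConfiguration`. Because that webhook is registered with `failurePolicy: Fail`, Gateway API objects created before the patch completes could be rejected, which would surface as intermittent E2E setup failures. Consider adding `${KUBECTL} wait --timeout="${WAITTIME}" -n gateway-api job/gateway-api-admission-patch --for=condition=Complete` after the deployment wait.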