Gateway API: update to v0.4.3, add validating webhook

Makefile

@@ -182,10 +182,12 @@ lint-golint:
 	@echo Running Go linter ...
 	@./hack/golangci-lint run --build-tags=e2e
 
+# The inline config is needed to allow the Gateway API validating webhook YAML
+# (which we import directly from the Gateway API repo) to pass.
 .PHONY: lint-yamllint
 lint-yamllint:
 	@echo Running YAML linter ...
-	@./hack/yamllint examples/ site/content/examples/ ./versions.yaml
+	@./hack/yamllint -d "{rules: {brackets: {max-spaces-inside: 1}, commas: {max-spaces-before: 1}}}" examples/ site/content/examples/ ./versions.yaml
 
 # Check that CLI flags are formatted consistently. We are checking
 # for calls to Kingpin Flags() and Command() APIs where the 2nd
@@ -205,7 +207,7 @@ lint-flags:
 
 .PHONY: generate
 generate: ## Re-generate generated code and documentation
-generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-crd-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go
+generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go
 
 .PHONY: generate-rbac
 generate-rbac:
@@ -230,10 +232,14 @@ generate-crd-yaml:
 	@echo "Generating Contour CRD YAML documents..."
 	@./hack/generate-crd-yaml.sh
 
-.PHONY: generate-gateway-crd-yaml
-generate-gateway-crd-yaml:
+.PHONY: generate-gateway-yaml
+generate-gateway-yaml:
 	@echo "Generating Gateway API CRD YAML documents..."
 	@kubectl kustomize -o examples/gateway/00-crds.yaml "github.com/kubernetes-sigs/gateway-api/config/crd?ref=${GATEWAY_API_VERSION}"
+	@echo "Generating Gateway API webhook documents..."
+	@curl -s -o examples/gateway/01-admission_webhook.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/admission_webhook.yaml
+	@curl -s -o examples/gateway/02-certificate_config.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/certificate_config.yaml
+
 
 .PHONY: generate-api-docs
 generate-api-docs:

changelogs/unreleased/4489-skriss-small.md

@@ -0,0 +1 @@
+Updates Gateway API to v0.4.3 and adds the Gateway API validating webhook to Contour's Gateway API example YAML.

examples/gateway/01-admission_webhook.yaml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-api
+  labels:
+    name: gateway-api
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: gateway-api-admission
+webhooks:
+  - name: validate.gateway.networking.k8s.io
+    matchPolicy: Equivalent
+    rules:
+      - operations: [ "CREATE" , "UPDATE" ]
+        apiGroups: [ "networking.x-k8s.io" ]
+        apiVersions: [ "v1alpha1" ]
+        resources: [ "gateways", "gatewayclasses", "httproutes" ]
+      - operations: [ "CREATE" , "UPDATE" ]
+        apiGroups: [ "gateway.networking.k8s.io" ]
+        apiVersions: [ "v1alpha2" ]
+        resources: [ "gateways", "gatewayclasses", "httproutes" ]
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: gateway-api-admission-server
+        namespace: gateway-api
+        path: "/validate"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    name: gateway-api-webhook-server
+    version: 0.0.1
+  name: gateway-api-admission-server
+  namespace: gateway-api
+spec:
+  type: ClusterIP
+  ports:
+    - name: https-webhook
+      port: 443
+      targetPort: 8443
+  selector:
+    name: gateway-api-admission-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gateway-api-admission-server
+  namespace: gateway-api
+  labels:
+    name: gateway-api-admission-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: gateway-api-admission-server
+  template:
+    metadata:
+      name: gateway-api-admission-server
+      labels:
+        name: gateway-api-admission-server
+    spec:
+      containers:
+        - name: webhook
+          image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3
+          imagePullPolicy: Always
+          args:
+            - -logtostderr
+            - --tlsCertFile=/etc/certs/cert
+            - --tlsKeyFile=/etc/certs/key
+            - -v=10
+            - 2>&1
+          ports:
+            - containerPort: 8443
+              name: webhook
+          resources:
+            limits:
+              memory: 50Mi
+              cpu: 100m
+            requests:
+              memory: 50Mi
+              cpu: 100m
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/certs
+              readOnly: true
+          securityContext:
+            readOnlyRootFilesystem: true
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: gateway-api-admission

examples/gateway/02-certificate_config.yaml

@@ -0,0 +1,152 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-api
+  labels:
+    name: gateway-api
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gateway-api-admission
+  labels:
+    name: gateway-api-webhook
+  namespace: gateway-api
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gateway-api-admission
+  labels:
+    name: gateway-api
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gateway-api-admission
+  annotations:
+  labels:
+    name: gateway-api-webhook
+  namespace: gateway-api
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gateway-api-admission
+subjects:
+  - kind: ServiceAccount
+    name: gateway-api-admission
+    namespace: gateway-api
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gateway-api-admission
+  annotations:
+  labels:
+    name: gateway-api-webhook
+  namespace: gateway-api
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gateway-api-admission
+  annotations:
+  labels:
+    name: gateway-api-webhook
+  namespace: gateway-api
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gateway-api-admission
+subjects:
+  - kind: ServiceAccount
+    name: gateway-api-admission
+    namespace: gateway-api
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gateway-api-admission
+  annotations:
+  labels:
+    name: gateway-api-webhook
+  namespace: gateway-api
+spec:
+  template:
+    metadata:
+      name: gateway-api-admission-create
+      labels:
+        name: gateway-api-webhook
+    spec:
+      containers:
+        - name: create
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+          imagePullPolicy: IfNotPresent
+          args:
+            - create
+            - --host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc
+            - --namespace=gateway-api
+            - --secret-name=gateway-api-admission
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+      serviceAccountName: gateway-api-admission
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gateway-api-admission-patch
+  labels:
+    name: gateway-api-webhook
+  namespace: gateway-api
+spec:
+  template:
+    metadata:
+      name: gateway-api-admission-patch
+      labels:
+        name: gateway-api-webhook
+    spec:
+      containers:
+        - name: patch
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+          imagePullPolicy: IfNotPresent
+          args:
+            - patch
+            - --webhook-name=gateway-api-admission
+            - --namespace=gateway-api
+            - --patch-mutating=false
+            - --patch-validating=true
+            - --secret-name=gateway-api-admission
+            - --patch-failure-policy=Fail
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+      serviceAccountName: gateway-api-admission
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000