diff --git a/charts/gateway-operator/CHANGELOG.md b/charts/gateway-operator/CHANGELOG.md index a27b5cb67..c258c33c1 100644 --- a/charts/gateway-operator/CHANGELOG.md +++ b/charts/gateway-operator/CHANGELOG.md @@ -1,5 +1,17 @@ # Changelog +## 0.4.8 + +## Changes + +- Remove kube-rbac-proxy for operator versions 1.5+. + In order to controler metrics endpoint access for these version please see + [kubernetes-sigs/kubebuilder/discussions/3907][kubebuilder_discussion_3907]. + Operator exposes `--metrics-access-filter` flag to control access to the metrics endpoint. + [#1243](https://github.com/Kong/charts/pull/1243) + +[kubebuilder_discussion_3907]: https://github.com/kubernetes-sigs/kubebuilder/discussions/3907 + ## 0.4.7 ## Changes diff --git a/charts/gateway-operator/Chart.yaml b/charts/gateway-operator/Chart.yaml index e9d5d5c16..ec629fc16 100644 --- a/charts/gateway-operator/Chart.yaml +++ b/charts/gateway-operator/Chart.yaml @@ -8,7 +8,7 @@ maintainers: name: gateway-operator sources: - https://github.com/Kong/charts/tree/main/charts/gateway-operator -version: 0.4.7 +version: 0.4.8 appVersion: "1.4" annotations: artifacthub.io/prerelease: "false" diff --git a/charts/gateway-operator/ci/__snapshots__/affinity-values.snap b/charts/gateway-operator/ci/__snapshots__/affinity-values.snap index 237aa3cd1..0c16e0d36 100644 --- a/charts/gateway-operator/ci/__snapshots__/affinity-values.snap +++ b/charts/gateway-operator/ci/__snapshots__/affinity-values.snap @@ -696,7 +696,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo 
@@ -718,7 +718,7 @@ spec: labels: control-plane: controller-manager app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -743,7 +743,7 @@ spec: - name: GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS value: ":8081" - name: GATEWAY_OPERATOR_METRICS_BIND_ADDRESS - value: "127.0.0.1:8080" + value: "0.0.0.0:8080" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -781,6 +781,9 @@ spec: - containerPort: 8081 name: probe protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP volumeMounts: - name: chartsnap-gateway-operator-certs-dir mountPath: /tmp/k8s-webhook-server/serving-certs diff --git a/charts/gateway-operator/ci/__snapshots__/disable-gateway-controller-values.snap b/charts/gateway-operator/ci/__snapshots__/disable-gateway-controller-values.snap index 66e55d7c8..5952f311c 100644 --- a/charts/gateway-operator/ci/__snapshots__/disable-gateway-controller-values.snap +++ b/charts/gateway-operator/ci/__snapshots__/disable-gateway-controller-values.snap @@ -696,7 +696,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -718,7 +718,7 @@ spec: labels: control-plane: controller-manager app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -735,7 +735,7 @@ spec: - name: GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS value: ":8081" - name: GATEWAY_OPERATOR_METRICS_BIND_ADDRESS - value: "127.0.0.1:8080" + value: "0.0.0.0:8080" - name: POD_NAMESPACE valueFrom: fieldRef: 
@@ -773,6 +773,9 @@ spec: - containerPort: 8081 name: probe protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP volumeMounts: - name: chartsnap-gateway-operator-certs-dir mountPath: /tmp/k8s-webhook-server/serving-certs diff --git a/charts/gateway-operator/ci/__snapshots__/env-and-args-values.snap b/charts/gateway-operator/ci/__snapshots__/env-and-args-values.snap index b73a5431b..59ee57b14 100644 --- a/charts/gateway-operator/ci/__snapshots__/env-and-args-values.snap +++ b/charts/gateway-operator/ci/__snapshots__/env-and-args-values.snap @@ -696,7 +696,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -718,7 +718,7 @@ spec: labels: control-plane: controller-manager app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -735,7 +735,7 @@ spec: - name: GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS value: ":8081" - name: GATEWAY_OPERATOR_METRICS_BIND_ADDRESS - value: "127.0.0.1:8080" + value: "0.0.0.0:8080" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -773,6 +773,9 @@ spec: - containerPort: 8081 name: probe protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP volumeMounts: - name: chartsnap-gateway-operator-certs-dir mountPath: /tmp/k8s-webhook-server/serving-certs diff --git a/charts/gateway-operator/ci/__snapshots__/env-and-customenv-values.snap b/charts/gateway-operator/ci/__snapshots__/env-and-customenv-values.snap index e9bf59e35..fe5bc9545 100644 --- a/charts/gateway-operator/ci/__snapshots__/env-and-customenv-values.snap +++ b/charts/gateway-operator/ci/__snapshots__/env-and-customenv-values.snap 
@@ -696,7 +696,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -718,7 +718,7 @@ spec: labels: control-plane: controller-manager app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -737,7 +737,7 @@ spec: - name: GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS value: ":8081" - name: GATEWAY_OPERATOR_METRICS_BIND_ADDRESS - value: "127.0.0.1:8080" + value: "0.0.0.0:8080" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -775,6 +775,9 @@ spec: - containerPort: 8081 name: probe protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP volumeMounts: - name: chartsnap-gateway-operator-certs-dir mountPath: /tmp/k8s-webhook-server/serving-certs diff --git a/charts/gateway-operator/ci/__snapshots__/extra-labels-values.snap b/charts/gateway-operator/ci/__snapshots__/extra-labels-values.snap index 11c7bd4b8..bebc541db 100644 --- a/charts/gateway-operator/ci/__snapshots__/extra-labels-values.snap +++ b/charts/gateway-operator/ci/__snapshots__/extra-labels-values.snap @@ -696,7 +696,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" a: "b" @@ -719,7 +719,7 @@ spec: labels: control-plane: controller-manager app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" a: "b" 
@@ -735,7 +735,7 @@ spec: - name: GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS value: ":8081" - name: GATEWAY_OPERATOR_METRICS_BIND_ADDRESS - value: "127.0.0.1:8080" + value: "0.0.0.0:8080" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -773,6 +773,9 @@ spec: - containerPort: 8081 name: probe protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP volumeMounts: - name: chartsnap-gateway-operator-certs-dir mountPath: /tmp/k8s-webhook-server/serving-certs diff --git a/charts/gateway-operator/ci/__snapshots__/kube-rbac-proxy-removed-in-1-5-values.snap b/charts/gateway-operator/ci/__snapshots__/kube-rbac-proxy-removed-in-1-5-values.snap new file mode 100644 index 000000000..b3e429dee --- /dev/null +++ b/charts/gateway-operator/ci/__snapshots__/kube-rbac-proxy-removed-in-1-5-values.snap 
@@ -0,0 +1,787 @@ +# chartsnap: snapshot_version=v3 +--- +# Source: gateway-operator/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller-manager + namespace: default +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: chartsnap-gateway-operator-manager-role +rules: +- apiGroups: + - "" + resources: + - configmaps + - serviceaccounts + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + - serviceaccounts/status + verbs: + - get +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - get + - patch + - update +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - 
configuration.konghq.com + resources: + - ingressclassparameterses + - kongclusterplugins + - kongcustomentities + - kongingresses + - konglicenses + - kongupstreampolicies + - tcpingresses + - udpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcacertificates + - kongcertificates + - kongconsumergroups + - kongconsumers + - kongcredentialacls + - kongcredentialapikeys + - kongcredentialbasicauths + - kongcredentialhmacs + - kongcredentialjwts + - kongdataplaneclientcertificates + - kongkeys + - kongkeysets + - kongroutes + - kongservices + - kongsnis + - kongtargets + - kongupstreams + - kongvaults + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcacertificates/finalizers + - kongcacertificates/status + - kongcertificates/finalizers + - kongcertificates/status + - kongconsumergroups/finalizers + - kongconsumers/finalizers + - kongcredentialacls/finalizers + - kongcredentialacls/status + - kongcredentialapikeys/finalizers + - kongcredentialapikeys/status + - kongcredentialbasicauths/finalizers + - kongcredentialbasicauths/status + - kongcredentialhmacs/finalizers + - kongcredentialhmacs/status + - kongcredentialjwts/finalizers + - kongcredentialjwts/status + - kongdataplaneclientcertificates/finalizers + - kongdataplaneclientcertificates/status + - kongkeys/finalizers + - kongkeys/status + - kongkeysets/finalizers + - kongkeysets/status + - kongpluginbindings/status + - kongroutes/finalizers + - kongroutes/status + - kongservices/finalizers + - kongservices/status + - kongsnis/finalizers + - kongsnis/status + - kongtargets/finalizers + - kongtargets/status + - kongupstreams/finalizers + - kongupstreams/status + - kongvaults/finalizers + verbs: + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + - kongconsumergroups/status + - kongconsumers/status + - kongcustomentities/status + 
- kongingresses/status + - konglicenses/status + - kongplugins/status + - kongupstreampolicies/status + - kongvaults/status + - tcpingresses/status + - udpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongpluginbindings + - kongplugins + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway-operator.konghq.com + resources: + - aigateways + - controlplanes + - dataplanes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway-operator.konghq.com + resources: + - aigateways/finalizers + - controlplanes/finalizers + - dataplanes/finalizers + verbs: + - update +- apiGroups: + - gateway-operator.konghq.com + resources: + - aigateways/status + - controlplanes/status + - dataplanes/status + - kongplugininstallations/status + - konnectextensions/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway-operator.konghq.com + resources: + - dataplanemetricsextensions + - gatewayconfigurations + verbs: + - get + - list + - watch +- apiGroups: + - gateway-operator.konghq.com + resources: + - kongplugininstallations + - konnectextensions + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway-operator.konghq.com + resources: + - konnectextensions/finalizers + verbs: + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - grpcroutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - 
backendtlspolicies/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants/status + verbs: + - get +- apiGroups: + - incubator.ingress-controller.konghq.com + resources: + - kongservicefacades + verbs: + - get + - list + - watch +- apiGroups: + - incubator.ingress-controller.konghq.com + resources: + - kongservicefacades/status + verbs: + - get + - patch + - update +- apiGroups: + - konnect.konghq.com + resources: + - konnectapiauthconfigurations + - konnectgatewaycontrolplanes + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - konnect.konghq.com + resources: + - konnectapiauthconfigurations/finalizers + - konnectgatewaycontrolplanes/finalizers + - konnectgatewaycontrolplanes/status + verbs: + - patch + - update +- apiGroups: + - konnect.konghq.com + resources: + - konnectapiauthconfigurations/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + verbs: + 
- create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings/status + - clusterroles/status + verbs: + - get +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: chartsnap-gateway-operator-kong-mtls-secret-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - patch + - update +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: chartsnap-gateway-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: chartsnap-gateway-operator-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: chartsnap-gateway-operator-kong-mtls-secret-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-gateway-operator-kong-mtls-secret-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: default +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: chartsnap-gateway-operator-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-gateway-operator-manager-role 
+subjects: +- kind: ServiceAccount + name: controller-manager + namespace: default +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: chartsnap-gateway-operator-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-gateway-operator-proxy-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: default +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: chartsnap-gateway-operator-leader-election-role + namespace: default +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: chartsnap-gateway-operator-leader-election-rolebinding + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-gateway-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: default +--- +# Source: gateway-operator/templates/rbac-resources.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: chartsnap-gateway-operator-metrics-service + namespace: default +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: metrics + selector: + control-plane: controller-manager +--- +# Source: gateway-operator/templates/services.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: kgo + name: chartsnap-gateway-operator + namespace: 
default +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: kgo +--- +# Source: gateway-operator/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: gateway-operator + helm.sh/chart: gateway-operator-0.4.8 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/version: "1.4" + app.kubernetes.io/component: kgo + name: chartsnap-gateway-operator-controller-manager + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: gateway-operator + app.kubernetes.io/component: kgo + app.kubernetes.io/instance: "chartsnap" + strategy: + type: Recreate + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + app.kubernetes.io/name: gateway-operator + helm.sh/chart: gateway-operator-0.4.8 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/version: "1.4" + app.kubernetes.io/component: kgo + app: chartsnap-gateway-operator + version: "1.4" + spec: + containers: + - name: manager + env: + - name: GATEWAY_OPERATOR_ANONYMOUS_REPORTS + value: "false" + - name: GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS + value: ":8081" + - name: GATEWAY_OPERATOR_METRICS_BIND_ADDRESS + value: "0.0.0.0:8080" + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: "docker.io/kong/nighly-gateway-operator-oss:20250130" + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 1 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 1 + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 10m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + ports: + - containerPort: 
8081 + name: probe + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + volumeMounts: + - name: chartsnap-gateway-operator-certs-dir + mountPath: /tmp/k8s-webhook-server/serving-certs + securityContext: + runAsNonRoot: true + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: chartsnap-gateway-operator-certs-dir + emptyDir: + sizeLimit: 256Mi diff --git a/charts/gateway-operator/ci/__snapshots__/probes-and-args-values.snap b/charts/gateway-operator/ci/__snapshots__/probes-and-args-values.snap index a79091a31..805912d88 100644 --- a/charts/gateway-operator/ci/__snapshots__/probes-and-args-values.snap +++ b/charts/gateway-operator/ci/__snapshots__/probes-and-args-values.snap @@ -696,7 +696,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -718,7 +718,7 @@ spec: labels: control-plane: controller-manager app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -735,7 +735,7 @@ spec: - name: GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS value: ":8081" - name: GATEWAY_OPERATOR_METRICS_BIND_ADDRESS - value: "127.0.0.1:8080" + value: "0.0.0.0:8080" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -773,6 +773,9 @@ spec: - containerPort: 8081 name: probe protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP volumeMounts: - name: chartsnap-gateway-operator-certs-dir mountPath: /tmp/k8s-webhook-server/serving-certs diff --git a/charts/gateway-operator/ci/__snapshots__/tolerations-values.snap b/charts/gateway-operator/ci/__snapshots__/tolerations-values.snap index eaa8c3a84..4a98b6385 100644 
--- a/charts/gateway-operator/ci/__snapshots__/tolerations-values.snap +++ b/charts/gateway-operator/ci/__snapshots__/tolerations-values.snap @@ -696,7 +696,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -718,7 +718,7 @@ spec: labels: control-plane: controller-manager app.kubernetes.io/name: gateway-operator - helm.sh/chart: gateway-operator-0.4.7 + helm.sh/chart: gateway-operator-0.4.8 app.kubernetes.io/instance: "chartsnap" app.kubernetes.io/version: "1.4" app.kubernetes.io/component: kgo @@ -737,7 +737,7 @@ spec: - name: GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS value: ":8081" - name: GATEWAY_OPERATOR_METRICS_BIND_ADDRESS - value: "127.0.0.1:8080" + value: "0.0.0.0:8080" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -775,6 +775,9 @@ spec: - containerPort: 8081 name: probe protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP volumeMounts: - name: chartsnap-gateway-operator-certs-dir mountPath: /tmp/k8s-webhook-server/serving-certs diff --git a/charts/gateway-operator/ci/kube-rbac-proxy-removed-in-1-5-values.yaml b/charts/gateway-operator/ci/kube-rbac-proxy-removed-in-1-5-values.yaml new file mode 100644 index 000000000..6ce5637ff --- /dev/null +++ b/charts/gateway-operator/ci/kube-rbac-proxy-removed-in-1-5-values.yaml @@ -0,0 +1,18 @@ +image: + repository: docker.io/kong/nighly-gateway-operator-oss + tag: "20250130" + effectiveSemver: "1.5.0" + +livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 1 + +readinessProbe: + initialDelaySeconds: 1 + periodSeconds: 1 + +env: + anonymous_reports: "false" diff --git a/charts/gateway-operator/templates/_helpers.tpl b/charts/gateway-operator/templates/_helpers.tpl index 7ac34eb4f..e7da4b7cb 100644 
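Review bot: The repository `docker.io/kong/nighly-gateway-operator-oss` in the new fixture looks like a misspelling of `nightly`; the generated snapshot carries the same string, and a render-only snapshot test would not notice an image path that cannot be pulled, so confirm it against the registry before merging. The fixture exercises only the `effectiveSemver` branch of `kong.effectiveVersion`; a companion fixture with a plain three-segment `tag` and no `effectiveSemver` would also cover the `.tag` path that every default install takes.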
--- a/charts/gateway-operator/templates/_helpers.tpl
+++ b/charts/gateway-operator/templates/_helpers.tpl
@@ -63,7 +63,7 @@ Create a list of env vars based on the values of the `env` and `customEnv` maps.
 {{- $defaultEnv := dict -}}
 {{- $_ := set $defaultEnv "GATEWAY_OPERATOR_HEALTH_PROBE_BIND_ADDRESS" ":8081" -}}
-{{- $_ := set $defaultEnv "GATEWAY_OPERATOR_METRICS_BIND_ADDRESS" "127.0.0.1:8080" -}}
+{{- $_ := set $defaultEnv "GATEWAY_OPERATOR_METRICS_BIND_ADDRESS" "0.0.0.0:8080" -}}
 {{- range $key, $val := .Values.env -}}
 {{- $var := printf "GATEWAY_OPERATOR_%s" ( upper $key ) -}}
@@ -100,3 +100,24 @@ Create a list of env vars based on the values of the `env` and `customEnv` maps.
 - name: {{ template "kong.fullname" . }}-certs-dir
 mountPath: /tmp/k8s-webhook-server/serving-certs
 {{- end }}
+
+{{/* effectiveVersion takes an image dict from values.yaml. if .effectiveSemver is set, it returns that, else it returns .tag */}}
+{{- define "kong.effectiveVersion" -}}
+{{- /* Because Kong Gateway enterprise uses versions with 4 segments and not 3 */ -}}
+{{- /* as semver does, we need to account for that here by extracting */ -}}
+{{- /* first 3 segments for comparison */ -}}
+{{- if .effectiveSemver -}}
+ {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
+ {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
+ {{- else -}}
+ {{- .effectiveSemver -}}
+ {{- end -}}
+{{- else -}}
+ {{- $tag := (trimSuffix "-redhat" .tag) -}}
+ {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
+ {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
+ {{- else -}}
+ {{- .tag -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/gateway-operator/templates/deployment.yaml b/charts/gateway-operator/templates/deployment.yaml
index 0466ec977..16c3da9d8 100644
--- a/charts/gateway-operator/templates/deployment.yaml
+++ b/charts/gateway-operator/templates/deployment.yaml
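Review bot: The new default `0.0.0.0:8080` for `GATEWAY_OPERATOR_METRICS_BIND_ADDRESS` is applied for every operator version, yet for versions below 1.5 deployment.yaml still renders kube-rbac-proxy whose only purpose is to front that listener through `--upstream=http://127.0.0.1:8080/`. Combined with the `containerPort: 8080` that the deployment.yaml hunk adds unconditionally, the pre-1.5 metrics endpoint becomes reachable on the pod IP without passing the proxy's TokenReview/SubjectAccessReview checks, which is exactly what the proxy was there to prevent. Keep the loopback default while the proxy is rendered, e.g. `{{- $metricsAddr := ternary "127.0.0.1:8080" "0.0.0.0:8080" (semverCompare "< 1.5.0" (include "kong.effectiveVersion" .Values.image)) -}}` followed by `{{- $_ := set $defaultEnv "GATEWAY_OPERATOR_METRICS_BIND_ADDRESS" $metricsAddr -}}`, and gate the new `containerPort` in deployment.yaml on the same condition. The enclosing `define` starts and ends outside this hunk.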
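Review bot: In the `.tag` branch `$tag` is computed with `trimSuffix "-redhat"` but the three lines that follow read `.tag`, so the trim is dead code and the variable is never used. The pattern `^[0-9]+.[0-9]+.[0-9]+` also leaves its dots unescaped, so any run of three or more digits matches; a purely numeric tag such as the `20250130` used in the new CI fixture would be returned whole and then presumably ranked by `semverCompare` far above 1.5.0, and a tag it cannot parse at all (the `next` case the values comment mentions) appears to fail the render instead of falling back. Use the trimmed value and escape the dots: `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" $tag -}}`, `{{- regexFind "^[0-9]+\\.[0-9]+\\.[0-9]+" $tag -}}`, `{{- $tag -}}`, with the same escaping on the `.effectiveSemver` branch.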
@@ -73,8 +73,12 @@ spec:
 - containerPort: 8081
 name: probe
 protocol: TCP
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
 volumeMounts:
 {{- include "kong.volumeMounts" . | nindent 8 }}
+{{- if (semverCompare "< 1.5.0" (include "kong.effectiveVersion" .Values.image)) }}
 - args:
 - --secure-listen-address=0.0.0.0:8443
 - --upstream=http://127.0.0.1:8080/
@@ -88,6 +92,7 @@ spec:
 protocol: TCP
 resources:
 {{ toYaml .Values.kubeRBACProxy.resources | indent 10 }}
+{{- end }}
 securityContext:
 runAsNonRoot: true
 serviceAccountName: {{ template "kong.serviceAccountName" . }}
diff --git a/charts/gateway-operator/templates/rbac-resources.yaml b/charts/gateway-operator/templates/rbac-resources.yaml
index aa6f913d8..9c9b59abc 100644
--- a/charts/gateway-operator/templates/rbac-resources.yaml
+++ b/charts/gateway-operator/templates/rbac-resources.yaml
@@ -650,6 +650,10 @@ spec:
 - name: https
 port: 8443
 protocol: TCP
+{{ if (semverCompare "< 1.5.0" (include "kong.effectiveVersion" .Values.image)) }}
 targetPort: https
+{{- else }}
+ targetPort: metrics
+{{- end }}
 selector:
 control-plane: controller-manager
diff --git a/charts/gateway-operator/values.yaml b/charts/gateway-operator/values.yaml
index 8c5ff2f31..d13575107 100644
--- a/charts/gateway-operator/values.yaml
+++ b/charts/gateway-operator/values.yaml
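Review bot: For operator 1.5+ the metrics Service keeps the port name `https` and number 8443 but now forwards to the `metrics` container port, which per the deployment.yaml hunk is the plain-HTTP listener kube-rbac-proxy used to reach through `--upstream=http://127.0.0.1:8080/`; the name misdescribes the protocol, and the Service publishes the endpoint without the proxy's authentication unless the operator is started with `--metrics-access-filter`, which nothing in this change sets. Whitespace control is also inconsistent: `{{ if ... }}` keeps its surrounding newline while `{{- else }}` and `{{- end }}` trim theirs, so the rendered `ports` entry gains an empty line in both branches (harmless YAML and apparently normalised by chartsnap, but `{{- if ... }}` would match the deployment.yaml hunk). Judging by the new snapshot, the `-proxy-role` ClusterRole (`tokenreviews`/`subjectaccessreviews` create), the `-metrics-reader` ClusterRole and their bindings are still rendered and attached to the operator ServiceAccount for 1.5+ although no container uses them; those rules sit outside this hunk but deserve the same `semverCompare` gate so the ServiceAccount does not retain permissions it no longer needs.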
@@ -1,7 +1,15 @@
 image:
 repository: docker.io/kong/gateway-operator
- tag: 1.4
-
+ tag: "1.4"
+ # Optionally set a semantic version for version-gated features. This can normally
+ # be left unset. You only need to set this if your tag is not a semver string,
+ # such as when you are using a "next" tag. Set this to the effective semantic
+ # version of your tag: for example if using a "nightly" image for an unreleased 1.5.0
+ # version, set this to "1.5.0".
+ effectiveSemver: ""
+
+# Deprecated: KGO versions 1.5+ do not use kube-rbac-proxy.
+# Use --metrics-access-filter flag instead to control access to metrics endpoint.
 kubeRBACProxy:
 # Additional pod containers in the controller.
 image: gcr.io/kubebuilder/kube-rbac-proxy
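Review bot: The deprecation comment above `kubeRBACProxy` should tell chart users what changes for them, not only that the proxy is gone: per deployment.yaml the whole `kubeRBACProxy` block is ignored once `kong.effectiveVersion` resolves to 1.5.0 or later, and the metrics listener is then published directly on container port 8080 without the proxy's authentication unless the operator is started with `--metrics-access-filter`. Suggested wording: `# Deprecated: ignored for KGO 1.5+, where kube-rbac-proxy is no longer rendered and` / `# the metrics endpoint is served directly on container port 8080. Restrict access to it` / `# with the operator's --metrics-access-filter flag.` The `effectiveSemver` comment could likewise say that a tag `semverCompare` cannot parse appears to fail the render unless this value is set, since that is the situation it exists for.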