Merge a8cf888 into 93d8020
skriss authored May 6, 2022
2 parents 93d8020 + a8cf888 commit 19c7fd5
Showing 14 changed files with 810 additions and 41 deletions.
14 changes: 10 additions & 4 deletions Makefile
@@ -182,10 +182,12 @@ lint-golint:
@echo Running Go linter ...
@./hack/golangci-lint run --build-tags=e2e

# The inline config is needed to allow the Gateway API validating webhook YAML
# (which we import directly from the Gateway API repo) to pass.
.PHONY: lint-yamllint
lint-yamllint:
@echo Running YAML linter ...
@./hack/yamllint examples/ site/content/examples/ ./versions.yaml
@./hack/yamllint -d "{rules: {brackets: {max-spaces-inside: 1}, commas: {max-spaces-before: 1}}}" examples/ site/content/examples/ ./versions.yaml

# Check that CLI flags are formatted consistently. We are checking
# for calls to Kingpin Flags() and Command() APIs where the 2nd
@@ -205,7 +207,7 @@ lint-flags:

.PHONY: generate
generate: ## Re-generate generated code and documentation
generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-crd-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go
generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go

.PHONY: generate-rbac
generate-rbac:
@@ -230,10 +232,14 @@ generate-crd-yaml:
@echo "Generating Contour CRD YAML documents..."
@./hack/generate-crd-yaml.sh

.PHONY: generate-gateway-crd-yaml
generate-gateway-crd-yaml:
.PHONY: generate-gateway-yaml
generate-gateway-yaml:
@echo "Generating Gateway API CRD YAML documents..."
@kubectl kustomize -o examples/gateway/00-crds.yaml "github.com/kubernetes-sigs/gateway-api/config/crd?ref=${GATEWAY_API_VERSION}"
@echo "Generating Gateway API webhook documents..."
@curl -s -o examples/gateway/01-admission_webhook.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/admission_webhook.yaml
@curl -s -o examples/gateway/02-certificate_config.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/certificate_config.yaml


.PHONY: generate-api-docs
generate-api-docs:
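Review bot: The two `curl -s -o` lines added to `generate-gateway-yaml` exit successfully on an HTTP error, so a wrong or missing `${GATEWAY_API_VERSION}` path would silently write the server's error body into `examples/gateway/01-admission_webhook.yaml` and `02-certificate_config.yaml`. Use `curl -fsS -o …` on both lines so that an HTTP failure fails the recipe and prints the error. The fetched files carry a ValidatingWebhookConfiguration, RBAC and Jobs that users apply to clusters, and the ref is presumably a tag that can be moved upstream, so it would be worth checking each download against a checksum recorded in the repo before it overwrites the example. In the first hunk, the inline `-d` config relaxes `brackets` and `commas` for every path passed to yamllint rather than only for the imported webhook file; a comment saying so, or a separate yamllint invocation for `examples/gateway/`, would keep the stricter default for the project's own YAML.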
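--- a/changelogs/unreleased/4489-skriss-small.md
+++ b/changelogs/unreleased/4489-skriss-small.md
@@ -0,0 +1 @@
+Updates Gateway API to v0.4.3 and adds the Gateway API validating webhook to Contour's Gateway API example YAML.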
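--- a/examples/gateway/01-admission_webhook.yaml
+++ b/examples/gateway/01-admission_webhook.yaml
@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: gateway-api
+labels:
+name: gateway-api
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: gateway-api-admission
+webhooks:
+- name: validate.gateway.networking.k8s.io
+matchPolicy: Equivalent
+rules:
+- operations: [ "CREATE" , "UPDATE" ]
+apiGroups: [ "networking.x-k8s.io" ]
+apiVersions: [ "v1alpha1" ]
+resources: [ "gateways", "gatewayclasses", "httproutes" ]
+- operations: [ "CREATE" , "UPDATE" ]
+apiGroups: [ "gateway.networking.k8s.io" ]
+apiVersions: [ "v1alpha2" ]
+resources: [ "gateways", "gatewayclasses", "httproutes" ]
+failurePolicy: Fail
+sideEffects: None
+admissionReviewVersions:
+- v1
+clientConfig:
+service:
+name: gateway-api-admission-server
+namespace: gateway-api
+path: "/validate"
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+name: gateway-api-webhook-server
+version: 0.0.1
+name: gateway-api-admission-server
+namespace: gateway-api
+spec:
+type: ClusterIP
+ports:
+- name: https-webhook
+port: 443
+targetPort: 8443
+selector:
+name: gateway-api-admission-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: gateway-api-admission-server
+namespace: gateway-api
+labels:
+name: gateway-api-admission-server
+spec:
+replicas: 1
+selector:
+matchLabels:
+name: gateway-api-admission-server
+template:
+metadata:
+name: gateway-api-admission-server
+labels:
+name: gateway-api-admission-server
+spec:
+containers:
+- name: webhook
+image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3
+imagePullPolicy: Always
+args:
+- -logtostderr
+- --tlsCertFile=/etc/certs/cert
+- --tlsKeyFile=/etc/certs/key
+- -v=10
+- 2>&1
+ports:
+- containerPort: 8443
+name: webhook
+resources:
+limits:
+memory: 50Mi
+cpu: 100m
+requests:
+memory: 50Mi
+cpu: 100m
+volumeMounts:
+- name: webhook-certs
+mountPath: /etc/certs
+readOnly: true
+securityContext:
+readOnlyRootFilesystem: true
+volumes:
+- name: webhook-certs
+secret:
+secretName: gateway-api-admission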
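--- a/examples/gateway/02-certificate_config.yaml
+++ b/examples/gateway/02-certificate_config.yaml
@@ -0,0 +1,152 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: gateway-api
+labels:
+name: gateway-api
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: gateway-api-admission
+labels:
+name: gateway-api-webhook
+namespace: gateway-api
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: gateway-api-admission
+labels:
+name: gateway-api
+rules:
+- apiGroups:
+- admissionregistration.k8s.io
+resources:
+- validatingwebhookconfigurations
+verbs:
+- get
+- update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: gateway-api-admission
+annotations:
+labels:
+name: gateway-api-webhook
+namespace: gateway-api
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: gateway-api-admission
+subjects:
+- kind: ServiceAccount
+name: gateway-api-admission
+namespace: gateway-api
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: gateway-api-admission
+annotations:
+labels:
+name: gateway-api-webhook
+namespace: gateway-api
+rules:
+- apiGroups:
+- ''
+resources:
+- secrets
+verbs:
+- get
+- create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: gateway-api-admission
+annotations:
+labels:
+name: gateway-api-webhook
+namespace: gateway-api
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: gateway-api-admission
+subjects:
+- kind: ServiceAccount
+name: gateway-api-admission
+namespace: gateway-api
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: gateway-api-admission
+annotations:
+labels:
+name: gateway-api-webhook
+namespace: gateway-api
+spec:
+template:
+metadata:
+name: gateway-api-admission-create
+labels:
+name: gateway-api-webhook
+spec:
+containers:
+- name: create
+image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+imagePullPolicy: IfNotPresent
+args:
+- create
+- --host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc
+- --namespace=gateway-api
+- --secret-name=gateway-api-admission
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+restartPolicy: OnFailure
+serviceAccountName: gateway-api-admission
+securityContext:
+runAsNonRoot: true
+runAsUser: 2000
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: gateway-api-admission-patch
+labels:
+name: gateway-api-webhook
+namespace: gateway-api
+spec:
+template:
+metadata:
+name: gateway-api-admission-patch
+labels:
+name: gateway-api-webhook
+spec:
+containers:
+- name: patch
+image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+imagePullPolicy: IfNotPresent
+args:
+- patch
+- --webhook-name=gateway-api-admission
+- --namespace=gateway-api
+- --patch-mutating=false
+- --patch-validating=true
+- --secret-name=gateway-api-admission
+- --patch-failure-policy=Fail
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+restartPolicy: OnFailure
+serviceAccountName: gateway-api-admission
+securityContext:
+runAsNonRoot: true
+runAsUser: 2000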
File renamed without changes.
File renamed without changes.