diff --git a/Makefile b/Makefile index d1f910ec734..af16b723d73 100644 --- a/Makefile +++ b/Makefile @@ -182,10 +182,12 @@ lint-golint: @echo Running Go linter ... @./hack/golangci-lint run --build-tags=e2e +# The inline config is needed to allow the Gateway API validating webhook YAML +# (which we import directly from the Gateway API repo) to pass. .PHONY: lint-yamllint lint-yamllint: @echo Running YAML linter ... - @./hack/yamllint examples/ site/content/examples/ ./versions.yaml + @./hack/yamllint -d "{rules: {brackets: {max-spaces-inside: 1}, commas: {max-spaces-before: 1}}}" examples/ site/content/examples/ ./versions.yaml # Check that CLI flags are formatted consistently. We are checking # for calls to Kingpin Flags() and Command() APIs where the 2nd @@ -205,7 +207,7 @@ lint-flags: .PHONY: generate generate: ## Re-generate generated code and documentation -generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-crd-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go +generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go .PHONY: generate-rbac generate-rbac: 
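Review bot: The inline `-d` config on the `lint-yamllint` recipe has no `extends:` key, and yamllint treats `-d` data as the complete configuration. This run therefore most likely enables only the `brackets` and `commas` rules and stops applying every other default check (and any repo-level yamllint config file) to `examples/`, `site/content/examples/` and `versions.yaml`. If the intent is only to relax two rules for the imported webhook YAML, keep the defaults with `-d "{extends: default, rules: {brackets: {max-spaces-inside: 1}, commas: {max-spaces-before: 1}}}"`. `hack/yamllint` is not part of this diff, so confirm it does not already supply a base config.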
@@ -230,10 +232,14 @@ generate-crd-yaml: @echo "Generating Contour CRD YAML documents..." @./hack/generate-crd-yaml.sh -.PHONY: generate-gateway-crd-yaml -generate-gateway-crd-yaml: +.PHONY: generate-gateway-yaml +generate-gateway-yaml: @echo "Generating Gateway API CRD YAML documents..." @kubectl kustomize -o examples/gateway/00-crds.yaml "github.com/kubernetes-sigs/gateway-api/config/crd?ref=${GATEWAY_API_VERSION}" + @echo "Generating Gateway API webhook documents..." + @curl -s -o examples/gateway/01-admission_webhook.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/admission_webhook.yaml + @curl -s -o examples/gateway/02-certificate_config.yaml https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${GATEWAY_API_VERSION}/deploy/certificate_config.yaml + .PHONY: generate-api-docs generate-api-docs: diff --git a/changelogs/unreleased/4489-skriss-small.md b/changelogs/unreleased/4489-skriss-small.md new file mode 100644 index 00000000000..daff122b63f --- /dev/null +++ b/changelogs/unreleased/4489-skriss-small.md @@ -0,0 +1 @@ +Updates Gateway API to v0.4.3 and adds the Gateway API validating webhook to Contour's Gateway API example YAML. diff --git a/examples/gateway/01-admission_webhook.yaml b/examples/gateway/01-admission_webhook.yaml new file mode 100644 index 00000000000..c77a7324e49 --- /dev/null +++ b/examples/gateway/01-admission_webhook.yaml 
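Review bot: Both `curl -s -o` lines in `generate-gateway-yaml` exit 0 even when the download fails with an HTTP error, because without `--fail` curl writes the error body (for example a 404 page for a mistyped `GATEWAY_API_VERSION`) into the example YAML. Use `@curl -fsSL -o examples/gateway/01-admission_webhook.yaml ...` and the same for `02-certificate_config.yaml`, so a bad fetch stops `make generate` instead of committing a broken manifest. The fetched files carry a ClusterRole, a ValidatingWebhookConfiguration and container image references that end up in the rendered install manifests, so each regenerated copy deserves a manual diff review. A recorded checksum per `GATEWAY_API_VERSION` would make an upstream change under the same tag visible.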
@@ -0,0 +1,98 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: gateway-api-admission +webhooks: + - name: validate.gateway.networking.k8s.io + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "networking.x-k8s.io" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "gateway.networking.k8s.io" ] + apiVersions: [ "v1alpha2" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: gateway-api-admission-server + namespace: gateway-api + path: "/validate" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: gateway-api-webhook-server + version: 0.0.1 + name: gateway-api-admission-server + namespace: gateway-api +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + name: gateway-api-admission-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gateway-api-admission-server + namespace: gateway-api + labels: + name: gateway-api-admission-server +spec: + replicas: 1 + selector: + matchLabels: + name: gateway-api-admission-server + template: + metadata: + name: gateway-api-admission-server + labels: + name: gateway-api-admission-server + spec: + containers: + - name: webhook + image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3 + imagePullPolicy: Always + args: + - -logtostderr + - --tlsCertFile=/etc/certs/cert + - --tlsKeyFile=/etc/certs/key + - -v=10 + - 2>&1 + ports: + - containerPort: 8443 + name: webhook + resources: + limits: + memory: 50Mi + cpu: 100m + requests: + memory: 50Mi + cpu: 100m + volumeMounts: + - name: webhook-certs + mountPath: /etc/certs + readOnly: true + 
securityContext: + readOnlyRootFilesystem: true + volumes: + - name: webhook-certs + secret: + secretName: gateway-api-admission diff --git a/examples/gateway/02-certificate_config.yaml b/examples/gateway/02-certificate_config.yaml new file mode 100644 index 00000000000..9e8dac65921 --- /dev/null +++ b/examples/gateway/02-certificate_config.yaml 
@@ -0,0 +1,152 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-api-admission + labels: + name: gateway-api-webhook + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gateway-api-admission + labels: + name: gateway-api +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-create + labels: + name: gateway-api-webhook + spec: + containers: + - name: create + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - create + - 
--host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc + - --namespace=gateway-api + - --secret-name=gateway-api-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + spec: + containers: + - name: patch + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=gateway-api-admission + - --namespace=gateway-api + - --patch-mutating=false + - --patch-validating=true + - --secret-name=gateway-api-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 diff --git a/examples/gateway/01-gatewayclass.yaml b/examples/gateway/03-gatewayclass.yaml similarity index 100% rename from examples/gateway/01-gatewayclass.yaml rename to examples/gateway/03-gatewayclass.yaml diff --git a/examples/gateway/02-gateway.yaml b/examples/gateway/04-gateway.yaml similarity index 100% rename from examples/gateway/02-gateway.yaml rename to examples/gateway/04-gateway.yaml diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 1bf74ceedf3..de5a5430eec 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -4,6 +4,8 @@ # Generated from: # examples/contour/01-crds.yaml # examples/gateway/00-crds.yaml +# examples/gateway/01-admission_webhook.yaml +# examples/gateway/02-certificate_config.yaml # examples/gateway-provisioner/00-common.yaml # examples/gateway-provisioner/01-roles.yaml # examples/gateway-provisioner/02-rolebindings.yaml 
@@ -8281,6 +8283,260 @@ status: conditions: [] storedVersions: [] +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: gateway-api-admission +webhooks: + - name: validate.gateway.networking.k8s.io + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "networking.x-k8s.io" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "gateway.networking.k8s.io" ] + apiVersions: [ "v1alpha2" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: gateway-api-admission-server + namespace: gateway-api + path: "/validate" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: gateway-api-webhook-server + version: 0.0.1 + name: gateway-api-admission-server + namespace: gateway-api +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + name: gateway-api-admission-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gateway-api-admission-server + namespace: gateway-api + labels: + name: gateway-api-admission-server +spec: + replicas: 1 + selector: + matchLabels: + name: gateway-api-admission-server + template: + metadata: + name: gateway-api-admission-server + labels: + name: gateway-api-admission-server + spec: + containers: + - name: webhook + image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3 + imagePullPolicy: Always + args: + - -logtostderr + - --tlsCertFile=/etc/certs/cert + - --tlsKeyFile=/etc/certs/key + - -v=10 + - 2>&1 + ports: + - containerPort: 8443 + name: webhook + resources: + limits: + memory: 50Mi + cpu: 100m + requests: + memory: 50Mi + cpu: 100m + volumeMounts: + - name: webhook-certs + 
mountPath: /etc/certs + readOnly: true + securityContext: + readOnlyRootFilesystem: true + volumes: + - name: webhook-certs + secret: + secretName: gateway-api-admission + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-api-admission + labels: + name: gateway-api-webhook + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gateway-api-admission + labels: + name: gateway-api +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-create + labels: + name: gateway-api-webhook + spec: + containers: + - name: create 
+ image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - create + - --host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc + - --namespace=gateway-api + - --secret-name=gateway-api-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + spec: + containers: + - name: patch + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=gateway-api-admission + - --namespace=gateway-api + - --patch-mutating=false + - --patch-validating=true + - --secret-name=gateway-api-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 + --- apiVersion: v1 kind: Namespace diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index c912ef2fad1..7dbb2cecf6a 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -13,8 +13,10 @@ # examples/contour/03-contour.yaml # examples/contour/03-envoy.yaml # examples/gateway/00-crds.yaml -# examples/gateway/01-gatewayclass.yaml -# examples/gateway/02-gateway.yaml +# examples/gateway/01-admission_webhook.yaml +# examples/gateway/02-certificate_config.yaml +# examples/gateway/03-gatewayclass.yaml +# examples/gateway/04-gateway.yaml --- apiVersion: v1 
@@ -8973,6 +8975,260 @@ status: conditions: [] storedVersions: [] +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: gateway-api-admission +webhooks: + - name: validate.gateway.networking.k8s.io + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "networking.x-k8s.io" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "gateway.networking.k8s.io" ] + apiVersions: [ "v1alpha2" ] + resources: [ "gateways", "gatewayclasses", "httproutes" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: gateway-api-admission-server + namespace: gateway-api + path: "/validate" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: gateway-api-webhook-server + version: 0.0.1 + name: gateway-api-admission-server + namespace: gateway-api +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + name: gateway-api-admission-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gateway-api-admission-server + namespace: gateway-api + labels: + name: gateway-api-admission-server +spec: + replicas: 1 + selector: + matchLabels: + name: gateway-api-admission-server + template: + metadata: + name: gateway-api-admission-server + labels: + name: gateway-api-admission-server + spec: + containers: + - name: webhook + image: gcr.io/k8s-staging-gateway-api/admission-server:v0.4.3 + imagePullPolicy: Always + args: + - -logtostderr + - --tlsCertFile=/etc/certs/cert + - --tlsKeyFile=/etc/certs/key + - -v=10 + - 2>&1 + ports: + - containerPort: 8443 + name: webhook + resources: + limits: + memory: 50Mi + cpu: 100m + requests: + memory: 50Mi + cpu: 100m + volumeMounts: + - name: webhook-certs + 
mountPath: /etc/certs + readOnly: true + securityContext: + readOnlyRootFilesystem: true + volumes: + - name: webhook-certs + secret: + secretName: gateway-api-admission + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-api + labels: + name: gateway-api +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-api-admission + labels: + name: gateway-api-webhook + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gateway-api-admission + labels: + name: gateway-api +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gateway-api-admission +subjects: + - kind: ServiceAccount + name: gateway-api-admission + namespace: gateway-api +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission + annotations: + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-create + labels: + name: gateway-api-webhook + spec: + containers: + - name: create 
+ image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - create + - --host=gateway-api-admission-server,gateway-api-admission-server.gateway-api.svc + - --namespace=gateway-api + - --secret-name=gateway-api-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + namespace: gateway-api +spec: + template: + metadata: + name: gateway-api-admission-patch + labels: + name: gateway-api-webhook + spec: + containers: + - name: patch + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=gateway-api-admission + - --namespace=gateway-api + - --patch-mutating=false + - --patch-validating=true + - --secret-name=gateway-api-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: gateway-api-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 + --- kind: GatewayClass apiVersion: gateway.networking.k8s.io/v1alpha2 diff --git a/go.mod b/go.mod index 127d41ed078..bb77ef5048c 100644 --- a/go.mod +++ b/go.mod @@ -39,6 +39,6 @@ require ( k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b sigs.k8s.io/controller-runtime v0.11.0 sigs.k8s.io/controller-tools v0.6.2 - sigs.k8s.io/gateway-api v0.4.1 + sigs.k8s.io/gateway-api v0.4.3 sigs.k8s.io/kustomize/kyaml v0.10.17 ) diff --git a/go.sum b/go.sum index fa78e92498c..5d2db169758 100644 --- a/go.sum +++ b/go.sum 
@@ -1953,8 +1953,8 @@ sigs.k8s.io/controller-tools v0.6.0/go.mod h1:baRMVPrctU77F+rfAuH2uPqW93k6yQnZA2 sigs.k8s.io/controller-tools v0.6.2 h1:+Y8L0UsAugDipGRw8lrkPoAi6XqlQVZuf1DQHME3PgU= sigs.k8s.io/controller-tools v0.6.2/go.mod h1:oaeGpjXn6+ZSEIQkUe/+3I40PNiDYp9aeawbt3xTgJ8= sigs.k8s.io/gateway-api v0.3.0/go.mod h1:Wb8bx7QhGVZxOSEU3i9vw/JqTB5Nlai9MLMYVZeDmRQ= -sigs.k8s.io/gateway-api v0.4.1 h1:Tof9/PNSZXyfDuTTe1XFvaTlvBRE6bKq1kmV6jj6rQE= -sigs.k8s.io/gateway-api v0.4.1/go.mod h1:r3eiNP+0el+NTLwaTfOrCNXy8TukC+dIM3ggc+fbNWk= +sigs.k8s.io/gateway-api v0.4.3 h1:9kdHAcfkyP7jVMSFshc8EYEKNLlFM7hbZL8vCKcMwps= +sigs.k8s.io/gateway-api v0.4.3/go.mod h1:r3eiNP+0el+NTLwaTfOrCNXy8TukC+dIM3ggc+fbNWk= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/kustomize/api v0.8.5/go.mod h1:M377apnKT5ZHJS++6H4rQoCHmWtt6qTpp3mbe7p6OLY= diff --git a/hack/generate-gateway-deployment.sh b/hack/generate-gateway-deployment.sh index ce2f39afbae..d0976d29850 100755 --- a/hack/generate-gateway-deployment.sh +++ b/hack/generate-gateway-deployment.sh @@ -48,10 +48,22 @@ done for y in "${REPO}/examples/gateway/"*.yaml ; do echo # Ensure we have at least one newline between joined fragments. + + # Since the Gateway YAMLs are pulled from the Gateway API repo, the manifests do not start with "---". case $y in - */00-crds.yaml) - # Since the Gateway CRDs are generated, the manifest does not start with "---". - echo "---" + */00-crds.yaml) + echo "---" + ;; + + */01-admission_webhook.yaml) + echo "---" + ;; + + */02-certificate_config.yaml) + echo "---" + ;; + esac + cat "$y" done diff --git a/hack/generate-provisioner-deployment.sh b/hack/generate-provisioner-deployment.sh index c44ffbcb6db..47ffd60ca9c 100755 --- a/hack/generate-provisioner-deployment.sh +++ b/hack/generate-provisioner-deployment.sh 
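Review bot: The three `case` branches added in `hack/generate-gateway-deployment.sh` all run the same `echo "---"`, and the hard-coded file list has to be edited whenever another imported manifest is added. The same triple appears in the second hunk of `hack/generate-provisioner-deployment.sh`. One alternated pattern keeps the behaviour and is shorter: `*/00-crds.yaml|*/01-admission_webhook.yaml|*/02-certificate_config.yaml) echo "---" ;;`. A missed entry here would silently merge two YAML documents in the rendered install file, so a single pattern (or a check of the file's first line) is less error-prone.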
@@ -14,6 +14,8 @@ exec > >(git stripspace >"$TARGET") # FILES defines the set of source files to render together. readonly FILES="examples/contour/01-crds.yaml examples/gateway/00-crds.yaml +examples/gateway/01-admission_webhook.yaml +examples/gateway/02-certificate_config.yaml examples/gateway-provisioner/*.yaml" # Write file header listing individual files used. @@ -36,10 +38,20 @@ for y in $FILES ; do # Ensure we have at least one newline between joined fragments. echo - # Since the Gateway CRDs are generated, the manifest does not start with "---", so insert it. + # Since the Gateway YAMLs are pulled from the Gateway API repo, the manifests do not start with "---". case $y in */gateway/00-crds.yaml) echo "---" + ;; + + */gateway/01-admission_webhook.yaml) + echo "---" + ;; + + */gateway/02-certificate_config.yaml) + echo "---" + ;; + esac # Write the file contents. diff --git a/test/e2e/gateway/invalid_forward_to_test.go b/test/e2e/gateway/invalid_forward_to_test.go index 2c737d4acfc..31595f504b6 100644 --- a/test/e2e/gateway/invalid_forward_to_test.go +++ b/test/e2e/gateway/invalid_forward_to_test.go @@ -63,28 +63,6 @@ func testInvalidForwardTo(namespace string) { }, }, }, - - { - Matches: []gatewayapi_v1alpha2.HTTPRouteMatch{ - { - Path: &gatewayapi_v1alpha2.HTTPPathMatch{ - Type: gatewayapi.PathMatchTypePtr(gatewayapi_v1alpha2.PathMatchPathPrefix), - Value: pointer.StringPtr("/invalidport"), - }, - }, - }, - BackendRefs: []gatewayapi_v1alpha2.HTTPBackendRef{ - { - BackendRef: gatewayapi_v1alpha2.BackendRef{ - BackendObjectReference: gatewayapi_v1alpha2.BackendObjectReference{ - Kind: gatewayapi.KindPtr("Service"), - Name: "echo-slash-default", - }, - }, - }, - }, - }, - { Matches: []gatewayapi_v1alpha2.HTTPRouteMatch{ { @@ -106,7 +84,6 @@ func testInvalidForwardTo(namespace string) { }, }, }, - { Matches: []gatewayapi_v1alpha2.HTTPRouteMatch{ { 
@@ -170,10 +147,6 @@ func testInvalidForwardTo(namespace string) { path: "/invalidref", expectResponse: 503, }, - { - path: "/invalidport", - expectResponse: 503, - }, { path: "/invalidservicename", expectResponse: 503, diff --git a/test/scripts/make-kind-cluster.sh b/test/scripts/make-kind-cluster.sh index 0a13db1fa06..2b01e23dce8 100755 --- a/test/scripts/make-kind-cluster.sh +++ b/test/scripts/make-kind-cluster.sh @@ -115,8 +115,11 @@ ${KUBECTL} apply -f https://github.com/jetstack/cert-manager/releases/download/v ${KUBECTL} wait --timeout="${WAITTIME}" -n cert-manager -l app=cert-manager deployments --for=condition=Available ${KUBECTL} wait --timeout="${WAITTIME}" -n cert-manager -l app=webhook deployments --for=condition=Available -# Install Gateway API CRDs. +# Install Gateway API CRDs and webhook. ${KUBECTL} apply -f "${REPO}/examples/gateway/00-crds.yaml" +${KUBECTL} apply -f "${REPO}/examples/gateway/01-admission_webhook.yaml" +${KUBECTL} apply -f "${REPO}/examples/gateway/02-certificate_config.yaml" +${KUBECTL} wait --timeout="${WAITTIME}" -n gateway-api deployment/gateway-api-admission-server --for=condition=Available # Install Contour CRDs. ${KUBECTL} apply -f "${REPO}/examples/contour/01-crds.yaml"
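Review bot: The added `wait` in `make-kind-cluster.sh` only covers `deployment/gateway-api-admission-server`, but the webhook is registered with `failurePolicy: Fail`. Its CA bundle appears to be written by the separate `gateway-api-admission-patch` Job from `02-certificate_config.yaml`. If that Job has not finished when the script moves on, creates and updates of Gateway API resources may be rejected and the e2e setup may flake. Consider also waiting for it: `${KUBECTL} wait --timeout="${WAITTIME}" -n gateway-api job/gateway-api-admission-patch --for=condition=Complete`.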