merge conflicts

CHANGELOG.md

@@ -19,6 +19,7 @@
 
 # Table of Contents
 
+- [1.3.0](#130)
 - [1.2.0](#120)
 - [1.1.0](#110)
 - [1.0.0](#100)
@@ -29,6 +30,94 @@
 - [0.2.0](#020)
 - [0.1.0](#010)
 
+# 1.3.0
+
+Welcome to the 1.3.0 release of apisix-ingress-controller!
+
+This is a **GA** release.
+
+## Highlights
+
+### Roadmap
+
+In next release(v1.4), all custom resource versions will be upgraded to version v2beta3, and version v2 will be GA released in version v1.5. Please go to [#707](https://github.com/apache/apisix-ingress-controller/issues/707) for detail.
+
+### Breaking Changes
+
+* In this release(v1.3), the CRD version has been upgraded to `apiextensions.k8s.io/v1`, which means that **the minimum version of Kubernetes supported by APISIX Ingress is v1.16 and later**.
+* The ValidatingWebhookConfiguration version has been upgraded to `admissionregistration.k8s.io/v1`, which means that if you want using the default Dynamic Admission Control, you need ensure that the Kubernetes cluster is at least as new as v1.16.
+
+### New Features
+
+* We have introduced the **v2beta2 version of ApisixRoute** and will drop support for `v2alpha1` ApisixRoute [#698](https://github.com/apache/apisix-ingress-controller/pull/698)
+* Add cert-manager support [#685](https://github.com/apache/apisix-ingress-controller/pull/685)
+* Add full compare when APISIX Ingress startup [#680](https://github.com/apache/apisix-ingress-controller/pull/680)
+* Support TLS for Ingress v1 [#634](https://github.com/apache/apisix-ingress-controller/pull/634)
+* Add admission server and a validation webhook for plugins [#573](https://github.com/apache/apisix-ingress-controller/pull/573)
+* Add `timeout` field for ApisixRoute CR [#609](https://github.com/apache/apisix-ingress-controller/pull/609)
+* Add new metrics `apisix_ingress_controller_check_cluster_health` and `apisix_ingress_controller_sync_success_total` [#627](https://github.com/apache/apisix-ingress-controller/pull/627)
+
+Please try out the release binaries and report any issues at
+https://github.com/apache/apisix-ingress-controller/issues.
+
+### Contributors
+
+* kv
+* Hoshea Jiang
+* Jintao Zhang
+* Sarasa Kisaragi
+* Baoyuan
+* SergeBakharev
+* Sindweller
+* chen zhuo
+* liuxiran
+* oliver
+
+### Changes
+<details><summary>27 commits</summary>
+<p>
+
+* [`a290f12`](https://github.com/apache/apisix-ingress-controller/commit/a290f12cac2d7c8bcc51863cf42bc13b59bfe128) docs: correct helm repo (#657)
+* [`a01888b`](https://github.com/apache/apisix-ingress-controller/commit/a01888bd195f59ae08a5e1399dd26f2ac438880a) feat: Change field retries to value from pointer. (#647)
+* [`6f46ac2`](https://github.com/apache/apisix-ingress-controller/commit/6f46ac29a1bf3e51987169153a10be223fcf414f) Make webhook cover ApisixRoute v2beta2 (#705)
+* [`9dd4f40`](https://github.com/apache/apisix-ingress-controller/commit/9dd4f40b9fc74be6c29ba11cf9086ecbbd51f9e2) feat: add webhooks for consumer/tls/upstream (#667)
+* [`657a1fd`](https://github.com/apache/apisix-ingress-controller/commit/657a1fd1d06b05015e609c5e50107c7358fc44c0) doc: add grpc proxy (#699)
+* [`88be11a`](https://github.com/apache/apisix-ingress-controller/commit/88be11a895d72dfa7d0fef09e2b7d00b3210efe9) fix: CRD v1 preserve unknown fields (#702)
+* [`d46b248`](https://github.com/apache/apisix-ingress-controller/commit/d46b2485834e0ab4198a567cc9a8d3d2bcc60e6b) feat: upgrade ApisixRoute v2beta2 apiversion. (#698)
+* [`736aba3`](https://github.com/apache/apisix-ingress-controller/commit/736aba38f7de1fef03b6b818aa93e343b1666c95) feat: upgrade admission apiversion to v1 (#697)
+* [`0630ac5`](https://github.com/apache/apisix-ingress-controller/commit/0630ac55697eaf01017715fcad87b154cb64d9d4) feat: upgrade CRD version to v1 (#693)
+* [`957c315`](https://github.com/apache/apisix-ingress-controller/commit/957c31522e1b1e5f8ef9cab7eb244473a4e0f675) feat: add full compare when ingress startup (#680)
+* [`1b71fa3`](https://github.com/apache/apisix-ingress-controller/commit/1b71fa32a45d5b5e8e8fc0ed1b761814d169e51f) feat: support cert-manager (#685)
+* [`3e9bdbf`](https://github.com/apache/apisix-ingress-controller/commit/3e9bdbf0cee6d49c8e0db27152d46565df704e8c) fix: the fields in UpstreamPassiveHealthCheckUnhealthy should be timeouts (#687)
+* [`5c9cdbe`](https://github.com/apache/apisix-ingress-controller/commit/5c9cdbe7fc2c28f3023d635dbbd9bc833388a2bf) fix: remove the step of deleting httpbinsvc (#677)
+* [`7216532`](https://github.com/apache/apisix-ingress-controller/commit/721653216b8fe199c15c23aa726157215b12af3a) Remove volumeMounts when webhook is disabled (#679)
+* [`1e1be74`](https://github.com/apache/apisix-ingress-controller/commit/1e1be7401ba3707ba660a7d61df5118fc5725eff) add metric: check_cluster_health and sync_operation_total (#627)
+* [`6a8658d`](https://github.com/apache/apisix-ingress-controller/commit/6a8658db1788c687c70c9f235601cc8224e0b38c) fix: add initContainers to verify if apisix is ready (#660)
+* [`d4a832c`](https://github.com/apache/apisix-ingress-controller/commit/d4a832cf57eb633e8bc1a3bb1a71ba0ae2360337) feat: route crd add timeout fields (#609)
+* [`a9960c2`](https://github.com/apache/apisix-ingress-controller/commit/a9960c2a266686fc438451904c8d66430a7d70ee) Add API for getting schema of route, upstream and consumer (#655)
+* [`75a2aaa`](https://github.com/apache/apisix-ingress-controller/commit/75a2aaa979c61aaeab9b5412b937a618d1f56bca) feat: Implement the admission server and a validation webhook for plugins (#573)
+* [`270a176`](https://github.com/apache/apisix-ingress-controller/commit/270a176a39d34e1d0b213c9d190368919612db9c) fix: e2e failure due to count returned by APISIX (#640)
+* [`c284f38`](https://github.com/apache/apisix-ingress-controller/commit/c284f382576251c7d849a43710f8d09667b05dd1) docs: update practices index for website (#654)
+* [`9ab367f`](https://github.com/apache/apisix-ingress-controller/commit/9ab367f9d35e67616f678471d3407566a2b6b126) docs: Supplement FAQ for the error log 'no matches for kind "ApisixRoute" in version "apisix.apache.org/v2beta1"' (#651)
+* [`62b7590`](https://github.com/apache/apisix-ingress-controller/commit/62b7590443e037ecd6b41521accea567e09ad340) feat: support TLS for ingress v1 (#634)
+* [`68b7d7d`](https://github.com/apache/apisix-ingress-controller/commit/68b7d7d231f548d61455f0e95a4ae157de0f5ff8) chore: release v1.2.0 (#633)
+* [`d537ddc`](https://github.com/apache/apisix-ingress-controller/commit/d537ddc62bfabfe383c0bd402833377003a1d8dc) feat: add link check (#635)
+* [`d7128a1`](https://github.com/apache/apisix-ingress-controller/commit/d7128a1812053e9341f59f0e9c13c1c513c9db42) chore: skip CodeQL if go files have no changes (#636)
+* [`d8854c3`](https://github.com/apache/apisix-ingress-controller/commit/d8854c3bf7fefbc54c0d5b00b5ad669044f791f2) docs: fix config.json (#628)
+</p>
+</details>
+
+### Dependency Changes
+
+* **github.com/fsnotify/fsnotify**         v1.5.0 **_new_**
+* **github.com/prometheus/client_golang**  v1.7.1 -> v1.10.0
+* **github.com/slok/kubewebhook/v2**       v2.1.0 **_new_**
+* **github.com/stretchr/testify**          v1.6.1 -> v1.7.0
+* **github.com/xeipuuv/gojsonschema**      v1.2.0 **_new_**
+* **golang.org/x/sys**                     0f9fa26af87c -> bce67f096156
+
+Previous release can be found at [1.2.0](https://github.com/apache/apisix-ingress-controller/releases/tag/1.2.0)
+
 # 1.2.0
 
 Welcome to the 1.2.0 release of apisix-ingress-controller!

Makefile

@@ -16,7 +16,7 @@
 #
 default: help
 
-VERSION ?= 1.2.0
+VERSION ?= 1.3.0
 RELEASE_SRC = apache-apisix-ingress-controller-${VERSION}-src
 LOCAL_REGISTRY="localhost:5000"
 IMAGE_TAG ?= dev

cmd/ingress/ingress.go

@@ -143,7 +143,8 @@ the apisix cluster and others are created`,
 	cmd.PersistentFlags().BoolVar(&cfg.EnableProfiling, "enable-profiling", true, "enable profiling via web interface host:port/debug/pprof")
 	cmd.PersistentFlags().StringVar(&cfg.Kubernetes.Kubeconfig, "kubeconfig", "", "Kubernetes configuration file (by default in-cluster configuration will be used)")
 	cmd.PersistentFlags().DurationVar(&cfg.Kubernetes.ResyncInterval.Duration, "resync-interval", time.Minute, "the controller resync (with Kubernetes) interval, the minimum resync interval is 30s")
-	cmd.PersistentFlags().StringSliceVar(&cfg.Kubernetes.AppNamespaces, "app-namespace", []string{config.NamespaceAll}, "namespaces that controller will watch for resources")
+	cmd.PersistentFlags().StringSliceVar(&cfg.Kubernetes.AppNamespaces, "app-namespace", []string{config.NamespaceAll}, "namespaces that controller will watch for resources.")
+	cmd.PersistentFlags().StringSliceVar(&cfg.Kubernetes.NamespaceSelector, "namespace-selector", []string{""}, "labels that controller used to select namespaces which will watch for resources")
 	cmd.PersistentFlags().StringVar(&cfg.Kubernetes.IngressClass, "ingress-class", config.IngressClass, "the class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.18.0 or higher or the annotation \"kubernetes.io/ingress.class\" (deprecated)")
 	cmd.PersistentFlags().StringVar(&cfg.Kubernetes.ElectionID, "election-id", config.IngressAPISIXLeader, "election id used for campaign the controller leader")
 	cmd.PersistentFlags().StringVar(&cfg.Kubernetes.IngressVersion, "ingress-version", config.IngressNetworkingV1, "the supported ingress api group version, can be \"networking/v1beta1\", \"networking/v1\" (for Kubernetes version v1.19.0 or higher) and \"extensions/v1beta1\"")
@@ -155,5 +156,8 @@ the apisix cluster and others are created`,
 	cmd.PersistentFlags().StringVar(&cfg.APISIX.DefaultClusterAdminKey, "default-apisix-cluster-admin-key", "", "admin key used for the authorization of admin api / manager api for the default APISIX cluster")
 	cmd.PersistentFlags().StringVar(&cfg.APISIX.DefaultClusterName, "default-apisix-cluster-name", "default", "name of the default apisix cluster")
 
+	if err := cmd.PersistentFlags().MarkDeprecated("app-namespace", "use namespace-selector instead"); err != nil {
+		dief("failed to mark `app-namespace` as deprecated: %s", err)
+	}
 	return cmd
 }

conf/config-default.yaml

@@ -44,6 +44,10 @@ kubernetes:
                                        # and the minimal resync interval is 30s.
   app_namespaces: ["*"]                # namespace list that controller will watch for resources,
                                        # by default all namespaces (represented by "*") are watched.
+                                       # The `app_namespace` is deprecated, using `namespace_selector` instead since version 1.4.0
+  namespace_selector: [""]             # namespace_selector represent basis for selecting managed namespaces.
+                                       # the field is support since version 1.4.0
+                                       # For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching"
   election_id: "ingress-apisix-leader" # the election id for the controller leader campaign,
                                        # only the leader will watch and delivery resource changes,
                                        # other instances (as candidates) stand by.
@@ -56,9 +60,8 @@ kubernetes:
                                        # "extensions/v1beta1", default is "networking/v1".
   watch_endpointslices: false          # whether to watch EndpointSlices rather than Endpoints.
 
-  apisix_route_version: "apisix.apache.org/v2alpha1" # the supported apisixroute api group version, can be
-                                                     # "apisix.apache.org/v1" or "apisix.apache.org/v2alpha1",
-                                                     # default is "apisix.apache.org/v2alpha1".
+  apisix_route_version: "apisix.apache.org/v2beta2"  # the supported apisixroute api group version.
+                                                     # the latest version is "apisix.apache.org/v2beta2".
 # APISIX related configurations.
 apisix:
   base_url: "http://127.0.0.1:9080/apisix/admin" # (Deprecated, use default_cluster_base_url) the APISIX admin api / manager api

docs/en/latest/getting-started.md

@@ -76,7 +76,8 @@ The following table describes the compatibility between apisix-ingress-controlle
 
 | apisix-ingress-controller | Apache APISIX |
 | ----:| ---:|
-| `master` | `>= 2.7`, `2.8` is recommended. |
+| `master` | `>= 2.7`, `2.10` is recommended. |
+| `1.3.0` | `>= 2.7`, `2.10` is recommended. |
 | `1.2.0` | `>= 2.7`, `2.8` is recommended. |
 | `1.1.0` | `>= 2.7`, `2.7` is recommended. |
 | `1.1.0` | `>= 2.7`, `2.7` is recommended. |

docs/en/latest/practices/the-hard-way.md

@@ -621,8 +621,8 @@ data:
     kubernetes:
       kubeconfig: ""
       resync_interval: "30s"
-      app_namespaces:
-      - "*"
+      namespace_selector:
+      - "apisix.ingress=watching"
       ingress_class: "apisix"
       ingress_version: "networking/v1"
       apisix_route_version: "apisix.apache.org/v2beta1"

docs/en/latest/upgrade.md

@@ -0,0 +1,71 @@
+---
+title: Upgrade Guide
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Validate Compatibility
+
+Apache APISIX Ingress project is a continuously actively developed project.
+In order to make it better, some broken changes will be added when the new version is released.
+For users, how to upgrade safely becomes very important.
+
+The policy directory of this project contains these compatibility check strategies,
+you can use the [`conftest`](https://github.com/open-policy-agent/conftest) tool to check the compatibility.
+
+Here's a quick example.
+
+```yaml
+apiVersion: apisix.apache.org/v2beta2
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /ip
+     exprs:
+     - subject:
+         scope: Header
+         name: X-Foo
+       op: Equal
+       value: bar
+   backend:
+     serviceName: httpbin
+     servicePort: 80
+```
+
+It uses the `spec.http.backend` field that has been removed.
+Save as httpbin-route.yaml.
+
+Use conftest for compatibility check.
+
+```bash
+$ conftest test httpbin-route.yaml
+FAIL - httpbin-route.yaml - main - ApisixRoute/httpbin-route: rule1 field http.backend has been removed, use http.backends instead.
+
+2 tests, 1 passed, 0 warnings, 1 failure, 0 exceptions
+```
+
+Incompatible parts will generate errors.

pkg/config/config.go

@@ -17,12 +17,14 @@ package config
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"strings"
 	"time"
 
 	"gopkg.in/yaml.v2"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/validation"
 
 	"github.com/apache/apisix-ingress-controller/pkg/types"
 )
@@ -77,6 +79,7 @@ type KubernetesConfig struct {
 	Kubeconfig          string             `json:"kubeconfig" yaml:"kubeconfig"`
 	ResyncInterval      types.TimeDuration `json:"resync_interval" yaml:"resync_interval"`
 	AppNamespaces       []string           `json:"app_namespaces" yaml:"app_namespaces"`
+	NamespaceSelector   []string           `json:"namespace_selector" yaml:"namespace_selector"`
 	ElectionID          string             `json:"election_id" yaml:"election_id"`
 	IngressClass        string             `json:"ingress_class" yaml:"ingress_class"`
 	IngressVersion      string             `json:"ingress_version" yaml:"ingress_version"`
@@ -174,6 +177,10 @@ func (cfg *Config) Validate() error {
 		return errors.New("unsupported ingress version")
 	}
 	cfg.Kubernetes.AppNamespaces = purifyAppNamespaces(cfg.Kubernetes.AppNamespaces)
+	ok, err := cfg.verifyNamespaceSelector()
+	if !ok {
+		return err
+	}
 	return nil
 }
 
@@ -191,3 +198,48 @@ func purifyAppNamespaces(namespaces []string) []string {
 	}
 	return ultimate
 }
+
+func (cfg *Config) verifyNamespaceSelector() (bool, error) {
+	labels := cfg.Kubernetes.NamespaceSelector
+	// default is [""]
+	if len(labels) == 1 && labels[0] == "" {
+		cfg.Kubernetes.NamespaceSelector = []string{}
+	}
+
+	for _, s := range cfg.Kubernetes.NamespaceSelector {
+		parts := strings.Split(s, "=")
+		if len(parts) != 2 {
+			return false, fmt.Errorf("Illegal namespaceSelector: %s, should be key-value pairs divided by = ", s)
+		} else {
+			if err := cfg.validateLabelKey(parts[0]); err != nil {
+				return false, err
+			}
+			if err := cfg.validateLabelValue(parts[1]); err != nil {
+				return false, err
+			}
+		}
+	}
+	return true, nil
+}
+
+// validateLabelKey validate the key part of label
+// ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
+func (cfg *Config) validateLabelKey(key string) error {
+	errorMsg := validation.IsQualifiedName(key)
+	msg := strings.Join(errorMsg, "\n")
+	if msg == "" {
+		return nil
+	}
+	return fmt.Errorf("Illegal namespaceSelector: %s, "+msg, key)
+}
+
+// validateLabelValue validate the value part of label
+// ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
+func (cfg *Config) validateLabelValue(value string) error {
+	errorMsg := validation.IsValidLabelValue(value)
+	msg := strings.Join(errorMsg, "\n")
+	if msg == "" {
+		return nil
+	}
+	return fmt.Errorf("Illegal namespaceSelector: %s, "+msg, value)
+}

pkg/ingress/apisix_cluster_config.go

@@ -143,7 +143,7 @@ func (c *apisixClusterConfigController) sync(ctx context.Context, ev *types.Even
 				zap.Any("opts", clusterOpts),
 			)
 			c.controller.recorderEvent(acc, corev1.EventTypeWarning, _resourceSyncAborted, err)
-			c.controller.recordStatus(acc, _resourceSyncAborted, err, metav1.ConditionFalse)
+			c.controller.recordStatus(acc, _resourceSyncAborted, err, metav1.ConditionFalse, acc.GetGeneration())
 			return err
 		}
 	}
@@ -157,7 +157,7 @@ func (c *apisixClusterConfigController) sync(ctx context.Context, ev *types.Even
 			zap.Any("object", acc),
 		)
 		c.controller.recorderEvent(acc, corev1.EventTypeWarning, _resourceSyncAborted, err)
-		c.controller.recordStatus(acc, _resourceSyncAborted, err, metav1.ConditionFalse)
+		c.controller.recordStatus(acc, _resourceSyncAborted, err, metav1.ConditionFalse, acc.GetGeneration())
 		return err
 	}
 	log.Debugw("translated global_rule",
@@ -176,11 +176,11 @@ func (c *apisixClusterConfigController) sync(ctx context.Context, ev *types.Even
 			zap.Any("cluster", acc.Name),
 		)
 		c.controller.recorderEvent(acc, corev1.EventTypeWarning, _resourceSyncAborted, err)
-		c.controller.recordStatus(acc, _resourceSyncAborted, err, metav1.ConditionFalse)
+		c.controller.recordStatus(acc, _resourceSyncAborted, err, metav1.ConditionFalse, acc.GetGeneration())
 		return err
 	}
 	c.controller.recorderEvent(acc, corev1.EventTypeNormal, _resourceSynced, nil)
-	c.controller.recordStatus(acc, _resourceSynced, nil, metav1.ConditionTrue)
+	c.controller.recordStatus(acc, _resourceSynced, nil, metav1.ConditionTrue, acc.GetGeneration())
 	return nil
 }
 

pkg/ingress/apisix_consumer.go

@@ -116,7 +116,7 @@ func (c *apisixConsumerController) sync(ctx context.Context, ev *types.Event) er
 			zap.Any("ApisixConsumer", ac),
 		)
 		c.controller.recorderEvent(ac, corev1.EventTypeWarning, _resourceSyncAborted, err)
-		c.controller.recordStatus(ac, _resourceSyncAborted, err, metav1.ConditionFalse)
+		c.controller.recordStatus(ac, _resourceSyncAborted, err, metav1.ConditionFalse, ac.GetGeneration())
 		return err
 	}
 	log.Debug("got consumer object from ApisixConsumer",
@@ -130,7 +130,7 @@ func (c *apisixConsumerController) sync(ctx context.Context, ev *types.Event) er
 			zap.Any("consumer", consumer),
 		)
 		c.controller.recorderEvent(ac, corev1.EventTypeWarning, _resourceSyncAborted, err)
-		c.controller.recordStatus(ac, _resourceSyncAborted, err, metav1.ConditionFalse)
+		c.controller.recordStatus(ac, _resourceSyncAborted, err, metav1.ConditionFalse, ac.GetGeneration())
 		return err
 	}