support ingress secret&skip mcp validate (alibaba#36)

Makefile.core.mk

@@ -4,6 +4,8 @@ export BASE_VERSION ?= 2022-10-27T19-02-22
 
 export HUB ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
 
+export CHARTS ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/charts
+
 GO ?= go
 
 GOARCH_LOCAL := $(TARGET_ARCH)
@@ -94,11 +96,11 @@ build-gateway: prebuild external/package/envoy.tar.gz
 	cd external/istio; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
 
 helm-push:
-	cd helm; tar -zcf higress.tgz higress; helm push higress.tgz "oci://$(HUB)/charts"
+	cd helm; tar -zcf higress.tgz higress; helm push higress.tgz "oci://$(CHARTS)"
 
 helm-push-istio:
 	cd helm/istio; helm dependency update
-	cd helm; tar -zcf istio.tgz istio; helm push istio.tgz "oci://$(HUB)/charts"
+	cd helm; tar -zcf istio.tgz istio; helm push istio.tgz "oci://$(CHARTS)"
 
 
 DIRS_TO_CLEAN := $(OUT)

helm/higress/templates/clusterrole.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.gateway.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

istio/1.12/patches/istio/20221107-mcp-skip-validate.patch

@@ -0,0 +1,12 @@
+diff -Naur istio/pilot/pkg/bootstrap/configcontroller.go new/pilot/pkg/bootstrap/configcontroller.go
+--- istio/pilot/pkg/bootstrap/configcontroller.go	2022-11-07 21:47:11.000000000 +0800
++++ new/pilot/pkg/bootstrap/configcontroller.go	2022-11-07 21:50:31.000000000 +0800
+@@ -250,7 +250,7 @@
+ 			if err != nil {
+ 				return fmt.Errorf("failed to dial XDS %s %v", configSource.Address, err)
+ 			}
+-			store := memory.Make(collections.Pilot)
++			store := memory.MakeSkipValidation(collections.Pilot)
+ 			configController := memory.NewController(store)
+ 			configController.RegisterHasSyncedHandler(xdsMCP.HasSynced)
+ 			xdsMCP.Store = model.MakeIstioStore(configController)

istio/1.12/patches/istio/20221107-support-ingress-secret.patch

@@ -0,0 +1,37 @@
+diff -Naur istio/pilot/pkg/model/credentials/ali_resource.go new/pilot/pkg/model/credentials/ali_resource.go
+--- istio/pilot/pkg/model/credentials/ali_resource.go	2022-11-07 21:40:10.000000000 +0800
++++ new/pilot/pkg/model/credentials/ali_resource.go	2022-11-07 19:03:22.000000000 +0800
+@@ -4,6 +4,7 @@
+ 	"fmt"
+ 	"strings"
+
++	"istio.io/istio/pilot/pkg/features"
+ 	"istio.io/istio/pkg/cluster"
+ )
+
+@@ -13,6 +14,9 @@
+ )
+
+ func ToKubernetesIngressResource(clusterId, namespace, name string) string {
++	if clusterId == "" {
++		clusterId = features.ClusterName
++	}
+ 	return fmt.Sprintf("%s://%s/%s/%s", KubernetesIngressSecretType, clusterId, namespace, name)
+ }
+
+diff -Naur istio/pilot/pkg/xds/sds.go new/pilot/pkg/xds/sds.go
+--- istio/pilot/pkg/xds/sds.go	2022-11-07 21:40:10.000000000 +0800
++++ new/pilot/pkg/xds/sds.go	2022-11-07 21:44:28.000000000 +0800
+@@ -229,6 +229,12 @@
+ 			} else {
+ 				deniedResources = append(deniedResources, r.Name)
+ 			}
++		case credentials.KubernetesIngressSecretType:
++			if isAuthorized() {
++				allowedResources = append(allowedResources, r)
++			} else {
++				deniedResources = append(deniedResources, r.Name)
++			}
+ 		default:
+ 			// Should never happen
+ 			log.Warnf("unknown credential type %q", r.Type)