From 80cb45fd9600ac6d14797780954cc3ed8fce8bab Mon Sep 17 00:00:00 2001
From: Pamme Crandall
Date: Wed, 27 Jul 2022 10:16:21 -0600
Subject: [PATCH] Helm release - 1.5.0
---
helm-chart/Chart.yaml | 4 +-
.../configs/grafana-dashboard-conf.yaml | 11 -
.../configs/grafana-datasources-conf.yaml | 12 -
helm-chart/configs/grafana-top-dashboard.json | 697 ------------------
helm-chart/configs/grafana.ini | 15 -
helm-chart/configs/mesh-config.conf | 9 +-
helm-chart/crds/httproutegroup.yaml | 94 ++-
helm-chart/crds/tcproute.yaml | 37 +-
helm-chart/crds/trafficsplit.yaml | 114 +--
helm-chart/crds/traffictarget.yaml | 124 ++--
helm-chart/templates/_helpers.tpl | 36 +-
helm-chart/templates/grafana.yaml | 137 ----
helm-chart/templates/jaeger.yaml | 60 --
helm-chart/templates/nats.yaml | 21 +-
helm-chart/templates/nginx-mesh-api.yaml | 24 +-
helm-chart/templates/nginx-mesh-metrics.yaml | 13 +-
helm-chart/templates/post-upgrade-hook.yaml | 78 +-
helm-chart/templates/pre-upgrade-hook.yaml | 85 ++-
helm-chart/templates/prometheus.yaml | 114 ---
helm-chart/templates/spire-agent.yaml | 4 +-
helm-chart/templates/spire-server.yaml | 4 +-
helm-chart/templates/zipkin.yaml | 46 --
helm-chart/values.schema.json | 38 +-
helm-chart/values.yaml | 45 +-
24 files changed, 445 insertions(+), 1377 deletions(-)
delete mode 100644 helm-chart/configs/grafana-dashboard-conf.yaml
delete mode 100644 helm-chart/configs/grafana-datasources-conf.yaml
delete mode 100644 helm-chart/configs/grafana-top-dashboard.json
delete mode 100644 helm-chart/configs/grafana.ini
delete mode 100644 helm-chart/templates/grafana.yaml
delete mode 100644 helm-chart/templates/jaeger.yaml
delete mode 100644 helm-chart/templates/prometheus.yaml
delete mode 100644 helm-chart/templates/zipkin.yaml
diff --git a/helm-chart/Chart.yaml b/helm-chart/Chart.yaml
index 7aadef69..e6f70328 100644
--- a/helm-chart/Chart.yaml
+++ b/helm-chart/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: nginx-service-mesh
description: NGINX Service Mesh
-version: 0.4.1
-appVersion: 1.4.1
+version: 0.5.0
+appVersion: 1.5.0
kubeVersion: ">= 1.18-0"
icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
diff --git a/helm-chart/configs/grafana-dashboard-conf.yaml b/helm-chart/configs/grafana-dashboard-conf.yaml
deleted file mode 100644
index 9ee1af72..00000000
--- a/helm-chart/configs/grafana-dashboard-conf.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: 1
-providers:
-- name: 'default'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: true
- editable: true
- options:
- path: /var/lib/grafana/dashboards
- homeDashboardId: nginx-mesh-top
diff --git a/helm-chart/configs/grafana-datasources-conf.yaml b/helm-chart/configs/grafana-datasources-conf.yaml
deleted file mode 100644
index acce701b..00000000
--- a/helm-chart/configs/grafana-datasources-conf.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: 1
-datasources:
-- name: prometheus
- type: prometheus
- access: proxy
- orgId: 1
- url: http://{{ include "prometheus.address" . }}
- isDefault: true
- jsonData:
- timeInterval: "5s"
-version: 1
-editable: true
diff --git a/helm-chart/configs/grafana-top-dashboard.json b/helm-chart/configs/grafana-top-dashboard.json
deleted file mode 100644
index d7a46b4f..00000000
--- a/helm-chart/configs/grafana-top-dashboard.json
+++ /dev/null
@@ -1,697 +0,0 @@
-{
- "annotations": {
- "list": [
- {
- "builtIn": 1,
- "datasource": "-- Grafana --",
- "enable": true,
- "hide": true,
- "iconColor": "rgba(0, 211, 255, 1)",
- "name": "Annotations & Alerts",
- "type": "dashboard"
- }
- ]
- },
- "editable": true,
- "gnetId": null,
- "graphTooltip": 0,
- "id": null,
- "links": [],
- "panels": [
- {
- "cacheTimeout": null,
- "colorBackground": false,
- "colorValue": false,
- "colors": [
- "#299c46",
- "rgba(237, 129, 40, 0.89)",
- "#d44a3a"
- ],
- "datasource": "prometheus",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "format": "percentunit",
- "gauge": {
- "maxValue": 100,
- "minValue": 0,
- "show": false,
- "thresholdLabels": false,
- "thresholdMarkers": true
- },
- "gridPos": {
- "h": 6,
- "w": 8,
- "x": 0,
- "y": 0
- },
- "id": 4,
- "interval": null,
- "links": [],
- "mappingType": 1,
- "mappingTypes": [
- {
- "name": "value to text",
- "value": 1
- },
- {
- "name": "range to text",
- "value": 2
- }
- ],
- "maxDataPoints": 100,
- "nullPointMode": "connected",
- "nullText": null,
- "postfix": "",
- "postfixFontSize": "50%",
- "prefix": "",
- "prefixFontSize": "50%",
- "rangeMaps": [
- {
- "from": "null",
- "text": "N/A",
- "to": "null"
- }
- ],
- "sparkline": {
- "fillColor": "rgba(31, 118, 189, 0.18)",
- "full": true,
- "lineColor": "rgb(31, 120, 193)",
- "show": true
- },
- "tableColumn": "",
- "targets": [
- {
- "expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) / sum(irate(nginxplus_upstream_server_responses[30s]))",
- "format": "time_series",
- "interval": "5s",
- "intervalFactor": 1,
- "refId": "A"
- }
- ],
- "thresholds": "",
- "title": "GLOBAL SUCCESS RATE",
- "type": "singlestat",
- "valueFontSize": "80%",
- "valueMaps": [
- {
- "op": "=",
- "text": "N/A",
- "value": "null"
- }
- ],
- "valueName": "current"
- },
- {
- "cacheTimeout": null,
- "colorBackground": false,
- "colorValue": false,
- "colors": [
- "#299c46",
- "rgba(237, 129, 40, 0.89)",
- "#d44a3a"
- ],
- "datasource": "prometheus",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "format": "reqps",
- "gauge": {
- "maxValue": 100,
- "minValue": 0,
- "show": false,
- "thresholdLabels": false,
- "thresholdMarkers": true
- },
- "gridPos": {
- "h": 6,
- "w": 13,
- "x": 8,
- "y": 0
- },
- "id": 6,
- "interval": null,
- "links": [],
- "mappingType": 1,
- "mappingTypes": [
- {
- "name": "value to text",
- "value": 1
- },
- {
- "name": "range to text",
- "value": 2
- }
- ],
- "maxDataPoints": 100,
- "nullPointMode": "connected",
- "nullText": null,
- "postfix": "",
- "postfixFontSize": "50%",
- "prefix": "",
- "prefixFontSize": "50%",
- "rangeMaps": [
- {
- "from": "null",
- "text": "N/A",
- "to": "null"
- }
- ],
- "sparkline": {
- "fillColor": "rgba(31, 118, 189, 0.18)",
- "full": true,
- "lineColor": "rgb(31, 120, 193)",
- "show": true
- },
- "tableColumn": "",
- "targets": [
- {
- "expr": "sum(irate(nginxplus_http_requests_total[30s]))",
- "format": "time_series",
- "interval": "5s",
- "intervalFactor": 1,
- "refId": "A"
- }
- ],
- "thresholds": "",
- "title": "GLOBAL REQUEST VOLUME",
- "type": "singlestat",
- "valueFontSize": "80%",
- "valueMaps": [
- {
- "op": "=",
- "text": "N/A",
- "value": "null"
- }
- ],
- "valueName": "current"
- },
- {
- "cacheTimeout": null,
- "colorBackground": false,
- "colorValue": false,
- "colors": [
- "#299c46",
- "rgba(237, 129, 40, 0.89)",
- "#d44a3a"
- ],
- "datasource": "prometheus",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "format": "none",
- "gauge": {
- "maxValue": 100,
- "minValue": 0,
- "show": false,
- "thresholdLabels": false,
- "thresholdMarkers": true
- },
- "gridPos": {
- "h": 6,
- "w": 3,
- "x": 21,
- "y": 0
- },
- "id": 5,
- "interval": null,
- "links": [],
- "mappingType": 1,
- "mappingTypes": [
- {
- "name": "value to text",
- "value": 1
- },
- {
- "name": "range to text",
- "value": 2
- }
- ],
- "maxDataPoints": 100,
- "nullPointMode": "connected",
- "nullText": null,
- "postfix": "",
- "postfixFontSize": "50%",
- "prefix": "",
- "prefixFontSize": "50%",
- "rangeMaps": [
- {
- "from": "null",
- "text": "N/A",
- "to": "null"
- }
- ],
- "sparkline": {
- "fillColor": "rgba(31, 118, 189, 0.18)",
- "full": true,
- "lineColor": "rgb(31, 120, 193)",
- "show": false
- },
- "tableColumn": "",
- "targets": [
- {
- "expr": "count(nginxplus_http_requests_total)",
- "format": "time_series",
- "interval": "5s",
- "intervalFactor": 1,
- "refId": "A"
- }
- ],
- "thresholds": "",
- "title": "PODS MONITORED",
- "type": "singlestat",
- "valueFontSize": "200%",
- "valueMaps": [
- {
- "op": "=",
- "text": "N/A",
- "value": "null"
- }
- ],
- "valueName": "current"
- },
- {
- "aliasColors": {},
- "bars": false,
- "dashLength": 10,
- "dashes": false,
- "datasource": "prometheus",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "fill": 1,
- "fillGradient": 0,
- "gridPos": {
- "h": 9,
- "w": 12,
- "x": 0,
- "y": 6
- },
- "hiddenSeries": false,
- "id": 2,
- "legend": {
- "avg": false,
- "current": false,
- "max": false,
- "min": false,
- "show": true,
- "total": false,
- "values": false
- },
- "lines": true,
- "linewidth": 1,
- "links": [],
- "nullPointMode": "null",
- "options": {
- "alertThreshold": true
- },
- "percentage": false,
- "pluginVersion": "8.3.4",
- "pointradius": 5,
- "points": false,
- "renderer": "flot",
- "seriesOverrides": [],
- "spaceLength": 10,
- "stack": false,
- "steppedLine": false,
- "targets": [
- {
- "expr": "irate(nginxplus_http_requests_total[30s])",
- "format": "time_series",
- "interval": "",
- "intervalFactor": 1,
- "refId": "A"
- }
- ],
- "thresholds": [],
- "timeFrom": null,
- "timeRegions": [],
- "timeShift": null,
- "title": "Request Volume",
- "tooltip": {
- "shared": true,
- "sort": 0,
- "value_type": "individual"
- },
- "type": "graph",
- "xaxis": {
- "buckets": null,
- "mode": "time",
- "name": null,
- "show": true,
- "values": []
- },
- "yaxes": [
- {
- "format": "reqps",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": "0",
- "show": true
- },
- {
- "format": "short",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": null,
- "show": true
- }
- ],
- "yaxis": {
- "align": false,
- "alignLevel": null
- }
- },
- {
- "aliasColors": {},
- "bars": false,
- "dashLength": 10,
- "dashes": false,
- "datasource": "prometheus",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "fill": 1,
- "fillGradient": 0,
- "gridPos": {
- "h": 9,
- "w": 12,
- "x": 12,
- "y": 6
- },
- "hiddenSeries": false,
- "id": 123124,
- "legend": {
- "avg": false,
- "current": false,
- "max": false,
- "min": false,
- "show": true,
- "total": false,
- "values": false
- },
- "lines": true,
- "linewidth": 1,
- "links": [],
- "nullPointMode": "null",
- "options": {
- "alertThreshold": true
- },
- "percentage": false,
- "pluginVersion": "8.3.4",
- "pointradius": 5,
- "points": false,
- "renderer": "flot",
- "seriesOverrides": [],
- "spaceLength": 10,
- "stack": false,
- "steppedLine": false,
- "targets": [
- {
- "expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) by (app, version) / sum(irate(nginxplus_upstream_server_responses[30s])) by (app, version)",
- "format": "time_series",
- "instant": false,
- "interval": "",
- "intervalFactor": 1,
- "legendFormat": "",
- "refId": "A"
- }
- ],
- "thresholds": [],
- "timeFrom": null,
- "timeRegions": [],
- "timeShift": null,
- "title": "Pod Success",
- "tooltip": {
- "shared": true,
- "sort": 0,
- "value_type": "individual"
- },
- "type": "graph",
- "xaxis": {
- "buckets": null,
- "mode": "time",
- "name": null,
- "show": true,
- "values": []
- },
- "yaxes": [
- {
- "format": "percentunit",
- "label": null,
- "logBase": 1,
- "max": "1",
- "min": "0",
- "show": true
- },
- {
- "format": "short",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": null,
- "show": true
- }
- ],
- "yaxis": {
- "align": false,
- "alignLevel": null
- }
- },
- {
- "aliasColors": {},
- "bars": false,
- "dashLength": 10,
- "dashes": false,
- "datasource": null,
- "description": "RSS used by NGINX Service Mesh sidecars",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "fill": 1,
- "fillGradient": 0,
- "gridPos": {
- "h": 8,
- "w": 12,
- "x": 0,
- "y": 15
- },
- "hiddenSeries": false,
- "id": 123126,
- "legend": {
- "avg": false,
- "current": false,
- "max": false,
- "min": false,
- "show": true,
- "total": false,
- "values": false
- },
- "lines": true,
- "linewidth": 1,
- "nullPointMode": "null",
- "options": {
- "alertThreshold": true
- },
- "percentage": false,
- "pluginVersion": "8.3.4",
- "pointradius": 2,
- "points": false,
- "renderer": "flot",
- "seriesOverrides": [],
- "spaceLength": 10,
- "stack": false,
- "steppedLine": false,
- "targets": [
- {
- "expr": "nginxplus_workers_mem_rss",
- "interval": "",
- "legendFormat": "",
- "refId": "A"
- }
- ],
- "thresholds": [],
- "timeFrom": null,
- "timeRegions": [],
- "timeShift": null,
- "title": "Sidecar Memory Usage (RSS)",
- "tooltip": {
- "shared": true,
- "sort": 0,
- "value_type": "individual"
- },
- "type": "graph",
- "xaxis": {
- "buckets": null,
- "mode": "time",
- "name": null,
- "show": true,
- "values": []
- },
- "yaxes": [
- {
- "format": "decbytes",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": null,
- "show": true
- },
- {
- "format": "short",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": null,
- "show": true
- }
- ],
- "yaxis": {
- "align": false,
- "alignLevel": null
- }
- },
- {
- "aliasColors": {},
- "bars": false,
- "dashLength": 10,
- "dashes": false,
- "datasource": null,
- "description": "Private memory used by NGINX Service Mesh sidecars",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "fill": 1,
- "fillGradient": 0,
- "gridPos": {
- "h": 8,
- "w": 12,
- "x": 12,
- "y": 15
- },
- "hiddenSeries": false,
- "id": 123128,
- "legend": {
- "avg": false,
- "current": false,
- "max": false,
- "min": false,
- "show": true,
- "total": false,
- "values": false
- },
- "lines": true,
- "linewidth": 1,
- "nullPointMode": "null",
- "options": {
- "alertThreshold": true
- },
- "percentage": false,
- "pluginVersion": "8.3.4",
- "pointradius": 2,
- "points": false,
- "renderer": "flot",
- "seriesOverrides": [],
- "spaceLength": 10,
- "stack": false,
- "steppedLine": false,
- "targets": [
- {
- "expr": "nginxplus_workers_mem_private",
- "interval": "",
- "legendFormat": "",
- "refId": "A"
- }
- ],
- "thresholds": [],
- "timeFrom": null,
- "timeRegions": [],
- "timeShift": null,
- "title": "Sidecar Memory Usage (Private)",
- "tooltip": {
- "shared": true,
- "sort": 0,
- "value_type": "individual"
- },
- "type": "graph",
- "xaxis": {
- "buckets": null,
- "mode": "time",
- "name": null,
- "show": true,
- "values": []
- },
- "yaxes": [
- {
- "format": "short",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": null,
- "show": true
- },
- {
- "format": "short",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": null,
- "show": true
- }
- ],
- "yaxis": {
- "align": false,
- "alignLevel": null
- }
- }
- ],
- "refresh": "5s",
- "schemaVersion": 27,
- "style": "dark",
- "tags": [],
- "templating": {
- "list": []
- },
- "time": {
- "from": "now-5m",
- "to": "now"
- },
- "timepicker": {
- "refresh_intervals": [
- "5s",
- "10s",
- "30s",
- "1m",
- "5m",
- "15m",
- "30m",
- "1h",
- "2h",
- "1d"
- ],
- "time_options": [
- "5m",
- "15m",
- "1h",
- "6h",
- "12h",
- "24h",
- "2d",
- "7d",
- "30d"
- ]
- },
- "timezone": "",
- "title": "NGINX Mesh Top",
- "uid": "N3zQ72OWk",
- "version": 1
- }
diff --git a/helm-chart/configs/grafana.ini b/helm-chart/configs/grafana.ini
deleted file mode 100644
index 4e289e19..00000000
--- a/helm-chart/configs/grafana.ini
+++ /dev/null
@@ -1,15 +0,0 @@
-instance_name = nginx-mesh-grafana
-
-[auth]
-disable_login_form = true
-
-[auth.anonymous]
-enabled = true
-org_role = Admin
-
-[auth.basic]
-enabled = false
-
-[analytics]
-check_for_updates = false
-Events:
diff --git a/helm-chart/configs/mesh-config.conf b/helm-chart/configs/mesh-config.conf
index facc8e26..caeb66bf 100644
--- a/helm-chart/configs/mesh-config.conf
+++ b/helm-chart/configs/mesh-config.conf
@@ -6,6 +6,7 @@
"port": 443
},
"autoInjectorPort": 9443,
+ "clientMaxBodySize": {{ quote .Values.clientMaxBodySize }},
"environment": {{ quote .Values.environment }},
"isUDPEnabled": {{ .Values.enableUDP }},
"injection": {
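Review bot: `"clientMaxBodySize": {{ quote .Values.clientMaxBodySize }}` passes a user-supplied string straight into the proxy configuration, and this chunk shows no constraint on its format; `values.schema.json` is in the diffstat but not in view, so I cannot confirm it restricts the value. If the mesh feeds this into an NGINX `client_max_body_size` directive, a schema `pattern` limited to the size syntax that directive accepts (digits with an optional k/m/g suffix) would reject typos and stray characters at `helm install` time rather than at sidecar start. `quote` also means an unset value renders as `""`, so the consumer must treat the empty string as "use the default"; a one-line comment on the key in values.yaml should state that.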
@@ -20,11 +21,10 @@
"svidTTL": {{ quote .Values.mtls.svidTTL }},
"caKeyType": {{ quote .Values.mtls.caKeyType }}
},
- "mtlsMode": {{ quote .Values.mtls.mode }},
"namespace": {{ quote .Release.Namespace }},
"nginxErrorLogLevel": {{ quote .Values.nginxErrorLogLevel }},
"nginxLogFormat": {{ quote .Values.nginxLogFormat }},
- "prometheusAddress": {{ include "prometheus.address" . | quote }},
+ "prometheusAddress": {{ quote .Values.prometheusAddress }},
"proxy": {
"ports": {
"incoming": 8888,
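Review bot: `"prometheusAddress": {{ quote .Values.prometheusAddress }}` renders `""` whenever the value is unset, where the removed `prometheus.address` helper used to fall back to an in-cluster address; the `backendAddress` line in the next hunk (`{{ quote .Values.tracing.address }}`) loses the equivalent `tracing.address` fallback. For tracing this sits inside `{{ if .Values.tracing }}`, so a values file that enables tracing without an address now produces a tracing block with an empty backend; `{{ required "tracing.address must be set when tracing is configured" .Values.tracing.address | quote }}` would fail the render with a clear message instead. Whether an empty `prometheusAddress` is a valid "no Prometheus" state cannot be seen from this chunk; if it is, the values.yaml comment for that key should say so, since installs that relied on the old default may lose metrics scraping on upgrade without any render-time signal.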
@@ -60,10 +60,9 @@
"image": {{ printf "%s/nginx-mesh-init:%s" .Values.registry.server .Values.registry.imageTag | quote }},
"name": "nginx-mesh-init"
},
- "tracing": {{if .Values.tracing }}{
+ "tracing": {{ if .Values.tracing }}{
"backend": {{ quote .Values.tracing.backend }},
- "backendAddress": {{ include "tracing.address" . | quote }},
- "isEnabled": {{ not .Values.tracing.disable }},
+ "backendAddress": {{ quote .Values.tracing.address }},
"sampleRate": {{ .Values.tracing.sampleRate }}
},{{ else }}{},{{ end }}
"telemetry": {{ if .Values.telemetry }}{
diff --git a/helm-chart/crds/httproutegroup.yaml b/helm-chart/crds/httproutegroup.yaml
index b1ee68f8..e60a1f84 100644
--- a/helm-chart/crds/httproutegroup.yaml
+++ b/helm-chart/crds/httproutegroup.yaml
@@ -7,62 +7,76 @@ metadata:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi-spec.io
- scope: Namespaced
names:
kind: HTTPRouteGroup
+ listKind: HTTPRouteGroupList
+ plural: httproutegroups
shortNames:
- htr
- plural: httproutegroups
singular: httproutegroup
+ scope: Namespaced
versions:
- name: v1alpha3
- served: true
- storage: true
schema:
openAPIV3Schema:
- type: object
+ description: HTTPRouteGroup is the Schema for the httproutegroups API It is
+ used to describe HTTP/1 and HTTP/2 traffic. It enumerates the routes that
+ can be served by an application.
properties:
- spec:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
type: object
- required:
- - matches
+ spec:
+ description: HTTPRouteGroupSpec defines the desired state of HTTPRouteGroup
+ It is the specification for a HTTPRouteGroup
properties:
matches:
- description: Match conditions of this route group.
- type: array
+ description: Routes for inbound traffic
items:
- type: object
- required:
- - name
+ description: HTTPMatch defines an individual route for HTTP traffic
properties:
- name:
- description: Name of the HTTP route.
- type: string
- pathRegex:
- description: URI path regex of the HTTP route.
- type: string
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers is a list of headers used to match HTTP traffic
+ type: object
methods:
- description: The HTTP methods of this HTTP route.
- type: array
+ description: Methods for inbound traffic as defined in RFC 7231
+ https://tools.ietf.org/html/rfc7231#section-4
items:
type: string
- description: The HTTP method of this HTTP route.
- enum:
- - "*"
- - GET
- - HEAD
- - PUT
- - POST
- - DELETE
- - CONNECT
- - OPTIONS
- - TRACE
- - PATCH
- headers:
- description: Header match conditions of this route.
type: array
- items:
- description: Header match condition of this route.
- type: object
- additionalProperties:
- type: string
+ name:
+ description: Name is the name of the match for referencing in a TrafficTarget
+ type: string
+ pathRegex:
+ description: PathRegex is a regular expression defining the route
+ type: string
+ type: object
+ type: array
+ type: object
+ status:
+ description: HTTPRouteGroupStatus defines the observed state of HTTPRouteGroup
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
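Review bot: The regenerated schema drops validation the hand-written one enforced: `spec.matches` is no longer `required`, each match no longer requires `name`, and the `methods` enum (`*`, `GET`, …) is gone, so the API server now accepts an HTTPRouteGroup whose matches have no name even though a TrafficTarget refers to matches by name. The same loosening appears in the trafficsplit hunk (`matches[].kind` lost its `HTTPRouteGroup` enum) and the traffictarget hunk (`rules[].kind` lost its `HTTPRouteGroup`/`TCPRoute` enum). Unless the controller rejects these objects itself, misconfigured access policies are admitted silently; if this YAML comes from controller-gen, `+kubebuilder:validation:Required` and `+kubebuilder:validation:Enum=...` markers on the Go types restore the constraints without hand-editing the output. The trailing `status:` stanza (`acceptedNames`, `conditions: []`, `storedVersions: []`) is generator output the API server overwrites and can be stripped from the chart.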
diff --git a/helm-chart/crds/tcproute.yaml b/helm-chart/crds/tcproute.yaml
index 4f91f25a..69bcee92 100644
--- a/helm-chart/crds/tcproute.yaml
+++ b/helm-chart/crds/tcproute.yaml
@@ -7,17 +7,46 @@ metadata:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi-spec.io
- scope: Namespaced
names:
kind: TCPRoute
+ listKind: TCPRouteList
+ plural: tcproutes
shortNames:
- tr
- plural: tcproutes
singular: tcproute
+ scope: Namespaced
versions:
- name: v1alpha3
- served: true
- storage: true
schema:
openAPIV3Schema:
+ description: TCPRoute is the Schema for the tcproutes API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TCPRouteSpec defines the desired state of TCPRoute
+ type: object
+ status:
+ description: TCPRouteStatus defines the observed state of TCPRoute
+ type: object
type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
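Review bot: `spec:` is declared as a bare `type: object` with no `properties` and no `x-kubernetes-preserve-unknown-fields: true`; if this CRD is `apiextensions.k8s.io/v1` (the header is above the hunk), structural-schema pruning drops every field a user sets under `spec`, so a TCPRoute with any spec content is stored empty without an error. If TCPRoute intentionally carries no spec fields in this mesh, say so in the description (`TCPRouteSpec defines the desired state of TCPRoute; it currently carries no fields`); otherwise list the properties or add the preserve-unknown-fields marker so user input is not silently discarded.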
diff --git a/helm-chart/crds/trafficsplit.yaml b/helm-chart/crds/trafficsplit.yaml
index 90ca7010..3eec481f 100644
--- a/helm-chart/crds/trafficsplit.yaml
+++ b/helm-chart/crds/trafficsplit.yaml
@@ -7,66 +7,96 @@ metadata:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: split.smi-spec.io
- scope: Namespaced
names:
kind: TrafficSplit
listKind: TrafficSplitList
+ plural: trafficsplits
shortNames:
- ts
- plural: trafficsplits
singular: trafficsplit
+ scope: Namespaced
versions:
- name: v1alpha3
- served: true
- storage: true
- additionalPrinterColumns:
- - name: Service
- type: string
- description: The apex service of this split.
- jsonPath: .spec.service
schema:
openAPIV3Schema:
- type: object
+ description: TrafficSplit is the Schema for the trafficsplits API
properties:
- spec:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
type: object
- required:
- - service
- - backends
+ spec:
+ description: TrafficSplitSpec defines the desired state of TrafficSplit
properties:
- service:
- description: The apex service of this split.
- type: string
- matches:
- description: The HTTP route groups that this traffic split should
- match.
- type: array
+ backends:
+ description: Backends defines a list of Kubernetes services used as
+ the traffic split destination
items:
- type: object
- required:
- - kind
- - name
+ description: TrafficSplitBackend defines a backend
properties:
- kind:
- description: Kind of the matching group.
- type: string
- enum:
- - HTTPRouteGroup
- name:
- description: Name of the matching group.
+ service:
+ description: Service is the name of a Kubernetes service
type: string
- backends:
- description: The backend services of this split.
- type: array
- items:
- type: object
+ weight:
+ description: Weight defines the traffic split percentage
+ minimum: 0
+ type: integer
required:
- service
- weight
+ type: object
+ type: array
+ matches:
+ description: Matches allows defining a list of HTTP route groups that
+ this traffic split object should match
+ items:
+ description: TypedLocalObjectReference contains enough information
+ to let you locate the typed referenced object inside the same
+ namespace.
properties:
- service:
- description: Name of the Kubernetes service.
+ apiGroup:
+ description: APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in
+ the core API group. For any other third-party types, APIGroup
+ is required.
type: string
- weight:
- description: Traffic weight value of this backend.
- type: number
+ kind:
+ description: Kind is the type of resource being referenced
+ type: string
+ name:
+ description: Name is the name of resource being referenced
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
+ service:
+ description: Service represents the apex service
+ type: string
+ required:
+ - backends
+ - service
+ type: object
+ status:
+ description: TrafficSplitStatus defines the observed state of TrafficSplit
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
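Review bot: `weight` changes from `type: number` to `type: integer` with `minimum: 0`; any stored TrafficSplit that used a fractional weight under the previous schema will fail validation on its next update once the CRD is upgraded, so this deserves a line in the release notes if such values were ever accepted. The `additionalPrinterColumns` entry for `.spec.service` is also dropped, so `kubectl get ts` loses the Service column; it can be restored under the version entry as `additionalPrinterColumns: [{name: Service, type: string, jsonPath: .spec.service}]`. The loss of the `kind` enum on `matches[]` is covered in the httproutegroup note.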
diff --git a/helm-chart/crds/traffictarget.yaml b/helm-chart/crds/traffictarget.yaml
index 24bae142..77dbc8f5 100644
--- a/helm-chart/crds/traffictarget.yaml
+++ b/helm-chart/crds/traffictarget.yaml
@@ -7,86 +7,122 @@ metadata:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: access.smi-spec.io
- scope: Namespaced
names:
kind: TrafficTarget
+ listKind: TrafficTargetList
+ plural: traffictargets
shortNames:
- tt
- plural: traffictargets
singular: traffictarget
+ scope: Namespaced
versions:
- name: v1alpha2
- served: true
- storage: true
schema:
openAPIV3Schema:
- type: object
+ description: TrafficTarget associates a set of traffic definitions (rules)
+ with a service identity which is allocated to a group of pods. Access is
+ controlled via referenced TrafficSpecs and by a list of source service identities.
+ * If a pod which holds the referenced service identity makes a call to the
+ destination on one of the defined routes then access will be allowed *
+ Any pod which attempts to connect and is not in the defined list of sources
+ will be denied * Any pod which is in the defined list, but attempts to connect
+ on a route which is not in the list of the TrafficSpecs will be denied
properties:
- spec:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
type: object
- required:
- - destination
+ spec:
+ description: TrafficTargetSpec is the specification of a TrafficTarget
properties:
destination:
- description: The destination of this traffic target.
- type: object
- required:
- - name
- - kind
+ description: Selector is the pod or group of pods to allow ingress
+ traffic
properties:
kind:
- description: Kind of the destination.
+ description: Kind is the type of Subject to allow ingress (ServiceAccount | Group)
type: string
name:
- description: Name of the destination.
+ description: Name of the Subject, i.e. ServiceAccountName
type: string
namespace:
- description: Namespace of the destination.
+ description: Namespace where the Subject is deployed
type: string
port:
- description: Port number of the destination.
- type: number
+ description: Port defines a TCP port to apply the TrafficTarget to
+ type: integer
+ required:
+ - kind
+ - name
+ type: object
rules:
- description: Specifications of this traffic target.
- type: array
+ description: Rules are the traffic rules to allow (HTTPRoutes | TCPRoute)
items:
- type: object
- required:
- - name
- - kind
+ description: TrafficTargetRule is the TrafficSpec to allow for a TrafficTarget
properties:
kind:
- description: Kind of this spec.
- type: string
- enum:
- - HTTPRouteGroup
- - TCPRoute
- name:
- description: Name of this spec.
+ description: Kind is the kind of TrafficSpec to allow
type: string
matches:
- description: Match conditions of this spec.
- type: array
+ description: Matches is a list of TrafficSpec routes to allow traffic for
items:
type: string
- sources:
- description: Sources of this traffic target.
- type: array
- items:
- type: object
+ type: array
+ name:
+ description: Name of the TrafficSpec to use
+ type: string
required:
- - name
- kind
+ - name
+ type: object
+ type: array
+ sources:
+ description: Sources are the pod or group of pods to allow ingress traffic
+ items:
+ description: IdentityBindingSubject is a Kubernetes objects which
+ should be allowed access to the TrafficTarget
properties:
kind:
- description: Kind of this source.
+ description: Kind is the type of Subject to allow ingress (ServiceAccount | Group)
type: string
name:
- description: Name of this source.
+ description: Name of the Subject, i.e. ServiceAccountName
type: string
namespace:
- description: Namespace of this source.
+ description: Namespace where the Subject is deployed
type: string
port:
- description: Port number of the source.
- type: number
+ description: Port defines a TCP port to apply the TrafficTarget to
+ type: integer
+ required:
+ - kind
+ - name
+ type: object
+ type: array
+ required:
+ - destination
+ type: object
+ status:
+ description: TrafficTargetStatus defines the observed state of UDPRoute
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
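Review bot: The added `status` description reads `TrafficTargetStatus defines the observed state of UDPRoute`, a copy-paste leftover; it should read `TrafficTargetStatus defines the observed state of TrafficTarget`, and if this file is controller-gen output the fix belongs in the Go doc comment so it survives regeneration. `port` changes from `type: number` to `type: integer` on both `destination` and `sources[]`, which rejects any existing object that stored a fractional port on its next update (unlikely for ports, but worth a release note); adding `minimum: 1` and `maximum: 65535` would also catch out-of-range ports at admission rather than in the controller. The dropped `kind` enums on `rules[]`, `destination` and `sources[]` are discussed in the httproutegroup note.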
diff --git a/helm-chart/templates/_helpers.tpl b/helm-chart/templates/_helpers.tpl
index 4e2d4b0d..ef801379 100644
--- a/helm-chart/templates/_helpers.tpl
+++ b/helm-chart/templates/_helpers.tpl
@@ -1,37 +1,3 @@
-{{- define "jaeger.image-server" -}}
-{{- if not .Values.registry.disablePublicImages }}jaegertracing{{ else }}{{ .Values.registry.server }}{{ end }}
-{{- end }}
-
-{{- define "zipkin.image-server" -}}
-{{- if not .Values.registry.disablePublicImages }}openzipkin{{ else }}{{ .Values.registry.server }}{{ end }}
-{{- end }}
-
-{{- define "tracing.address" -}}
-{{- if ne .Values.tracing.address "" -}}
-{{ .Values.tracing.address }}
-{{- else if eq .Values.tracing.backend "jaeger" -}}
-jaeger.{{.Release.Namespace}}.svc.cluster.local:6831
-{{- else if eq .Values.tracing.backend "zipkin" -}}
-zipkin.{{.Release.Namespace}}.svc.cluster.local:9411
-{{- end }}
-{{- end }}
-
-{{- define "prometheus.address" -}}
-{{- if eq .Values.prometheusAddress "" -}}
-prometheus.{{.Release.Namespace}}.svc.cluster.local:9090
-{{- else -}}
-{{ .Values.prometheusAddress }}
-{{- end }}
-{{- end }}
-
-{{- define "prometheus.image-server" -}}
-{{- if not .Values.registry.disablePublicImages }}prom{{ else }}{{ .Values.registry.server }}{{ end }}
-{{- end }}
-
-{{- define "grafana.image-server" -}}
-{{- if not .Values.registry.disablePublicImages }}grafana{{ else }}{{ .Values.registry.server }}{{ end }}
-{{- end }}
-
{{- define "nats.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }}
{{- end }}
@@ -41,7 +7,7 @@ prometheus.{{.Release.Namespace}}.svc.cluster.local:9090
{{- end }}
{{- define "node-driver.image-server" -}}
-{{- if not .Values.registry.disablePublicImages }}quay.io/k8scsi{{ else }}{{ .Values.registry.server }}{{ end }}
+{{- if not .Values.registry.disablePublicImages }}k8s.gcr.io/sig-storage{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "hook.image-server" -}}
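Review bot: The new public source `k8s.gcr.io/sig-storage` on the `+` line is a registry that has since been frozen and redirected to `registry.k8s.io`, so this helper will need another edit and the tagged pull is a mutable reference either way. Prefer `registry.k8s.io/sig-storage` here, and pin the `csi-node-driver-registrar` image by `@sha256:` digest where it is referenced (spire-agent.yaml, outside this hunk) so a chart version maps to one image. A short template comment, `{{/* public source for the CSI registrar sidecar; use registry.k8s.io once all targets can reach it */}}`, would record the intent for the next bump.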
diff --git a/helm-chart/templates/grafana.yaml b/helm-chart/templates/grafana.yaml
deleted file mode 100644
index 782c9f4f..00000000
--- a/helm-chart/templates/grafana.yaml
+++ /dev/null
@@ -1,137 +0,0 @@
-{{- if .Values.deployGrafana }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: grafana
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-imagePullSecrets:
-- name: {{ include "registry-key-name" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: grafana.metrics.builtin.nsm.nginx
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-rules:
-- apiGroups:
- - ''
- resources:
- - services
- - endpoints
- - pods
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: grafana.metrics.builtin.nsm.nginx
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: grafana.metrics.builtin.nsm.nginx
-subjects:
-- kind: ServiceAccount
- name: grafana
- namespace: {{ .Release.Namespace }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-config
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-data:
- dashboards.yaml: {{ .Files.Get "configs/grafana-dashboard-conf.yaml" | quote }}
- datasources.yaml: {{ tpl (.Files.Get "configs/grafana-datasources-conf.yaml") . | quote }}
- grafana.ini: {{ .Files.Get "configs/grafana.ini" | quote }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-dashboards
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-data:
- top.json: {{ .Files.Get "configs/grafana-top-dashboard.json" | quote }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: grafana
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/part-of: nginx-service-mesh
-spec:
- selector:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/part-of: nginx-service-mesh
- type: ClusterIP
- ports:
- - port: 3000
- targetPort: 3000
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: grafana
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/part-of: nginx-service-mesh
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/part-of: nginx-service-mesh
- template:
- metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/part-of: nginx-service-mesh
- spec:
- serviceAccountName: grafana
- containers:
- - name: grafana
- image: {{ include "grafana.image-server" . }}/grafana:8.3.4
- imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
- ports:
- - containerPort: 3000
- volumeMounts:
- - name: grafana-config-volume
- mountPath: "/etc/grafana"
- - name: grafana-dashboard-volume
- mountPath: "/var/lib/grafana/dashboards"
- - name: grafana-dashboard-home
- mountPath: "/usr/share/grafana/public/dashboards"
- volumes:
- - name: grafana-config-volume
- configMap:
- name: grafana-config
- items:
- - key: dashboards.yaml
- path: provisioning/dashboards/dashboards.yaml
- - key: datasources.yaml
- path: provisioning/datasources/datasources.yaml
- - key: grafana.ini
- path: grafana.ini
- - name: grafana-dashboard-volume
- configMap:
- name: grafana-dashboards
- items:
- - key: top.json
- path: top.json
- - name: grafana-dashboard-home
- configMap:
- name: grafana-dashboards
- items:
- - key: top.json
- path: home.json
-{{- end }}
diff --git a/helm-chart/templates/jaeger.yaml b/helm-chart/templates/jaeger.yaml
deleted file mode 100644
index 040862a1..00000000
--- a/helm-chart/templates/jaeger.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- if .Values.tracing }} {{ if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "jaeger") (eq .Values.tracing.address "")) }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: jaeger
- labels:
- app.kubernetes.io/name: jaeger
- app.kubernetes.io/part-of: nginx-service-mesh
-spec:
- selector:
- app.kubernetes.io/name: jaeger
- app.kubernetes.io/part-of: nginx-service-mesh
- type: ClusterIP
- ports:
- - name: frontend
- port: 16686
- targetPort: 16686
- - name: collector
- port: 6831
- targetPort: 6831
- protocol: UDP
- - name: collector-http
- port: 14268
- protocol: TCP
- targetPort: 14268
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: jaeger
- labels:
- app.kubernetes.io/name: jaeger
- app.kubernetes.io/part-of: nginx-service-mesh
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: jaeger
- app.kubernetes.io/part-of: nginx-service-mesh
- template:
- metadata:
- labels:
- app.kubernetes.io/name: jaeger
- app.kubernetes.io/part-of: nginx-service-mesh
- annotations:
- prometheus.io/scrape: 'true'
- prometheus.io/port: '16686'
- spec:
- imagePullSecrets:
- - name: {{ include "registry-key-name" . }}
- containers:
- - name: jaeger
- image: {{ include "jaeger.image-server" . }}/all-in-one:1.31.0
- imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
- ports:
- - containerPort: 16686
- - containerPort: 6831
- protocol: UDP
-{{- end }}{{- end }}
diff --git a/helm-chart/templates/nats.yaml b/helm-chart/templates/nats.yaml
index e5bf6393..4b0a2f78 100644
--- a/helm-chart/templates/nats.yaml
+++ b/helm-chart/templates/nats.yaml
@@ -82,6 +82,16 @@ spec:
- name: nginx-mesh-cert-reloader-init
image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsUser: 2102
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_ADMIN
+ - KILL
volumeMounts:
- name: tls
mountPath: "/etc/ssl"
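Review bot: The drop list in the added securityContext spells the wildcard as `all`, while the SecurityContextConstraints in this same release use `ALL`; the string is passed through the API unchanged and policy checkers that look for a drop-all commonly match `ALL` exactly, so write `- ALL` here to avoid a false negative. Nothing in the hunk explains why a certificate-reloader init container needs `KILL` and `NET_ADMIN`; if it signals a process in another container or touches routing, put that in a one-line comment above `add:`, and if it does not, remove them. Adding `runAsNonRoot: true` beside `runAsUser: 2102` would also let the kubelet refuse an image whose user resolves to root, matching the `MustRunAsNonRoot` the SCC now enforces on OpenShift.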
@@ -103,7 +113,7 @@ spec:
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
- name: nats-server
- image: {{ include "nats.image-server" . }}nats:2.7.2-alpine3.15
+ image: {{ include "nats.image-server" . }}nats:2.8.4-alpine3.15
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 4222
@@ -114,6 +124,15 @@ spec:
- nats-server
- "--config"
- "/etc/nats-config/nats.conf"
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsUser: 2102
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_ADMIN
env:
- name: POD_NAME
valueFrom:
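Review bot: `NET_ADMIN` is granted to the nats-server container, but nothing visible here — it binds 4222 and reads `/etc/nats-config/nats.conf` — shows the server configuring network state, and an unneeded capability on a broker that every mesh component talks to widens the blast radius of a compromise. If the capability is only present because the shared SCC lists it as allowed, delete the `add:` block so the container keeps an empty capability set; if it is genuinely required, say why in a comment above `add:`. The drop wildcard should be `ALL`, as in the SCC, rather than `all`.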
diff --git a/helm-chart/templates/nginx-mesh-api.yaml b/helm-chart/templates/nginx-mesh-api.yaml
index b9604314..a3fef5c5 100644
--- a/helm-chart/templates/nginx-mesh-api.yaml
+++ b/helm-chart/templates/nginx-mesh-api.yaml
@@ -349,6 +349,7 @@ spec:
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-meshconfig=/etc/config/mesh-config.json"
+ - "-tlsDir=/tmp/webhooks"
- "-logtostderr"
- "-v=3"
env:
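Review bot: The webhook's TLS material is now written under `/tmp/webhooks`, presumably because the container no longer runs as root (the `runAsUser: 0` removal is later in this file) and cannot write its old location; `/tmp` on the container's root filesystem is shared with anything else running in the container and persists as long as the filesystem does. Back it with a dedicated `emptyDir: { medium: Memory }` volume mounted at `/tmp/webhooks`, which keeps the serving key off the node's disk and leaves the door open for `readOnlyRootFilesystem: true`. The Deployment's `volumes:` list is outside this hunk.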
@@ -366,8 +367,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- securityContext:
- runAsUser: 0
readinessProbe:
httpGet:
path: "/healthz"
@@ -375,6 +374,15 @@ spec:
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsUser: 2102
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_ADMIN
livenessProbe:
httpGet:
path: "/healthz"
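Review bot: The new securityContext fixes a numeric user but does not set `runAsNonRoot: true` or a seccomp profile; add `runAsNonRoot: true` and `seccompProfile: { type: RuntimeDefault }` so the kubelet enforces the non-root intent that the SCC's `MustRunAsNonRoot` expresses and syscalls are filtered by the runtime default. `NET_ADMIN` on the API server container is not explained by anything in the hunk (it serves `/healthz` and the webhook), so either justify it in a comment above `add:` or drop the `add:` block. Spell the drop wildcard `ALL` to match the SCC in this file.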
@@ -470,7 +478,7 @@ seLinuxContext:
type: MustRunAs
readOnlyRootFilesystem: false
runAsUser:
- type: RunAsAny
+ type: MustRunAsNonRoot
fsGroup:
type: MustRunAs
volumes:
@@ -522,21 +530,15 @@ allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_ADMIN
-- NET_RAW
-- SYS_RESOURCE
-- SYS_ADMIN
seLinuxContext:
type: RunAsAny
runAsUser:
- type: RunAsAny
+ type: MustRunAsNonRoot
fsGroup:
type: MustRunAs
readOnlyRootFilesystem: false
requiredDropCapabilities:
-- KILL
-- MKNOD
-- SETUID
-- SETGID
+- ALL
volumes:
- configMap
- downwardAPI
diff --git a/helm-chart/templates/nginx-mesh-metrics.yaml b/helm-chart/templates/nginx-mesh-metrics.yaml
index b14fe9ee..126b5561 100644
--- a/helm-chart/templates/nginx-mesh-metrics.yaml
+++ b/helm-chart/templates/nginx-mesh-metrics.yaml
@@ -128,7 +128,18 @@ spec:
image: {{ .Values.registry.server }}/nginx-mesh-metrics:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- - "--prometheus-address={{ include "prometheus.address" . }}"
+ {{ if .Values.prometheusAddress }}
+ - "--prometheus-address={{ .Values.prometheusAddress }}"
+ {{ end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsUser: 2102
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_ADMIN
readinessProbe:
httpGet:
scheme: HTTPS
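Review bot: With `prometheusAddress` defaulting to `""` in values.yaml, the `--prometheus-address` flag is now omitted entirely and the metrics binary starts with whatever built-in default it has; that is a silent behaviour change from the removed helper, which always pointed at an in-cluster Prometheus, and nothing in the chart tells the operator the field is now effectively required. Either mark it required in values.schema.json or document the fallback next to the value. The address is also spliced unescaped into a double-quoted YAML scalar, so a value containing `"` breaks the manifest; render it as `- {{ printf "--prometheus-address=%s" .Values.prometheusAddress | quote }}` instead. The same `NET_ADMIN`/`all` observations as for the other new securityContext blocks apply here.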
diff --git a/helm-chart/templates/post-upgrade-hook.yaml b/helm-chart/templates/post-upgrade-hook.yaml
index a73e799d..ac56eeeb 100644
--- a/helm-chart/templates/post-upgrade-hook.yaml
+++ b/helm-chart/templates/post-upgrade-hook.yaml
@@ -1,3 +1,4 @@
+# This hook reads the ConfigMap created by the pre-upgrade hook, and applies all updated HTTPRouteGroups.
---
apiVersion: v1
kind: ServiceAccount
@@ -26,18 +27,49 @@ rules:
- apiGroups:
- ''
resources:
- - pods
+ - configmaps
verbs:
- get
- - list
+ - delete
- apiGroups:
- - spiffeid.spiffe.io
+ - specs.smi-spec.io
resources:
- - spiffeids
+ - httproutegroups
verbs:
- get
- - list
- - delete
+ - patch
+{{- if eq .Values.environment "openshift" }}
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - post-upgrade-permissions.builtin.nsm.nginx
+ verbs:
+ - use
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: post-upgrade-permissions.builtin.nsm.nginx
+ labels:
+ app.kubernetes.io/part-of: nginx-service-mesh
+ annotations:
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ "helm.sh/hook-weight": "-5"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+seLinuxContext:
+ type: MustRunAs
+runAsUser:
+ type: RunAsAny
+readOnlyRootFilesystem: false
+{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
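Review bot: The ClusterRole grants `get` and `delete` on every ConfigMap in the cluster, yet the job only reads and deletes `httproutegroups` in the release namespace; narrow the rule with `resourceNames: [httproutegroups]`, or move it into a namespaced Role bound in `{{ .Release.Namespace }}` and keep only the cluster-wide `httproutegroups` `patch` rule in the ClusterRole. The hook's SCC keeps `runAsUser: RunAsAny`, which lets the kubectl image run as root; if the hook image has a fixed non-root user (the container no longer sets `runAsUser: 0`), `MustRunAsNonRoot` would match the other SCCs in this release. The rule list starts before this hunk.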
@@ -61,7 +93,7 @@ subjects:
apiVersion: batch/v1
kind: Job
metadata:
- name: remove-extra-spiffeids
+ name: update-httproutegroups
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
@@ -71,32 +103,26 @@ metadata:
spec:
template:
metadata:
- name: remove-extra-spiffeids
+ name: update-httproutegroups
spec:
restartPolicy: Never
serviceAccountName: post-upgrade
containers:
- - name: remove-extra-spiffeids
+ - name: update-httproutegroups
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
- securityContext:
- runAsUser: 0
command:
- /bin/bash
- -c
- |
- IFS=$'\n'
- for n in $(kubectl get spiffeids -A | awk '{print $1,$2}' | tail -n +2); do
- ns=$(echo $n | cut -d ' ' -f 1)
- name=$(echo $n | cut -d ' ' -f 2)
- if [[ $ns == {{ .Release.Namespace }} ]]; then
- continue
- fi
- pod=$(kubectl get pods -n $ns $name -o yaml)
- case $pod in
- *"nsm.nginx.com/status: injected"*) ;;
- *"nsm.nginx.com/enable-ingress: \"true\""*) ;;
- *"nsm.nginx.com/enable-egress: \"true\""*) ;;
- *) kubectl delete spiffeid -n $ns $name;;
- esac
- done
+ res=$(kubectl get configmap httproutegroups --ignore-not-found -o jsonpath='{.data.httproutegroups}')
+ if [ -n "$res" ]; then
+ n=0
+ until [ "$n" -ge 30 ]
+ do
+ echo $res | jq -c '.[]' | while read -r i; do kubectl apply -f - <<< $i; done && break
+ n=$((n+1))
+ sleep 1
+ done
+ fi
+ kubectl delete configmap httproutegroups --ignore-not-found
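Review bot: The retry loop only sees the exit status of the last `kubectl apply` in the `while read` pipeline, so a failure on any earlier HTTPRouteGroup is ignored and `&& break` ends the loop as if everything applied; and the final `kubectl delete configmap` runs unconditionally, so after thirty failed passes the only copy of the converted objects is discarded. Make each apply abort the pass on failure, delete the ConfigMap only after a successful pass, and exit non-zero otherwise so the Helm upgrade reports the problem instead of losing data. `$res` and `$i` should also be double-quoted to stop word splitting and glob expansion of JSON. The rewritten script body is below.

```yaml
            - |
              res=$(kubectl get configmap httproutegroups --ignore-not-found -o jsonpath='{.data.httproutegroups}')
              if [ -n "$res" ]; then
                n=0
                until [ "$n" -ge 30 ]
                do
                  # 'exit 1' inside the subshell fails the whole pipeline on the first bad apply.
                  if jq -c '.[]' <<< "$res" | while read -r i; do kubectl apply -f - <<< "$i" || exit 1; done; then
                    kubectl delete configmap httproutegroups --ignore-not-found
                    exit 0
                  fi
                  n=$((n+1))
                  sleep 1
                done
                echo "failed to re-apply saved HTTPRouteGroups; ConfigMap httproutegroups retained for manual recovery" >&2
                exit 1
              fi
              kubectl delete configmap httproutegroups --ignore-not-found
```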
diff --git a/helm-chart/templates/pre-upgrade-hook.yaml b/helm-chart/templates/pre-upgrade-hook.yaml
index 42e7c11c..92d6462a 100644
--- a/helm-chart/templates/pre-upgrade-hook.yaml
+++ b/helm-chart/templates/pre-upgrade-hook.yaml
@@ -1,4 +1,5 @@
-{{- if eq .Values.environment "openshift" }}
+# This hook saves all existing HTTPRouteGroups, replaces their header list with an object
+# (due to the SMI API breakage), then saves the output in a ConfigMap. The new CRD definition is then applied.
---
apiVersion: v1
kind: ServiceAccount
@@ -14,9 +15,9 @@ imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
metadata:
- name: pre-upgrade
+ name: pre-upgrade.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
@@ -25,16 +26,62 @@ metadata:
"helm.sh/hook-weight": "-5"
rules:
- apiGroups:
- - apps
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - create
+- apiGroups:
+ - specs.smi-spec.io
+ resources:
+ - httproutegroups
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - patch
+{{- if eq .Values.environment "openshift" }}
+- apiGroups:
+ - security.openshift.io
resources:
- - daemonsets
+ - securitycontextconstraints
+ resourceNames:
+ - pre-upgrade-permissions.builtin.nsm.nginx
verbs:
- - delete
+ - use
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: pre-upgrade-permissions.builtin.nsm.nginx
+ labels:
+ app.kubernetes.io/part-of: nginx-service-mesh
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ "helm.sh/hook-weight": "-5"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+seLinuxContext:
+ type: MustRunAs
+runAsUser:
+ type: RunAsAny
+readOnlyRootFilesystem: false
+{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
metadata:
- name: pre-upgrade
+ name: pre-upgrade.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
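Review bot: `get`/`patch` on all `customresourcedefinitions` lets the hook's service account rewrite the schema of any CRD in the cluster, far more than applying one file needs; add `resourceNames: [httproutegroups.specs.smi-spec.io]` to that rule, which covers `get` and `patch` — all `kubectl apply` uses on a CRD that already exists, as it does on upgrade. The ConfigMap `create` rule is likewise cluster-wide although the job creates one ConfigMap in the release namespace; `create` cannot be narrowed by `resourceNames`, so it belongs in a namespaced Role/RoleBinding rather than the ClusterRole. The SCC's `runAsUser: RunAsAny` could be `MustRunAsNonRoot` if the hook image runs as a fixed non-root user.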
@@ -42,9 +89,9 @@ metadata:
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: pre-upgrade
+ apiGroup: ""
+ kind: ClusterRole
+ name: pre-upgrade.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: pre-upgrade
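Review bot: `roleRef.apiGroup` is changed from `rbac.authorization.k8s.io` to `""`; the API server defaults an empty group to the RBAC group on admission, so this probably binds correctly, but it relies on that defaulting, diverges from the original line and the documented form, and reads like a mistake to anyone auditing bindings. Restore `apiGroup: rbac.authorization.k8s.io`.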
@@ -53,7 +100,7 @@ subjects:
apiVersion: batch/v1
kind: Job
metadata:
- name: delete-spire-agent
+ name: save-httproutegroups
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
@@ -63,17 +110,21 @@ metadata:
spec:
template:
metadata:
- name: delete-spire-agent
+ name: save-httproutegroups
spec:
restartPolicy: Never
serviceAccountName: pre-upgrade
containers:
- - name: delete-spire-agent
+ - name: save-httproutegroups
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command:
- - /bin/sh
+ - /bin/bash
- -c
- |
- kubectl delete daemonset spire-agent
-{{- end }}
+ res=$(kubectl get httproutegroups.specs.smi-spec.io -A -o json | sed -e 's/\\n//g' | jq -c '.items[]' | while read -r i; do jq '(.spec.matches[] | select(.headers != null)).headers |= add' <<< $i; done | jq -s -c '.')
+ if [ -n "$res" ] && [ $res != "[]" ]; then
+ kubectl create configmap httproutegroups --from-literal httproutegroups="$res"
+ crd={{ .Files.Get "crds/httproutegroup.yaml" | fromYaml | toJson | quote }}
+ echo $crd | kubectl apply -f -
+ fi
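Review bot: The jq filter `select(.headers != null)).headers |= add` is not idempotent: on an object (already-converted) `headers`, `add` concatenates the values into one string, so the first upgrade after 1.5.0 corrupts every HTTPRouteGroup that has headers and the post-upgrade re-apply then fails schema validation; select on `(.headers | type) == "array"` instead. The test `[ $res != "[]" ]` is unquoted, so any header value containing a space makes it fail with "too many arguments" and the whole block — including the CRD apply, which Helm does not otherwise perform on upgrade — is skipped; `echo $crd` is unquoted as well. `.spec.matches[]` also errors on an object without `matches`, silently dropping it from the saved set, and the saved objects still carry `resourceVersion`, `uid`, `managedFields` and `status`, which the re-apply presumably does not need. The rewritten script body is below.

```yaml
            - |
              # Only list-form headers are folded into an object, so re-running this hook on
              # already-converted objects (any later upgrade) leaves them unchanged.
              res=$(kubectl get httproutegroups.specs.smi-spec.io -A -o json | sed -e 's/\\n//g' \
                | jq -c '[.items[]
                    | del(.metadata.resourceVersion, .metadata.uid, .metadata.managedFields, .status)
                    | (.spec.matches[]? | select((.headers | type) == "array")).headers |= add]')
              if [ -n "$res" ] && [ "$res" != "[]" ]; then
                kubectl create configmap httproutegroups --from-literal httproutegroups="$res"
                crd={{ .Files.Get "crds/httproutegroup.yaml" | fromYaml | toJson | quote }}
                kubectl apply -f - <<< "$crd"
              fi
```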
diff --git a/helm-chart/templates/prometheus.yaml b/helm-chart/templates/prometheus.yaml
deleted file mode 100644
index e9695036..00000000
--- a/helm-chart/templates/prometheus.yaml
+++ /dev/null
@@ -1,114 +0,0 @@
-{{- if eq .Values.prometheusAddress "" }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: prometheus
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-imagePullSecrets:
-- name: {{ include "registry-key-name" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: prometheus.metrics.builtin.nsm.nginx
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-rules:
-- apiGroups:
- - ''
- resources:
- - services
- - endpoints
- - pods
- verbs:
- - get
- - list
- - watch
-- nonResourceURLs:
- - "/metrics"
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: prometheus.metrics.builtin.nsm.nginx
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: prometheus.metrics.builtin.nsm.nginx
-subjects:
-- kind: ServiceAccount
- name: prometheus
- namespace: {{ .Release.Namespace }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: prometheus-configuration
- labels:
- app.kubernetes.io/part-of: nginx-service-mesh
-binaryData:
- prometheus.yaml: {{ .Files.Get "configs/prometheus-config.yaml" | b64enc }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: prometheus
- labels:
- app.kubernetes.io/name: prometheus
- app.kubernetes.io/part-of: nginx-service-mesh
-spec:
- selector:
- app.kubernetes.io/name: prometheus
- app.kubernetes.io/part-of: nginx-service-mesh
- type: ClusterIP
- ports:
- - port: 9090
- targetPort: 9090
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: prometheus
- labels:
- app.kubernetes.io/name: prometheus
- app.kubernetes.io/part-of: nginx-service-mesh
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: prometheus
- app.kubernetes.io/part-of: nginx-service-mesh
- template:
- metadata:
- labels:
- app.kubernetes.io/name: prometheus
- app.kubernetes.io/part-of: nginx-service-mesh
- spec:
- serviceAccountName: prometheus
- containers:
- - name: prometheus
- image: {{ include "prometheus.image-server" . }}/prometheus:v2.33.1
- imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
- args:
- - "--config.file=/etc/prometheus/prometheus.yaml"
- - "--storage.tsdb.path=/prometheus/"
- ports:
- - containerPort: 9090
- volumeMounts:
- - name: prometheus-config-volume
- mountPath: "/etc/prometheus"
- - name: prometheus-storage-volume
- mountPath: "/prometheus/"
- volumes:
- - name: prometheus-config-volume
- configMap:
- name: prometheus-configuration
- - name: prometheus-storage-volume
- emptyDir: {}
-{{- end }}
diff --git a/helm-chart/templates/spire-agent.yaml b/helm-chart/templates/spire-agent.yaml
index 77c35502..2fb53ec2 100644
--- a/helm-chart/templates/spire-agent.yaml
+++ b/helm-chart/templates/spire-agent.yaml
@@ -100,7 +100,7 @@ spec:
done
containers:
- name: spire-agent
- image: {{ include "spire.image-server" . }}/spire-agent:1.2.0
+ image: {{ include "spire.image-server" . }}/spire-agent:1.3.2
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-config"
@@ -178,7 +178,7 @@ spec:
securityContext:
privileged: true
- name: node-driver-registrar
- image: {{ include "node-driver.image-server" . }}/csi-node-driver-registrar:v2.0.1
+ image: {{ include "node-driver.image-server" . }}/csi-node-driver-registrar:v2.5.1
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-csi-address"
diff --git a/helm-chart/templates/spire-server.yaml b/helm-chart/templates/spire-server.yaml
index 9914ecd1..a19b1c6b 100644
--- a/helm-chart/templates/spire-server.yaml
+++ b/helm-chart/templates/spire-server.yaml
@@ -277,7 +277,7 @@ spec:
shareProcessNamespace: true
containers:
- name: spire-server
- image: {{ include "spire.image-server" . }}/spire-server:1.2.0
+ image: {{ include "spire.image-server" . }}/spire-server:1.3.2
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- '-config'
@@ -326,7 +326,7 @@ spec:
initialDelaySeconds: 5
periodSeconds: 5
- name: k8s-workload-registrar
- image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.2.0
+ image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.3.2
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- '-config'
diff --git a/helm-chart/templates/zipkin.yaml b/helm-chart/templates/zipkin.yaml
deleted file mode 100644
index d5788077..00000000
--- a/helm-chart/templates/zipkin.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- if .Values.tracing }} {{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "zipkin") (eq .Values.tracing.address "")) }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: zipkin
- labels:
- app.kubernetes.io/name: zipkin
- app.kubernetes.io/part-of: nginx-service-mesh
-spec:
- selector:
- app.kubernetes.io/name: zipkin
- app.kubernetes.io/part-of: nginx-service-mesh
- type: ClusterIP
- ports:
- - port: 9411
- targetPort: 9411
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: zipkin
- labels:
- app.kubernetes.io/name: zipkin
- app.kubernetes.io/part-of: nginx-service-mesh
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: zipkin
- app.kubernetes.io/part-of: nginx-service-mesh
- template:
- metadata:
- labels:
- app.kubernetes.io/name: zipkin
- app.kubernetes.io/part-of: nginx-service-mesh
- spec:
- imagePullSecrets:
- - name: {{ include "registry-key-name" . }}
- containers:
- - name: zipkin
- image: {{ include "zipkin.image-server" . }}/zipkin:2.23.16
- imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
- ports:
- - containerPort: 9411
-{{- end }}{{- end }}
diff --git a/helm-chart/values.schema.json b/helm-chart/values.schema.json
index e6aab9dd..7408dd22 100644
--- a/helm-chart/values.schema.json
+++ b/helm-chart/values.schema.json
@@ -308,7 +308,7 @@
"imageTag": {
"description": "Tag used for pulling images from registry. ",
"type": "string",
- "default": "1.4.1"
+ "default": "1.5.0"
},
"key": {
"description": "Contents of your Google Cloud JSON key file",
@@ -373,10 +373,6 @@
"description": "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.",
"type": "boolean"
},
- "deployGrafana": {
- "description": "Deploy Grafana as a part of the NGINX Service Mesh",
- "type": "boolean"
- },
"nginxErrorLogLevel": {
"description": "NGINX error log level",
"type": "string",
@@ -392,6 +388,11 @@
"type": "string",
"enum": ["least_conn", "least_time", "least_time last_byte", "least_time last_byte inflight", "random", "random two", "random two least_conn", "random two least_time", "random two least_time=last_byte", "round_robin"]
},
+ "clientMaxBodySize": {
+ "description": "NGINX client max body size",
+ "type": "string",
+ "pattern": "^\\d+[kKmMgG]?$"
+ },
"prometheusAddress": {
"description": "The address of a Prometheus server deployed in your Kubernetes cluster",
"type": "string"
@@ -530,10 +531,6 @@
},
"tracingConfig": {
"properties": {
- "disable": {
- "description": "Disable tracing for all services",
- "type": "boolean"
- },
"sampleRate": {
"description": "The sample rate to use for tracing. Float between 0 and 1",
"type": "number",
@@ -547,28 +544,14 @@
},
"address": {
"description": "The address of a tracing server deployed in your Kubernetes cluster",
- "type": "string"
- }
- },
- "required": ["disable", "sampleRate"],
- "if": {
- "properties": {
- "backend": {
- "const": "datadog"
- }
+ "type": "string",
+ "minLength": 1
}
},
- "then": {
- "properties": {
- "address": {
- "type": "string",
- "minLength": 1
- }
- }
- }
+ "required": ["address", "backend", "sampleRate"]
}
},
- "oneOf": [
+ "anyOf": [
{
"properties": {
"telemetry": {
@@ -605,7 +588,6 @@
"registry",
"accessControlMode",
"environment",
- "deployGrafana",
"nginxErrorLogLevel",
"nginxLogFormat",
"nginxLBMethod",
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 978b6115..d26bf287 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -6,7 +6,7 @@ registry:
# Tag used for pulling images from registry
# Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
- imageTag: "1.4.1"
+ imageTag: "1.5.0"
# Note: Currently only works with Google Cloud registry.
# Contents of your Google Cloud JSON key file. Can be set via "--set-file registry.key=.json"
@@ -40,11 +40,6 @@ environment: "kubernetes"
# Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.
enableUDP: false
-# Deploy Grafana as a part of the NGINX Service Mesh.
-# Note: This configurable will be removed in version 1.5
-# Valid values: true, false
-deployGrafana: true
-
# NGINX error log level.
# Valid values: debug, info, notice, warn, error, crit, alert, emerg
nginxErrorLogLevel: "warn"
@@ -58,6 +53,10 @@ nginxLogFormat: "default"
# random, random two, random two least_conn, random two least_time, random two least_time=last_byte, round_robin]
nginxLBMethod: "least_time"
+# NGINX client max body size.
+# Setting to "0" disables checking of client request body size.
+clientMaxBodySize: "1m"
+
# The address of a Prometheus server deployed in your Kubernetes cluster.
# Address should be in the format .:.
prometheusAddress: ""
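Review bot: The comment for `clientMaxBodySize` says `"0"` disables the size check without saying what that gives up; this value is the bound on request bodies NGINX will accept, so an unbounded setting is a resource-exhaustion vector. Extend it to `# Setting to "0" disables the check entirely; keep an explicit upper bound in production, since unbounded request bodies can exhaust proxy memory or disk.` The `prometheusAddress` comment just below still reads as optional although the metrics template now omits the flag when it is empty; state what happens when it is left blank.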
@@ -76,25 +75,6 @@ autoInjection:
# Must be used with "disable".
enabledNamespaces: []
-# NGINX Service Mesh tracing settings.
-# Cannot be set when telemetry is set.
-# If deploying with tracing, make sure the telemetry object is set to {}.
-tracing:
- # Disable tracing for all services.
- # Note: This configurable will be removed in version 1.5
- disable: false
-
- # The address of a tracing server deployed in your Kubernetes cluster.
- # Address should be in the format .:.
- address: ""
-
- # The tracing backend that you want to use.
- # Valid values: datadog, jaeger, zipkin
- backend: "jaeger"
-
- # The sample rate to use for tracing. Float between 0 and 1.
- sampleRate: 0.01
-
# NGINX Service Mesh telemetry settings.
# Cannot be set when tracing is set.
# To enable telemetry, uncomment the following object and set the tracing object to {}.
@@ -109,6 +89,21 @@ telemetry: {}
# host: ""
# # The port of the OpenTelemetry gRPC exporter to connect to.
# port: 4317
+
+# NGINX Service Mesh tracing settings. Deprecated in favor of telemetry.
+# Cannot be set when telemetry is set.
+# If deploying with tracing, uncomment the following object and set the telemetry object to {}.
+tracing: {}
+ # The address of a tracing server deployed in your Kubernetes cluster.
+ # Address should be in the format .:.
+ # address: ""
+
+ # The tracing backend that you want to use.
+ # Valid values: datadog, jaeger, zipkin
+ # backend: ""
+
+ # The sample rate to use for tracing. Float between 0 and 1.
+ # sampleRate: 0.01
# Mutual TLS settings. See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls for more info.
mtls: