Add istio and sds values to GatewayParameters

changelog/v1.17.0-beta29/add-sds-and-istio-gw-params.yaml

@@ -0,0 +1,7 @@
+changelog:
+  - type: NON_USER_FACING
+    issueLink: https://github.com/solo-io/solo-projects/issues/6048
+    resolvesIssue: false
+    description: >-
+      Adds SDS and Istio values to GatewayParameters. Adds e2e tests for deploying k8s Gateway with GatewayParameters 
+      that overrides the default SDS and Istio values.

install/helm/gloo/crds/gateway.gloo.solo.io_crds.yaml

@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    crd.solo.io/specHash: b770956ad3c60ed2
+    crd.solo.io/specHash: f7620f31f9f0fad8
   labels:
     app: gloo-gateway
     app.kubernetes.io/name: gloo-gateway
@@ -583,6 +583,207 @@ spec:
                           type: object
                         type: array
                     type: object
+                  sds:
+                    properties:
+                      istioIntegration:
+                        properties:
+                          istioContainer:
+                            properties:
+                              image:
+                                properties:
+                                  digest:
+                                    type: string
+                                  pullPolicy:
+                                    enum:
+                                    - Unspecified
+                                    - IfNotPresent
+                                    - Always
+                                    - Never
+                                    type: string
+                                  registry:
+                                    type: string
+                                  repository:
+                                    type: string
+                                  tag:
+                                    type: string
+                                type: object
+                              logLevel:
+                                type: string
+                              resources:
+                                properties:
+                                  limits:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  requests:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              securityContext:
+                                properties:
+                                  allowPrivilegeEscalation:
+                                    type: boolean
+                                  capabilities:
+                                    properties:
+                                      add:
+                                        items:
+                                          type: string
+                                        type: array
+                                      drop:
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  privileged:
+                                    type: boolean
+                                  procMount:
+                                    type: string
+                                  readOnlyRootFilesystem:
+                                    type: boolean
+                                  runAsGroup:
+                                    format: int64
+                                    type: integer
+                                  runAsNonRoot:
+                                    type: boolean
+                                  runAsUser:
+                                    format: int64
+                                    type: integer
+                                  seLinuxOptions:
+                                    properties:
+                                      level:
+                                        type: string
+                                      role:
+                                        type: string
+                                      type:
+                                        type: string
+                                      user:
+                                        type: string
+                                    type: object
+                                  seccompProfile:
+                                    properties:
+                                      localhostProfile:
+                                        type: string
+                                      type:
+                                        type: string
+                                    type: object
+                                  windowsOptions:
+                                    properties:
+                                      gmsaCredentialSpec:
+                                        type: string
+                                      gmsaCredentialSpecName:
+                                        type: string
+                                      hostProcess:
+                                        type: boolean
+                                      runAsUserName:
+                                        type: string
+                                    type: object
+                                type: object
+                            type: object
+                          istioDiscoveryAddress:
+                            type: string
+                          istioMetaClusterId:
+                            type: string
+                          istioMetaMeshId:
+                            type: string
+                        type: object
+                      sdsContainer:
+                        properties:
+                          bootstrap:
+                            properties:
+                              logLevel:
+                                type: string
+                            type: object
+                          image:
+                            properties:
+                              digest:
+                                type: string
+                              pullPolicy:
+                                enum:
+                                - Unspecified
+                                - IfNotPresent
+                                - Always
+                                - Never
+                                type: string
+                              registry:
+                                type: string
+                              repository:
+                                type: string
+                              tag:
+                                type: string
+                            type: object
+                          resources:
+                            properties:
+                              limits:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              requests:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                            type: object
+                          securityContext:
+                            properties:
+                              allowPrivilegeEscalation:
+                                type: boolean
+                              capabilities:
+                                properties:
+                                  add:
+                                    items:
+                                      type: string
+                                    type: array
+                                  drop:
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                              privileged:
+                                type: boolean
+                              procMount:
+                                type: string
+                              readOnlyRootFilesystem:
+                                type: boolean
+                              runAsGroup:
+                                format: int64
+                                type: integer
+                              runAsNonRoot:
+                                type: boolean
+                              runAsUser:
+                                format: int64
+                                type: integer
+                              seLinuxOptions:
+                                properties:
+                                  level:
+                                    type: string
+                                  role:
+                                    type: string
+                                  type:
+                                    type: string
+                                  user:
+                                    type: string
+                                type: object
+                              seccompProfile:
+                                properties:
+                                  localhostProfile:
+                                    type: string
+                                  type:
+                                    type: string
+                                type: object
+                              windowsOptions:
+                                properties:
+                                  gmsaCredentialSpec:
+                                    type: string
+                                  gmsaCredentialSpecName:
+                                    type: string
+                                  hostProcess:
+                                    type: boolean
+                                  runAsUserName:
+                                    type: string
+                                type: object
+                            type: object
+                        type: object
+                    type: object
                   service:
                     properties:
                       clusterIP:

projects/gateway2/api/v1alpha1/gateway_parameters.proto

@@ -48,6 +48,10 @@ message KubernetesProxyConfig {
 
   // Autoscaling configuration.
   kube.gateway.gloo.solo.io.Autoscaling autoscaling = 5;
+
+  // Sds configuration.
+  // A non-nil value will enable sds integration.  If empty config is provided, the default values will be used.
+  SdsIntegration sds = 6;
 }
 
 // Configuration for the Proxy deployment in Kubernetes.
@@ -109,6 +113,96 @@ message EnvoyBootstrap {
   map<string, string> component_log_levels = 2;
 }
 
+// Configuration for the sds integration settings used by a Gloo Gateway's data plane (Envoy proxy instance)
+// If not set, internal mtls authentication will not be used.
+message SdsIntegration {
+  // Configuration for the container running Gloo sds.
+  // If not provided, the default values will be used.
+  SdsContainer sds_container = 1;
+
+  // Istio integration configuration
+  // A non-nil value will enable sds integration. If empty config is provided, the default values will be used.
+  IstioIntegration istio_integration = 2;
+
+}
+
+// Configuration for the Istio integration settings used by a Gloo Gateway's data plane (Envoy proxy instance)
+message IstioIntegration {
+  // Configuration for the container running istio-proxy.
+  IstioContainer istio_container = 1;
+
+  // The address of the istio discovery service. Defaults to "istiod.istio-system.svc:15012".
+  string istio_discovery_address = 2;
+
+  // The mesh id of the istio mesh. Defaults to "cluster.local".
+  string istio_meta_mesh_id = 3;
+
+  // The cluster id of the istio cluster. Defaults to "Kubernetes".
+  string istio_meta_cluster_id = 4;
+}
+
+// Configuration for the container running Gloo sds.
+message SdsContainer {
+  // The sds container image. See
+  // https://kubernetes.io/docs/concepts/containers/images
+  // for details.
+  //
+  // Default values for Edge OSS, which may be overridden individually:
+  //   registry: quay.io/solo-io
+  //   repository: sds / sds-ee
+  //   tag: <gloo version> (OSS) / <gloo-ee version> (EE)
+  //   pullPolicy: IfNotPresent
+  kube.gateway.gloo.solo.io.Image image = 1;
+
+  // The security context for this container. See
+  // https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core
+  // for details.
+  k8s.io.api.core.v1.SecurityContext security_context = 2;
+
+  // The compute resources required by this container. See
+  // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+  // for details.
+  kube.gateway.gloo.solo.io.ResourceRequirements resources = 3;
+
+  // Initial SDS container configuration.
+  SdsBootstrap bootstrap = 4;
+}
+
+// Configuration for the sds instance that is provisioned from a Kubernetes Gateway.
+message SdsBootstrap {
+  // Log level for sds.  Options include "info", "debug", "warn", "error", "panic" and "fatal".
+  // Default level is "info".
+  string log_level = 1;
+}
+
+// Configuration for the container running the istio-proxy.
+message IstioContainer {
+  // The envoy container image. See
+  // https://kubernetes.io/docs/concepts/containers/images
+  // for details.
+  //
+  // Default values, which may be overridden individually:
+  //   registry: docker.io/istio
+  //   repository: proxyv2
+  //   tag: <gloo version> (OSS) / <gloo-ee version> (EE)
+  //   pullPolicy: IfNotPresent
+  kube.gateway.gloo.solo.io.Image image = 1;
+
+  // The security context for this container. See
+  // https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core
+  // for details.
+  k8s.io.api.core.v1.SecurityContext security_context = 2;
+
+  // The compute resources required by this container. See
+  // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+  // for details.
+  kube.gateway.gloo.solo.io.ResourceRequirements resources = 3;
+
+  // Log level for istio-proxy. Options include "info", "debug", "warning", and "error".
+  // Default level is info Default is "warning".
+  string log_level = 4;
+}
+
 message GatewayParametersStatus {
   // The current conditions of the GatewayParameters. This is not currently
   // implemented.

projects/gateway2/deployer/deployer.go

@@ -192,12 +192,20 @@ func (d *Deployer) getValues(ctx context.Context, gw *api.Gateway) (*helmConfig,
 				Port: &d.inputs.ControlPlane.Kube.XdsPort,
 			},
 			Image: getDefaultEnvoyImageValues(d.inputs.Extensions.GetEnvoyImage()),
-			IstioSDS: &helmIstioSds{
+			// TODO(npolshak): Remove once default GatewayParameters are supported: https://github.com/solo-io/solo-projects/issues/6107
+			IstioSDS: &istioSDS{
 				Enabled: &d.inputs.IstioValues.SDSEnabled,
 			},
 		},
 	}
 
+	// TODO(npolshak): Remove once default GatewayParameters are supported: https://github.com/solo-io/solo-projects/issues/6107
+	if d.inputs.IstioValues.SDSEnabled {
+		// Is Istio integration is enabled, we need to set the SDS image tag
+		vals.Gateway.Sds = getDefaultSdsValues(d.inputs.Extensions.GetSdsImage())
+		vals.Gateway.Sds.Istio = getDefaultIstioValues()
+	}
+
 	// check if there is a GatewayParameters associated with this Gateway
 	gwp, err := d.getGatewayParametersForGateway(ctx, gw)
 	if err != nil {
@@ -216,6 +224,7 @@ func (d *Deployer) getValues(ctx context.Context, gw *api.Gateway) (*helmConfig,
 	podConfig := kubeProxyConfig.GetPodTemplate()
 	envoyContainerConfig := kubeProxyConfig.GetEnvoyContainer()
 	svcConfig := kubeProxyConfig.GetService()
+	sds := kubeProxyConfig.GetSds()
 
 	// deployment values
 	autoscalingVals := getAutoscalingValues(kubeProxyConfig.GetAutoscaling())
@@ -240,13 +249,16 @@ func (d *Deployer) getValues(ctx context.Context, gw *api.Gateway) (*helmConfig,
 	// envoy container values
 	logLevel := envoyContainerConfig.GetBootstrap().GetLogLevel()
 	compLogLevels := envoyContainerConfig.GetBootstrap().GetComponentLogLevels()
-
 	vals.Gateway.LogLevel = &logLevel
 	compLogLevelStr, err := ComponentLogLevelsToString(compLogLevels)
 	if err != nil {
 		return nil, err
 	}
 	vals.Gateway.ComponentLogLevel = &compLogLevelStr
+
+	// sds values
+	vals.Gateway.Sds = getSdsValues(sds, d.inputs.Extensions.GetSdsImage())
+
 	vals.Gateway.Resources = envoyContainerConfig.GetResources()
 	vals.Gateway.SecurityContext = envoyContainerConfig.GetSecurityContext()
 	vals.Gateway.Image = getMergedEnvoyImageValues(d.inputs.Extensions.GetEnvoyImage(), envoyContainerConfig.GetImage())