Update Mesh and Ingress Gateway CRDs for 1.12 #1168

Merged
merged 1 commit into from
Apr 14, 2022
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -18,6 +18,7 @@ IMPROVEMENTS:
* Helm
* API Gateway: Allow controller to read ReferencePolicy in order to determine if route is allowed for backend in different namespace. [[GH-1148](https://github.com/hashicorp/consul-k8s/pull/1148)]
* Allow `consul` to be a destination namespace. [[GH-1163](https://github.com/hashicorp/consul-k8s/pull/1163)]
* CRDs: Update Mesh and Ingress Gateway CRDs to support TLS config. [[GH-1168](https://github.com/hashicorp/consul-k8s/pull/1168)]

## 0.42.0 (April 04, 2022)

4 changes: 2 additions & 2 deletions Makefile
@@ -82,7 +82,7 @@ ifeq (, $(shell which controller-gen))
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.6.0 ;\
go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0 ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
CONTROLLER_GEN=$(shell go env GOPATH)/bin/controller-gen
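Review bot: the bump to controller-gen@v0.8.0 changes the generated output for every CRD (the `controller-gen.kubebuilder.io/version` annotation and the property layout in each file under charts/consul/templates), so any CRD not regenerated in the same change drifts from the tool version pinned here. The other files in this PR show the regeneration was done; stating in the PR description that the CRDs were regenerated with the new tool rather than hand-edited would make that explicit for reviewers.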
@@ -109,4 +109,4 @@ DEV_IMAGE?=consul-k8s-control-plane-dev
GIT_COMMIT?=$(shell git rev-parse --short HEAD)
GIT_DIRTY?=$(shell test -n "`git status --porcelain`" && echo "+CHANGES" || true)
GIT_DESCRIBE?=$(shell git describe --tags --always)
CRD_OPTIONS ?= "crd:trivialVersions=true,allowDangerousTypes=true"
CRD_OPTIONS ?= "crd:allowDangerousTypes=true"
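Review bot: dropping `trivialVersions=true` from `CRD_OPTIONS` is tied to the controller-gen bump in the hunk above (newer controller-tools releases no longer accept that option), while `allowDangerousTypes=true` is kept, which continues to permit float fields in the generated schemas. A one-line comment above `CRD_OPTIONS` recording which types still need that option would make the next tooling bump easier to review and would flag if the option can eventually be removed.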
4 changes: 2 additions & 2 deletions charts/consul/templates/crd-exportedservices.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.0
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: exportedservices.consul.hashicorp.com
labels:
@@ -55,7 +55,7 @@ spec:
metadata:
type: object
spec:
description: ExportedServicesSpec defines the desired state of ExportedServices
description: ExportedServicesSpec defines the desired state of ExportedServices.
properties:
services:
description: Services is a list of services to be exported and the
137 changes: 98 additions & 39 deletions charts/consul/templates/crd-ingressgateways.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.0
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: ingressgateways.consul.hashicorp.com
labels:
@@ -55,7 +55,7 @@ spec:
metadata:
type: object
spec:
description: IngressGatewaySpec defines the desired state of IngressGateway
description: IngressGatewaySpec defines the desired state of IngressGateway.
properties:
listeners:
description: Listeners declares what ports the ingress gateway should
@@ -64,25 +64,6 @@ spec:
description: IngressListener manages the configuration for a listener
on a specific port.
properties:
tls:
description: TLS config for this listener.
properties:
enabled:
description: Indicates that TLS should be enabled for this
gateway service.
type: boolean
sds:
description: SDS allows configuring TLS certificate from
an SDS service.
properties:
certResource:
type: string
clusterName:
type: string
type: object
required:
- enabled
type: object
port:
description: Port declares the port on which the ingress gateway
should listen for traffic.
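Review bot: the listener-level `tls` block removed here, including its `required: - enabled` constraint, is not dropped from the API; it reappears later in this file at its sorted position under `listeners.items.properties` with the same `enabled` and `sds` fields plus new `cipherSuites`, `tlsMaxVersion` and `tlsMinVersion` fields and field descriptions. Worth saying in the PR description that the move is a regeneration artifact of the new controller-gen, otherwise this hunk reads as removing TLS from listeners.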
@@ -95,28 +76,14 @@ spec:
values are: (tcp | http | http2 | grpc).'
type: string
services:
description: "Services declares the set of services to which
the listener forwards traffic. \n For \"tcp\" protocol listeners,
only a single service is allowed. For \"http\" listeners,
multiple services can be declared."
description: Services declares the set of services to which
the listener forwards traffic. For "tcp" protocol listeners,
only a single service is allowed. For "http" listeners, multiple
services can be declared.
items:
description: IngressService manages configuration for services
that are exposed to ingress traffic.
properties:
tls:
description: TLS allows specifying some TLS configuration
per listener.
properties:
sds:
description: SDS allows configuring TLS certificate
from an SDS service.
properties:
certResource:
type: string
clusterName:
type: string
type: object
type: object
hosts:
description: "Hosts is a list of hostnames which should
be associated to this service on the defined listener.
@@ -201,13 +168,86 @@ spec:
any existing header values of the same name.
type: object
type: object
tls:
description: TLS allows specifying some TLS configuration
per listener.
properties:
sds:
description: SDS allows configuring TLS certificate
from an SDS service.
properties:
certResource:
description: CertResource is the SDS resource
name to request when fetching the certificate
from the SDS service.
type: string
clusterName:
description: ClusterName is the SDS cluster name
to connect to, to retrieve certificates. This
cluster must be specified in the Gateway's bootstrap
configuration.
type: string
type: object
type: object
type: object
type: array
tls:
description: TLS config for this listener.
properties:
cipherSuites:
description: Define a subset of cipher suites to restrict
Only applicable to connections negotiated via TLS 1.2
or earlier.
items:
type: string
type: array
enabled:
description: Indicates that TLS should be enabled for this
gateway service.
type: boolean
sds:
description: SDS allows configuring TLS certificate from
an SDS service.
properties:
certResource:
description: CertResource is the SDS resource name to
request when fetching the certificate from the SDS
service.
type: string
clusterName:
description: ClusterName is the SDS cluster name to
connect to, to retrieve certificates. This cluster
must be specified in the Gateway's bootstrap configuration.
type: string
type: object
tlsMaxVersion:
description: TLSMaxVersion sets the default maximum TLS
version supported. Must be greater than or equal to `TLSMinVersion`.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or
`TLSv1_3`. If unspecified, Envoy will default to TLS 1.3
as a max version for incoming connections.
type: string
tlsMinVersion:
description: TLSMinVersion sets the default minimum TLS
version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`,
`TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0
and newer will default to TLS 1.2 as a min version, while
older releases of Envoy default to TLS 1.0.
type: string
required:
- enabled
type: object
type: object
type: array
tls:
description: TLS holds the TLS configuration for this gateway.
properties:
cipherSuites:
description: Define a subset of cipher suites to restrict Only
applicable to connections negotiated via TLS 1.2 or earlier.
items:
type: string
type: array
enabled:
description: Indicates that TLS should be enabled for this gateway
service.
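Review bot: `tlsMinVersion` and `tlsMaxVersion` are emitted as plain `type: string` even though the description enumerates the only valid values (`TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`); without an `enum` in the schema a misspelling such as `TLSv1.2` is accepted by the API server and only fails later in Consul. A `+kubebuilder:validation:Enum=...` marker on the Go field would make the generated CRD reject it at admission. Two smaller points in the same block: the `cipherSuites` description (which comes from the Go field comment) is missing a sentence break in "restrict Only applicable to connections negotiated via TLS 1.2 or earlier", and the "Must be greater than or equal to `TLSMinVersion`" rule cannot be expressed in the schema, so it needs to be enforced in the CRD's validation code.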
@@ -217,10 +257,29 @@ spec:
service.
properties:
certResource:
description: CertResource is the SDS resource name to request
when fetching the certificate from the SDS service.
type: string
clusterName:
description: ClusterName is the SDS cluster name to connect
to, to retrieve certificates. This cluster must be specified
in the Gateway's bootstrap configuration.
type: string
type: object
tlsMaxVersion:
description: TLSMaxVersion sets the default maximum TLS version
supported. Must be greater than or equal to `TLSMinVersion`.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy will default to TLS 1.3 as a max version
for incoming connections.
type: string
tlsMinVersion:
description: TLSMinVersion sets the default minimum TLS version
supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`,
or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default
to TLS 1.2 as a min version, while older releases of Envoy default
to TLS 1.0.
type: string
required:
- enabled
type: object
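Review bot: the same remark as for the listener-level block applies to the gateway-level `tlsMinVersion` and `tlsMaxVersion` here: plain `type: string` with the permitted values only in prose, so consider an enum constraint so invalid values are rejected at admission. The `cipherSuites` description also has the run-on "restrict Only applicable", and unlike the Mesh CRD in this PR it does not say where the list of supported suite names can be found, so a user cannot tell which strings are valid without reading Consul source.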
76 changes: 73 additions & 3 deletions charts/consul/templates/crd-meshes.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.0
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: meshes.consul.hashicorp.com
labels:
@@ -53,10 +53,80 @@ spec:
metadata:
type: object
spec:
description: MeshSpec defines the desired state of Mesh
description: MeshSpec defines the desired state of Mesh.
properties:
tls:
description: TLS defines the TLS configuration for the service mesh.
properties:
incoming:
description: Incoming defines the TLS configuration for inbound
mTLS connections targeting the public listener on Connect and
TerminatingGateway proxy kinds.
properties:
cipherSuites:
description: CipherSuites sets the default list of TLS cipher
suites to support when negotiating connections using TLS
1.2 or earlier. If unspecified, Envoy will use a default
server cipher list. The list of supported cipher suites
can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169
and is dependent on underlying support in Envoy. Future
releases of Envoy may remove currently-supported but insecure
cipher suites, and future releases of Consul may add new
supported cipher suites if any are added to Envoy.
items:
type: string
type: array
tlsMaxVersion:
description: TLSMaxVersion sets the default maximum TLS version
supported. Must be greater than or equal to `TLSMinVersion`.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy will default to TLS 1.3 as a max version
for incoming connections.
type: string
tlsMinVersion:
description: TLSMinVersion sets the default minimum TLS version
supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`,
or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will
default to TLS 1.2 as a min version, while older releases
of Envoy default to TLS 1.0.
type: string
type: object
outgoing:
description: Outgoing defines the TLS configuration for outbound
mTLS connections dialing upstreams from Connect and IngressGateway
proxy kinds.
properties:
cipherSuites:
description: CipherSuites sets the default list of TLS cipher
suites to support when negotiating connections using TLS
1.2 or earlier. If unspecified, Envoy will use a default
server cipher list. The list of supported cipher suites
can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169
and is dependent on underlying support in Envoy. Future
releases of Envoy may remove currently-supported but insecure
cipher suites, and future releases of Consul may add new
supported cipher suites if any are added to Envoy.
items:
type: string
type: array
tlsMaxVersion:
description: TLSMaxVersion sets the default maximum TLS version
supported. Must be greater than or equal to `TLSMinVersion`.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy will default to TLS 1.3 as a max version
for incoming connections.
type: string
tlsMinVersion:
description: TLSMinVersion sets the default minimum TLS version
supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`,
or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will
default to TLS 1.2 as a min version, while older releases
of Envoy default to TLS 1.0.
type: string
type: object
type: object
transparentProxy:
description: TransparentProxyMeshConfig controls configuration specific
description: TransparentProxy controls the configuration specific
to proxies in "transparent" mode. Added in v1.10.0.
properties:
meshDestinationsOnly:
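Review bot: under `outgoing`, the `tlsMaxVersion` description ends with "as a max version for incoming connections", which looks copied from the `incoming` block and should refer to outbound connections to upstreams (or drop the qualifier). The two `cipherSuites` descriptions link to the supported list at a pinned Consul tag and line range (v1.11.2/types/tls.go#L154-L169); since this PR targets Consul 1.12 that link will go stale quickly, so linking the file without the tag and line anchors, or listing the accepted names in the description, would be more durable. The four TLS version fields here are also plain `type: string` with the valid values only in prose, so the same enum suggestion as for the ingress gateway CRD applies.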
4 changes: 2 additions & 2 deletions charts/consul/templates/crd-proxydefaults.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.0
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: proxydefaults.consul.hashicorp.com
labels:
@@ -55,7 +55,7 @@ spec:
metadata:
type: object
spec:
description: ProxyDefaultsSpec defines the desired state of ProxyDefaults
description: ProxyDefaultsSpec defines the desired state of ProxyDefaults.
properties:
config:
description: Config is an arbitrary map of configuration values used
4 changes: 2 additions & 2 deletions charts/consul/templates/crd-servicedefaults.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.0
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: servicedefaults.consul.hashicorp.com
labels:
@@ -55,7 +55,7 @@ spec:
metadata:
type: object
spec:
description: ServiceDefaultsSpec defines the desired state of ServiceDefaults
description: ServiceDefaultsSpec defines the desired state of ServiceDefaults.
properties:
expose:
description: Expose controls the default expose path configuration
4 changes: 2 additions & 2 deletions charts/consul/templates/crd-serviceintentions.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.0
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: serviceintentions.consul.hashicorp.com
labels:
@@ -55,7 +55,7 @@ spec:
metadata:
type: object
spec:
description: ServiceIntentionsSpec defines the desired state of ServiceIntentions
description: ServiceIntentionsSpec defines the desired state of ServiceIntentions.
properties:
destination:
description: Destination is the intention destination that will have