diff --git a/Makefile b/Makefile index 692e0c06d..78744b1ee 100644 --- a/Makefile +++ b/Makefile @@ -42,15 +42,15 @@ ci-release: build build-image push-image clean: rm -rf bin -.PHONY: path-to-referenced-charts -path-to-referenced-charts: - @echo "resources/core" - # Install CRDs into a cluster install: manifests kustomize build config/crd | kubectl apply -f - @if ! kubectl get crd virtualservices.networking.istio.io > /dev/null 2>&1 ; then kubectl apply -f hack/networking.istio.io_virtualservice.yaml; fi; +# Generate static installation files +static: manifests + kustomize build config/default -o install/k8s + # Deploy controller in the configured Kubernetes cluster in ~/.kube/config deploy: manifests kustomize build config/default | kubectl apply -f - diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 8402c5191..d676710f8 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -33,6 +33,7 @@ patchesStrategicMerge: # Only one of manager_auth_proxy_patch.yaml and # manager_prometheus_metrics_patch.yaml should be enabled. #- manager_prometheus_metrics_patch.yaml +- manager_sa_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml #- manager_webhook_patch.yaml diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml index b25a5c631..970780994 100644 --- a/config/default/manager_image_patch.yaml +++ b/config/default/manager_image_patch.yaml @@ -7,6 +7,6 @@ spec: template: spec: containers: - - image: api-gateway-controller:latest + - image: eu.gcr.io/kyma-project/incubator/develop/api-gateway-controller:1669a1f9 name: manager imagePullPolicy: IfNotPresent \ No newline at end of file diff --git a/config/default/manager_sa_patch.yaml b/config/default/manager_sa_patch.yaml new file mode 100644 index 000000000..748f5275c --- /dev/null +++ b/config/default/manager_sa_patch.yaml 
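Review bot: The new `static` target is a command, not a file, yet it is not declared phony; the hunk removes `.PHONY: path-to-referenced-charts` but adds no `.PHONY: static`, so any file or directory named `static` in the repository root would make `make static` report "up to date" and silently skip the regeneration. Add `.PHONY: static` directly above the rule, matching the project's convention for `install`/`deploy` (their declarations are outside this hunk). Note also that `kustomize build config/default -o install/k8s` embeds whatever image reference `config/default` holds at that moment, so the committed `install/k8s` manifests drift from the overlay unless the target is rerun on every image bump; a comment such as `# Regenerate after changing config/default (image, RBAC, namespace)` would make that explicit.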
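Review bot: The default overlay now references a `develop`-channel registry image by tag, and `install/k8s` is generated from this overlay, so the committed installer inherits a reference the registry can re-point. For an installation artefact, pin by digest, e.g. `image: eu.gcr.io/kyma-project/incubator/develop/api-gateway-controller@sha256:<DIGEST_PLACEHOLDER>`, or keep the base image generic and set the concrete reference only in the step that generates the static manifests. The tag `1669a1f9` looks like a commit SHA, which is immutable by convention only.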
@@ -0,0 +1,9 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + serviceAccountName: api-gateway-sa \ No newline at end of file diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 817f1fe61..0e49d6e10 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -3,9 +3,13 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml +- service_account.yaml # Comment the following 3 lines if you want to disable # the auth proxy (https://github.com/brancz/kube-rbac-proxy) # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml +# - auth_proxy_service.yaml +# - auth_proxy_role.yaml +# - auth_proxy_role_binding.yaml + +patchesStrategicMerge: +- patches/role_vs_patch.yaml \ No newline at end of file diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml index eed16906f..98a2e5caa 100644 --- a/config/rbac/leader_election_role_binding.yaml +++ b/config/rbac/leader_election_role_binding.yaml @@ -8,5 +8,5 @@ roleRef: name: leader-election-role subjects: - kind: ServiceAccount - name: default - namespace: system + name: api-gateway-api-gateway-sa + namespace: api-gateway-system diff --git a/config/rbac/patches/role_vs_patch.yaml b/config/rbac/patches/role_vs_patch.yaml new file mode 100644 index 000000000..fb2eec4cf --- /dev/null +++ b/config/rbac/patches/role_vs_patch.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: + - apiGroups: ["gateway.kyma-project.io"] + resources: ["gates", "gates/status"] + verbs: ["*"] + - apiGroups: ["networking.istio.io"] + resources: ["virtualservices"] + verbs: ["create", "delete", "get", "patch", "list", "watch"] 
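Review bot: Commenting out `auth_proxy_service.yaml`, `auth_proxy_role.yaml` and `auth_proxy_role_binding.yaml` removes the Service and RBAC that kube-rbac-proxy depends on, but nothing in this change shows `manager_auth_proxy_patch.yaml` being dropped from `config/default/kustomization.yaml` (its hunk still describes that patch as the enabled metrics option); if the sidecar is still patched in, it will run without the ClusterRole it needs for token and access reviews and every `/metrics` request will fail. Either remove that patch in the same commit or keep the three resources. The surviving context comment `# Comment the following 3 lines if you want to disable` now states the opposite of the file's condition; rewrite it, e.g. `# Auth proxy disabled; uncomment the following 3 lines to protect /metrics with kube-rbac-proxy.`.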
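Review bot: The subject is now hard-coded to the already-transformed name `api-gateway-api-gateway-sa` in `api-gateway-system`, duplicating what kustomize's `namePrefix`/`namespace` settings (not visible here, but implied by the doubled prefix) produce for the new `service_account.yaml`. Kustomize's built-in name-reference config rewrites ServiceAccount subjects in (Cluster)RoleBindings, so `name: api-gateway-sa` / `namespace: system` should be sufficient and would stay correct if the prefix or namespace ever changes; confirm with `kustomize build config/default` before relying on it, because if the rewrite does not fire the binding silently points at a non-existent account. The same applies to the identical edit in `config/rbac/role_binding.yaml` in this commit.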
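Review bot: `verbs: ["*"]` on `gates` and `gates/status` grants every current and future verb (including `deletecollection`) where the controller needs an enumerable set; list the verbs explicitly as the `networking.istio.io` rule below already does, and check whether the controller updates VirtualServices with Update rather than Patch, since `update` is absent from that rule. Separately, this file is applied via `patchesStrategicMerge` to a ClusterRole, and `rules` has no merge key, so the patch replaces the generated `manager-role` rules instead of appending to them; confirm that overriding controller-gen's output is intended, or regenerate the role from RBAC markers rather than patching it.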
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 8f2658702..f2694bcd5 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -8,5 +8,5 @@ roleRef: name: manager-role subjects: - kind: ServiceAccount - name: default - namespace: system + name: api-gateway-api-gateway-sa + namespace: api-gateway-system diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml new file mode 100644 index 000000000..76675a869 --- /dev/null +++ b/config/rbac/service_account.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: api-gateway-sa diff --git a/install/README.md b/install/README.md new file mode 100644 index 000000000..fdbcfabf7 --- /dev/null +++ b/install/README.md 
@@ -0,0 +1,38 @@ +# Installation guide + +This directory contains two methods of installation for the controller. + +## Static manifests +The `k8s` directory contains static kubernetes manifests generated by kubebuilder. They can be used to quickly deploy a simple installation of the controller (deployment, RBAC). +To install simply run: + +```bash +kubectl apply -f k8s +``` + +## Helm chart +The `helm` directory contains a helm chart for the Gateway controller. It consists of the following elements: +- CustomResourceDefinition(CRD) managed by a job (for installation and upgrade) +- Controller deployment +- RBAC settings + +To install simply run: + +```bash +helm install --name gatekeeper --namespace default helm/api-gateway +``` + +>**NOTE:** This CRD requires and uses the following applications/CRD, which should be installed beforehand: +> - Istio [VirtualService](https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/) +> - Istio [Policy](https://istio.io/docs/reference/config/istio.authentication.v1alpha1/) +> - Oathkeeper [AccessRule](https://www.ory.sh/docs/oathkeeper/) +> + Oathkeeper CRD resources are available as charts in [this repo](https://github.com/ory/k8s) + +## HowTo +Installation example (required tools: `minikube`, `kubectl`, `helm`): +- Create a k8s cluster using minikube (`minikube start --memory=8192 --cpus=4`) +- Installer tiller on the cluster (`helm init`) +- Apply required CRDs (`kubectl apply -f hack/`) +- Install the Gatekeeper chart (`helm install --name gatekeeper --namespace some-namespace install/helm/api-gateway`) +- Create sample resource (`kubectl apply -f config/samples/valid.yaml`) +- Check controller logs (`kubectl logs -n default -lapp.kubernetes.io/name=api-gateway -c api-gateway`) diff --git a/install/helm/api-gateway/.helmignore b/install/helm/api-gateway/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/install/helm/api-gateway/.helmignore 
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/install/helm/api-gateway/Chart.yaml b/install/helm/api-gateway/Chart.yaml
new file mode 100644
index 000000000..a1bec2a42
--- /dev/null
+++ b/install/helm/api-gateway/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2alpha1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: api-gateway
+version: 0.1.0
diff --git a/install/helm/api-gateway/files/crd-gates.yaml b/install/helm/api-gateway/files/crd-gates.yaml
new file mode 100644
index 000000000..235a132fc
--- /dev/null
+++ b/install/helm/api-gateway/files/crd-gates.yaml
@@ -0,0 +1,487 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: gates.gateway.kyma-project.io +spec: + group: gateway.kyma-project.io + names: + kind: Gate + plural: gates + scope: "" + subresources: + status: {} + validation: + openAPIV3Schema: + description: Gate is the Schema for the apis Gate + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map stored with + a resource that may be set by external tools to store and retrieve + arbitrary metadata. They are not queryable and should be preserved + when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + type: object + clusterName: + description: The name of the cluster which the object belongs to. This + is used to distinguish resources with same name and namespace in different + clusters. This field is not set anywhere right now and apiserver is + going to ignore it if set in create or update request. + type: string + creationTimestamp: + description: "CreationTimestamp is a timestamp representing the server + time when this object was created. It is not guaranteed to be set + in happens-before order across separate operations. Clients may not + set this value. 
It is represented in RFC3339 form and is in UTC. \n + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + format: date-time + type: string + deletionGracePeriodSeconds: + description: Number of seconds allowed for this object to gracefully + terminate before it will be removed from the system. Only set when + deletionTimestamp is also set. May only be shortened. Read-only. + format: int64 + type: integer + deletionTimestamp: + description: "DeletionTimestamp is RFC 3339 date and time at which this + resource will be deleted. This field is set by the server when a graceful + deletion is requested by the user, and is not directly settable by + a client. The resource is expected to be deleted (no longer visible + from resource lists, and not reachable by name) after the time in + this field, once the finalizers list is empty. As long as the finalizers + list contains items, deletion is blocked. Once the deletionTimestamp + is set, this value may not be unset or be set further into the future, + although it may be shortened or the resource may be deleted prior + to this time. For example, a user may request that a pod is deleted + in 30 seconds. The Kubelet will react by sending a graceful termination + signal to the containers in the pod. After that 30 seconds, the Kubelet + will send a hard termination signal (SIGKILL) to the container and + after cleanup, remove the pod from the API. In the presence of network + partitions, this object may still exist after this timestamp, until + an administrator or automated process can determine the resource is + fully terminated. If not set, graceful deletion of the object has + not been requested. \n Populated by the system when a graceful deletion + is requested. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + format: date-time + type: string + finalizers: + description: Must be empty before the object is deleted from the registry. + Each entry is an identifier for the responsible component that will + remove the entry from the list. If the deletionTimestamp of the object + is non-nil, entries in this list can only be removed. + items: + type: string + type: array + generateName: + description: "GenerateName is an optional prefix, used by the server, + to generate a unique name ONLY IF the Name field has not been provided. + If this field is used, the name returned to the client will be different + than the name passed. This value will also be combined with a unique + suffix. The provided value has the same validation rules as the Name + field, and may be truncated by the length of the suffix required to + make the value unique on the server. \n If this field is specified + and the generated name exists, the server will NOT return a 409 - + instead, it will either return 201 Created or 500 with Reason ServerTimeout + indicating a unique name could not be found in the time allotted, + and the client should retry (optionally after the time indicated in + the Retry-After header). \n Applied only if Name is not specified. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency" + type: string + generation: + description: A sequence number representing a specific generation of + the desired state. Populated by the system. Read-only. + format: int64 + type: integer + initializers: + description: "An initializer is a controller which enforces some system + invariant at object creation time. This field is a list of initializers + that have not yet acted on this object. If nil or empty, this object + has been completely initialized. 
Otherwise, the object is considered + uninitialized and is hidden (in list/watch and get calls) from clients + that haven't explicitly asked to observe uninitialized objects. \n + When an object is created, the system will populate this list with + the current set of initializers. Only privileged users may set or + modify this list. Once it is empty, it may not be modified further + by any user. \n DEPRECATED - initializers are an alpha field and will + be removed in v1.15." + properties: + pending: + description: Pending is a list of initializers that must execute + in order before this object is visible. When the last pending + initializer is removed, and no failing result is set, the initializers + struct will be set to nil and the object is considered as initialized + and visible to all clients. + items: + properties: + name: + description: name of the process that is responsible for initializing + this object. + type: string + required: + - name + type: object + type: array + result: + description: If result is set with the Failure field, the object + will be persisted to storage and then deleted, ensuring that other + clients can observe the deletion. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + code: + description: Suggested HTTP return code for this status, 0 if + not set. + format: int32 + type: integer + details: + description: Extended data associated with the reason. Each + reason may define its own extended details. This field is + optional and the data returned is not guaranteed to conform + to any schema except that defined by the reason type. 
+ properties: + causes: + description: The Causes array includes more details associated + with the StatusReason failure. Not all StatusReasons may + provide detailed causes. + items: + properties: + field: + description: "The field of the resource that has caused + this error, as named by its JSON serialization. + May include dot and postfix notation for nested + attributes. Arrays are zero-indexed. Fields may + appear more than once in an array of causes due + to fields having multiple errors. Optional. \n Examples: + \ \"name\" - the field \"name\" on the current + resource \"items[0].name\" - the field \"name\" + on the first array entry in \"items\"" + type: string + message: + description: A human-readable description of the cause + of the error. This field may be presented as-is + to a reader. + type: string + reason: + description: A machine-readable description of the + cause of the error. If this value is empty there + is no information available. + type: string + type: object + type: array + group: + description: The group attribute of the resource associated + with the status StatusReason. + type: string + kind: + description: 'The kind attribute of the resource associated + with the status StatusReason. On some operations may differ + from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: The name attribute of the resource associated + with the status StatusReason (when there is a single name + which can be described). + type: string + retryAfterSeconds: + description: If specified, the time in seconds before the + operation should be retried. Some errors may indicate + the client must take an alternate action - for those errors + this field may indicate how long to wait before taking + the alternate action. + format: int32 + type: integer + uid: + description: 'UID of the resource. (when there is a single + resource which can be described). 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + type: object + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + message: + description: A human-readable description of the status of this + operation. + type: string + metadata: + description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + properties: + continue: + description: continue may be set if the user set a limit + on the number of items returned, and indicates that the + server has more data available. The value is opaque and + may be used to issue another request to the endpoint that + served this list to retrieve the next set of available + objects. Continuing a consistent list may not be possible + if the server configuration has changed or more than a + few minutes have passed. The resourceVersion field returned + when using this continue value will be identical to the + value in the first response, unless you have received + this token from an error message. + type: string + resourceVersion: + description: 'String that identifies the server''s internal + version of this object that can be used by clients to + determine when objects have changed. Value must be treated + as opaque by clients and passed unmodified back to the + server. Populated by the system. Read-only. More info: + https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' + type: string + selfLink: + description: selfLink is a URL representing this object. + Populated by the system. Read-only. 
+ type: string + type: object + reason: + description: A machine-readable description of why this operation + is in the "Failure" status. If this value is empty there is + no information available. A Reason clarifies an HTTP status + code but does not override it. + type: string + status: + description: 'Status of the operation. One of: "Success" or + "Failure". More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status' + type: string + type: object + required: + - pending + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used to organize + and categorize (scope and select) objects. May match selectors of + replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' + type: object + managedFields: + description: "ManagedFields maps workflow-id and version to the set + of fields that are managed by that workflow. This is mostly for internal + housekeeping, and users typically shouldn't need to set or understand + this field. A workflow can be the user's name, a controller's name, + or the name of a specific apply path like \"ci-cd\". The set of fields + is always in the version that the workflow used when modifying the + object. \n This field is alpha and can be changed or removed without + notice." + items: + properties: + apiVersion: + description: APIVersion defines the version of this resource that + this field set applies to. The format is "group/version" just + like the top-level APIVersion field. It is necessary to track + the version of a field set because it cannot be automatically + converted. + type: string + fields: + additionalProperties: true + description: Fields identifies a set of fields. + type: object + manager: + description: Manager is an identifier of the workflow managing + these fields. 
+ type: string + operation: + description: Operation is the type of operation which lead to + this ManagedFieldsEntry being created. The only valid values + for this field are 'Apply' and 'Update'. + type: string + time: + description: Time is timestamp of when these fields were set. + It should always be empty if Operation is 'Apply' + format: date-time + type: string + type: object + type: array + name: + description: 'Name must be unique within a namespace. Is required when + creating resources, although some resources may allow a client to + request the generation of an appropriate name automatically. Name + is primarily intended for creation idempotence and configuration definition. + Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + namespace: + description: "Namespace defines the space within each name must be unique. + An empty namespace is equivalent to the \"default\" namespace, but + \"default\" is the canonical representation. Not all objects are required + to be scoped to a namespace - the value of this field for those objects + will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: + http://kubernetes.io/docs/user-guide/namespaces" + type: string + ownerReferences: + description: List of objects depended by this object. If ALL objects + in the list have been deleted, this object will be garbage collected. + If this object is managed by a controller, then an entry in this list + will point to this controller, with the controller field set to true. + There cannot be more than one managing controller. + items: + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: If true, AND if the owner has the "foregroundDeletion" + finalizer, then the owner cannot be deleted from the key-value + store until this reference is removed. Defaults to false. 
To + set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + uid: + description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + type: array + resourceVersion: + description: "An opaque value that represents the internal version of + this object that can be used by clients to determine when objects + have changed. May be used for optimistic concurrency, change detection, + and the watch operation on a resource or set of resources. Clients + must treat these values as opaque and passed unmodified back to the + server. They may only be valid for a particular resource or set of + resources. \n Populated by the system. Read-only. Value must be treated + as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency" + type: string + selfLink: + description: SelfLink is a URL representing this object. Populated by + the system. Read-only. + type: string + uid: + description: "UID is the unique in time and space value for this object. + It is typically generated by the server on successful creation of + a resource and is not allowed to change on PUT operations. \n Populated + by the system. Read-only. 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids" + type: string + type: object + spec: + properties: + auth: + description: Auth strategy to be used + properties: + config: + description: Config configures the auth strategy. Configuration + keys vary per strategy. + type: object + name: + enum: + - JWT + - OAUTH + - PASSTHROUGH + type: string + required: + - name + type: object + gateway: + description: Gateway to be used + pattern: ^(?:[_a-z0-9](?:[_a-z0-9-]+[a-z0-9])?\.)+(?:[a-z](?:[a-z0-9-]+[a-z0-9])?)?$ + type: string + service: + description: Definition of the service to expose + properties: + external: + description: Defines if the service is internal (in cluster) or + external + type: boolean + host: + description: URL on which the service will be visible + maxLength: 256 + minLength: 3 + pattern: ^(?:[_a-z0-9](?:[_a-z0-9-]+[a-z0-9])?\.)+(?:[a-z](?:[a-z0-9-]+[a-z0-9])?)?$ + type: string + name: + description: Name of the service + type: string + port: + description: Port of the service to expose + format: int32 + maximum: 99999 + minimum: 1 + type: integer + required: + - name + - port + - host + type: object + required: + - service + - auth + - gateway + type: object + status: + properties: + GateStatus: + properties: + code: + type: string + desc: + type: string + type: object + accessRuleStatus: + properties: + code: + type: string + desc: + type: string + type: object + lastProcessedTime: + format: date-time + type: string + observedGeneration: + format: int64 + type: integer + policyStatus: + properties: + code: + type: string + desc: + type: string + type: object + virtualServiceStatus: + properties: + code: + type: string + desc: + type: string + type: object + type: object + type: object + versions: + - name: v2alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/install/helm/api-gateway/templates/_helpers.tpl b/install/helm/api-gateway/templates/_helpers.tpl
new file mode 100644
index 000000000..70a494c09
--- /dev/null
+++ b/install/helm/api-gateway/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "api-gateway.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "api-gateway.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "api-gateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "api-gateway.labels" -}}
+app.kubernetes.io/name: {{ include "api-gateway.name" . }}
+helm.sh/chart: {{ include "api-gateway.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
\ No newline at end of file
diff --git a/install/helm/api-gateway/templates/crd-configmap.yaml b/install/helm/api-gateway/templates/crd-configmap.yaml
new file mode 100644
index 000000000..6908ed338
--- /dev/null
+++ b/install/helm/api-gateway/templates/crd-configmap.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Release.Name }}-crd-gates
+ annotations:
+ "helm.sh/hook": "pre-install, pre-upgrade"
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+ gates.yaml: |-
+{{.Files.Get "files/crd-gates.yaml" | printf "%s" | indent 4}}
\ No newline at end of file
diff --git a/install/helm/api-gateway/templates/crd-job.yaml b/install/helm/api-gateway/templates/crd-job.yaml
new file mode 100644
index 000000000..618e66fae
--- /dev/null
+++ b/install/helm/api-gateway/templates/crd-job.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Release.Name }}-crd-gates
+ annotations:
+ "helm.sh/hook-delete-policy": "before-hook-creation, hook-succeeded"
+ "helm.sh/hook": "pre-install, pre-upgrade"
+ "helm.sh/hook-weight": "10"
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: {{ .Release.Name }}-crd-init
+ containers:
+ - name: {{ .Release.Name }}-crd-gates
+ image: "{{ .Values.rbacJob.image.repository }}:{{ .Values.rbacJob.image.tag }}"
+ volumeMounts:
+ - name: crd-gates
+ mountPath: /etc/crd
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/crd/gates.yaml"]
+ volumes:
+ - name: crd-gates
+ configMap:
+ name: {{ .Release.Name }}-crd-gates
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/install/helm/api-gateway/templates/crd-rbac.yaml b/install/helm/api-gateway/templates/crd-rbac.yaml
new file mode 100644
index 000000000..f6d97125a
--- /dev/null
+++ b/install/helm/api-gateway/templates/crd-rbac.yaml
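Review bot: The hook Job sets neither `backoffLimit` nor `activeDeadlineSeconds`, so a persistently failing `kubectl apply` (for instance the `{{ .Release.Name }}-crd-init` account lacking a verb, or the `rbacJob.image` tag missing from the registry) is retried with the Job default of six backoffs and `helm install` blocks until Helm's own timeout before the error surfaces. Add `backoffLimit: 3` and a bounded `activeDeadlineSeconds` under `spec:` so the failure is reported promptly. Mounting the ConfigMap `readOnly: true` and disabling sidecar injection for the one-shot pod are both appropriate here.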
@@ -0,0 +1,41 @@
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-crd-init
+ annotations:
+ "helm.sh/hook": "pre-install, pre-upgrade"
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+rules:
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "get", "list", "watch", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-crd-init
+ annotations:
+ "helm.sh/hook": "pre-install, pre-upgrade"
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-crd-init
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-crd-init
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-crd-init
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": "pre-install, pre-upgrade"
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
\ No newline at end of file
diff --git a/install/helm/api-gateway/templates/deployment.yaml b/install/helm/api-gateway/templates/deployment.yaml
new file mode 100644
index 000000000..181c9a96f
--- /dev/null
+++ b/install/helm/api-gateway/templates/deployment.yaml
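Review bot: The `{{ .Release.Name }}-crd-init` ClusterRole, ClusterRoleBinding and ServiceAccount carry only `hook-delete-policy: before-hook-creation`, so unlike the Job (removed on `hook-succeeded`) an identity with cluster-wide `create`/`patch` on CustomResourceDefinitions remains in the cluster after every install and upgrade. Adding `hook-succeeded` to these three is presumably not enough on its own, because Helm treats non-Job hook resources as succeeded as soon as they are created, which would remove them before the weight-10 Job runs; a `post-install, post-upgrade` cleanup hook, or at least a comment documenting the persistent grant, is the way to close that window. Within the role, `get`, `patch` and `watch` can also be narrowed with `resourceNames: ["gates.gateway.kyma-project.io"]` in a separate rule (`create` cannot be restricted by name and `list` does not honour it).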
@@ -0,0 +1,51 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "api-gateway.fullname" . }}
+ labels:
+{{ include "api-gateway.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: {{ include "api-gateway.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: {{ include "api-gateway.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - /manager
+ args:
+ - --metrics-addr=127.0.0.1:8080
+ resources:
+ {{- toYaml .Values.deployment.resources | nindent 12 }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ serviceAccountName: {{ include "api-gateway.name" . }}-account
+ nodeSelector:
+ {{- with .Values.deployment.nodeSelector }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.deployment.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/install/helm/api-gateway/templates/rbac.yaml b/install/helm/api-gateway/templates/rbac.yaml
new file mode 100644
index 000000000..307f95c03
--- /dev/null
+++ b/install/helm/api-gateway/templates/rbac.yaml
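Review bot: The manager container runs without any pod or container `securityContext`, so the hardening that costs nothing for a controller that only talks to the API server (non-root, no privilege escalation, read-only root filesystem, all capabilities dropped) is missing; the rewritten container block below adds it, with the caveat that `runAsNonRoot: true` will block the pod if the image does not ship a non-root user, which is not visible here. Separately, the template reads `.Values.annotations` for the pod annotations while `values.yaml` in this commit appears to nest `annotations: {}` under `deployment:` (indentation is lost in this view), so that value would never be applied; align the two, e.g. `{{- with .Values.deployment.annotations }}`. `nodeSelector:` is also emitted unconditionally and renders as a null value when the map is empty, unlike `affinity`/`tolerations`, which are wrapped in their `with`.
```yaml
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        # … unchanged: command, args, resources, termination settings …
```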
@@ -0,0 +1,39 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "api-gateway.name" . }}-account
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ include "api-gateway.name" . }}-role
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: ["gateway.kyma-project.io"]
+    resources: ["gates", "gates/status"]
+    verbs: ["*"]
+  - apiGroups: ["networking.istio.io"]
+    resources: ["virtualservices"]
+    verbs: ["create", "delete", "get", "patch", "list", "watch"]
+  - apiGroups: ["authentication.istio.io"]
+    resources: ["policies"]
+    verbs: ["create", "delete", "get", "patch", "list", "watch"]
+  - apiGroups: ["oathkeeper.ory.sh"]
+    resources: ["rules"]
+    verbs: ["create", "delete", "get", "patch", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ include "api-gateway.name" . }}-role-binding
+  namespace: {{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "api-gateway.name" . }}-account # Service account assigned to the controller pod.
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "api-gateway.name" . }}-role
diff --git a/install/helm/api-gateway/values.yaml b/install/helm/api-gateway/values.yaml
new file mode 100644
index 000000000..749ee62bb
--- /dev/null
+++ b/install/helm/api-gateway/values.yaml
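Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on hunk lines 9 and 28 is the deprecated RBAC API version, while the crd-init template in the same chart and the kustomize output in this commit use `rbac.authorization.k8s.io/v1`; use `v1` here as well so the chart keeps installing on clusters that have dropped the beta API. The `namespace: {{ .Release.Namespace }}` under the ClusterRole and ClusterRoleBinding metadata (lines 12 and 31) has no meaning for cluster-scoped kinds and should be removed to avoid suggesting the grant is namespaced. The rule set also differs from the generated `api-gateway-manager-role`, which covers only `gates` and `virtualservices`: either this chart over-grants `authentication.istio.io/policies` and `oathkeeper.ory.sh/rules`, or the static manifests under-grant them, and the two installation paths should agree on one least-privilege set.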
@@ -0,0 +1,38 @@
+replicaCount: 1
+
+rbacJob:
+  image:
+    repository: eu.gcr.io/kyma-project/test-infra/alpine-kubectl
+    tag: "v20190325-ff66a3a"
+
+image:
+  repository: eu.gcr.io/kyma-project/incubator/develop/api-gateway-controller
+  tag: "1669a1f9"
+  # Image pull policy
+  pullPolicy: IfNotPresent
+
+deployment:
+  resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 30Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 20Mi
+
+  # Node labels for pod assignment.
+  nodeSelector: {}
+  # If you do want to specify node labels, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
+  # foo: bar
+
+  # Configure node tolerations.
+  tolerations: []
+  annotations: {}
+
+# Configure node affinity
+affinity: {}
\ No newline at end of file
diff --git a/install/k8s/apiextensions.k8s.io_v1beta1_customresourcedefinition_gates.gateway.kyma-project.io.yaml b/install/k8s/apiextensions.k8s.io_v1beta1_customresourcedefinition_gates.gateway.kyma-project.io.yaml
new file mode 100644
index 000000000..235a132fc
--- /dev/null
+++ b/install/k8s/apiextensions.k8s.io_v1beta1_customresourcedefinition_gates.gateway.kyma-project.io.yaml
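Review bot: The comment above `# foo: bar` (hunk line 30) tells the user to "remove the curly braces after 'annotations:'", but the value it documents is `nodeSelector: {}`; it should read `# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.`. `annotations: {}` itself (line 35) has no comment at all, so a one-liner such as `# Extra annotations added to the controller pod template.` would make its scope clear. `rbacJob.image` (lines 3–6) is defined but nothing in this view consumes it; if a hook Job template exists elsewhere in the chart, a comment naming it here would help, otherwise the block is dead configuration.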
@@ -0,0 +1,487 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: gates.gateway.kyma-project.io +spec: + group: gateway.kyma-project.io + names: + kind: Gate + plural: gates + scope: "" + subresources: + status: {} + validation: + openAPIV3Schema: + description: Gate is the Schema for the apis Gate + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map stored with + a resource that may be set by external tools to store and retrieve + arbitrary metadata. They are not queryable and should be preserved + when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + type: object + clusterName: + description: The name of the cluster which the object belongs to. This + is used to distinguish resources with same name and namespace in different + clusters. This field is not set anywhere right now and apiserver is + going to ignore it if set in create or update request. + type: string + creationTimestamp: + description: "CreationTimestamp is a timestamp representing the server + time when this object was created. It is not guaranteed to be set + in happens-before order across separate operations. Clients may not + set this value. 
It is represented in RFC3339 form and is in UTC. \n + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + format: date-time + type: string + deletionGracePeriodSeconds: + description: Number of seconds allowed for this object to gracefully + terminate before it will be removed from the system. Only set when + deletionTimestamp is also set. May only be shortened. Read-only. + format: int64 + type: integer + deletionTimestamp: + description: "DeletionTimestamp is RFC 3339 date and time at which this + resource will be deleted. This field is set by the server when a graceful + deletion is requested by the user, and is not directly settable by + a client. The resource is expected to be deleted (no longer visible + from resource lists, and not reachable by name) after the time in + this field, once the finalizers list is empty. As long as the finalizers + list contains items, deletion is blocked. Once the deletionTimestamp + is set, this value may not be unset or be set further into the future, + although it may be shortened or the resource may be deleted prior + to this time. For example, a user may request that a pod is deleted + in 30 seconds. The Kubelet will react by sending a graceful termination + signal to the containers in the pod. After that 30 seconds, the Kubelet + will send a hard termination signal (SIGKILL) to the container and + after cleanup, remove the pod from the API. In the presence of network + partitions, this object may still exist after this timestamp, until + an administrator or automated process can determine the resource is + fully terminated. If not set, graceful deletion of the object has + not been requested. \n Populated by the system when a graceful deletion + is requested. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + format: date-time + type: string + finalizers: + description: Must be empty before the object is deleted from the registry. + Each entry is an identifier for the responsible component that will + remove the entry from the list. If the deletionTimestamp of the object + is non-nil, entries in this list can only be removed. + items: + type: string + type: array + generateName: + description: "GenerateName is an optional prefix, used by the server, + to generate a unique name ONLY IF the Name field has not been provided. + If this field is used, the name returned to the client will be different + than the name passed. This value will also be combined with a unique + suffix. The provided value has the same validation rules as the Name + field, and may be truncated by the length of the suffix required to + make the value unique on the server. \n If this field is specified + and the generated name exists, the server will NOT return a 409 - + instead, it will either return 201 Created or 500 with Reason ServerTimeout + indicating a unique name could not be found in the time allotted, + and the client should retry (optionally after the time indicated in + the Retry-After header). \n Applied only if Name is not specified. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency" + type: string + generation: + description: A sequence number representing a specific generation of + the desired state. Populated by the system. Read-only. + format: int64 + type: integer + initializers: + description: "An initializer is a controller which enforces some system + invariant at object creation time. This field is a list of initializers + that have not yet acted on this object. If nil or empty, this object + has been completely initialized. 
Otherwise, the object is considered + uninitialized and is hidden (in list/watch and get calls) from clients + that haven't explicitly asked to observe uninitialized objects. \n + When an object is created, the system will populate this list with + the current set of initializers. Only privileged users may set or + modify this list. Once it is empty, it may not be modified further + by any user. \n DEPRECATED - initializers are an alpha field and will + be removed in v1.15." + properties: + pending: + description: Pending is a list of initializers that must execute + in order before this object is visible. When the last pending + initializer is removed, and no failing result is set, the initializers + struct will be set to nil and the object is considered as initialized + and visible to all clients. + items: + properties: + name: + description: name of the process that is responsible for initializing + this object. + type: string + required: + - name + type: object + type: array + result: + description: If result is set with the Failure field, the object + will be persisted to storage and then deleted, ensuring that other + clients can observe the deletion. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + code: + description: Suggested HTTP return code for this status, 0 if + not set. + format: int32 + type: integer + details: + description: Extended data associated with the reason. Each + reason may define its own extended details. This field is + optional and the data returned is not guaranteed to conform + to any schema except that defined by the reason type. 
+ properties: + causes: + description: The Causes array includes more details associated + with the StatusReason failure. Not all StatusReasons may + provide detailed causes. + items: + properties: + field: + description: "The field of the resource that has caused + this error, as named by its JSON serialization. + May include dot and postfix notation for nested + attributes. Arrays are zero-indexed. Fields may + appear more than once in an array of causes due + to fields having multiple errors. Optional. \n Examples: + \ \"name\" - the field \"name\" on the current + resource \"items[0].name\" - the field \"name\" + on the first array entry in \"items\"" + type: string + message: + description: A human-readable description of the cause + of the error. This field may be presented as-is + to a reader. + type: string + reason: + description: A machine-readable description of the + cause of the error. If this value is empty there + is no information available. + type: string + type: object + type: array + group: + description: The group attribute of the resource associated + with the status StatusReason. + type: string + kind: + description: 'The kind attribute of the resource associated + with the status StatusReason. On some operations may differ + from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: The name attribute of the resource associated + with the status StatusReason (when there is a single name + which can be described). + type: string + retryAfterSeconds: + description: If specified, the time in seconds before the + operation should be retried. Some errors may indicate + the client must take an alternate action - for those errors + this field may indicate how long to wait before taking + the alternate action. + format: int32 + type: integer + uid: + description: 'UID of the resource. (when there is a single + resource which can be described). 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + type: object + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + message: + description: A human-readable description of the status of this + operation. + type: string + metadata: + description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + properties: + continue: + description: continue may be set if the user set a limit + on the number of items returned, and indicates that the + server has more data available. The value is opaque and + may be used to issue another request to the endpoint that + served this list to retrieve the next set of available + objects. Continuing a consistent list may not be possible + if the server configuration has changed or more than a + few minutes have passed. The resourceVersion field returned + when using this continue value will be identical to the + value in the first response, unless you have received + this token from an error message. + type: string + resourceVersion: + description: 'String that identifies the server''s internal + version of this object that can be used by clients to + determine when objects have changed. Value must be treated + as opaque by clients and passed unmodified back to the + server. Populated by the system. Read-only. More info: + https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' + type: string + selfLink: + description: selfLink is a URL representing this object. + Populated by the system. Read-only. 
+ type: string + type: object + reason: + description: A machine-readable description of why this operation + is in the "Failure" status. If this value is empty there is + no information available. A Reason clarifies an HTTP status + code but does not override it. + type: string + status: + description: 'Status of the operation. One of: "Success" or + "Failure". More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status' + type: string + type: object + required: + - pending + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used to organize + and categorize (scope and select) objects. May match selectors of + replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' + type: object + managedFields: + description: "ManagedFields maps workflow-id and version to the set + of fields that are managed by that workflow. This is mostly for internal + housekeeping, and users typically shouldn't need to set or understand + this field. A workflow can be the user's name, a controller's name, + or the name of a specific apply path like \"ci-cd\". The set of fields + is always in the version that the workflow used when modifying the + object. \n This field is alpha and can be changed or removed without + notice." + items: + properties: + apiVersion: + description: APIVersion defines the version of this resource that + this field set applies to. The format is "group/version" just + like the top-level APIVersion field. It is necessary to track + the version of a field set because it cannot be automatically + converted. + type: string + fields: + additionalProperties: true + description: Fields identifies a set of fields. + type: object + manager: + description: Manager is an identifier of the workflow managing + these fields. 
+ type: string + operation: + description: Operation is the type of operation which lead to + this ManagedFieldsEntry being created. The only valid values + for this field are 'Apply' and 'Update'. + type: string + time: + description: Time is timestamp of when these fields were set. + It should always be empty if Operation is 'Apply' + format: date-time + type: string + type: object + type: array + name: + description: 'Name must be unique within a namespace. Is required when + creating resources, although some resources may allow a client to + request the generation of an appropriate name automatically. Name + is primarily intended for creation idempotence and configuration definition. + Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + namespace: + description: "Namespace defines the space within each name must be unique. + An empty namespace is equivalent to the \"default\" namespace, but + \"default\" is the canonical representation. Not all objects are required + to be scoped to a namespace - the value of this field for those objects + will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: + http://kubernetes.io/docs/user-guide/namespaces" + type: string + ownerReferences: + description: List of objects depended by this object. If ALL objects + in the list have been deleted, this object will be garbage collected. + If this object is managed by a controller, then an entry in this list + will point to this controller, with the controller field set to true. + There cannot be more than one managing controller. + items: + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: If true, AND if the owner has the "foregroundDeletion" + finalizer, then the owner cannot be deleted from the key-value + store until this reference is removed. Defaults to false. 
To + set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + uid: + description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + type: array + resourceVersion: + description: "An opaque value that represents the internal version of + this object that can be used by clients to determine when objects + have changed. May be used for optimistic concurrency, change detection, + and the watch operation on a resource or set of resources. Clients + must treat these values as opaque and passed unmodified back to the + server. They may only be valid for a particular resource or set of + resources. \n Populated by the system. Read-only. Value must be treated + as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency" + type: string + selfLink: + description: SelfLink is a URL representing this object. Populated by + the system. Read-only. + type: string + uid: + description: "UID is the unique in time and space value for this object. + It is typically generated by the server on successful creation of + a resource and is not allowed to change on PUT operations. \n Populated + by the system. Read-only. 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids" + type: string + type: object + spec: + properties: + auth: + description: Auth strategy to be used + properties: + config: + description: Config configures the auth strategy. Configuration + keys vary per strategy. + type: object + name: + enum: + - JWT + - OAUTH + - PASSTHROUGH + type: string + required: + - name + type: object + gateway: + description: Gateway to be used + pattern: ^(?:[_a-z0-9](?:[_a-z0-9-]+[a-z0-9])?\.)+(?:[a-z](?:[a-z0-9-]+[a-z0-9])?)?$ + type: string + service: + description: Definition of the service to expose + properties: + external: + description: Defines if the service is internal (in cluster) or + external + type: boolean + host: + description: URL on which the service will be visible + maxLength: 256 + minLength: 3 + pattern: ^(?:[_a-z0-9](?:[_a-z0-9-]+[a-z0-9])?\.)+(?:[a-z](?:[a-z0-9-]+[a-z0-9])?)?$ + type: string + name: + description: Name of the service + type: string + port: + description: Port of the service to expose + format: int32 + maximum: 99999 + minimum: 1 + type: integer + required: + - name + - port + - host + type: object + required: + - service + - auth + - gateway + type: object + status: + properties: + GateStatus: + properties: + code: + type: string + desc: + type: string + type: object + accessRuleStatus: + properties: + code: + type: string + desc: + type: string + type: object + lastProcessedTime: + format: date-time + type: string + observedGeneration: + format: int64 + type: integer + policyStatus: + properties: + code: + type: string + desc: + type: string + type: object + virtualServiceStatus: + properties: + code: + type: string + desc: + type: string + type: object + type: object + type: object + versions: + - name: v2alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/install/k8s/apps_v1_deployment_api-gateway-controller-manager.yaml b/install/k8s/apps_v1_deployment_api-gateway-controller-manager.yaml new file mode 100644 index 000000000..08430638f --- /dev/null +++ b/install/k8s/apps_v1_deployment_api-gateway-controller-manager.yaml @@ -0,0 +1,45 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: controller-manager + name: api-gateway-controller-manager + namespace: api-gateway-system +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + - args: + - --metrics-addr=127.0.0.1:8080 + - --enable-leader-election + command: + - /manager + image: eu.gcr.io/kyma-project/incubator/develop/api-gateway-controller:1669a1f9 + imagePullPolicy: IfNotPresent + name: manager + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + serviceAccountName: api-gateway-api-gateway-sa + terminationGracePeriodSeconds: 10 diff --git a/install/k8s/rbac.authorization.k8s.io_v1_clusterrole_api-gateway-manager-role.yaml b/install/k8s/rbac.authorization.k8s.io_v1_clusterrole_api-gateway-manager-role.yaml new file mode 100644 index 000000000..babbfc48d --- /dev/null +++ b/install/k8s/rbac.authorization.k8s.io_v1_clusterrole_api-gateway-manager-role.yaml @@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: api-gateway-manager-role +rules: +- apiGroups: + - gateway.kyma-project.io + resources: + - gates + - gates/status + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - create + - delete + - get + - patch + - list + - watch 
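Review bot: The generated deployment keeps the `kube-rbac-proxy` sidecar (`--secure-listen-address=0.0.0.0:8443`, `--upstream=http://127.0.0.1:8080/`) running under `api-gateway-api-gateway-sa`, yet none of the generated RBAC files in this commit grants that ServiceAccount the TokenReview/SubjectAccessReview permissions the proxy needs to authenticate and authorize metrics scrapers — the only ClusterRole emitted is `api-gateway-manager-role` with `gates` and `virtualservices`. As a result the :8443 metrics endpoint would presumably reject every request, and the fix belongs in the kustomize config that `make static` renders from (re-enabling the auth-proxy role and binding, or dropping the sidecar), not in this output. The sidecar is also started with `--v=10`, which is a debugging verbosity that logs request details and should not be the shipped default.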
diff --git a/install/k8s/rbac.authorization.k8s.io_v1_clusterrolebinding_api-gateway-manager-rolebinding.yaml b/install/k8s/rbac.authorization.k8s.io_v1_clusterrolebinding_api-gateway-manager-rolebinding.yaml new file mode 100644 index 000000000..c6db0be9d --- /dev/null +++ b/install/k8s/rbac.authorization.k8s.io_v1_clusterrolebinding_api-gateway-manager-rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: api-gateway-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: api-gateway-manager-role +subjects: +- kind: ServiceAccount + name: api-gateway-api-gateway-sa + namespace: api-gateway-system diff --git a/install/k8s/rbac.authorization.k8s.io_v1_role_api-gateway-leader-election-role.yaml b/install/k8s/rbac.authorization.k8s.io_v1_role_api-gateway-leader-election-role.yaml new file mode 100644 index 000000000..c44a36660 --- /dev/null +++ b/install/k8s/rbac.authorization.k8s.io_v1_role_api-gateway-leader-election-role.yaml @@ -0,0 +1,32 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: api-gateway-leader-election-role + namespace: api-gateway-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create diff --git a/install/k8s/rbac.authorization.k8s.io_v1_rolebinding_api-gateway-leader-election-rolebinding.yaml b/install/k8s/rbac.authorization.k8s.io_v1_rolebinding_api-gateway-leader-election-rolebinding.yaml new file mode 100644 index 000000000..ffe932826 --- /dev/null +++ b/install/k8s/rbac.authorization.k8s.io_v1_rolebinding_api-gateway-leader-election-rolebinding.yaml 
@@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: api-gateway-leader-election-rolebinding + namespace: api-gateway-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: api-gateway-leader-election-role +subjects: +- kind: ServiceAccount + name: api-gateway-api-gateway-sa + namespace: api-gateway-system diff --git a/install/k8s/~g_v1_namespace_api-gateway-system.yaml b/install/k8s/~g_v1_namespace_api-gateway-system.yaml new file mode 100644 index 000000000..a162593b0 --- /dev/null +++ b/install/k8s/~g_v1_namespace_api-gateway-system.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: api-gateway-system diff --git a/install/k8s/~g_v1_serviceaccount_api-gateway-api-gateway-sa.yaml b/install/k8s/~g_v1_serviceaccount_api-gateway-api-gateway-sa.yaml new file mode 100644 index 000000000..f9b58592c --- /dev/null +++ b/install/k8s/~g_v1_serviceaccount_api-gateway-api-gateway-sa.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: api-gateway-api-gateway-sa + namespace: api-gateway-system