Merge refs/heads/v1.13.x into go-grpc-cve-1.13

changelog/v1.13.32/fix-readiness-probe.yaml

@@ -0,0 +1,10 @@
+changelog:
+- type: FIX
+  issueLink: https://github.com/solo-io/gloo/issues/8288
+  description: >- 
+    Fixes the issue of defining a custom readiness probe for the gateway proxy for zero downtime upgrades via helm with the `--wait` flag and via ArgoCD.
+- type: HELM
+  issueLink: https://github.com/solo-io/solo-projects/issues/5490
+  resolvesIssue: false
+  description: Adds a new helm value `global.extraCustomResources` to allow users to add additional custom resources to create, as defined by a helm partial
+

docs/content/reference/values.txt

@@ -352,7 +352,7 @@
 |gateway.rolloutJob.resources.requests.cpu|string||amount of CPUs|
 |gateway.rolloutJob.floatingUserId|bool||If true, allows the cluster to dynamically assign a user ID for the processes running in the container.|
 |gateway.rolloutJob.runAsUser|float64||Explicitly set the user ID for the processes in the container to run as. Default is 10101.|
-|gateway.rolloutJob.timeout|int|600|Time to wait in seconds until the job has completed. If it exceeds this limit, it is deemed to have failed. Defaults to 600|
+|gateway.rolloutJob.timeout|int|120|Time to wait in seconds until the job has completed. If it exceeds this limit, it is deemed to have failed. Defaults to 120|
 |gateway.cleanupJob.restartPolicy|string|OnFailure|restart policy to use when the pod exits|
 |gateway.cleanupJob.priorityClassName|string||name of a defined priority class|
 |gateway.cleanupJob.nodeName|string||name of node to run on|
@@ -398,7 +398,7 @@
 |gateway.compressedProxySpec|bool||if true, enables compression for the Proxy CRD spec|
 |gateway.logLevel|string||Level at which the pod should log. Options include "info", "debug", "warn", "error", "panic" and "fatal". Default level is info|
 |gateway.persistProxySpec|bool||Enable writing Proxy CRD to etcd. Disabled by default for performance.|
-|gateway.translateEmptyGateways|bool|false|This field is a no-op for now|
+|gateway.translateEmptyGateways|bool|false|If true, the gateways will be translated into Envoy listeners even if no VirtualServices exist.|
 |gateway.kubeResourceOverride.NAME|interface||override fields in the generated resource by specifying the yaml structure to override under the top-level key.|
 |gatewayProxies.NAME.kind.deployment.replicas|int||number of instances to deploy|
 |gatewayProxies.NAME.kind.deployment.customEnv[].name|string|||
@@ -1059,3 +1059,4 @@
 |global.configMaps[].name|string||Name of the ConfigMap to create (required).|
 |global.configMaps[].namespace|string||Namespace in which to create the ConfigMap. If empty, defaults to Gloo Edge install namespace.|
 |global.configMaps[].data.NAME|string||Key-value pairs of ConfigMap data.|
+|global.extraCustomResources|bool||Add additional custom resources to create, as defined by a helm partial. Defaults to false in open source, and true in enterprise.|

install/helm/gloo/generate/values.go

@@ -23,18 +23,19 @@ type Config struct {
 }
 
 type Global struct {
-	Image             *Image             `json:"image,omitempty"`
-	Extensions        interface{}        `json:"extensions,omitempty"`
-	GlooRbac          *Rbac              `json:"glooRbac,omitempty"`
-	GlooStats         Stats              `json:"glooStats,omitempty" desc:"Config used as the default values for Prometheus stats published from Gloo Edge pods. Can be overridden by individual deployments"`
-	GlooMtls          Mtls               `json:"glooMtls,omitempty" desc:"Config used to enable internal mtls authentication"`
-	IstioSDS          IstioSDS           `json:"istioSDS,omitempty" desc:"Config used for installing Gloo Edge with Istio SDS cert rotation features to facilitate Istio mTLS"`
-	IstioIntegration  IstioIntegration   `json:"istioIntegration,omitempty" desc:"Configs user to manage Gloo pod visibility for Istio's' automatic discovery and sidecar injection."`
-	ExtraSpecs        *bool              `json:"extraSpecs,omitempty" desc:"Add additional specs to include in the settings manifest, as defined by a helm partial. Defaults to false in open source, and true in enterprise."`
-	ExtauthCustomYaml *bool              `json:"extauthCustomYaml,omitempty" desc:"Inject whatever yaml exists in .Values.global.extensions.extAuth into settings.spec.extauth, instead of structured yaml (which is enterprise only). Defaults to true in open source, and false in enterprise"`
-	Console           interface{}        `json:"console,omitempty" desc:"Configuration options for the Enterprise Console (UI)."`
-	Graphql           interface{}        `json:"graphql,omitempty" desc:"(Enterprise Only): GraphQL configuration options."`
-	ConfigMaps        []*GlobalConfigMap `json:"configMaps,omitempty" desc:"Config used to create ConfigMaps at install time to store arbitrary data."`
+	Image                *Image             `json:"image,omitempty"`
+	Extensions           interface{}        `json:"extensions,omitempty"`
+	GlooRbac             *Rbac              `json:"glooRbac,omitempty"`
+	GlooStats            Stats              `json:"glooStats,omitempty" desc:"Config used as the default values for Prometheus stats published from Gloo Edge pods. Can be overridden by individual deployments"`
+	GlooMtls             Mtls               `json:"glooMtls,omitempty" desc:"Config used to enable internal mtls authentication"`
+	IstioSDS             IstioSDS           `json:"istioSDS,omitempty" desc:"Config used for installing Gloo Edge with Istio SDS cert rotation features to facilitate Istio mTLS"`
+	IstioIntegration     IstioIntegration   `json:"istioIntegration,omitempty" desc:"Configs user to manage Gloo pod visibility for Istio's' automatic discovery and sidecar injection."`
+	ExtraSpecs           *bool              `json:"extraSpecs,omitempty" desc:"Add additional specs to include in the settings manifest, as defined by a helm partial. Defaults to false in open source, and true in enterprise."`
+	ExtauthCustomYaml    *bool              `json:"extauthCustomYaml,omitempty" desc:"Inject whatever yaml exists in .Values.global.extensions.extAuth into settings.spec.extauth, instead of structured yaml (which is enterprise only). Defaults to true in open source, and false in enterprise"`
+	Console              interface{}        `json:"console,omitempty" desc:"Configuration options for the Enterprise Console (UI)."`
+	Graphql              interface{}        `json:"graphql,omitempty" desc:"(Enterprise Only): GraphQL configuration options."`
+	ConfigMaps           []*GlobalConfigMap `json:"configMaps,omitempty" desc:"Config used to create ConfigMaps at install time to store arbitrary data."`
+	ExtraCustomResources *bool              `json:"extraCustomResources,omitempty" desc:"Add additional custom resources to create, as defined by a helm partial. Defaults to false in open source, and true in enterprise."`
 }
 
 type Namespace struct {
@@ -303,7 +304,7 @@ type Gateway struct {
 	CompressedProxySpec            *bool             `json:"compressedProxySpec,omitempty" desc:"if true, enables compression for the Proxy CRD spec"`
 	LogLevel                       *string           `json:"logLevel,omitempty" desc:"Level at which the pod should log. Options include \"info\", \"debug\", \"warn\", \"error\", \"panic\" and \"fatal\". Default level is info"`
 	PersistProxySpec               *bool             `json:"persistProxySpec,omitempty" desc:"Enable writing Proxy CRD to etcd. Disabled by default for performance."`
-	TranslateEmptyGateways         *bool             `json:"translateEmptyGateways,omitempty" desc:"This field is a no-op for now"`
+	TranslateEmptyGateways         *bool             `json:"translateEmptyGateways,omitempty" desc:"If true, the gateways will be translated into Envoy listeners even if no VirtualServices exist."`
 	Service                        *KubeResourceOverride
 }
 
@@ -360,7 +361,7 @@ type RolloutJob struct {
 	Resources      *ResourceRequirements `json:"resources,omitempty"`
 	FloatingUserId *bool                 `json:"floatingUserId,omitempty" desc:"If true, allows the cluster to dynamically assign a user ID for the processes running in the container."`
 	RunAsUser      *float64              `json:"runAsUser,omitempty" desc:"Explicitly set the user ID for the processes in the container to run as. Default is 10101."`
-	Timeout        *int                  `json:"timeout,omitempty" desc:"Time to wait in seconds until the job has completed. If it exceeds this limit, it is deemed to have failed. Defaults to 600"`
+	Timeout        *int                  `json:"timeout,omitempty" desc:"Time to wait in seconds until the job has completed. If it exceeds this limit, it is deemed to have failed. Defaults to 120"`
 }
 
 type CleanupJob struct {

install/helm/gloo/templates/5-resource-configmap.yaml

@@ -12,3 +12,13 @@ data:
   custom-resources: |
 {{ $cr }}
   has-custom-resources: "{{- $hasCr -}}"
+{{- if .Values.global.extraCustomResources }}
+  {{- /* Since the OSS values context is passed to enterprise, we ensure that enterprise can refer to (i) gloo values as .Values.gloo (ii) global values as .Values.global (iii) release values as .Release. That way any changes in enterprise are minimized */}}
+  {{- $values := dict "global" .Values.global "gloo" .Values }}
+  {{- $data := dict "Values" $values "Release" .Release }}
+  {{- $extraCr := include "gloo.extraCustomResources" $data | indent 4 -}}
+  {{- $hasExtraCr := contains "kind:" $extraCr -}}{{/* whether there are any custom resources in enterprise */}}
+  extra-custom-resources: |
+{{ $extraCr }}
+  has-extra-custom-resources: "{{- $hasExtraCr -}}"
+{{- end -}}

install/helm/gloo/templates/5-resource-rollout-check-job.yaml

@@ -0,0 +1,137 @@
+{{- if .Values.gateway.rolloutJob.enabled }}
+{{- $image := .Values.gateway.rolloutJob.image }}
+{{- if .Values.global }}
+{{- $image = merge .Values.gateway.rolloutJob.image .Values.global.image }}
+{{- end }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app: gloo
+    gloo: resource-rollout
+  name: gloo-resource-rollout-check
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "5"
+    {{- include "gloo.jobHelmDeletePolicySucceededAndBeforeCreation" .Values.gateway.rolloutJob | nindent 4 }}
+spec:
+  {{- include "gloo.jobSpecStandardFields" .Values.gateway.rolloutJob | nindent 2 -}}
+  template:
+    metadata:
+      labels:
+        gloo: resource-rollout
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.gateway.rolloutJob.extraPodLabels }}
+        {{- range $key, $value := .Values.gateway.rolloutJob.extraPodLabels }}
+        {{ $key | quote }}: {{ $value | quote }}
+        {{- end }}
+        {{- end }}
+      {{- if or .Values.settings.linkerd .Values.gateway.rolloutJob.extraPodAnnotations }}
+      annotations:
+        {{- if .Values.settings.linkerd }}
+        "linkerd.io/inject": disabled
+        {{- end }}
+        {{- range $key, $value := .Values.gateway.rolloutJob.extraPodAnnotations }}
+        {{ $key | quote }}: {{ $value | quote }}
+        {{- end }}
+      {{- end }}
+    spec:
+      {{- include "gloo.pullSecret" $image | nindent 6 -}}
+      serviceAccountName: gloo-resource-rollout
+      {{- include "gloo.podSpecStandardFields" .Values.gateway.rolloutJob | nindent 6 -}}
+      volumes:
+        - name: custom-resource-config-volume
+          configMap:
+            name: gloo-custom-resource-config
+            items:
+              - key: custom-resources
+                path: custom-resources
+            {{- if .Values.global.extraCustomResources }}
+              - key: extra-custom-resources
+                path: extra-custom-resources
+            {{- end }}
+      containers:
+        - name: kubectl
+          image: {{template "gloo.image" $image}}
+          imagePullPolicy: {{ $image.pullPolicy }}
+          env:
+            - name: HAS_CUSTOM_RESOURCES
+              valueFrom:
+                configMapKeyRef:
+                  name: gloo-custom-resource-config
+                  key: has-custom-resources
+          {{- if .Values.global.extraCustomResources }}
+            - name: HAS_EXTRA_CUSTOM_RESOURCES
+              valueFrom:
+                configMapKeyRef:
+                  name: gloo-custom-resource-config
+                  key: has-extra-custom-resources
+          {{- end }}
+          volumeMounts:
+            - name: custom-resource-config-volume
+              mountPath: /etc/gloo-custom-resources
+          securityContext:
+            runAsNonRoot: true
+            {{- if not .Values.gateway.rolloutJob.floatingUserId }}
+            runAsUser: {{ printf "%.0f" (float64 .Values.gateway.rolloutJob.runAsUser) -}}
+            {{- end }}
+          {{- with .Values.gateway.rolloutJob.resources }}
+          resources: {{ toYaml . | nindent 12}}
+          {{- end }}
+          command:
+          - /bin/sh
+          - -c
+          - |
+            # Check if Gloo Edge applied custom resources
+            if [ "$HAS_CUSTOM_RESOURCES" == "true" ]
+            then
+              # Wait for the resource rollout job to complete
+              kubectl -n {{ .Release.Namespace }} get job gloo-resource-rollout &> /dev/null
+              if [ $? -eq 0 ]
+              then
+                # Exit immediately if the rollout job failed
+                kubectl -n {{ .Release.Namespace }} get job gloo-resource-rollout -o jsonpath='{.status.conditions[?(@.type=="Failed")].status}' | grep -i "True" &> /dev/null
+                if [ $? -eq 0 ]
+                then
+                    echo "Rollout job failed. Not all resources were successfully created."
+                    exit 1
+                fi
+                echo "Waiting for the resource rollout job to complete"
+                kubectl -n {{ .Release.Namespace }} wait --for=condition=complete job gloo-resource-rollout --timeout={{ .Values.gateway.rolloutJob.timeout }}s || exit 1
+
+                # Clean up the rollout job up so it doesn't cause issues with upgrades
+                kubectl -n {{ .Release.Namespace }} delete job gloo-resource-rollout || exit $?
+              fi
+
+              # If the resource has been applied, re-applying it should output something like this
+              # gateway.gateway.solo.io/default unchanged
+              # If not it will output
+              # gateway.gateway.solo.io/default configured
+              # gateway.gateway.solo.io/default created
+              # This indicates that the resource was not applied in the resource rollout job
+              if [ "$HAS_EXTRA_CUSTOM_RESOURCES" == "true" ]
+              then
+                FAILED_RESOURCES=$(kubectl apply -f /etc/gloo-custom-resources/extra-custom-resources | grep -iv ' unchanged')
+                if [ ! -z "$FAILED_RESOURCES" ]
+                then
+                  echo "The following extra resources failed to be applied by the resource rollout job $FAILED_RESOURCES. As a consequence, other custom resources (eg. Gateways) were not applied."
+                  exit 1
+                else
+                  echo "The resource rollout job successfully applied all the extra resources"
+                fi
+              fi
+
+              FAILED_RESOURCES=$(kubectl apply -f /etc/gloo-custom-resources/custom-resources | grep -iv ' unchanged')
+              if [ ! -z "$FAILED_RESOURCES" ]
+              then
+                echo "The following resources failed to be applied by the resource rollout job $FAILED_RESOURCES"
+                exit 1
+              else
+                echo "The resource rollout job successfully applied all the resources"
+              fi
+            else
+              echo "no custom resources to check"
+            fi
+{{- end }}{{/* if .Values.gateway.rolloutJob.enabled  */}}
+