7 changes: 7 additions & 0 deletions charts/kong-operator/CHANGELOG.md
@@ -1,5 +1,12 @@
# Changelog

## 1.1.0

### Changed

- Update Gateway API to 1.4.0
[#2451](https://github.com/Kong/kong-operator/pull/2451)

## 1.0.2

### Fixes
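Review bot: The new 1.1.0 entry reads "Update Gateway API to 1.4.0", but the gwapi-standard-crds and gwapi-experimental-crds dependencies in this PR are bumped to 1.4.1, so the entry should name the version that actually ships. The entry also leaves out the other user-visible changes in the same PR (appVersion and the default image tag moving to 2.1.0-beta.0, and the reshuffled configuration.konghq.com rules in cluster-role.yaml); anyone reviewing an upgrade would expect those to be listed here.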
8 changes: 4 additions & 4 deletions charts/kong-operator/Chart.lock
Expand Up @@ -4,9 +4,9 @@ dependencies:
version: 1.0.1
- name: gwapi-standard-crds
repository: ""
version: 1.3.0
version: 1.4.1
- name: gwapi-experimental-crds
repository: ""
version: 1.3.0
digest: sha256:a8f11fae93e4fbca0454f52c4eb037953000cb445db571ac40b98841019e3f12
generated: "2025-09-30T16:42:41.790242+02:00"
version: 1.4.1
digest: sha256:2550f3a4f3a8538f587fd68e1d74751ba8f18cd06f52f7d34cb41b02fd591ad2
generated: "2025-12-09T11:06:58.232872+01:00"
6 changes: 3 additions & 3 deletions charts/kong-operator/Chart.yaml
Expand Up @@ -9,7 +9,7 @@ name: kong-operator
sources:
- https://github.com/Kong/kong-operator/charts/kong-operator/
version: 1.0.2
appVersion: "2.0"
appVersion: "2.1.0-beta.0"
annotations:
artifacthub.io/category: networking
artifacthub.io/prerelease: "false"
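Review bot: `version: 1.0.2` is unchanged context in this hunk while CHANGELOG.md gains a 1.1.0 section, so the chart would publish the 1.1.0 changes under the existing 1.0.2 version; bump `version` to match the changelog. Separately, `appVersion` moves to "2.1.0-beta.0" while `artifacthub.io/prerelease` stays "false". Either mark the chart as a pre-release or hold the appVersion bump until a stable image exists, so consumers who pin only to non-prerelease charts do not pull a beta operator by default.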
Expand All @@ -24,8 +24,8 @@ dependencies:
- name: ko-crds
version: 1.0.1
- name: gwapi-standard-crds
version: 1.3.0
version: 1.4.1
condition: gwapi-standard-crds.enabled
- name: gwapi-experimental-crds
version: 1.3.0
version: 1.4.1
condition: gwapi-experimental-crds.enabled
@@ -1,5 +1,5 @@
apiVersion: v2
name: gwapi-experimental-crds
version: 1.3.0
appVersion: "1.3.0"
version: 1.4.1
appVersion: "1.4.1"
description: A Helm chart for Kubernetes Gateway API experimental channel CRDs
21,943 changes: 12,524 additions & 9,419 deletions charts/kong-operator/charts/gwapi-experimental-crds/crds/gwapi-crds.yaml

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions charts/kong-operator/charts/gwapi-standard-crds/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
name: gwapi-standard-crds
version: 1.3.0
appVersion: "1.3.0"
version: 1.4.1
appVersion: "1.4.1"
description: A Helm chart for Kubernetes Gateway API standard channel CRDs
1,502 changes: 1,466 additions & 36 deletions charts/kong-operator/charts/gwapi-standard-crds/crds/gwapi-crds.yaml

Large diffs are not rendered by default.

3,427 changes: 2,698 additions & 729 deletions charts/kong-operator/charts/ko-crds/templates/ko-crds.yaml

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/affinity-values.snap

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/controlplane-config-dump.snap

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/disable-gateway-controller-values.snap

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/env-and-args-values.snap

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/env-and-customenv-values.snap

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/extra-labels-values.snap

Large diffs are not rendered by default.

3,535 changes: 2,781 additions & 754 deletions charts/kong-operator/ci/__snapshots__/nightly-can-be-used-values.snap

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/pod-annotations-values.snap

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/probes-and-args-values.snap

Large diffs are not rendered by default.

3,537 changes: 2,782 additions & 755 deletions charts/kong-operator/ci/__snapshots__/tolerations-values.snap

Large diffs are not rendered by default.

2,194 changes: 1,553 additions & 641 deletions charts/kong-operator/ci/__snapshots__/webhook-conversion-disabled-values.snap

Large diffs are not rendered by default.

53 changes: 27 additions & 26 deletions charts/kong-operator/templates/cluster-role.yaml
Expand Up @@ -144,6 +144,7 @@ rules:
- kongclusterplugins
- kongcustomentities
- konglicenses
- kongreferencegrants
- kongupstreampolicies
verbs:
- get
Expand All @@ -153,13 +154,11 @@ rules:
- configuration.konghq.com
resources:
- kongcacertificates
- kongcertificates
- kongconsumergroups
- kongconsumers
- kongdataplaneclientcertificates
- kongdataplaneclientcertificates/status
- kongkeys
- kongkeysets
- kongsnis
- kongvaults
verbs:
- get
Expand All @@ -173,7 +172,6 @@ rules:
- kongcacertificates/finalizers
- kongcacertificates/status
- kongcertificates/finalizers
- kongcertificates/status
- kongconsumergroups/finalizers
- kongconsumers/finalizers
- kongcredentialacls/finalizers
Expand All @@ -187,15 +185,13 @@ rules:
- kongcredentialjwts/finalizers
- kongcredentialjwts/status
- kongdataplaneclientcertificates/finalizers
- kongdataplaneclientcertificates/status
- kongkeys/finalizers
- kongkeys/status
- kongkeysets/finalizers
- kongkeysets/status
- kongroutes/finalizers
- kongservices/finalizers
- kongsnis/finalizers
- kongsnis/status
- kongtargets/finalizers
- kongupstreams/finalizers
- kongvaults/finalizers
Expand All @@ -205,35 +201,18 @@ rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
- kongconsumergroups/status
- kongconsumers/status
- kongcustomentities/status
- konglicenses/status
- kongpluginbindings/status
- kongplugins/status
- kongroutes/status
- kongservices/status
- kongtargets/status
- kongupstreampolicies/status
- kongupstreams/status
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongcertificates
- kongcredentialacls
- kongcredentialapikeys
- kongcredentialbasicauths
- kongcredentialhmacs
- kongcredentialjwts
- kongdataplaneclientcertificates
- kongpluginbindings
- kongplugins
- kongroutes
- kongservices
- kongsnis
- kongtargets
- kongupstreams
verbs:
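Review bot: `kongcertificates`, `kongdataplaneclientcertificates` and `kongsnis` are added to this rule's resource list, and the verbs that follow it include `patch` and `update`, yet nothing in the PR states why the operator needs write access to certificate and SNI objects cluster-wide. The same three names are dropped from the rule at old line 154, whose verb list is only partly visible here, so please confirm whether this is a pure regrouping by the generator or a widening of the ClusterRole. If it is a widening, note it in the changelog and check that each of the three resources needs every verb in this rule rather than a narrower set.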
Expand All @@ -244,6 +223,28 @@ rules:
- patch
- update
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongcertificates/status
- kongclusterplugins/status
- kongconsumergroups/status
- kongconsumers/status
- kongcustomentities/status
- konglicenses/status
- kongpluginbindings/status
- kongplugins/status
- kongroutes/status
- kongservices/status
- kongsnis/status
- kongtargets/status
- kongupstreampolicies/status
- kongupstreams/status
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- coordination.k8s.io
resources:
133 changes: 66 additions & 67 deletions charts/kong-operator/templates/validation-policy-dataplane.yaml
@@ -1,88 +1,86 @@
{{- if .Values.global.validatingPolicies.dataplanePorts.enabled }}
# This file is auto-generated by KO's hack/generators/validating-policy/main.go generator.
{{- if and (.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy") (.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicyBinding") -}}
{{- if .Values.global.validatingPolicies.dataplanePorts.enabled }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: ports.dataplane.gateway-operator.konghq.com
spec:
matchConstraints:
resourceRules:
- apiGroups:
- "gateway-operator.konghq.com"
apiVersions:
- "v1beta1"
operations:
- "CREATE"
- "UPDATE"
resources:
- "dataplanes"
- apiGroups:
- gateway-operator.konghq.com
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- dataplanes
validations:
- expression: |
variables.isNotValidatable ||
variables.envPortMaps == null ||
variables.ingressPorts.all(p, string(p.targetPort) in variables.portMapPorts)
messageExpression: '''Each port from spec.network.services.ingress.ports has to
have an accompanying port in KONG_PORT_MAPS env'''
reason: Invalid
- expression: |
variables.isNotValidatable ||
variables.envProxyListen == null ||
variables.ingressPorts.all(p, string(p.targetPort) in variables.proxyListenPorts)
messageExpression: '''Each port from spec.network.services.ingress.ports has to
have an accompanying port in KONG_PROXY_LISTEN env'''
reason: Invalid
variables:
- name: ingressPorts
expression: object.spec.network.services.ingress.ports
- name: podTemplateSpec
expression: object.spec.deployment.podTemplateSpec
- name: proxyContainers
expression: |
- expression: object.spec.network.services.ingress.ports
name: ingressPorts
- expression: object.spec.deployment.podTemplateSpec
name: podTemplateSpec
- expression: |
variables.podTemplateSpec.spec.containers.filter(c, c.name == 'proxy')
- name: proxyContainer
expression: |
name: proxyContainers
- expression: |
variables.proxyContainers.size() > 0 ?
variables.proxyContainers[0] :
null
- name: envFilteredPortMaps
expression: |
variables.proxyContainer.env.filter(e, e.name == "KONG_PORT_MAPS")
- name: envFilteredProxyListen
expression: |
variables.proxyContainer.env.filter(e, e.name == "KONG_PROXY_LISTEN")
- name: envPortMaps
expression: |
name: proxyContainer
- expression: |
variables.proxyContainer != null && has(variables.proxyContainer.env) ?
variables.proxyContainer.env.filter(e, e.name == "KONG_PORT_MAPS") : []
name: envFilteredPortMaps
- expression: |
variables.proxyContainer != null && has(variables.proxyContainer.env) ?
variables.proxyContainer.env.filter(e, e.name == "KONG_PROXY_LISTEN") : []
name: envFilteredProxyListen
- expression: |
variables.envFilteredPortMaps.size() > 0 ? variables.envFilteredPortMaps[0].value : null
- name: envProxyListen
expression: |
name: envPortMaps
- expression: |
variables.envFilteredProxyListen.size() > 0 ? variables.envFilteredProxyListen[0].value : null

# NOTE: Rules below do not validate the ports from the spec.network.services.ingress.ports
# when no KONG_PORT_MAPS or KONG_PROXY_LISTEN env variables are present in the proxy container.
# This has been the case before the introduction of validating admission policies so we are keeping
# the same behavior.

# Using string functions from: https://pkg.go.dev/github.com/google/cel-go/ext
validations:
- messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PORT_MAPS env'"
expression: |
name: envProxyListen
- expression: |
!has(object.spec.network) ||
!has(object.spec.network.services) ||
!has(object.spec.network.services.ingress) ||
!has(object.spec.network.services.ingress.ports) ||
!has(variables.proxyContainer.env) ||
variables.envPortMaps == null ||
(
variables.ingressPorts.all(p, variables.envPortMaps.
split(",").
exists(pm,
pm.split(":")[1].trim() == string(p.targetPort)
)
)
)
reason: Invalid
- messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PROXY_LISTEN env'"
expression: |
!has(object.spec.network) ||
!has(object.spec.network.services) ||
!has(object.spec.network.services.ingress) ||
!has(object.spec.network.services.ingress.ports) ||
!has(variables.proxyContainer.env) ||
variables.envProxyListen == null ||
(
variables.ingressPorts.all(p, variables.envProxyListen.
split(",").
exists(pm,
pm.trim().split(" ")[0].split(":")[1].trim() == string(p.targetPort)
)
)
)
reason: Invalid
variables.proxyContainer == null ||
!has(variables.proxyContainer.env)
name: isNotValidatable
- expression: |
variables.envProxyListen != null ?
variables.envProxyListen.split(',').map(s,
s.trim().split(' ')[0]
).map(addr,
addr.substring(addr.lastIndexOf(':') + 1)
) : []
name: proxyListenPorts
- expression: |
variables.envPortMaps != null ?
variables.envPortMaps.split(',').map(s,
s.substring(s.lastIndexOf(':') + 1).trim()
) : []
name: portMapPorts
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
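Review bot: The cases in which this policy admits a DataPlane without checking its ports are no longer documented in the file: the old "NOTE: Rules below do not validate the ports ... when no KONG_PORT_MAPS or KONG_PROXY_LISTEN env variables are present" comment sat next to the old `validations:` block and, as far as this hunk shows, is not emitted by the generator. The behaviour is still there (`variables.isNotValidatable || variables.envPortMaps == null || ...`), and `isNotValidatable` now also passes when no container is named `proxy`, so please have hack/generators/validating-policy/main.go write an equivalent comment. Two smaller points: the new outer `if and (.Capabilities.APIVersions.Has ...)` guard means the policy is silently not rendered on clusters lacking ValidatingAdmissionPolicy v1, which deserves a line in the chart notes or changelog; and `variables.podTemplateSpec.spec.containers` is still dereferenced without a `has()` guard, so it is worth a test case for a DataPlane that sets ingress ports but omits the pod template.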
Expand All @@ -92,6 +90,7 @@ spec:
policyName: ports.dataplane.gateway-operator.konghq.com
validationActions:
- Deny
---

{{- end -}}

{{- end -}}
2 changes: 1 addition & 1 deletion charts/kong-operator/values.yaml
@@ -1,6 +1,6 @@
image:
repository: docker.io/kong/kong-operator
tag: "2.0"
tag: "2.1.0-beta.0"
# If you want only the digest to be used, set tag to "" in your values.yaml.
digest: ""
# Optionally set a semantic version for version-gated features. This can normally