Merge pull request #555 from kartverket/istio-v1

Istio: Upgrade to V1 of APIs

Author: evenh

Makefile

@@ -23,7 +23,7 @@ PROMETHEUS_VERSION                 := $(call extract-version,github.com/promethe
 
 #### VARS ####
 SKIPERATOR_CONTEXT         ?= kind-$(KIND_CLUSTER_NAME)
-KUBERNETES_VERSION          = 1.29.0
+KUBERNETES_VERSION          = 1.30.0
 KIND_IMAGE                 ?= kindest/node:v$(KUBERNETES_VERSION)
 KIND_CLUSTER_NAME          ?= skiperator
 

config/crd/skiperator.kartverket.no_applications.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.16.4
   name: applications.skiperator.kartverket.no
 spec:
   group: skiperator.kartverket.no

config/crd/skiperator.kartverket.no_routings.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.16.4
   name: routings.skiperator.kartverket.no
 spec:
   group: skiperator.kartverket.no

config/crd/skiperator.kartverket.no_skipjobs.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.16.4
   name: skipjobs.skiperator.kartverket.no
 spec:
   group: skiperator.kartverket.no

internal/controllers/application.go

@@ -3,6 +3,8 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"regexp"
+
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/internal/controllers/common"
@@ -30,8 +32,8 @@ import (
 	nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
 	pov1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"golang.org/x/exp/maps"
-	networkingv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
-	securityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
+	istionetworkingv1 "istio.io/client-go/pkg/apis/networking/v1"
+	securityv1 "istio.io/client-go/pkg/apis/security/v1"
 	telemetryv1 "istio.io/client-go/pkg/apis/telemetry/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	autoscalingv2 "k8s.io/api/autoscaling/v2"
@@ -42,7 +44,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	"regexp"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -83,18 +84,18 @@ func (r *ApplicationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&appsv1.Deployment{}).
 		Owns(&corev1.Service{}).
 		Owns(&corev1.ConfigMap{}).
-		Owns(&networkingv1beta1.ServiceEntry{}).
-		Owns(&networkingv1beta1.Gateway{}, builder.WithPredicates(
-			util.MatchesPredicate[*networkingv1beta1.Gateway](isIngressGateway),
+		Owns(&istionetworkingv1.ServiceEntry{}).
+		Owns(&istionetworkingv1.Gateway{}, builder.WithPredicates(
+			util.MatchesPredicate[*istionetworkingv1.Gateway](isIngressGateway),
 		)).
 		Owns(&telemetryv1.Telemetry{}).
 		Owns(&autoscalingv2.HorizontalPodAutoscaler{}).
-		Owns(&networkingv1beta1.VirtualService{}).
-		Owns(&securityv1beta1.PeerAuthentication{}).
+		Owns(&istionetworkingv1.VirtualService{}).
+		Owns(&securityv1.PeerAuthentication{}).
 		Owns(&corev1.ServiceAccount{}).
 		Owns(&policyv1.PodDisruptionBudget{}).
 		Owns(&networkingv1.NetworkPolicy{}).
-		Owns(&securityv1beta1.AuthorizationPolicy{}).
+		Owns(&securityv1.AuthorizationPolicy{}).
 		Owns(&nais_io_v1.MaskinportenClient{}).
 		Owns(&nais_io_v1.IDPortenClient{}).
 		Owns(&pov1.ServiceMonitor{}).
@@ -385,7 +386,7 @@ func handleApplicationCertRequest(_ context.Context, obj client.Object) []reconc
 	return requests
 }
 
-func isIngressGateway(gateway *networkingv1beta1.Gateway) bool {
+func isIngressGateway(gateway *istionetworkingv1.Gateway) bool {
 	match, _ := regexp.MatchString("^.*-ingress-.*$", gateway.Name)
 
 	return match

internal/controllers/namespace.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/internal/controllers/common"
 	"github.com/kartverket/skiperator/pkg/log"
@@ -12,7 +13,7 @@ import (
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/networkpolicy/defaultdeny"
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/resourceutils"
 	"github.com/kartverket/skiperator/pkg/util"
-	istionetworkingv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	istionetworkingv1 "istio.io/client-go/pkg/apis/networking/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -37,7 +38,7 @@ func (r *NamespaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&corev1.Namespace{}).
 		Owns(&networkingv1.NetworkPolicy{}).
-		Owns(&istionetworkingv1beta1.Sidecar{}).
+		Owns(&istionetworkingv1.Sidecar{}).
 		Owns(&corev1.Secret{}, builder.WithPredicates(
 			util.MatchesPredicate[*corev1.Secret](github.IsImagePullSecret),
 		)).

internal/controllers/routing.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/internal/controllers/common"
@@ -13,7 +14,7 @@ import (
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/istio/virtualservice"
 	networkpolicy "github.com/kartverket/skiperator/pkg/resourcegenerator/networkpolicy/dynamic"
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/resourceutils"
-	istionetworkingv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	istionetworkingv1 "istio.io/client-go/pkg/apis/networking/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
@@ -37,9 +38,9 @@ type RoutingReconciler struct {
 func (r *RoutingReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&skiperatorv1alpha1.Routing{}).
-		Owns(&istionetworkingv1beta1.Gateway{}).
+		Owns(&istionetworkingv1.Gateway{}).
 		Owns(&networkingv1.NetworkPolicy{}).
-		Owns(&istionetworkingv1beta1.VirtualService{}).
+		Owns(&istionetworkingv1.VirtualService{}).
 		Watches(&certmanagerv1.Certificate{}, handler.EnqueueRequestsFromMapFunc(r.skiperatorRoutingCertRequests)).
 		Watches(
 			&skiperatorv1alpha1.Application{},

internal/controllers/skipjob.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/internal/controllers/common"
 	"github.com/kartverket/skiperator/pkg/log"
@@ -15,7 +16,7 @@ import (
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/podmonitor"
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/resourceutils"
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/serviceaccount"
-	istionetworkingv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	istionetworkingv1 "istio.io/client-go/pkg/apis/networking/v1"
 	telemetryv1 "istio.io/client-go/pkg/apis/telemetry/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -76,7 +77,7 @@ func (r *SKIPJobReconciler) SetupWithManager(mgr ctrl.Manager) error {
 			return nil
 		})).
 		Owns(&networkingv1.NetworkPolicy{}).
-		Owns(&istionetworkingv1beta1.ServiceEntry{}).
+		Owns(&istionetworkingv1.ServiceEntry{}).
 		Owns(&telemetryv1.Telemetry{}).
 		// Some NetPol entries are not added unless an application is present. If we reconcile all jobs when there has been changes to NetPols, we can assume
 		// that changes to an Applications AccessPolicy will cause a reconciliation of Jobs

pkg/resourcegenerator/istio/authorizationpolicy/authorization_policy.go

@@ -2,12 +2,13 @@ package authorizationpolicy
 
 import (
 	"fmt"
+
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
-	securityv1beta1api "istio.io/api/security/v1beta1"
+	securityv1api "istio.io/api/security/v1"
 	typev1beta1 "istio.io/api/type/v1beta1"
-	securityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
+	securityv1 "istio.io/client-go/pkg/apis/security/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -54,29 +55,29 @@ func Generate(r reconciliation.Reconciliation) error {
 	return nil
 }
 
-func getGeneralFromRule() []*securityv1beta1api.Rule_From {
-	return []*securityv1beta1api.Rule_From{
+func getGeneralFromRule() []*securityv1api.Rule_From {
+	return []*securityv1api.Rule_From{
 		{
-			Source: &securityv1beta1api.Source{
+			Source: &securityv1api.Source{
 				Namespaces: []string{"istio-gateways"},
 			},
 		},
 	}
 }
 
-func getDefaultDenyPolicy(application *skiperatorv1alpha1.Application, denyPaths []string) securityv1beta1.AuthorizationPolicy {
-	return securityv1beta1.AuthorizationPolicy{
+func getDefaultDenyPolicy(application *skiperatorv1alpha1.Application, denyPaths []string) securityv1.AuthorizationPolicy {
+	return securityv1.AuthorizationPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: application.Namespace,
 			Name:      application.Name + "-deny",
 		},
-		Spec: securityv1beta1api.AuthorizationPolicy{
-			Action: securityv1beta1api.AuthorizationPolicy_DENY,
-			Rules: []*securityv1beta1api.Rule{
+		Spec: securityv1api.AuthorizationPolicy{
+			Action: securityv1api.AuthorizationPolicy_DENY,
+			Rules: []*securityv1api.Rule{
 				{
-					To: []*securityv1beta1api.Rule_To{
+					To: []*securityv1api.Rule_To{
 						{
-							Operation: &securityv1beta1api.Operation{
+							Operation: &securityv1api.Operation{
 								Paths: denyPaths,
 							},
 						},

pkg/resourcegenerator/istio/gateway/application.go

@@ -6,8 +6,8 @@ import (
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
-	networkingv1beta1api "istio.io/api/networking/v1beta1"
-	networkingv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	networkingv1api "istio.io/api/networking/v1"
+	networkingv1 "istio.io/client-go/pkg/apis/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -36,15 +36,15 @@ func generateForApplication(r reconciliation.Reconciliation) error {
 	// Generate separate gateway for each ingress
 	for _, h := range hosts.AllHosts() {
 		name := fmt.Sprintf("%s-ingress-%x", application.Name, util.GenerateHashFromName(h.Hostname))
-		gateway := networkingv1beta1.Gateway{ObjectMeta: metav1.ObjectMeta{Namespace: application.Namespace, Name: name}}
+		gateway := networkingv1.Gateway{ObjectMeta: metav1.ObjectMeta{Namespace: application.Namespace, Name: name}}
 
 		gateway.Spec.Selector = util.GetIstioGatewayLabelSelector(h.Hostname)
 
-		gatewayServersToAdd := []*networkingv1beta1api.Server{}
+		gatewayServersToAdd := []*networkingv1api.Server{}
 
-		baseHttpGatewayServer := &networkingv1beta1api.Server{
+		baseHttpGatewayServer := &networkingv1api.Server{
 			Hosts: []string{h.Hostname},
-			Port: &networkingv1beta1api.Port{
+			Port: &networkingv1api.Port{
 				Number:   80,
 				Name:     "http",
 				Protocol: "HTTP",
@@ -56,15 +56,15 @@ func generateForApplication(r reconciliation.Reconciliation) error {
 			determinedCredentialName = *h.CustomCertificateSecret
 		}
 
-		httpsGatewayServer := &networkingv1beta1api.Server{
+		httpsGatewayServer := &networkingv1api.Server{
 			Hosts: []string{h.Hostname},
-			Port: &networkingv1beta1api.Port{
+			Port: &networkingv1api.Port{
 				Number:   443,
 				Name:     "https",
 				Protocol: "HTTPS",
 			},
-			Tls: &networkingv1beta1api.ServerTLSSettings{
-				Mode:           networkingv1beta1api.ServerTLSSettings_SIMPLE,
+			Tls: &networkingv1api.ServerTLSSettings{
+				Mode:           networkingv1api.ServerTLSSettings_SIMPLE,
 				CredentialName: determinedCredentialName,
 			},
 		}

pkg/resourcegenerator/istio/gateway/routing.go

@@ -6,8 +6,8 @@ import (
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
-	networkingv1beta1api "istio.io/api/networking/v1beta1"
-	networkingv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	networkingv1api "istio.io/api/networking/v1"
+	networkingv1 "istio.io/client-go/pkg/apis/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -32,7 +32,7 @@ func generateForRouting(r reconciliation.Reconciliation) error {
 		return err
 	}
 
-	gateway := networkingv1beta1.Gateway{ObjectMeta: metav1.ObjectMeta{Namespace: routing.Namespace, Name: routing.GetGatewayName()}}
+	gateway := networkingv1.Gateway{ObjectMeta: metav1.ObjectMeta{Namespace: routing.Namespace, Name: routing.GetGatewayName()}}
 
 	var determinedCredentialName string
 	if h.UsesCustomCert() {
@@ -45,24 +45,24 @@ func generateForRouting(r reconciliation.Reconciliation) error {
 	}
 
 	gateway.Spec.Selector = util.GetIstioGatewayLabelSelector(h.Hostname)
-	gateway.Spec.Servers = []*networkingv1beta1api.Server{
+	gateway.Spec.Servers = []*networkingv1api.Server{
 		{
 			Hosts: []string{h.Hostname},
-			Port: &networkingv1beta1api.Port{
+			Port: &networkingv1api.Port{
 				Number:   80,
 				Name:     "http",
 				Protocol: "HTTP",
 			},
 		},
 		{
 			Hosts: []string{h.Hostname},
-			Port: &networkingv1beta1api.Port{
+			Port: &networkingv1api.Port{
 				Number:   443,
 				Name:     "https",
 				Protocol: "HTTPS",
 			},
-			Tls: &networkingv1beta1api.ServerTLSSettings{
-				Mode:           networkingv1beta1api.ServerTLSSettings_SIMPLE,
+			Tls: &networkingv1api.ServerTLSSettings{
+				Mode:           networkingv1api.ServerTLSSettings_SIMPLE,
 				CredentialName: determinedCredentialName,
 			},
 		},

pkg/resourcegenerator/istio/peerauthentication/peer_authentication.go

@@ -2,12 +2,13 @@ package peerauthentication
 
 import (
 	"fmt"
+
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
-	securityv1beta1api "istio.io/api/security/v1beta1"
+	securityv1api "istio.io/api/security/v1"
 	typev1beta1 "istio.io/api/type/v1beta1"
-	securityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
+	securityv1 "istio.io/client-go/pkg/apis/security/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -24,14 +25,14 @@ func Generate(r reconciliation.Reconciliation) error {
 	}
 	ctxLog.Debug("Attempting to generate peer authentication for application", "application", application.Name)
 
-	peerAuthentication := securityv1beta1.PeerAuthentication{ObjectMeta: metav1.ObjectMeta{Namespace: application.Namespace, Name: application.Name}}
+	peerAuthentication := securityv1.PeerAuthentication{ObjectMeta: metav1.ObjectMeta{Namespace: application.Namespace, Name: application.Name}}
 
-	peerAuthentication.Spec = securityv1beta1api.PeerAuthentication{
+	peerAuthentication.Spec = securityv1api.PeerAuthentication{
 		Selector: &typev1beta1.WorkloadSelector{
 			MatchLabels: util.GetPodAppSelector(application.Name),
 		},
-		Mtls: &securityv1beta1api.PeerAuthentication_MutualTLS{
-			Mode: securityv1beta1api.PeerAuthentication_MutualTLS_STRICT,
+		Mtls: &securityv1api.PeerAuthentication_MutualTLS{
+			Mode: securityv1api.PeerAuthentication_MutualTLS_STRICT,
 		},
 	}