Merge pull request #82 from nginxinc/release-1.6.0

Helm release - 1.6.0

Author: sjberman

Diff for: helm-chart/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: nginx-service-mesh
 description: NGINX Service Mesh
-version: 0.5.0
-appVersion: 1.5.0
+version: 0.6.0
+appVersion: 1.6.0
 kubeVersion: ">= 1.18-0"
 icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png

Diff for: helm-chart/README.md

@@ -6,6 +6,6 @@ Before deploying NGINX Service Mesh, see the [Platform Guide](https://docs.nginx
 
 For information on the configuration options and installation process when using Helm with NGINX Service Mesh, see the [Installation Guide](https://docs.nginx.com/nginx-service-mesh/get-started/install-with-helm/).
 
-## Rancher users
+We recommend deploying the mesh with auto-injection disabled globally, using the `--set disableAutoInjection=true` flag. This ensures that Pods are not automatically injected without your consent, especially in system namespaces.
 
-When deploying NGINX Service Mesh via the Rancher Apps and Marketplace, the Helm value `rancher` is set to `true` by default. This value causes Pods in the `cattle-*`, `ingress-nginx`, and `cert-manager` namespaces to be ignored by the automatic sidecar injection webhook. If this behavior is not desired, the `rancher` value can be set to `false`, or the `injector.nsm.nginx.com/auto-inject` label can be manually removed from these namespaces.
+To opt-in a namespace you can label it with `injector.nsm.nginx.com/auto-inject=enabled` or use the flag `--set autoInjection.enabledNamespaces={namespace-1, namespace-2}`.

Diff for: helm-chart/configs/mesh-config.conf

@@ -9,10 +9,12 @@
     "clientMaxBodySize": {{ quote .Values.clientMaxBodySize }},
     "environment": {{ quote .Values.environment }},
     "isUDPEnabled": {{ .Values.enableUDP }},
+    "enabledNamespaces": [{{ if .Values.enabledNamespaces }} {{ range $idx, $elem := .Values.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}} {{ else }} {{ range $idx, $elem := .Values.autoInjection.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}} {{ end }}],
+    "isAutoInjectEnabled": {{ if eq .Values.disableAutoInjection .Values.autoInjection.disable }} {{ not .Values.disableAutoInjection }} {{ else if .Values.disableAutoInjection }} {{ not .Values.disableAutoInjection }} {{ else }} {{ not .Values.autoInjection.disable }} {{ end }},
     "injection": {
       "disabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.disabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
-      "enabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
-      "isAutoInjectEnabled": {{ not .Values.autoInjection.disable }}
+      "enabledNamespaces": [{{ if .Values.enabledNamespaces }} {{ range $idx, $elem := .Values.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}} {{ else }} {{ range $idx, $elem := .Values.autoInjection.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}} {{ end }}],
+      "isAutoInjectEnabled": {{ if eq .Values.disableAutoInjection .Values.autoInjection.disable }} {{ not .Values.disableAutoInjection }} {{ else if .Values.disableAutoInjection }} {{ not .Values.disableAutoInjection }} {{ else }} {{ not .Values.autoInjection.disable }} {{ end }}
     },
     "loadBalancingMethod": {{ quote .Values.nginxLBMethod }},
     "mtls": {

Diff for: helm-chart/templates/_helpers.tpl

@@ -7,7 +7,7 @@
 {{- end }}
 
 {{- define "node-driver.image-server" -}}
-{{- if not .Values.registry.disablePublicImages }}k8s.gcr.io/sig-storage{{ else }}{{ .Values.registry.server }}{{ end }}
+{{- if not .Values.registry.disablePublicImages }}registry.k8s.io/sig-storage{{ else }}{{ .Values.registry.server }}{{ end }}
 {{- end }}
 
 {{- define "hook.image-server" -}}
@@ -18,6 +18,10 @@
 {{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }}
 {{- end }}
 
+{{- define "curl.image-server" -}}
+{{- if not .Values.registry.disablePublicImages }}curlimages{{ else }}{{ .Values.registry.server }}{{ end }}
+{{- end }}
+
 {{- define "registry-key-name" -}}
 nginx-mesh-registry-key
 {{- end }}

Diff for: helm-chart/templates/nats.yaml

@@ -113,7 +113,7 @@ spec:
         - name: spire-agent-socket
           mountPath: "/run/spire/sockets"
       - name: nats-server
-        image: {{ include "nats.image-server" . }}nats:2.8.4-alpine3.15
+        image: {{ include "nats.image-server" . }}nats:2.9.3-alpine3.16
         imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
         ports:
         - containerPort: 4222

Diff for: helm-chart/templates/nginx-mesh-api.yaml

@@ -249,10 +249,11 @@ webhooks:
 - name: nginx-mesh-api.sidecar.injector
   namespaceSelector:
     matchExpressions:
-    - key: injector.nsm.nginx.com/auto-inject
+    - key: kubernetes.io/metadata.name
       operator: NotIn
       values:
-      - 'false'
+      - "kube-system"
+      - {{ .Release.Namespace }}
   clientConfig:
     service:
       name: nginx-mesh-webhook

Diff for: helm-chart/templates/post-upgrade-hook.yaml

@@ -1,4 +1,4 @@
-# This hook reads the ConfigMap created by the pre-upgrade hook, and applies all updated HTTPRouteGroups.
+# This hook removes vestigial labels from select namespaces that the mesh no longer uses
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -27,26 +27,20 @@ rules:
 - apiGroups:
   - ''
   resources:
-  - configmaps
-  verbs:
-  - get
-  - delete
-- apiGroups:
-  - specs.smi-spec.io
-  resources:
-  - httproutegroups
+  - namespaces
   verbs:
   - get
+  - list
   - patch
 {{- if eq .Values.environment "openshift" }}
 - apiGroups:
-  - security.openshift.io
+    - security.openshift.io
   resources:
-  - securitycontextconstraints
+    - securitycontextconstraints
   resourceNames:
-  - post-upgrade-permissions.builtin.nsm.nginx
+    - post-upgrade-permissions.builtin.nsm.nginx
   verbs:
-  - use
+    - use
 ---
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
@@ -86,14 +80,14 @@ roleRef:
   kind: ClusterRole
   name: post-upgrade.builtin.nsm.nginx
 subjects:
-- kind: ServiceAccount
-  name: post-upgrade
-  namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: post-upgrade
+    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: update-httproutegroups
+  name: remove-namespace-labels
   labels:
     app.kubernetes.io/part-of: nginx-service-mesh
   annotations:
@@ -103,26 +97,27 @@ metadata:
 spec:
   template:
     metadata:
-      name: update-httproutegroups
+      name: remove-namespace-labels
     spec:
       restartPolicy: Never
       serviceAccountName: post-upgrade
       containers:
-      - name: update-httproutegroups
-        image: {{ include "hook.image-server" . }}/kubectl
-        imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
-        command:
-        - /bin/bash
-        - -c
-        - |
-          res=$(kubectl get configmap httproutegroups --ignore-not-found -o jsonpath='{.data.httproutegroups}')
-          if [ -n "$res" ]; then
-            n=0
-            until [ "$n" -ge 30 ]
-            do
-              echo $res | jq -c '.[]' | while read -r i; do kubectl apply -f - <<< $i; done && break
-              n=$((n+1))
-              sleep 1
-            done
-          fi
-          kubectl delete configmap httproutegroups --ignore-not-found
+        - name: remove-namespace-labels
+          image: {{ include "hook.image-server" . }}/kubectl
+          imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
+          securityContext:
+            runAsUser: 0
+          command:
+            - /bin/bash
+            - -c
+            - |
+              kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject-
+              kubectl label namespace {{ .Release.Namespace }} --overwrite injector.nsm.nginx.com/auto-inject- app.kubernetes.io/part-of-
+              {{- if .Values.rancher }}
+              kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject-
+              for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
+                case "$ns" in
+                  cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject- ;;
+                esac
+              done
+              {{- end }}