Commit 9cb1b78

Merge pull request #67 from signadot/cluster-config-changes
v0.19.1 changes
2 parents 4c7c5a5 + cbac67c commit 9cb1b78

16 files changed

+313
-49
lines changed

signadot/operator/Chart.yaml

+2-2
Original file line numberDiff line numberDiff line change
@@ -6,10 +6,10 @@ type: application
66
# This is the chart version. This version number should be incremented each time you make changes
77
# to the chart and its templates, including the app version.
88
# Versions are expected to follow Semantic Versioning (https://semver.org/)
9-
version: "0.19.0"
9+
version: "0.19.1"
1010

1111
# This is the version number of the application being deployed. This version number should be
1212
# incremented each time you make changes to the application. Versions are not expected to
1313
# follow Semantic Versioning. They should reflect the version the application is using.
1414
# It is recommended to use it with quotes.
15-
appVersion: "0.19.0"
15+
appVersion: "0.19.1"

signadot/operator/README.md

+37-2
Original file line numberDiff line numberDiff line change
@@ -66,6 +66,14 @@ kubectl delete ns signadot
6666
| `serviceLabels` | Labels to add to all deployed `Service` objects | `{}` |
6767
| `serviceAnnotations` | Annotations to add to all deployed `Service` objects | `{}` |
6868

69+
### Controller Manager parameters
70+
71+
| Name | Description | Default |
72+
| ------------------------------- | --------------------------------------------------------------------------- | ------- |
73+
| `allowedNamespaces` | Restrict the namespaces in which `signadot-controller-manager` will operate | `[]` |
74+
| `sandboxTrafficManager.enabled` | Whether to enable the sandbox traffic manager sidecar on forked workloads | `true` |
75+
76+
6977
### Image customization parameters
7078

7179
The parameters in the table below allow one to specify image names for the
@@ -120,7 +128,6 @@ style resources and are not needed in an installation which uses the new
120128
| `jobExecutorProxy.image` | Job Executor Proxy container image override | `signadot/job-executor-proxy:vX.Y.Z` |
121129
| `jobExecutorProxy.imagePullPolicy` | Job Executor Proxy container image pull policy | `IfNotPresent` |
122130
| `jobExecutorProxy.imagePullSecret` | Job Executor Proxy container image pull secret | `""` |
123-
| `sandboxTrafficManager.enabled` | Whether to enable the sandbox traffic manager sidecar on forked workloads | `true` |
124131
| `sandboxTrafficManager.init.Image` | Sandbox traffic manager sidecar image override | `signadot/sandbox-traffic-manager:vX.Y.Z` |
125132
| `sandboxTrafficManager.init.ImagePullPolicy` | Sandbox traffic manager sidecar image pull policy | `IfNotPresent` |
126133
| `sandboxTrafficManager.init.ImagePullSecret` | Sandbox traffic manager sidecar image pull secret | `""` |
@@ -148,14 +155,42 @@ style resources and are not needed in an installation which uses the new
148155
| `tunnel.auditor.inboundRulesLuaScript` | All inbound traffic (from cluster to workstation) will pass thru this script (if defined) in the Envoy auditor, check [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api) documentation for details | `""` |
149156
| `tunnel.auditor.outboundRulesLuaScript` | All outbound traffic (from workstation to cluster) will pass thru this script (if defined) in the Envoy auditor, check [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api) documentation for details | `""` |
150157
| | | |
151-
### Istio Parameters
158+
### Istio parameters
152159

153160
When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes where appropriate to direct traffic to sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator. Note that these labels and annotations are only added when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities.
154161

162+
Enabling Istio will activate the Istio proxy in the following components: in Signadot `agent` (for control-plane access to the cluster), in `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and in the managed job runner group (for executing in-cluster smart tests).
163+
155164
| Name | Description | Default |
156165
| ----------------------------------- | --------------------------------------------------------------------------------------------------------- | ------- |
157166
| `istio.enabled` | Enable Istio integration | `false` |
158167
| `istio.additionalAnnotations` | Annotations to add to istio VirtualServices if not present | `{}` |
159168
| `istio.additionalLabels` | Labels to add to istio VirtualServices if not present | `{}` |
160169
| `istio.enableDeprecatedHostRouting` | Enable sandbox routing by matching the `VirtualService.host` field. **This feature has been deprecated**. | `false` |
161170

171+
172+
### Linkerd parameters
173+
174+
Enabling Linkerd will activate the Linkerd proxy in the following components: in Signadot `agent` (for control-plane access to the cluster), in `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and in the managed job runner group (for executing in-cluster smart tests).
175+
176+
Note that, unlike with Istio, routing in Linkerd is not expressed via Linkerd CRDs, but by using the DevMesh sidecars in the relevant workloads.
177+
178+
| Name | Description | Default |
179+
| ----------------- | ------------------------ | ------- |
180+
| `linkerd.enabled` | Enable Linkerd integration | `false` |
181+
182+
183+
### Routing parameters
184+
185+
| Name | Description | Default |
186+
| ----------------------- | ----------------------------------------------- | ------- |
187+
| `routing.customHeaders` | List of custom headers used for sandbox routing | `[]` |
188+
189+
190+
### Traffic capture parameters
191+
192+
| Name | Description | Default |
193+
| ------------------------------------- | ----------------------------------------------------------- | ------- |
194+
| `trafficCapture.enabled` | Enable traffic capture | `true` |
195+
| `trafficCapture.requestHeadersElide` | List of request headers to be elided from traffic captures | `[]` |
196+
| `trafficCapture.responseHeadersElide` | List of response headers to be elided from traffic captures | `[]` |
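
Review bot: the new Istio and Linkerd sections do not say that `istio.enabled` and `linkerd.enabled` are mutually exclusive, yet the ConfigMap template added in this commit aborts rendering with "istio and linkerd cannot be enabled at the same time". Add one sentence to both sections so the constraint is known before install. The `routing.customHeaders` row would also benefit from an example value, since the table gives only the `[]` default.
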
+37
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
2+
{{/*
3+
cluster config template
4+
*/}}
5+
{{- define "compileClusterConfig" -}}
6+
{{- $allowedNamespaces := (include "getAllowedNamespaces" . | fromJsonArray) -}}
7+
allowedNamespaces: {{ if gt (len $allowedNamespaces) 0 }}{{ printf "\n" }}{{ toYaml $allowedNamespaces | indent 2}}{{- else -}}[]{{- end }}
8+
routing:
9+
istio:
10+
enabled: {{ if and (hasKey .Values "istio") (hasKey .Values.istio "enabled") -}}{{ toString .Values.istio.enabled }}{{- else -}}false{{- end }}
11+
enableHostRouting: {{ if and (hasKey .Values "istio") (hasKey .Values.istio "enableDeprecatedHostRouting") -}}{{ toString .Values.istio.enableDeprecatedHostRouting }}{{- else -}}false{{- end }}
12+
linkerd:
13+
enabled: {{ if and (hasKey .Values "linkerd") (hasKey .Values.linkerd "enabled") -}}{{ toString .Values.linkerd.enabled }}{{- else -}}false{{- end }}
14+
customHeaders: {{ with .Values }}{{ with .routing }}{{ with .customHeaders }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}
15+
sandboxTrafficManager:
16+
enabled: {{ if and (hasKey .Values "sandboxTrafficManager") (hasKey .Values.sandboxTrafficManager "enabled") -}}{{ toString .Values.sandboxTrafficManager.enabled }}{{- else -}}true{{- end }}
17+
trafficCapture:
18+
enabled: {{ if and (hasKey .Values "trafficCapture") (hasKey .Values.trafficCapture "enabled") -}}{{ toString .Values.trafficCapture.enabled }}{{- else -}}true{{- end }}
19+
requestHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .requestHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}
20+
responseHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .responseHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}
21+
{{- end -}}
22+
23+
24+
{{/*
25+
get allowed namespaces
26+
*/}}
27+
{{- define "getAllowedNamespaces" -}}
28+
{{- if .Values.allowedNamespaces }}
29+
{{- $userNamespaces := .Values.allowedNamespaces -}}
30+
{{- if not (has "signadot" $userNamespaces) }}
31+
{{- $userNamespaces = append $userNamespaces "signadot" -}}
32+
{{- end }}
33+
{{- $userNamespaces | toJson -}}
34+
{{- else -}}
35+
[]
36+
{{- end }}
37+
{{- end }}
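
Review bot: in `compileClusterConfig`, `trafficCapture.enabled` falls back to `true` while `requestHeadersElide` and `responseHeadersElide` fall back to `[]`, so an install that sets nothing captures traffic with no header elided. Consider seeding the elide defaults with credential-bearing headers such as `Authorization`, `Cookie` and `Set-Cookie`, or at least state in the README that these lists are where such headers belong.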

signadot/operator/templates/agent-deployment.yaml

+13-2
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,8 @@
11
# This file is generated. Do not edit.
2+
{{- $istioEnabled := false -}}
3+
{{- with .Values }}{{ with .istio }}{{- if hasKey . "enabled" }}{{ $istioEnabled = .enabled }}{{- end }}{{- end }}{{- end }}
4+
{{- $linkerdEnabled := false -}}
5+
{{- with .Values }}{{ with .linkerd }}{{- if hasKey . "enabled" }}{{ $linkerdEnabled = .enabled }}{{- end }}{{- end }}{{- end }}
26
{{ if not .Values.disableAgent }}
37
apiVersion: apps/v1
48
kind: Deployment
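
Review bot: `$istioEnabled = .enabled` and `$linkerdEnabled = .enabled` keep the raw value and are later tested for truthiness, while `compileClusterConfig` renders the same keys with `toString`. A string value, such as the one produced by `--set-string istio.enabled=false`, is non-empty and therefore true here but is written as `enabled: false` in the cluster config, so the injection setting and the operator's view of the mesh can disagree. Normalise the value in one shared named template and use it in both places.
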
@@ -27,15 +31,22 @@ spec:
2731
{{- range $key, $val := .Values.podAnnotations }}
2832
{{ $key | quote }}: {{ $val | quote }}
2933
{{- end }}
34+
cluster-config-checksum: '{{ include (print $.Template.BasePath "/signadot-cluster-config-configmap.yaml")
35+
. | sha256sum }}'
36+
{{- if $linkerdEnabled }}
37+
linkerd.io/inject: enabled
38+
{{- end }}
3039
labels:
3140
app: signadot-agent
32-
sidecar.istio.io/inject: "true"
3341
{{- range $key, $val := .Values.commonLabels }}
3442
{{ $key | quote }}: {{ $val | quote }}
3543
{{- end }}
3644
{{- range $key, $val := .Values.podLabels }}
3745
{{ $key | quote }}: {{ $val | quote }}
3846
{{- end }}
47+
{{- if $istioEnabled }}
48+
sidecar.istio.io/inject: "true"
49+
{{- end }}
3950
spec:
4051
containers:
4152
- args:
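
Review bot: moving `sidecar.istio.io/inject: "true"` under `{{- if $istioEnabled }}` changes the default behaviour: the label used to be set unconditionally and `istio.enabled` defaults to `false`, so an upgrade from 0.19.0 with untouched values removes it from the agent pod. Call this out in the release notes or in README upgrade guidance so clusters that relied on the label set `istio.enabled: true` before upgrading.
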
@@ -48,7 +59,7 @@ spec:
4859
secretKeyRef:
4960
key: token
5061
name: cluster-agent
51-
image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.19.0{{- end }}{{- else -}}signadot/agent:v0.19.0{{- end }}{{- else -}}signadot/agent:v0.19.0{{- end }}
62+
image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.19.1{{- end }}{{- else -}}signadot/agent:v0.19.1{{- end }}{{- else -}}signadot/agent:v0.19.1{{- end }}
5263
imagePullPolicy: {{ with .Values }}{{ with .agent }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
5364
livenessProbe:
5465
httpGet:

signadot/operator/templates/allowed_namespaces.yaml

+2-1
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
# Bind the ClusterRole containing namespaced permissions to the
22
# controller-manager's ServiceAccount only in the specified namespaces.
3-
{{ range $namespace := .Values.allowedNamespaces }}
3+
{{- $allowedNamespaces := (include "getAllowedNamespaces" . | fromJsonArray) -}}
4+
{{ range $namespace := $allowedNamespaces }}
45
---
56
apiVersion: rbac.authorization.k8s.io/v1
67
kind: RoleBinding
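
Review bot: the comment above the `range` still says the binding is created "only in the specified namespaces", but `getAllowedNamespaces` appends `signadot` to any non-empty list, so a RoleBinding is now also created there. Update the comment and the `allowedNamespaces` row in the README to say so, and state what the `[]` default means for the controller-manager, since the helper returns an empty list in that case and this template then emits no binding at all.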

signadot/operator/templates/io-context-server-deployment.yaml

+1-1
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ spec:
4040
- /app/io-context-server
4141
- -tls=secretns=signadot
4242
- -port=8443
43-
image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.19.0{{- end }}{{- else -}}signadot/io-context-server:v0.19.0{{- end }}{{- else -}}signadot/io-context-server:v0.19.0{{- end }}
43+
image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.19.1{{- end }}{{- else -}}signadot/io-context-server:v0.19.1{{- end }}{{- else -}}signadot/io-context-server:v0.19.1{{- end }}
4444
imagePullPolicy: {{ with .Values }}{{ with .ioContextServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
4545
name: io-context-server
4646
ports:

signadot/operator/templates/routeserver-deployment.yaml

+1-1
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ spec:
3636
{{- end }}
3737
spec:
3838
containers:
39-
- image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.19.0{{- end }}{{- else -}}signadot/route-server:v0.19.0{{- end }}{{- else -}}signadot/route-server:v0.19.0{{- end }}
39+
- image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.19.1{{- end }}{{- else -}}signadot/route-server:v0.19.1{{- end }}{{- else -}}signadot/route-server:v0.19.1{{- end }}
4040
imagePullPolicy: {{ with .Values }}{{ with .routeServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
4141
name: routeserver
4242
ports:

signadot/operator/templates/signadot-agent-clusterrole.yaml

+10
Original file line numberDiff line numberDiff line change
@@ -75,4 +75,14 @@ rules:
7575
- get
7676
- list
7777
- watch
78+
- apiGroups:
79+
- ""
80+
resourceNames:
81+
- signadot-cluster-config
82+
resources:
83+
- configmaps
84+
verbs:
85+
- get
86+
- list
87+
- watch
7888
{{ end }}
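
Review bot: the new rule pairs `resourceNames: signadot-cluster-config` with `list` and `watch`. Kubernetes authorizes `list` and `watch` against `resourceNames` only when the request carries a matching `metadata.name` field selector, so confirm the agent reads the ConfigMap that way; otherwise only `get` will be permitted. Because this is a ClusterRole and the ConfigMap is created in the `signadot` namespace, also check that the rule is not granted more widely than that one namespace; a namespaced Role would express the intent more tightly.
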
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
{{- if and (hasKey .Values "istio") (hasKey .Values.istio "enabled") .Values.istio.enabled
2+
(hasKey .Values "linkerd") (hasKey .Values.linkerd "enabled") .Values.linkerd.enabled
3+
}}
4+
{{ fail "istio and linkerd cannot be enabled at the same time" }}
5+
{{- end }}
6+
7+
apiVersion: v1
8+
kind: ConfigMap
9+
metadata:
10+
name: signadot-cluster-config
11+
namespace: signadot
12+
data:
13+
cluster_config.yaml: |
14+
{{- include "compileClusterConfig" . | nindent 4 }}
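
Review bot: the guard passes `.Values.istio.enabled` and `.Values.linkerd.enabled` as arguments of a single `and`, which is safe only if `and` stops at the first false argument. Go templates do that from Go 1.18; Helm binaries built with an older Go evaluate every argument, so a values file without a `linkerd` (or `istio`) map fails with a nil-pointer error instead of rendering. The nested `with` lookups added to `agent-deployment.yaml` in this commit avoid the problem: compute both flags that way and test `and $istioEnabled $linkerdEnabled`.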
