Upgrade to Go 1.22.6 & RBAC fixes (#48)

* Upgrade to Go 1.22.6 Signed-off-by: Waleed Malik <[email protected]> * Fix RBAC Signed-off-by: Waleed Malik <[email protected]> --------- Signed-off-by: Waleed Malik <[email protected]>
kubermatic · Aug 13, 2024 · 44df530 · 44df530
1 parent 992788c
commit 44df530
Show file tree

Hide file tree

Showing 25 changed files with 298 additions and 121 deletions.
diff --git a/.gitignore b/.gitignore
@@ -9,4 +9,5 @@ _build
 /bin
 cover.out
 kubelb-*.tgz
-__debug*
+__debug*
+charts/*/charts
diff --git a/.prow/postsubmits.yaml b/.prow/postsubmits.yaml
@@ -30,7 +30,7 @@ postsubmits:
       preset-goproxy: "true"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           command:
             - /bin/bash
             - -c
@@ -60,7 +60,7 @@ postsubmits:
       preset-goproxy: "true"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           command:
             - "./hack/ci/upload-gocache.sh"
           resources:
@@ -83,7 +83,7 @@ postsubmits:
       preset-goproxy: "true"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           command:
             - make
           args:

diff --git a/.prow/verify.yaml b/.prow/verify.yaml
@@ -57,7 +57,7 @@ presubmits:
       preset-goproxy: "true"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           command:
             - make
           args:
@@ -72,7 +72,7 @@ presubmits:
     clone_uri: "ssh://[email protected]/kubermatic/kubelb.git"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           command:
             - make
           args:
@@ -84,7 +84,7 @@ presubmits:
     clone_uri: "ssh://[email protected]/kubermatic/kubelb.git"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           command:
             - make
           args:
@@ -141,7 +141,7 @@ presubmits:
       preset-goproxy: "true"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           securityContext:
             privileged: true
           env:
@@ -175,7 +175,7 @@ presubmits:
     clone_uri: "ssh://[email protected]/kubermatic/kubelb.git"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           command:
             - shfmt
           args:
@@ -205,7 +205,7 @@ presubmits:
       preset-goproxy: "true"
     spec:
       containers:
-        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+        - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
           command:
             - ./hack/verify-licenses.sh
           resources:

diff --git a/Makefile b/Makefile
@@ -9,7 +9,7 @@ KUBELB_CCM_IMG ?= quay.io/kubermatic/kubelb-ccm
 ENVTEST_K8S_VERSION = 1.30.0
 KUSTOMIZE_VERSION ?= v5.4.3
 CONTROLLER_TOOLS_VERSION ?= v0.15.0
-GO_VERSION = 1.22.5
+GO_VERSION = 1.22.6
 
 export GOPATH?=$(shell go env GOPATH)
 export CGO_ENABLED=0

diff --git a/ccm.dockerfile b/ccm.dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM docker.io/golang:1.22.5 as builder
+FROM docker.io/golang:1.22.6 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

diff --git a/charts/kubelb-ccm/README.md b/charts/kubelb-ccm/README.md
@@ -55,7 +55,7 @@ helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml --create-na
 | kubelb.disableIngressController | bool | `false` | disableIngressController specifies whether to disable the Ingress Controller. |
 | kubelb.enableLeaderElection | bool | `true` | Enable the leader election. |
 | kubelb.enableSecretSynchronizer | bool | `false` | Enable to automatically convert Secrets labelled with `kubelb.k8c.io/managed-by: kubelb` to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way. |
-| kubelb.nodeAddressType | string | `"InternalIP"` |  |
+| kubelb.nodeAddressType | string | `"ExternalIP"` |  |
 | kubelb.tenantName | string | `nil` | Name of the tenant, must be unique against a load balancer cluster. |
 | kubelb.useGatewayClass | bool | `true` | useGatewayClass specifies whether to target resources with `kubelb` gateway class or all resources. |
 | kubelb.useIngressClass | bool | `true` | useIngressClass specifies whether to target resources with `kubelb` ingress class or all resources. |

diff --git a/charts/kubelb-ccm/templates/clusterrole.yaml b/charts/kubelb-ccm/templates/clusterrole.yaml
@@ -43,6 +43,16 @@ rules:
   - get
   - list
   - watch
+  - patch
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gateways/status
+  verbs:
+  - get
+  - update
+  - patch
 {{- end }}
 {{- if not .Values.kubelb.disableGRPCRouteController }}
 - apiGroups:
@@ -53,6 +63,16 @@ rules:
   - get
   - list
   - watch
+  - patch
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - grpcroutes/status
+  verbs:
+  - get
+  - update
+  - patch
 {{- end }}
 {{- if not .Values.kubelb.disableHTTPRouteController }}
 - apiGroups:
@@ -63,6 +83,16 @@ rules:
   - get
   - list
   - watch
+  - patch
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - httproutes/status
+  verbs:
+  - get
+  - update
+  - patch
 {{- end }}
 {{- end }}
 {{- if not .Values.kubelb.disableIngressController }}
@@ -74,6 +104,16 @@ rules:
   - get
   - list
   - watch
+  - patch
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - get
+  - update
+  - patch
 {{- end }}
 {{ if .Values.kubelb.enableSecretSynchronizer -}}
 - apiGroups:
@@ -88,6 +128,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets/finalizers
+  verbs:
+  - get
+  - update
+  - patch
 {{- end }}
 - apiGroups:
   - kubelb.k8c.io

diff --git a/charts/kubelb-ccm/templates/deployment.yaml b/charts/kubelb-ccm/templates/deployment.yaml
@@ -31,18 +31,7 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
-        - args:
-          - --secure-listen-address=0.0.0.0:8443
-          - --upstream=http://127.0.0.1:8080/
-          - --v=0
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          name: kube-rbac-proxy
-          ports:
-          - protocol: TCP
-            containerPort: 8443
-            name: https
-        - name: {{ .Chart.Name }}
+        - name: ccm
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -81,10 +70,6 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
-              protocol: TCP
           livenessProbe:
             httpGet:
               path: /healthz
@@ -105,6 +90,17 @@ spec:
           {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 8 }}
           {{- end }}
+        - args:
+          - --secure-listen-address=0.0.0.0:8443
+          - --upstream=http://127.0.0.1:8080/
+          - --v=0
+          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          name: kube-rbac-proxy
+          ports:
+          - protocol: TCP
+            containerPort: 8443
+            name: https
       volumes:
         - name: kubelb-cluster
           secret:

diff --git a/charts/kubelb-ccm/values.yaml b/charts/kubelb-ccm/values.yaml
@@ -13,19 +13,22 @@ kubelb:
   # -- Name of the secret that contains kubeconfig for the loadbalancer cluster
   clusterSecretName: kubelb-cluster
 
-  # -- Enable the leader election.
-  enableLeaderElection: true
-  nodeAddressType: InternalIP
+  # Important configurations.
+  # Address type to use for routing traffic to node ports. Values are ExternalIP, InternalIP.
+  nodeAddressType: ExternalIP
+  # -- useLoadBalancerClass specifies whether to target services of type LoadBalancer with `kubelb` load balancer class or all services of type LoadBalancer.
+  useLoadBalancerClass: false
+  # -- disableGatewayAPI specifies whether to disable the Gateway API and Gateway Controllers.
+  disableGatewayAPI: false
   # -- Enable to automatically convert Secrets labelled with `kubelb.k8c.io/managed-by: kubelb` to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way.
   enableSecretSynchronizer: false
+
+  # -- Enable the leader election.
+  enableLeaderElection: true
   # -- useIngressClass specifies whether to target resources with `kubelb` ingress class or all resources.
   useIngressClass: true
   # -- useGatewayClass specifies whether to target resources with `kubelb` gateway class or all resources.
   useGatewayClass: true
-  # -- useLoadBalancerClass specifies whether to target services of type LoadBalancer with `kubelb` load balancer class or all services of type LoadBalancer.
-  useLoadBalancerClass: false
-  # -- disableGatewayAPI specifies whether to disable the Gateway API and Gateway Controllers.
-  disableGatewayAPI: false
   # -- disableIngressController specifies whether to disable the Ingress Controller.
   disableIngressController: false
   # -- disableGatewayController specifies whether to disable the Gateway Controller.

diff --git a/charts/kubelb-manager/README.md b/charts/kubelb-manager/README.md
@@ -35,7 +35,7 @@ helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml --c
 | image.repository | string | `"quay.io/kubermatic/kubelb-manager"` |  |
 | image.tag | string | `"v1.0.0"` |  |
 | imagePullSecrets | list | `[]` |  |
-| kubelb.debug | bool | `false` |  |
+| kubelb.debug | bool | `true` |  |
 | kubelb.enableLeaderElection | bool | `true` |  |
 | kubelb.envoyProxy.affinity | object | `{}` |  |
 | kubelb.envoyProxy.nodeSelector | object | `{}` |  |

diff --git a/charts/kubelb-manager/templates/deployment.yaml b/charts/kubelb-manager/templates/deployment.yaml
@@ -31,18 +31,7 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
-        - args:
-          - --secure-listen-address=0.0.0.0:8443
-          - --upstream=http://127.0.0.1:8080/
-          - --v=0
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          name: kube-rbac-proxy
-          ports:
-          - protocol: TCP
-            containerPort: 8443
-            name: https
-        - name: {{ .Chart.Name }}
+        - name: manager
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -55,10 +44,6 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
-              protocol: TCP
           livenessProbe:
             httpGet:
               path: /healthz
@@ -77,6 +62,17 @@ spec:
           volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+        - args:
+          - --secure-listen-address=0.0.0.0:8443
+          - --upstream=http://127.0.0.1:8080/
+          - --v=0
+          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          name: kube-rbac-proxy
+          ports:
+          - protocol: TCP
+            containerPort: 8443
+            name: https
       {{- with .Values.volumes }}
       volumes:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/kubelb-manager/values.yaml b/charts/kubelb-manager/values.yaml
@@ -8,7 +8,7 @@ imagePullSecrets: []
 
 kubelb:
   enableLeaderElection: true
-  debug: false
+  debug: true
   # -- Set to true to skip the generation of the Config CR. Useful when the config CR needs to be managed manually.
   skipConfigGeneration: false
   envoyProxy:

diff --git a/cmd/kubelb/main.go b/cmd/kubelb/main.go
@@ -73,7 +73,7 @@ func main() {
 	flag.BoolVar(&opt.enableLeaderElection, "enable-leader-election", true,
 		"Enable leader election for controller kubelb. Enabling this will ensure there is only one active controller kubelb.")
 	flag.BoolVar(&opt.enableDebugMode, "debug", false, "Enables debug mode")
-	flag.StringVar(&opt.namespace, "namespace", "", "The namespace where the controller will run.")
+	flag.StringVar(&opt.namespace, "namespace", "kubelb", "The namespace where the controller will run.")
 
 	flag.BoolVar(&opt.enableTenantMigrationController, "enable-tenant-migration", true, "Enables a controller that performs automated migration from namespaces to tenants")
 	flag.BoolVar(&opt.disableGatewayAPI, "disable-gateway-api", false, "Disable the Gateway APIs and controllers.")