diff --git a/.gitignore b/.gitignore
index 0959165..0055a71 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,4 +9,5 @@ _build
 /bin
 cover.out
 kubelb-*.tgz
-__debug*
\ No newline at end of file
+__debug*
+charts/*/charts
diff --git a/.prow/postsubmits.yaml b/.prow/postsubmits.yaml
index 380dcb0..daa7bbb 100644
--- a/.prow/postsubmits.yaml
+++ b/.prow/postsubmits.yaml
@@ -30,7 +30,7 @@ postsubmits:
 preset-goproxy: "true"
 spec:
 containers:
- - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+ - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
 command:
 - /bin/bash
 - -c
@@ -60,7 +60,7 @@ postsubmits:
 preset-goproxy: "true"
 spec:
 containers:
- - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+ - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
 command:
 - "./hack/ci/upload-gocache.sh"
 resources:
@@ -83,7 +83,7 @@ postsubmits:
 preset-goproxy: "true"
 spec:
 containers:
- - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+ - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
 command:
 - make
 args:
diff --git a/.prow/verify.yaml b/.prow/verify.yaml
index ff6dbd7..a80adfc 100644
--- a/.prow/verify.yaml
+++ b/.prow/verify.yaml
@@ -57,7 +57,7 @@ presubmits:
 preset-goproxy: "true"
 spec:
 containers:
- - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+ - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
 command:
 - make
 args:
@@ -72,7 +72,7 @@ presubmits:
 clone_uri: "ssh://git@github.com/kubermatic/kubelb.git"
 spec:
 containers:
- - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+ - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
 command:
 - make
 args:
@@ -84,7 +84,7 @@ presubmits:
 clone_uri: "ssh://git@github.com/kubermatic/kubelb.git"
 spec:
 containers:
- - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11
+ - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12
 command:
 - make
 args:
@@ -141,7 +141,7 @@ presubmits: preset-goproxy: "true" spec: containers: - - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11 + - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12 securityContext: privileged: true env: @@ -175,7 +175,7 @@ presubmits: clone_uri: "ssh://git@github.com/kubermatic/kubelb.git" spec: containers: - - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11 + - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12 command: - shfmt args: @@ -205,7 +205,7 @@ presubmits: preset-goproxy: "true" spec: containers: - - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11 + - image: quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12 command: - ./hack/verify-licenses.sh resources: diff --git a/Makefile b/Makefile index 0d55850..e164ea3 100644 --- a/Makefile +++ b/Makefile @@ -9,7 +9,7 @@ KUBELB_CCM_IMG ?= quay.io/kubermatic/kubelb-ccm ENVTEST_K8S_VERSION = 1.30.0 KUSTOMIZE_VERSION ?= v5.4.3 CONTROLLER_TOOLS_VERSION ?= v0.15.0 -GO_VERSION = 1.22.5 +GO_VERSION = 1.22.6 export GOPATH?=$(shell go env GOPATH) export CGO_ENABLED=0 diff --git a/ccm.dockerfile b/ccm.dockerfile index 173067f..77d6085 100644 --- a/ccm.dockerfile +++ b/ccm.dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM docker.io/golang:1.22.5 as builder +FROM docker.io/golang:1.22.6 as builder WORKDIR /workspace # Copy the Go Modules manifests diff --git a/charts/kubelb-ccm/README.md b/charts/kubelb-ccm/README.md index b7ee0aa..239f46f 100644 --- a/charts/kubelb-ccm/README.md +++ b/charts/kubelb-ccm/README.md 
@@ -55,7 +55,7 @@ helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml --create-na
 | kubelb.disableIngressController | bool | `false` | disableIngressController specifies whether to disable the Ingress Controller. |
 | kubelb.enableLeaderElection | bool | `true` | Enable the leader election. |
 | kubelb.enableSecretSynchronizer | bool | `false` | Enable to automatically convert Secrets labelled with `kubelb.k8c.io/managed-by: kubelb` to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way. |
-| kubelb.nodeAddressType | string | `"InternalIP"` | |
+| kubelb.nodeAddressType | string | `"ExternalIP"` | |
 | kubelb.tenantName | string | `nil` | Name of the tenant, must be unique against a load balancer cluster. |
 | kubelb.useGatewayClass | bool | `true` | useGatewayClass specifies whether to target resources with `kubelb` gateway class or all resources. |
 | kubelb.useIngressClass | bool | `true` | useIngressClass specifies whether to target resources with `kubelb` ingress class or all resources. |
diff --git a/charts/kubelb-ccm/templates/clusterrole.yaml b/charts/kubelb-ccm/templates/clusterrole.yaml
index 50e072d..bc597fc 100644
--- a/charts/kubelb-ccm/templates/clusterrole.yaml
+++ b/charts/kubelb-ccm/templates/clusterrole.yaml
@@ -43,6 +43,16 @@ rules:
 - get
 - list
 - watch
+ - patch
+ - update
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gateways/status
+ verbs:
+ - get
+ - update
+ - patch
 {{- end }}
 {{- if not .Values.kubelb.disableGRPCRouteController }}
 - apiGroups:
@@ -53,6 +63,16 @@ rules:
 - get
 - list
 - watch
+ - patch
+ - update
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - grpcroutes/status
+ verbs:
+ - get
+ - update
+ - patch
 {{- end }}
 {{- if not .Values.kubelb.disableHTTPRouteController }}
 - apiGroups:
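Review bot: In the first clusterrole.yaml hunk the `gateways` rule gains `patch` and `update` on the main resource on top of the new `gateways/status` rule, so the CCM service account can now rewrite the spec of every Gateway in the cluster instead of only reporting status. If the controller only writes status, the `/status` rule is sufficient and the main-resource rule can stay at `get`, `list`, `watch`. If it also needs to modify metadata (not visible in this diff), a comment above the rule such as `# update/patch: required because the controller modifies object metadata` would make the grant reviewable. The same widening is repeated for `grpcroutes`, `httproutes` and `ingresses` in the following hunks of this file, in config/ccm/rbac/role.yaml, and in the `+kubebuilder:rbac` markers of the four CCM controllers.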
@@ -63,6 +83,16 @@ rules:
 - get
 - list
 - watch
+ - patch
+ - update
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - httproutes/status
+ verbs:
+ - get
+ - update
+ - patch
 {{- end }}
 {{- end }}
 {{- if not .Values.kubelb.disableIngressController }}
@@ -74,6 +104,16 @@ rules:
 - get
 - list
 - watch
+ - patch
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - get
+ - update
+ - patch
 {{- end }}
 {{ if .Values.kubelb.enableSecretSynchronizer -}}
 - apiGroups:
@@ -88,6 +128,14 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets/finalizers
+ verbs:
+ - get
+ - update
+ - patch
 {{- end }}
 - apiGroups:
 - kubelb.k8c.io
diff --git a/charts/kubelb-ccm/templates/deployment.yaml b/charts/kubelb-ccm/templates/deployment.yaml
index e69dfaf..2aff422 100644
--- a/charts/kubelb-ccm/templates/deployment.yaml
+++ b/charts/kubelb-ccm/templates/deployment.yaml
@@ -31,18 +31,7 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --v=0
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- name: kube-rbac-proxy
- ports:
- - protocol: TCP
- containerPort: 8443
- name: https
- - name: {{ .Chart.Name }}
+ - name: ccm
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -81,10 +70,6 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- ports:
- - name: http
- containerPort: {{ .Values.service.port }}
- protocol: TCP
 livenessProbe:
 httpGet:
 path: /healthz
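Review bot: The new `secrets/finalizers` rule in the last clusterrole.yaml hunk (`@@ -88,6 +128,14 @@`) lists `get` and `patch` alongside `update`, which is more than this subresource normally needs. As far as I know the API server's owner-reference permission check only consults `update` on `<resource>/finalizers`, so `- update` alone would be the least-privilege form. No matching `secrets/finalizers` rule appears in the config/ccm/rbac/role.yaml hunks of this commit, so it is worth checking that the chart and the generated role do not drift apart.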
@@ -105,6 +90,17 @@ spec:
 {{- with .Values.extraVolumeMounts }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --v=0
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: kube-rbac-proxy
+ ports:
+ - protocol: TCP
+ containerPort: 8443
+ name: https
 volumes:
 - name: kubelb-cluster
 secret:
diff --git a/charts/kubelb-ccm/values.yaml b/charts/kubelb-ccm/values.yaml
index daab091..1a06691 100644
--- a/charts/kubelb-ccm/values.yaml
+++ b/charts/kubelb-ccm/values.yaml
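Review bot: The re-added `kube-rbac-proxy` container carries no `securityContext` and no `resources`, while the main container in the same pod takes `.Values.securityContext`, so the sidecar runs with whatever the runtime defaults allow. Giving the sidecar the same `securityContext:` block followed by `{{- toYaml .Values.securityContext | nindent 12 }}` would close that gap. Its image is also hard-coded as `gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0`, a mutable tag on a registry path that, as far as I know, the Kubebuilder project has announced it will stop serving. Exposing the image through values and pinning it by digest would make it replaceable and verifiable. The kubelb-manager deployment.yaml hunk `@@ -77,6 +62,17 @@` re-adds the identical block.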
@@ -13,19 +13,22 @@ kubelb: # -- Name of the secret that contains kubeconfig for the loadbalancer cluster clusterSecretName: kubelb-cluster - # -- Enable the leader election. - enableLeaderElection: true - nodeAddressType: InternalIP + # Important configurations. + # Address type to use for routing traffic to node ports. Values are ExternalIP, InternalIP. + nodeAddressType: ExternalIP + # -- useLoadBalancerClass specifies whether to target services of type LoadBalancer with `kubelb` load balancer class or all services of type LoadBalancer. + useLoadBalancerClass: false + # -- disableGatewayAPI specifies whether to disable the Gateway API and Gateway Controllers. + disableGatewayAPI: false # -- Enable to automatically convert Secrets labelled with `kubelb.k8c.io/managed-by: kubelb` to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way. enableSecretSynchronizer: false + + # -- Enable the leader election. + enableLeaderElection: true # -- useIngressClass specifies whether to target resources with `kubelb` ingress class or all resources. useIngressClass: true # -- useGatewayClass specifies whether to target resources with `kubelb` gateway class or all resources. useGatewayClass: true - # -- useLoadBalancerClass specifies whether to target services of type LoadBalancer with `kubelb` load balancer class or all services of type LoadBalancer. - useLoadBalancerClass: false - # -- disableGatewayAPI specifies whether to disable the Gateway API and Gateway Controllers. - disableGatewayAPI: false # -- disableIngressController specifies whether to disable the Ingress Controller. disableIngressController: false # -- disableGatewayController specifies whether to disable the Gateway Controller. diff --git a/charts/kubelb-manager/README.md b/charts/kubelb-manager/README.md index 41c3dd4..02842df 100644 --- a/charts/kubelb-manager/README.md +++ b/charts/kubelb-manager/README.md 
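Review bot: Flipping the default `nodeAddressType` to `ExternalIP` changes behaviour for every upgrade that keeps default values: traffic for node ports would then be sent to the nodes' external addresses, which presumably requires those ports to be reachable from outside the node network. That deserves an explicit upgrade note, or the default should stay `InternalIP` with `ExternalIP` as opt-in. The new comment also lacks the `# -- ` prefix the other keys use, which is presumably why the README row for `kubelb.nodeAddressType` still has an empty description. Suggested form: `# -- Address type used to route traffic to node ports: ExternalIP or InternalIP.`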
@@ -35,7 +35,7 @@ helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml --c
 | image.repository | string | `"quay.io/kubermatic/kubelb-manager"` | |
 | image.tag | string | `"v1.0.0"` | |
 | imagePullSecrets | list | `[]` | |
-| kubelb.debug | bool | `false` | |
+| kubelb.debug | bool | `true` | |
 | kubelb.enableLeaderElection | bool | `true` | |
 | kubelb.envoyProxy.affinity | object | `{}` | |
 | kubelb.envoyProxy.nodeSelector | object | `{}` | |
diff --git a/charts/kubelb-manager/templates/deployment.yaml b/charts/kubelb-manager/templates/deployment.yaml
index 62248f2..29a8336 100644
--- a/charts/kubelb-manager/templates/deployment.yaml
+++ b/charts/kubelb-manager/templates/deployment.yaml
@@ -31,18 +31,7 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --v=0
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- name: kube-rbac-proxy
- ports:
- - protocol: TCP
- containerPort: 8443
- name: https
- - name: {{ .Chart.Name }}
+ - name: manager
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -55,10 +44,6 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- ports:
- - name: http
- containerPort: {{ .Values.service.port }}
- protocol: TCP
 livenessProbe:
 httpGet:
 path: /healthz
@@ -77,6 +62,17 @@ spec:
 volumeMounts:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --v=0
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: kube-rbac-proxy
+ ports:
+ - protocol: TCP
+ containerPort: 8443
+ name: https
 {{- with .Values.volumes }}
 volumes:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/kubelb-manager/values.yaml b/charts/kubelb-manager/values.yaml index 08607f6..b40edd0 100644 --- a/charts/kubelb-manager/values.yaml +++ b/charts/kubelb-manager/values.yaml @@ -8,7 +8,7 @@ imagePullSecrets: [] kubelb: enableLeaderElection: true - debug: false + debug: true # -- Set to true to skip the generation of the Config CR. Useful when the config CR needs to be managed manually. skipConfigGeneration: false envoyProxy: diff --git a/cmd/kubelb/main.go b/cmd/kubelb/main.go index 1d71aaa..d9eb143 100644 --- a/cmd/kubelb/main.go +++ b/cmd/kubelb/main.go @@ -73,7 +73,7 @@ func main() { flag.BoolVar(&opt.enableLeaderElection, "enable-leader-election", true, "Enable leader election for controller kubelb. Enabling this will ensure there is only one active controller kubelb.") flag.BoolVar(&opt.enableDebugMode, "debug", false, "Enables debug mode") - flag.StringVar(&opt.namespace, "namespace", "", "The namespace where the controller will run.") + flag.StringVar(&opt.namespace, "namespace", "kubelb", "The namespace where the controller will run.") flag.BoolVar(&opt.enableTenantMigrationController, "enable-tenant-migration", true, "Enables a controller that performs automated migration from namespaces to tenants") flag.BoolVar(&opt.disableGatewayAPI, "disable-gateway-api", false, "Disable the Gateway APIs and controllers.") diff --git a/config/ccm/rbac/role.yaml b/config/ccm/rbac/role.yaml index 23cf58e..311ab0b 100644 --- a/config/ccm/rbac/role.yaml +++ b/config/ccm/rbac/role.yaml @@ -50,7 +50,17 @@ rules: verbs: - get - list + - patch + - update - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update - apiGroups: - gateway.networking.k8s.io resources: 
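Review bot: `debug: true` as the chart default in charts/kubelb-manager/values.yaml turns debug mode on for every install that does not override it, while the binary's own default in the main.go hunk of this commit stays `false`. Debug logging in a controller that handles tenant kubeconfigs and synced secrets is better left opt-in, and this looks like a leftover from local testing. I would keep `debug: false` and add a `# -- Enables debug mode (verbose logging); leave off in production.` comment so the README row gets a description.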
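Review bot: Defaulting `-namespace` to `"kubelb"` in the cmd/kubelb/main.go hunk makes a forgotten flag indistinguishable from a deliberate choice, so a manager deployed into another namespace would silently act on `kubelb` instead of failing. The chart's deployment already injects the pod namespace through `fieldRef: metadata.namespace`, so the hard-coded fallback presumably only matters for out-of-chart runs, where a wrong namespace is hardest to notice. I would keep the empty default, mark the flag as required in its help text, and reject an empty value after flag parsing with something like `if opt.namespace == "" { setupLog.Error(nil, "--namespace is required"); os.Exit(1) }`, using whatever logger main already has. The rest of `main` lies outside the hunk, so existing validation there could not be checked.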
@@ -58,7 +68,17 @@ rules:
 verbs:
 - get
 - list
+ - patch
+ - update
 - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - grpcroutes/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - gateway.networking.k8s.io
 resources:
@@ -66,7 +86,17 @@ rules:
 verbs:
 - get
 - list
+ - patch
+ - update
 - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - httproutes/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - kubelb.k8c.io
 resources:
@@ -106,4 +136,14 @@ rules:
 verbs:
 - get
 - list
+ - patch
+ - update
 - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/go.mod b/go.mod
index 8a9c83e..ff92392 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 k8s.io/client-go v0.30.3
 k8s.io/code-generator v0.30.3
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
- sigs.k8s.io/controller-runtime v0.18.4
+ sigs.k8s.io/controller-runtime v0.18.5
 sigs.k8s.io/gateway-api v1.1.0
 sigs.k8s.io/yaml v1.4.0
 )
@@ -35,7 +35,7 @@ require (
 github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/emicklei/go-restful/v3 v3.12.1 // indirect
- github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 github.com/fsnotify/fsnotify v1.7.0 // indirect
 github.com/go-logr/zapr v1.3.0 // indirect
@@ -64,27 +64,27 @@ require ( github.com/rogpeppe/go-internal v1.12.0 // indirect github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect - golang.org/x/mod v0.19.0 // indirect - golang.org/x/net v0.27.0 // indirect - golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.22.0 // indirect - golang.org/x/term v0.22.0 // indirect - golang.org/x/text v0.16.0 // indirect - golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.23.0 // indirect + golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect + golang.org/x/mod v0.20.0 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/oauth2 v0.22.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/term v0.23.0 // indirect + golang.org/x/text v0.17.0 // indirect + golang.org/x/time v0.6.0 // indirect + golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.30.3 // indirect - k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 // indirect + k8s.io/gengo/v2 v2.0.0-20240812201722-3b05ca7b6e59 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kube-openapi v0.0.0-20240730131305-7a9a4e85957e // indirect + k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f // indirect sigs.k8s.io/json 
v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/go.sum b/go.sum index a80c131..6e8d082 100644 --- a/go.sum +++ b/go.sum @@ -18,8 +18,8 @@ github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtz github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= -github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= -github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= 
@@ -69,8 +69,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.1-0.20210504230335-f78f29fc09ea h1:VcIYpAGBae3Z6BVncE0OnTE/ZjlDXqtYhOZky88neLM= github.com/google/gofuzz v1.2.1-0.20210504230335-f78f29fc09ea/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 
@@ -103,8 +103,8 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= -github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/ginkgo/v2 v2.20.0 h1:PE84V2mHqoT1sglvHc8ZdQtPcwmvvt29WLEEO3xmdZw= +github.com/onsi/ginkgo/v2 v2.20.0/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= 
@@ -142,28 +142,28 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= -golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.27.0 
h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= -golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= +golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -174,33 +174,33 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= +golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= -golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= +golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools 
v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf h1:GillM0Ef0pkZPIB+5iO6SDK+4T9pf6TpaYR6ICD5rVE= -google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:OFMYQFHJ4TM3JRlWDZhJbZfra2uqc3WLBZiaaqP4DtU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf h1:liao9UHurZLtiEwBgT9LMOnKYsHze6eA6w1KQCMVN2Q= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988 h1:+/tmTy5zAieooKIXfzDm9KiA3Bv6JBwriRN9LY+yayk= 
+google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988/go.mod h1:4+X6GvPs+25wZKbQq9qyAXrwIRExv7w0Ea6MgZLZiDM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988 h1:V71AcdLZr2p8dC9dbOIMCpqi4EmRl8wUwnJzXXLmbmc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 
@@ -239,16 +239,16 @@ k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/code-generator v0.30.3 h1:bmtnLJKagDS5f5uOEpLyJiDfIMKXGMKgOLBdde+w0Mc= k8s.io/code-generator v0.30.3/go.mod h1:PFgBiv+miFV7TZYp+RXgROkhA+sWYZ+mtpbMLofMke8= -k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 h1:NGrVE502P0s0/1hudf8zjgwki1X/TByhmAoILTarmzo= -k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8= +k8s.io/gengo/v2 v2.0.0-20240812201722-3b05ca7b6e59 h1:PfhT3P5Y7psqhl0D77Rj2B7RH77eid/wBttxlMTxXag= +k8s.io/gengo/v2 v2.0.0-20240812201722-3b05ca7b6e59/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240730131305-7a9a4e85957e h1:OnKkExfhk4yxMqvBSPzUfhv3zQ96FWJ+UOZzLrAFyAo= -k8s.io/kube-openapi v0.0.0-20240730131305-7a9a4e85957e/go.mod h1:0CVn9SVo8PeW5/JgsBZZIFmmTk5noOM8WXf2e1tCihE= +k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f h1:bnWtxXWdAl5bVOCEPoNdvMkyj6cTW3zxHuwKIakuV9w= +k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f/go.mod h1:G0W3eI9gG219NHRq3h5uQaRBl4pj4ZpwzRP5ti8y770= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw= -sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.18.5 h1:nTHio/W+Q4aBlQMgbnC5hZb4IjIidyrizMai9P6n4Rk= +sigs.k8s.io/controller-runtime v0.18.5/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= 
sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/hack/verify-licenses.sh b/hack/verify-licenses.sh index deac23f..d71426d 100755 --- a/hack/verify-licenses.sh +++ b/hack/verify-licenses.sh @@ -19,7 +19,7 @@ set -euo pipefail cd $(dirname $0)/.. source hack/lib.sh -CONTAINERIZE_IMAGE=quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-11 containerize ./hack/verify-licenses.sh +CONTAINERIZE_IMAGE=quay.io/kubermatic/build:go-1.22-node-20-kind-0.23-12 containerize ./hack/verify-licenses.sh go mod vendor diff --git a/internal/controllers/ccm/gateway_controller.go b/internal/controllers/ccm/gateway_controller.go index c1a3e33..9f29ab6 100644 --- a/internal/controllers/ccm/gateway_controller.go +++ b/internal/controllers/ccm/gateway_controller.go @@ -66,7 +66,8 @@ type GatewayReconciler struct { // +kubebuilder:rbac:groups="",resources=services/status,verbs=get // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=routes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=routes/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update;patch func (r *GatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { log := r.Log.WithValues("name", req.NamespacedName) diff --git a/internal/controllers/ccm/gateway_grpcroute_controller.go b/internal/controllers/ccm/gateway_grpcroute_controller.go index e3f609a..33b03c3 100644 --- a/internal/controllers/ccm/gateway_grpcroute_controller.go +++ b/internal/controllers/ccm/gateway_grpcroute_controller.go 
@@ -67,7 +67,8 @@ type GRPCRouteReconciler struct { // +kubebuilder:rbac:groups="",resources=services/status,verbs=get // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=routes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=routes/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=grpcroutes,verbs=get;list;watch +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=grpcroutes,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=grpcroutes/status,verbs=get;update;patch func (r *GRPCRouteReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { log := r.Log.WithValues("name", req.NamespacedName) diff --git a/internal/controllers/ccm/gateway_httproute_controller.go b/internal/controllers/ccm/gateway_httproute_controller.go index 5d3145e..58888c0 100644 --- a/internal/controllers/ccm/gateway_httproute_controller.go +++ b/internal/controllers/ccm/gateway_httproute_controller.go @@ -67,7 +67,8 @@ type HTTPRouteReconciler struct { // +kubebuilder:rbac:groups="",resources=services/status,verbs=get // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=routes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=routes/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes/status,verbs=get;update;patch func (r *HTTPRouteReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { log := r.Log.WithValues("name", req.NamespacedName) diff --git a/internal/controllers/ccm/ingress_controller.go b/internal/controllers/ccm/ingress_controller.go index b02baa9..11adf4a 100644 
--- a/internal/controllers/ccm/ingress_controller.go +++ b/internal/controllers/ccm/ingress_controller.go @@ -69,7 +69,8 @@ type IngressReconciler struct { // +kubebuilder:rbac:groups="",resources=services/status,verbs=get // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=routes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=routes/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch +// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses/status,verbs=get;update;patch func (r *IngressReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { log := r.Log.WithValues("name", req.NamespacedName) diff --git a/internal/controllers/kubelb/resources/tenant/rbac.go b/internal/controllers/kubelb/resources/tenant/rbac.go index 256a70e..7e6073e 100644 --- a/internal/controllers/kubelb/resources/tenant/rbac.go +++ b/internal/controllers/kubelb/resources/tenant/rbac.go @@ -43,7 +43,7 @@ func RoleReconciler() reconciling.NamedRoleReconcilerFactory { r.Rules = []rbacv1.PolicyRule{ { APIGroups: []string{"kubelb.k8c.io"}, - Resources: []string{"loadbalancers,routes,addresses"}, + Resources: []string{"loadbalancers", "routes", "addresses", "syncsecrets"}, Verbs: []string{ "create", "update", @@ -56,7 +56,7 @@ func RoleReconciler() reconciling.NamedRoleReconcilerFactory { }, { APIGroups: []string{"kubelb.k8c.io"}, - Resources: []string{"loadbalancers/status,routes/status,addresses/status"}, + Resources: []string{"loadbalancers/status", "routes/status", "addresses/status", "syncsecrets/status"}, Verbs: []string{ "update", "get", diff --git a/internal/controllers/kubelb/resources/tenant/secret.go b/internal/controllers/kubelb/resources/tenant/secret.go index 3008519..d159566 100644 
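Review bot: This rule only starts to take effect with this change, because the old single element `"loadbalancers,routes,addresses"` names no real resource, so the verb list (which continues outside the hunk) was never actually granted to tenants. `syncsecrets` is added in the same step and presumably carries secret data, so it is worth confirming that the full verb set is intended for it; otherwise it should get its own rule with a narrower list. The second hunk (`*/status`) has the same shape. A comment above `Resources` such as `// one element per resource: a comma-joined string matches nothing` would keep the original mistake from coming back.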
--- a/internal/controllers/kubelb/resources/tenant/secret.go +++ b/internal/controllers/kubelb/resources/tenant/secret.go @@ -45,7 +45,7 @@ func TenantKubeconfigSecretReconciler(data string) reconciling.NamedSecretReconc return func() (string, reconciling.SecretReconciler) { return KubeLBCCMKubeconfigSecretName, func(s *corev1.Secret) (*corev1.Secret, error) { s.Data = map[string][]byte{ - "kubeconfig": []byte(data), + "kubelb": []byte(data), } return s, nil } diff --git a/internal/controllers/kubelb/tenant_controller.go b/internal/controllers/kubelb/tenant_controller.go index 479f180..df92f99 100644 --- a/internal/controllers/kubelb/tenant_controller.go +++ b/internal/controllers/kubelb/tenant_controller.go @@ -20,8 +20,11 @@ import ( "bytes" "context" "encoding/base64" + "errors" "fmt" "html/template" + "net" + "strconv" "github.com/go-logr/logr" @@ -36,6 +39,8 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/rest" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" "k8s.io/client-go/tools/record" ctrl "sigs.k8s.io/controller-runtime" ctrlclient "sigs.k8s.io/controller-runtime/pkg/client" @@ -45,8 +50,11 @@ import ( ) const ( - TenantControllerName = "tenant-controller" - tenantNamespacePattern = "tenant-%s" + TenantControllerName = "tenant-controller" + tenantNamespacePattern = "tenant-%s" + configMapName = "cluster-info" + kubernetesEndpointsName = "kubernetes" + securePortName = "https" ) const kubeconfigTemplate = `apiVersion: v1 @@ -128,7 +136,7 @@ func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr return reconcile.Result{}, err } -func (r *TenantReconciler) reconcile(ctx context.Context, _ logr.Logger, tenant *kubelbv1alpha1.Tenant) error { +func (r *TenantReconciler) reconcile(ctx context.Context, log logr.Logger, tenant *kubelbv1alpha1.Tenant) error { ownerReference := metav1.OwnerReference{ APIVersion: tenant.APIVersion, Kind: tenant.Kind, 
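Review bot: Renaming the data key from `"kubeconfig"` to `"kubelb"` removes the old key on the next reconcile, because `s.Data` is replaced wholesale. Anything still reading `kubeconfig` from this secret would then find it missing; the consumers are not visible in this diff. The key is a contract with whatever mounts the secret, so it would be safer as a named constant next to `KubeLBCCMKubeconfigSecretName`, for example `const KubeLBCCMKubeconfigSecretKey = "kubelb"`, with a comment saying which consumer depends on it. The enclosing function starts outside the hunk.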
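Review bot: `html/template` remains in the import list of tenant_controller.go (context line of the first import hunk) while this commit starts feeding a server URL read from a ConfigMap into the generated kubeconfig. The rendering code is outside the hunk, but if the kubeconfig is produced with that package, the values are HTML-escaped (`+` becomes `&#43;`, `&` becomes `&amp;`), which can silently corrupt base64 data or a URL. For non-HTML output the import should be `"text/template"`, with the inserted values quoted or validated before rendering.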
@@ -182,7 +190,7 @@ func (r *TenantReconciler) reconcile(ctx context.Context, _ logr.Logger, tenant } // 4. Create secret with kubeconfig for the tenant. - tenantKubeconfig, err := r.generateKubeconfig(ctx, r.Client, namespace) + tenantKubeconfig, err := r.generateKubeconfig(ctx, r.Client, log, namespace) if err != nil { return fmt.Errorf("failed to generate kubeconfig: %w", err) } @@ -199,7 +207,7 @@ func (r *TenantReconciler) reconcile(ctx context.Context, _ logr.Logger, tenant return nil } -func (r *TenantReconciler) generateKubeconfig(ctx context.Context, client ctrlruntimeclient.Client, namespace string) (string, error) { +func (r *TenantReconciler) generateKubeconfig(ctx context.Context, client ctrlruntimeclient.Client, log logr.Logger, namespace string) (string, error) { secret := corev1.Secret{} err := client.Get(ctx, types.NamespacedName{Namespace: namespace, Name: tenantresources.ServiceAccountTokenSecretName}, &secret) if err != nil { @@ -207,6 +215,17 @@ func (r *TenantReconciler) generateKubeconfig(ctx context.Context, client ctrlru } serverURL := r.Config.Host + conf, err := GetKubeconfig(ctx, client, log) + if err != nil || conf == nil { + return "", fmt.Errorf("failed to compute the server URL for kubeconfig: %w", err) + } + for key := range conf.Clusters { + if conf.Clusters[key].Server != "" { + serverURL = conf.Clusters[key].Server + break + } + } + ca := secret.Data[corev1.ServiceAccountRootCAKey] token := secret.Data[corev1.ServiceAccountTokenKey] 
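Review bot: The server URL in the `@@ -207,6 +215,17 @@` hunk is picked by ranging over `conf.Clusters`, and Go map iteration order is random, so a cluster-info kubeconfig with more than one cluster can yield a different server on each reconcile. In the same block, `err != nil || conf == nil` wraps a nil error with `%w` when only `conf` is nil, which prints `%!w(<nil>)`. The chosen value is also written into the tenant kubeconfig, next to the service-account token, without checking that it is an `https` URL. The sketch below splits the two checks and walks the cluster names in sorted order; it needs `sort` in the import block. generateKubeconfig starts and ends outside the hunk.

```go
conf, err := GetKubeconfig(ctx, client, log)
if err != nil {
	return "", fmt.Errorf("failed to compute the server URL for kubeconfig: %w", err)
}
if conf == nil {
	return "", errors.New("failed to compute the server URL for kubeconfig: no cluster configuration found")
}

// Map iteration order is random; sort the names so every reconcile picks the same server.
names := make([]string, 0, len(conf.Clusters))
for name := range conf.Clusters {
	names = append(names, name)
}
sort.Strings(names)
for _, name := range names {
	if c := conf.Clusters[name]; c != nil && strings.HasPrefix(c.Server, "https://") {
		serverURL = c.Server
		break
	}
}
// … unchanged: ca and token are read from the secret …
```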
@@ -242,6 +261,76 @@ func (r *TenantReconciler) generateKubeconfig(ctx context.Context, client ctrlru return buf.String(), nil } +func GetKubeconfig(ctx context.Context, client ctrlruntimeclient.Client, log logr.Logger) (*clientcmdapi.Config, error) { + cm, err := getKubeconfigFromConfigMap(ctx, client) + if err != nil { + log.V(3).Info(fmt.Sprintf("could not get cluster-info kubeconfig from configmap: %v", err)) + log.V(3).Info("falling back to retrieval via endpoint") + return buildKubeconfigFromEndpoint(ctx, client) + } + return cm, nil +} + +func getKubeconfigFromConfigMap(ctx context.Context, client ctrlruntimeclient.Client) (*clientcmdapi.Config, error) { + cm := &corev1.ConfigMap{} + if err := client.Get(ctx, types.NamespacedName{Name: configMapName, Namespace: metav1.NamespacePublic}, cm); err != nil { + return nil, err + } + + data, found := cm.Data["kubeconfig"] + if !found { + return nil, errors.New("no kubeconfig found in cluster-info configmap") + } + return clientcmd.Load([]byte(data)) +} + +func buildKubeconfigFromEndpoint(ctx context.Context, client ctrlruntimeclient.Client) (*clientcmdapi.Config, error) { + endpoint := &corev1.Endpoints{} + if err := client.Get(ctx, types.NamespacedName{Name: kubernetesEndpointsName, Namespace: metav1.NamespaceDefault}, endpoint); err != nil { + return nil, err + } + + if len(endpoint.Subsets) == 0 { + return nil, errors.New("no subsets in the kubernetes endpoints resource") + } + subset := endpoint.Subsets[0] + + if len(subset.Addresses) == 0 { + return nil, errors.New("no addresses in the first subset of the kubernetes endpoints resource") + } + address := subset.Addresses[0] + + ip := net.ParseIP(address.IP) + if ip == nil { + return nil, errors.New("could not parse ip from ") + } + + getSecurePort := func(_ corev1.EndpointSubset) *corev1.EndpointPort { + for _, p := range subset.Ports { + if p.Name == securePortName { + return &p + } + } + return nil + } + + port := getSecurePort(subset) + if port == nil { + 
return nil, errors.New("no secure port in the subset") + } + url := fmt.Sprintf("https://%s", net.JoinHostPort(ip.String(), strconv.Itoa(int(port.Port)))) + + return &clientcmdapi.Config{ + Kind: "Config", + APIVersion: "v1", + Clusters: map[string]*clientcmdapi.Cluster{ + "": { + Server: url, + }, + }, + }, nil +} + func (r *TenantReconciler) cleanup(ctx context.Context, tenant *kubelbv1alpha1.Tenant) (ctrl.Result, error) { namespace := fmt.Sprintf(tenantNamespacePattern, tenant.Name) for _, resource := range tenantresources.Deletion(namespace) { diff --git a/kubelb.dockerfile b/kubelb.dockerfile index cdcafdc..197daa5 100644 --- a/kubelb.dockerfile +++ b/kubelb.dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM docker.io/golang:1.22.5 as builder +FROM docker.io/golang:1.22.6 as builder WORKDIR /workspace # Copy the Go Modules manifests
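Review bot: The error in buildKubeconfigFromEndpoint, `errors.New("could not parse ip from ")`, ends mid-sentence and drops the value that failed; `fmt.Errorf("could not parse ip from %q", address.IP)` would make the failure diagnosable. The `getSecurePort` closure declares a parameter it ignores (`_ corev1.EndpointSubset`) and reads the captured `subset` instead, so the argument at the call site has no effect; either use the parameter or inline the loop. GetKubeconfig falls back to the endpoint on every error from the ConfigMap read, including a malformed kubeconfig, and reports it only at `V(3)`, so a broken `cluster-info` would go unnoticed. GetKubeconfig is exported and should also carry a doc comment, for example `// GetKubeconfig returns the cluster-info kubeconfig from kube-public, or one built from the default/kubernetes Endpoints if that cannot be read.`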