diff --git a/README.md b/README.md
index aea04063..9ba8f4ea 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,8 @@ When deploying the multicluster gateway controller using the make targets, the f
 * go >= 1.21
 ### 1. Running the controller in the cluster:
-1. Set up your DNS Provider by following these [steps](./docs/dnspolicy/dns-provider.md)
+[//]: # (ToD mnairn)
+[//]: # (1. Set up your DNS Provider by following these [steps](./docs/dnspolicy/dns-provider.md))
 1. Setup your local environment
 ```sh
@@ -63,7 +64,9 @@ When deploying the multicluster gateway controller using the make targets, the f
 ```
 ## 2. Running the controller locally:
-1. Set up your DNS Provider by following these [steps](./docs/dnspolicy/dns-provider.md)
+
+[//]: # (ToD mnairn)
+[//]: # (1. Set up your DNS Provider by following these [steps](./docs/dnspolicy/dns-provider.md))
 1. Setup your local environment
diff --git a/cmd/gateway_controller/main.go b/cmd/gateway_controller/main.go
index a97ebdf8..6ca936b9 100644
--- a/cmd/gateway_controller/main.go
+++ b/cmd/gateway_controller/main.go
@@ -20,7 +20,6 @@ import (
 "flag"
 "os"
- certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 clusterv1 "open-cluster-management.io/api/cluster/v1"
 clusterv1beta2 "open-cluster-management.io/api/cluster/v1beta1"
 workv1 "open-cluster-management.io/api/work/v1"
@@ -54,7 +53,6 @@ var (
 func init() {
 utilruntime.Must(clientgoscheme.AddToScheme(scheme.Scheme))
- utilruntime.Must(certmanv1.AddToScheme(scheme.Scheme))
 utilruntime.Must(gatewayapiv1.AddToScheme(scheme.Scheme))
 utilruntime.Must(clusterv1beta2.AddToScheme(scheme.Scheme))
 utilruntime.Must(workv1.AddToScheme(scheme.Scheme))
diff --git a/config/samples/kuadrant.io_v1alpha1_tlspolicy.yaml b/config/samples/kuadrant.io_v1alpha1_tlspolicy.yaml
deleted file mode 100644
index 1ad5b032..00000000
--- a/config/samples/kuadrant.io_v1alpha1_tlspolicy.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kuadrant.io/v1alpha1
-kind: TLSPolicy
-metadata:
- labels:
- app.kubernetes.io/name: tlspolicy
- app.kubernetes.io/instance: tlspolicy-sample
- app.kubernetes.io/part-of: tmp
- app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: tmp
- name: tlspolicy-sample
-spec:
- targetRef:
- name: prod-web
- group: gateway.networking.k8s.io
- kind: Gateway
- issuerRef:
- group: cert-manager.io
- kind: ClusterIssuer
- name: glbc-ca
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index 77be0875..7bc47462 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -1,4 +1,3 @@
 ## Append samples you want in your CSV to this file as resources ##
 resources:
 # Used as examples in kuadrant-operator bundle
-- kuadrant.io_v1alpha1_tlspolicy.yaml
diff --git a/docs/dnspolicy/dns-health-checks.md b/docs/dnspolicy/dns-health-checks.md
deleted file mode 100644
index da4b2eda..00000000
--- a/docs/dnspolicy/dns-health-checks.md
+++ /dev/null
@@ -1,129 +0,0 @@ -# DNS Health Checks -DNS Health Checks are a crucial tool for ensuring the availability and reliability of your multi-cluster applications. Kuadrant offers a powerful feature known as DNSPolicy, which allows you to configure and verify health checks for DNS endpoints. This guide provides a comprehensive overview of how to set up, utilize, and understand DNS health checks. - -## Video Overview - - -## What are DNS Health Checks? -DNS Health Checks are a way to assess the availability and health of DNS endpoints associated with your applications. These checks involve sending periodic requests to the specified endpoints to determine their responsiveness and health status. by configuring these checks via the [DNSPolicy](./dnspolicy.md), you can ensure that your applications are correctly registered, operational, and serving traffic as expected. - -## Configuration of Health Checks ->Note: By default, health checks occur at 60-second intervals. - -To configure a DNS health check, you need to specify the `healthCheck` section of the DNSPolicy. The key part of this configuration is the `healthCheck` section, which includes important properties such as: - -* `allowInsecureCertificates`: Added for development environments, allows health probes to not fail when finding an invalid (e.g. self-signed) certificate. -* `additionalHeadersRef`: This refers to a secret that holds extra headers for the probe to send, often containing important elements like authentication tokens. -* `endpoint`: This is the path where the health checks take place, usually represented as '/healthz' or something similar. -* `expectedResponses`: This setting lets you specify the expected HTTP response codes. If you don't set this, the default values assumed are 200 and 201. -* `failureThreshold`: It's the number of times the health check can fail for the endpoint before it's marked as unhealthy. 
-* `interval`: This property allows you to specify the time interval between consecutive health checks. The minimum allowed value is 5 seconds. -* `port`: Specific port for the connection to be checked. -* `protocol`: Type of protocol being used, like HTTP or HTTPS. **(Required)** - - -```bash -kubectl apply -f - < See [the Multicluster Gateways walkthrough](../how-to/multicluster-gateways-walkthrough.md) for step by step -instructions on deploying these with a simple application. - -## Steps - -The DNSPolicy will target the existing Multi Cluster Gateway, resulting in the -creation of DNS Records for each of the Gateway listeners backed by a managed zone, -ensuring traffic reaches the correct gateway instances and is balanced across them, as well as optional DNS health checks and load balancing. - -In order to enable basic DNS, create a minimal DNSPolicy resource - -```yaml -apiVersion: kuadrant.io/v1alpha1 -kind: DNSPolicy -metadata: - name: basic-dnspolicy - namespace: -spec: - targetRef: - name: - group: gateway.networking.k8s.io - kind: Gateway -``` - -Once created, the multi-cluster Gateway Controller will reconcile the DNS records. -By default it will setup a round robin / evenly weighted set of records to ensure a balance of traffic across each provisioned gateway instance. You can see the status by querying the DNSRecord resources. - -```sh -kubectl get dnsrecords -A -``` - -The DNS records will be propagated in a few minutes, and the application will -be available through the defined hosts. - -## Advanced DNS configuration - -The DNSPolicy supports other optional configuration options like geographic and -weighted load balancing and health checks. For more detailed information about these options, see [DNSPolicy](./dnspolicy.md) \ No newline at end of file diff --git a/docs/dnspolicy/dnspolicy.md b/docs/dnspolicy/dnspolicy.md deleted file mode 100644 index b2b86ccc..00000000 --- a/docs/dnspolicy/dnspolicy.md +++ /dev/null 
@@ -1,284 +0,0 @@ -# Kuadrant DNSPolicy - -The DNSPolicy is a [GatewayAPI](https://gateway-api.sigs.k8s.io/) policy that uses `Direct Policy Attachment` as defined in the [policy attachment mechanism](https://gateway-api.sigs.k8s.io/v1alpha2/references/policy-attachment/) standard. -This policy is used to provide dns management for gateway listeners by managing the lifecycle of dns records in external dns providers such as AWS Route53 and Google DNS. - -## Overview Video - - -## How it works - -A DNSPolicy and its targeted Gateway API networking resource contain all the statements to configure both the ingress gateway and the external DNS service. -The needed dns names are gathered from the listener definitions and the IPAdresses | CNAME hosts are gathered from the status block of the gateway resource. - -### The DNSPolicy custom resource - -#### Overview - -The `DNSPolicy` spec includes the following parts: - -* A reference to an existing Gateway API resource (`spec.targetRef`) -* DNS Routing Strategy (`spec.routingStrategy`) -* LoadBalancing specification (`spec.loadBalancing`) -* HealthCheck specification (`spec.healthCheck`) - -#### High-level example and field definition - -```yaml -apiVersion: kuadrant.io/v1alpha1 -kind: DNSPolicy -metadata: - name: my-dns-policy -spec: - # reference to an existing networking resource to attach the policy to - # it can only be a Gateway API Gateway resource - # it can only refer to objects in the same namespace as the DNSPolicy - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: mygateway - - # (optional) routing strategy to use when creating DNS records, defaults to `loadbalanced` - # determines what DNS records are created in the DNS provider - # check out Kuadrant RFC 0005 https://github.com/Kuadrant/architecture/blob/main/rfcs/0005-single-cluster-dnspolicy.md to learn more about the Routing Strategy field - # One-of: simple, loadbalanced. 
- routingStrategy: loadbalanced - - # (optional) loadbalancing specification - # use it for providing the specification of how dns will be configured in order to provide balancing of load across multiple clusters when using the `loadbalanced` routing strategy - # Primary use of this is for multi cluster deployments - # check out Kuadrant RFC 0003 https://github.com/Kuadrant/architecture/blob/main/rfcs/0003-dns-policy.md to learn more about the options that can be used in this field - loadBalancing: - # (optional) weighted specification - # use it to control the weight value applied to records - weighted: - # use it to change the weight of a record based on labels applied to the target meta resource i.e. Gateway in a single cluster context or ManagedCluster in multi cluster with OCM - custom: - - weight: 200 - selector: - matchLabels: - kuadrant.io/lb-attribute-custom-weight: AWS - # (optional) weight value that will be applied to weighted dns records by default. Integer greater than 0 and no larger than the maximum value accepted by the target dns provider, defaults to `120` - defaultWeight: 100 - # (optional) geo specification - # use it to control the geo value applied to records - geo: - # (optional) default geo to be applied to records - defaultGeo: IE - - # (optional) health check specification - # health check probes with the following specification will be created for each DNS target - # check out [DNS Health Checks](./dns-health-checks.md) to learn more about the HealthChecks that can be used in this field - healthCheck: - allowInsecureCertificates: true - endpoint: / - expectedResponses: - - 200 - - 201 - - 301 - failureThreshold: 5 - port: 443 - protocol: https -``` - -Check out the [API reference](../reference/dnspolicy.md) for a full specification of the DNSPolicy CRD. 
- -## Using the DNSPolicy - -### DNS Provider and ManagedZone Setup - -A DNSPolicy acts against a target Gateway by processing its listeners for hostnames that it can create dns records for. -In order for it to do this, it must know about dns providers, and what domains these dns providers are currently hosting. -This is done through the creation of ManagedZones and dns provider secrets containing the credentials for the dns provider account. - -If for example a Gateway is created with a listener with a hostname of `echo.apps.hcpapps.net`: -```yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: my-gw -spec: - listeners: - - allowedRoutes: - namespaces: - from: All - name: api - hostname: echo.apps.hcpapps.net - port: 80 - protocol: HTTP -``` - -In order for the DNSPolicy to act upon that listener, a ManagedZone must exist for that hostnames' domain. - -```yaml -apiVersion: kuadrant.io/v1alpha1 -kind: ManagedZone -metadata: - name: apps.hcpapps.net -spec: - domainName: apps.hcpapps.net - description: "apps.hcpapps.net managed domain" - dnsProviderSecretRef: - name: my-aws-credentials -``` - -The managed zone references a secret containing the external DNS provider services credentials. - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: my-aws-credentials - namespace: -data: - AWS_ACCESS_KEY_ID: - AWS_REGION: - AWS_SECRET_ACCESS_KEY: -type: kuadrant.io/aws -``` - -### Targeting a Gateway networking resource - -When a DNSPolicy targets a Gateway, the policy will be enforced on all gateway listeners that have a matching ManagedZone. - -Target a Gateway by setting the `spec.targetRef` field of the DNSPolicy as follows: - -```yaml -apiVersion: kuadrant.io/v1beta2 -kind: DNSPolicy -metadata: - name: -spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: -``` - -### DNSRecord Resource - -The DNSPolicy will create a DNSRecord resource for each listener hostname with a suitable ManagedZone configured. 
The DNSPolicy resource uses the status of the Gateway to determine what dns records need to be created based on the clusters it has been placed onto. - -Given the following multi cluster gateway status: -```yaml -status: - addresses: - - type: kuadrant.io/MultiClusterIPAddress - value: kind-mgc-workload-1/172.31.201.1 - - type: kuadrant.io/MultiClusterIPAddress - value: kind-mgc-workload-2/172.31.202.1 - listeners: - - attachedRoutes: 1 - conditions: [] - name: kind-mgc-workload-1.api - supportedKinds: [] - - attachedRoutes: 1 - conditions: [] - name: kind-mgc-workload-2.api - supportedKinds: [] -``` - -A DNSPolicy targeting this gateway would create an appropriate DNSRecord based on the routing strategy selected. - -#### loadbalanced -```yaml -apiVersion: kuadrant.io/v1alpha1 -kind: DNSRecord -metadata: - name: echo.apps.hcpapps.net - namespace: -spec: - endpoints: - - dnsName: 24osuu.lb-2903yb.echo.apps.hcpapps.net - recordTTL: 60 - recordType: A - targets: - - 172.31.202.1 - - dnsName: default.lb-2903yb.echo.apps.hcpapps.net - providerSpecific: - - name: weight - value: "120" - recordTTL: 60 - recordType: CNAME - setIdentifier: 24osuu.lb-2903yb.echo.apps.hcpapps.net - targets: - - 24osuu.lb-2903yb.echo.apps.hcpapps.net - - dnsName: default.lb-2903yb.echo.apps.hcpapps.net - providerSpecific: - - name: weight - value: "120" - recordTTL: 60 - recordType: CNAME - setIdentifier: lrnse3.lb-2903yb.echo.apps.hcpapps.net - targets: - - lrnse3.lb-2903yb.echo.apps.hcpapps.net - - dnsName: echo.apps.hcpapps.net - recordTTL: 300 - recordType: CNAME - targets: - - lb-2903yb.echo.apps.hcpapps.net - - dnsName: lb-2903yb.echo.apps.hcpapps.net - providerSpecific: - - name: geo-country-code - value: '*' - recordTTL: 300 - recordType: CNAME - setIdentifier: default - targets: - - default.lb-2903yb.echo.apps.hcpapps.net - - dnsName: lrnse3.lb-2903yb.echo.apps.hcpapps.net - recordTTL: 60 - recordType: A - targets: - - 172.31.201.1 - managedZone: - name: apps.hcpapps.net -``` - -After 
DNSRecord reconciliation the listener hostname should be resolvable through dns: - -```bash -dig echo.apps.hcpapps.net +short -lb-2903yb.echo.apps.hcpapps.net. -default.lb-2903yb.echo.apps.hcpapps.net. -lrnse3.lb-2903yb.echo.apps.hcpapps.net. -172.31.201.1 -``` - -#### simple -```yaml -apiVersion: kuadrant.io/v1alpha1 -kind: DNSRecord -metadata: - name: echo.apps.hcpapps.net - namespace: -spec: - endpoints: - - dnsName: echo.apps.hcpapps.net - recordTTL: 60 - recordType: A - targets: - - 172.31.201.1 - - 172.31.202.1 - managedZone: - name: apps.hcpapps.net -``` - -After DNSRecord reconciliation the listener hostname should be resolvable through dns: - -```bash -dig echo.apps.hcpapps.net +short -172.31.201.1 -``` - -More information about the dns record structure can be found in the [DNSRecord structure](../proposals/DNSRecordStructure.md) document. - -### Examples - -Check out the following user guides for examples of using the Kuadrant DNSPolicy: -* [Multicluster LoadBalanced DNSPolicy](../how-to/multicluster-loadbalanced-dnspolicy.md) - -### Known limitations - -* One Gateway can only be targeted by one DNSPolicy. -* DNSPolicies can only target Gateways defined within the same namespace of the DNSPolicy. diff --git a/docs/how-to/multicluster-loadbalanced-dnspolicy.md b/docs/how-to/multicluster-loadbalanced-dnspolicy.md index 25d52a46..60155604 100644 --- a/docs/how-to/multicluster-loadbalanced-dnspolicy.md +++ b/docs/how-to/multicluster-loadbalanced-dnspolicy.md @@ -111,7 +111,8 @@ The health check section is optional, the following fields are available: - `port`: The port to connect to - `protocol`: The protocol to use for this connection -For more information about DNS Health Checks, see [this guide](../dnspolicy/dns-health-checks.md). +[//]: # (ToDo mnairn) +[//]: # (For more information about DNS Health Checks, see [this guide](../dnspolicy/dns-health-checks.md).) #### Checking status of health checks To list all health checks: 
diff --git a/docs/installation/control-plane-installation.md b/docs/installation/control-plane-installation.md
index 9651dd16..4733f13b 100644
--- a/docs/installation/control-plane-installation.md
+++ b/docs/installation/control-plane-installation.md
@@ -10,7 +10,9 @@ This guide will show you how to install and configure the Multi-Cluster Gateway
 - Any number of additional **spoke clusters** that have been configured as OCM [ManagedClusters](https://open-cluster-management.io/concepts/managedcluster/)
 - [Kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) (>= v1.14.0)
 - Either a pre-existing [cert-manager](https://cert-manager.io/)(>=v1.12.2) installation _or_ the [Kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/) and [Helm](https://helm.sh/docs/intro/quickstart/#install-helm) CLIs installed
-- Amazon Web services (AWS) and or Google cloud provider (GCP) credentials. See the [DNS Provider](../dnspolicy/dns-provider.md) guide for obtaining these credentials.
+
+[//]: # (ToDo mnairn)
+[//]: # (- Amazon Web services (AWS) and or Google cloud provider (GCP) credentials. See the [DNS Provider](../dnspolicy/dns-provider.md) guide for obtaining these credentials.)
 ## Configure OCM with RawFeedbackJsonString Feature Gate
@@ -83,7 +85,8 @@ gatewayclass.gateway.networking.k8s.io/kuadrant-multi-cluster-gateway-instance-p
 ## Creating a ManagedZone
-**Note:** :exclamation: To manage the creation of DNS records, MGC uses [ManagedZone](../managed-zone.md) resources. A `ManagedZone` can be configured to use DNS Zones on both AWS (Route53), and GCP (Cloud DNS). Commands to create each are provided below.
+[//]: # (ToDo mnairn)
+[//]: # (**Note:** :exclamation: To manage the creation of DNS records, MGC uses [ManagedZone](../managed-zone.md) resources. A `ManagedZone` can be configured to use DNS Zones on both AWS (Route53), and GCP (Cloud DNS). Commands to create each are provided below. )
 First, depending on the provider you would like to use export the [environment variables detailed here](https://docs.kuadrant.io/getting-started/#config) in a terminal session.
diff --git a/docs/managed-zone.md b/docs/managed-zone.md
deleted file mode 100644
index ab7f297a..00000000
--- a/docs/managed-zone.md
+++ /dev/null
@@ -1,87 +0,0 @@ -# Creating and using a ManagedZone resource. - -## What is a ManagedZone -A ManagedZone is a reference to a [DNS zone](https://en.wikipedia.org/wiki/DNS_zone). -By creating a ManagedZone we are instructing the MGC about a domain or subdomain that can be used as a host by any gateways in the same namespace. -These gateways can use a subdomain of the ManagedZone. - -If a gateway attempts to a use a domain as a host, and there is no matching ManagedZone for that host, then that host on that gateway will fail to function. - -A gateway's host will be matched to any ManagedZone that the host is a subdomain of, i.e. `test.api.hcpapps.net` will be matched by any ManagedZone (in the same namespace) of: `test.api.hcpapps.net`, `api.hcpapps.net` or `hcpapps.net`. - -When MGC wants to create the DNS Records for a host, it will create them in the most exactly matching ManagedZone. -e.g. given the zones `hcpapps.net` and `api.hcpapps.net` the DNS Records for the host `test.api.hcpapps.net` will be created in the `api.hcpapps.net` zone. - -### Delegation -Delegation allows you to give control of a subdomain of a root domain to MGC while the root domain has it's DNS zone elsewhere. - -In the scenario where a root domain has a zone outside Route53, e.g. `external.com`, and a ManagedZone for `delegated.external.com` is required, the following steps can be taken: -- Create the ManagedZone for `delegated.external.com` and wait until the status is updated with an array of nameservers (e.g. `ns1.hcpapps.net`, `ns2.hcpapps.net`). -- Copy these nameservers to your root zone for `external.com`, you can create a NS record for each nameserver against the `delegated.external.com` record. - -For example: -``` -delegated.external.com. 3600 IN NS ns1.hcpapps.net. -delegated.external.com. 3600 IN NS ns2.hcpapps.net. -``` - -Now, when MGC creates a DNS record in it's Route53 zone for `delegated.external.com`, it will be resolved correctly. 
-### Creating a ManagedZone -To create a `ManagedZone`, you will first need to create a DNS provider Secret. To create one, see our [DNS Provider](dnspolicy/dns-provider.md) setup guide, and make note of your provider's secret name. - - -#### Example ManagedZone -To create a bew `ManagedZone` with AWS Route, with a DNS Provider secret named `my-aws-credentials`: - -```bash -kubectl apply -f - < | diff --git a/docs/reference/managedzone.md b/docs/reference/managedzone.md deleted file mode 100644 index b6e2a607..00000000 --- a/docs/reference/managedzone.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# The ManagedZone Custom Resource Definition (CRD) - -- [ManagedZone](#ManagedZone) -- [ManagedZoneSpec](#managedzonespec) -- [ManagedZoneStatus](#managedzonestatus) - -## ManagedZone - -| **Field** | **Type** | **Required** | **Description** | -|-----------|-------------------------------------|:------------:|------------------------------------------------| -| `spec` | [ManagedZoneSpec](#managedzonespec) | Yes | The specification for ManagedZone custom resource | -| `status` | [ManagedZoneStatus](#managedzonestatus) | No | The status for the custom resource | - -## ManagedZoneSpec - -| **Field** | **Type** | **Required** | **Description** | -|------------------------|------------------------------------------------|:------------:|--------------------------------------------------------------------------| -| `id` | String | No | ID is the provider assigned id of this zone (i.e. route53.HostedZone.ID) | -| `domainName` | String | Yes | Domain name of this ManagedZone | -| `description` | String | No | Description for this ManagedZone | -| `parentManagedZone` | [ManagedZoneReference](#managedzonereference) | No | Reference to another managed zone that this managed zone belongs to | -| `dnsProviderSecretRef` | [SecretRef](#secretref) | No | Reference to a secret containing provider credentials | - -## ManagedZoneReference - -| **Field** | **Type** | **Required** | **Description** | -|--------------|----------|:------------:|-------------------------| -| `name` | String | Yes | Name of a managed zone | - -## SecretRef - -| **Field** | **Type** | **Required** | **Description** | -|--------------|----------|:------------:|-------------------------| -| `name` | String | Yes | Name of the secret | -| `namespace` | String | Yes | Namespace of the secret | - - -## ManagedZoneStatus - -| **Field** | **Type** | **Description** | 
-|----------------------|------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------| -| `observedGeneration` | String | Number of the last observed generation of the resource. Use it to check if the status info is up to date with latest resource spec | -| `conditions` | [][Kubernetes meta/v1.Condition](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Condition) | List of conditions that define that status of the resource | -| `id` | String | The ID assigned by this provider for this zone (i.e. route53.HostedZone.ID) | -| `recordCount` | Number | The number of records in the provider zone | -| `nameServers` | []String | The NameServers assigned by the provider for this zone (i.e. route53.DelegationSet.NameServers) | diff --git a/docs/reference/tlspolicy.md b/docs/reference/tlspolicy.md deleted file mode 100644 index f2ce4416..00000000 --- a/docs/reference/tlspolicy.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# The TLSPolicy Custom Resource Definition (CRD) - -- [TLSPolicy](#TLSPolicy) -- [TLSPolicySpec](#tlspolicyspec) -- [TLSPolicyStatus](#tlspolicystatus) - -## TLSPolicy - -| **Field** | **Type** | **Required** | **Description** | -|-----------|-------------------------------------|:------------:|-------------------------------------------------| -| `spec` | [TLSPolicySpec](#tlspolicyspec) | Yes | The specification for TLSPolicy custom resource | -| `status` | [TLSPolicyStatus](#tlspolicystatus) | No | The status for the custom resource | - -## TLSPolicySpec - -| **Field** | **Type** | **Required** | **Description** | -|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|:------------:|--------------------------------------------------------------------------------------------------------------------------------------------------| -| `targetRef` | [Gateway API PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/?h=policytargetreference#policy-targetref-api) | Yes | Reference to a Kuberentes resource that the policy attaches to | -| `issuerRef` | [CertManager meta/v1.ObjectReference](https://cert-manager.io/v1.13-docs/reference/api-docs/#meta.cert-manager.io/v1.ObjectReference) | Yes | IssuerRef is a reference to the issuer for the created certificate | -| `commonName` | String | No | CommonName is a common name to be used on the created certificate | -| `duration` | [Kubernetes meta/v1.Duration](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration) | No | The requested 'duration' (i.e. lifetime) of the created certificate. | -| `renewBefore` | [Kubernetes meta/v1.Duration](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration) | No | How long before the currently issued certificate's expiry cert-manager should renew the certificate. 
| -| `usages` | [][CertManager v1.KeyUsage](https://cert-manager.io/v1.13-docs/reference/api-docs/#cert-manager.io/v1.KeyUsage) | No | Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified | -| `revisionHistoryLimit` | Number | No | RevisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history | -| `privateKey` | [CertManager meta/v1.CertificatePrivateKey](https://cert-manager.io/v1.13-docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey) | No | Options to control private keys used for the Certificate | - - -**IssuerRef certmanmetav1.ObjectReference** - -## TLSPolicyStatus - -| **Field** | **Type** | **Description** | -|----------------------|-----------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------| -| `observedGeneration` | String | Number of the last observed generation of the resource. Use it to check if the status info is up to date with latest resource spec. | -| `conditions` | [][Kubernetes meta/v1.Condition](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Condition) | List of conditions that define that status of the resource. | diff --git a/docs/tlspolicy/tls-policy.md b/docs/tlspolicy/tls-policy.md deleted file mode 100644 index d62f23c5..00000000 --- a/docs/tlspolicy/tls-policy.md +++ /dev/null 
@@ -1,179 +0,0 @@ -# TLS Policy - -The TLSPolicy is a [GatewayAPI](https://gateway-api.sigs.k8s.io/) policy that uses `Direct Policy Attachment` as defined in the [policy attachment mechanism](https://gateway-api.sigs.k8s.io/v1alpha2/references/policy-attachment/) standard. -This policy is used to provide tls for gateway listeners by managing the lifecycle of tls certificates using [`CertManager`](https://cert-manager.io), and is a policy implementation of [`securing gateway resources`](https://cert-manager.io/docs/usage/gateway/). - -## Terms - -- [`GatewayAPI`](https://gateway-api.sigs.k8s.io/): resources that model service networking in Kubernetes. -- [`Gateway`](https://gateway-api.sigs.k8s.io/api-types/gateway/): Kubernetes Gateway resource. -- [`CertManager`](https://cert-manager.io): X.509 certificate management for Kubernetes and OpenShift. -- [`TLSPolicy`](https://github.com/Kuadrant/multicluster-gateway-controller/blob/main/config/crd/bases/kuadrant.io_tlspolicies.yaml): Kuadrant policy for managing tls certificates with certificate manager. - - -## TLS Provider Setup - -A TLSPolicy acts against a target Gateway by processing its listeners for appropriately configured [tls sections](https://cert-manager.io/docs/usage/gateway/#generate-tls-certs-for-selected-tls-blocks). - -If for example a Gateway is created with a listener with a hostname of `echo.apps.hcpapps.net`: -```yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: prod-web - namespace: multi-cluster-gateways -spec: - gatewayClassName: kuadrant-multi-cluster-gateway-instance-per-cluster - listeners: - - allowedRoutes: - namespaces: - from: All - name: api - hostname: echo.apps.hcpapps.net - port: 443 - protocol: HTTPS - tls: - mode: Terminate - certificateRefs: - - name: apps-hcpapps-tls - kind: Secret -``` - -## TLSPolicy creation and attachment - -The TLSPolicy requires a reference to an existing [CertManager Issuer](https://cert-manager.io/docs/configuration/). 
-If we create a [self-signed cluster](https://cert-manager.io/docs/configuration/selfsigned/) issuer with the following: - -```yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: selfsigned-cluster-issuer -spec: - selfSigned: {} -``` - -We can then create and attach a TLSPolicy to start managing tls certificates for it: - -```yaml -apiVersion: kuadrant.io/v1alpha1 -kind: TLSPolicy -metadata: - name: prod-web - namespace: multi-cluster-gateways -spec: - targetRef: - name: prod-web - group: gateway.networking.k8s.io - kind: Gateway - issuerRef: - group: cert-manager.io - kind: ClusterIssuer - name: selfsigned-cluster-issuer -``` - -### Target Reference -- `targetRef` field is taken from [policy attachment's target reference API](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api). It can only target one resource at a time. Fields included inside: -- `Group` is the group of the target resource. Only valid option is `gateway.networking.k8s.io`. -- `Kind` is kind of the target resource. Only valid options are `Gateway`. -- `Name` is the name of the target resource. -- `Namespace` is the namespace of the referent. Currently only local objects can be referred so value is ignored. - -### Issuer Reference -- `issuerRef` field is required and is a reference to a [CertManager Issuer](https://cert-manager.io/docs/configuration/). Fields included inside: -- `Group` is the group of the target resource. Only valid option is `cert-manager.io`. -- `Kind` is kind of issuer. Only valid options are `Issuer` and `ClusterIssuer`. -- `Name` is the name of the target issuer. 
- -The example TLSPolicy shown above would create a [CertManager Certificate](https://cert-manager.io/docs/usage/certificate/) like the following: -```yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - gateway: prod-web - gateway-namespace: multi-cluster-gateways - kuadrant.io/tlspolicy: prod-web - kuadrant.io/tlspolicy-namespace: multi-cluster-gateways - name: apps-hcpapps-tls - namespace: multi-cluster-gateways -spec: - dnsNames: - - echo.apps.hcpapps.net - issuerRef: - group: cert-manager.io - kind: ClusterIssuer - name: selfsigned-cluster-issuer - secretName: apps-hcpapps-tls - secretTemplate: - labels: - gateway: prod-web - gateway-namespace: multi-cluster-gateways - kuadrant.io/tlspolicy: prod-web - kuadrant.io/tlspolicy-namespace: multi-cluster-gateways - usages: - - digital signature - - key encipherment -``` - -And valid tls secrets generated and synced out to workload clusters: - -```bash -kubectl get secrets -A | grep apps-hcpapps-tls -kuadrant-multi-cluster-gateways apps-hcpapps-tls kubernetes.io/tls 3 6m42s -multi-cluster-gateways apps-hcpapps-tls kubernetes.io/tls 3 7m12s -``` - -## Let's Encrypt Issuer for Route53 hosted domain - -Any type of Issuer that is supported by CertManager can be referenced in the TLSPolicy. The following shows how you would create a TLSPolicy that uses [let's encypt](https://letsencrypt.org/) to create production certs for a domain hosted in AWS Route53. 
-
-Create a secret containing AWS access key and secret:
-```bash
-kubectl create secret generic le-aws-credentials --from-literal=AWS_ACCESS_KEY_ID= --from-literal=AWS_SECRET_ACCESS_KEY= -n multi-cluster-gateways
-```
-
-Create a new Issuer:
-```yaml
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: le-production
- namespace: multi-cluster-gateways
-spec:
- acme:
- email:
- preferredChain: ""
- privateKeySecretRef:
- name: le-production
- server: https://acme-v02.api.letsencrypt.org/directory
- solvers:
- - dns01:
- route53:
- hostedZoneID:
- region: us-east-1
- accessKeyIDSecretRef:
- key: AWS_ACCESS_KEY_ID
- name: le-aws-credentials
- secretAccessKeySecretRef:
- key: AWS_SECRET_ACCESS_KEY
- name: le-aws-credentials
-```
-
-Create a TLSPolicy:
-```yaml
-apiVersion: kuadrant.io/v1alpha1
-kind: TLSPolicy
-metadata:
- name: prod-web
- namespace: multi-cluster-gateways
-spec:
- targetRef:
- name: prod-web
- group: gateway.networking.k8s.io
- kind: Gateway
- issuerRef:
- group: cert-manager.io
- kind: Issuer
- name: le-production
-```
diff --git a/go.mod b/go.mod
index 05e51515..dc98dd53 100644
--- a/go.mod
+++ b/go.mod
@@ -3,11 +3,11 @@ module github.com/Kuadrant/multicluster-gateway-controller
 go 1.21
 require (
+ github.com/cert-manager/cert-manager v1.12.1
 github.com/go-logr/logr v1.3.0
 github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e
- github.com/jetstack/cert-manager v1.7.1
 github.com/kuadrant/kuadrant-dns-operator v0.0.0-20240202223525-b889335b228f
- github.com/kuadrant/kuadrant-operator v0.1.1-0.20231114121136-3136ed961c70
+ github.com/kuadrant/kuadrant-operator v0.1.1-0.20240209142724-e9841f4646b5
 github.com/onsi/ginkgo/v2 v2.13.2
 github.com/onsi/gomega v1.30.0
 github.com/operator-framework/api v0.17.5
@@ -59,6 +59,7 @@ require ( github.com/kuadrant/authorino-operator v0.9.0 // indirect github.com/kuadrant/limitador-operator v0.7.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect + github.com/martinlindhe/base36 v1.1.1 // indirect github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect @@ -66,10 +67,12 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.17.0 // indirect github.com/prometheus/client_model v0.5.0 // indirect github.com/prometheus/common v0.45.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect + github.com/rogpeppe/go-internal v1.11.0 // indirect github.com/shopspring/decimal v1.3.1 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cast v1.6.0 // indirect @@ -116,4 +119,4 @@ replace maistra.io/istio-operator => github.com/maistra/istio-operator v0.0.0-20 replace github.com/imdario/mergo => dario.cat/mergo v0.3.5 -replace github.com/kuadrant/kuadrant-operator => /home/mnairn/go/src/github.com/kuadrant/kuadrant-operator +//replace github.com/kuadrant/kuadrant-operator => /home/mnairn/go/src/github.com/kuadrant/kuadrant-operator diff --git a/go.sum b/go.sum index 1bc57ca1..7291f7d4 100644 --- a/go.sum +++ b/go.sum 
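Review bot: The local `replace github.com/kuadrant/kuadrant-operator => /home/mnairn/go/src/...` directive at the end of the last hunk is commented out instead of deleted, leaving a developer's home path in the committed go.mod. A path `replace` silently substitutes whatever is checked out on one machine for the pinned module, bypassing the version and go.sum checksum this same diff just updated, so it should not survive in the repository even as a comment where it can be uncommented by habit; delete the line and keep such overrides in an uncommitted `go.work` or local edit. With the line gone, the new `github.com/kuadrant/kuadrant-operator v0.1.1-0.20240209142724-e9841f4646b5` requirement and its go.sum entries are the single source of truth for what gets built.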
@@ -14,6 +14,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/cert-manager/cert-manager v1.12.1 h1:QA8/diGdInzBRhqiyTITPC+wI9FaXbgOAAT3Dwe9KZE= +github.com/cert-manager/cert-manager v1.12.1/go.mod h1:ql0msU88JCcQSceN+PFjEY8U+AMe13y06vO2klJk8bs= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= @@ -81,8 +83,6 @@ github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e/go.mod h1:A github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/jetstack/cert-manager v1.7.1 h1:qIIP0RN5FzBChJLJ3uGCGJmdAAonwDMdcsJExATa64I= -github.com/jetstack/cert-manager v1.7.1/go.mod h1:xj0TPp31HE0Jub5mNOnF3Fp3XvhIsiP+tsPZVOmU/Qs= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= 
@@ -103,10 +103,14 @@ github.com/kuadrant/authorino-operator v0.9.0 h1:EV7zrYBNcd53HPQMivvTwe/+DIATTK7 github.com/kuadrant/authorino-operator v0.9.0/go.mod h1:VkUqS4CHNiaHMrjSFQ5V71DN829kPnqT3FQxqlOntEI= github.com/kuadrant/kuadrant-dns-operator v0.0.0-20240202223525-b889335b228f h1:kRhKt1sW8ZqZlEasTGb1aX6xrEutBU1Ef+P4stf3bhY= github.com/kuadrant/kuadrant-dns-operator v0.0.0-20240202223525-b889335b228f/go.mod h1:OyP8aXe7uOCP8PKMhd6JXPSUyzcNkztriNDeyearp4M= +github.com/kuadrant/kuadrant-operator v0.1.1-0.20240209142724-e9841f4646b5 h1:rOrDnotBP/RaDSPH8LZFEVvPQJjCgzSKItNiSYbixls= +github.com/kuadrant/kuadrant-operator v0.1.1-0.20240209142724-e9841f4646b5/go.mod h1:+3rMBY0qtJw52Uu00lJS5EihXKjWKXKNUXW/qVzlEm0= github.com/kuadrant/limitador-operator v0.7.0 h1:pLIpM6vUxAY/Jn6ny61IGpqS7Oti786duBzJ67DJOuA= github.com/kuadrant/limitador-operator v0.7.0/go.mod h1:tg+G+3eTzUUfvUmdbiqH3FnScEPSWZ3DmorD1ZAx1bo= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/martinlindhe/base36 v1.1.1 h1:1F1MZ5MGghBXDZ2KJ3QfxmiydlWOGB8HCEtkap5NkVg= +github.com/martinlindhe/base36 v1.1.1/go.mod h1:vMS8PaZ5e/jV9LwFKlm0YLnXl/hpOihiBxKkIoc3g08= github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= 
@@ -137,8 +141,9 @@ github.com/operator-framework/api v0.17.5/go.mod h1:l/cuwtPxkVUY7fzYgdust2m9tlmb github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= 
@@ -147,8 +152,8 @@ github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lne github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= diff --git a/hack/make/addon.make b/hack/make/addon.make index 5cff2471..966173d9 100644 --- a/hack/make/addon.make +++ b/hack/make/addon.make @@ -5,7 +5,7 @@ build-addon-manager: manifests generate fmt vet ## Build ocm binary. go build -o bin/addon-manager ./cmd/ocm/main.go .PHONY: run-addon-manager -run-addon-manager: manifests generate fmt vet install +run-addon-manager: manifests generate fmt vet go run ./cmd/ocm/main.go diff --git a/pkg/controllers/gateway/gateway_controller.go b/pkg/controllers/gateway/gateway_controller.go index df570c30..002a5216 100644 --- a/pkg/controllers/gateway/gateway_controller.go +++ b/pkg/controllers/gateway/gateway_controller.go 
@@ -48,6 +48,8 @@ import ( "sigs.k8s.io/controller-runtime/pkg/reconcile" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" + "github.com/kuadrant/kuadrant-operator/pkg/multicluster" + "github.com/Kuadrant/multicluster-gateway-controller/pkg/_internal/gracePeriod" "github.com/Kuadrant/multicluster-gateway-controller/pkg/_internal/metadata" "github.com/Kuadrant/multicluster-gateway-controller/pkg/_internal/slice" @@ -219,7 +221,7 @@ func (r *GatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct } for _, address := range addresses { log.V(3).Info("checking address type for mapping", "address.Type", address.Type) - addressType, supported := AddressTypeToMultiCluster(address) + addressType, supported := multicluster.AddressTypeToMultiCluster(address) if !supported { continue // ignore address type gatewayapiv1.NamedAddressType. Unsupported for multi cluster gateway } @@ -276,7 +278,7 @@ func (r *GatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct func (r *GatewayReconciler) reconcileClusterLabels(ctx context.Context, gateway *gatewayapiv1.Gateway, clusters []string) error { //Remove all existing clusters.kuadrant.io labels for key := range gateway.Labels { - if strings.HasPrefix(key, ClustersLabelPrefix) { + if strings.HasPrefix(key, multicluster.ClustersLabelPrefix) { delete(gateway.Labels, key) } } @@ -293,7 +295,7 @@ func (r *GatewayReconciler) reconcileClusterLabels(ctx context.Context, gateway if !found { continue } - gateway.Labels[ClustersLabelPrefix+cluster+"_"+attribute] = value + gateway.Labels[multicluster.ClustersLabelPrefix+cluster+"_"+attribute] = value } } return nil 
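Review bot: `multicluster.AddressTypeToMultiCluster(address)` in the `for _, address := range addresses` loop replaces a local helper that dereferenced `*address.Type` with no nil check (the deleted copy is visible further down this diff), and nothing at the call site guards `address.Type` before the call. If the kuadrant-operator copy at the pinned pseudo-version keeps that unguarded dereference, a Gateway address whose Type is unset would panic the reconciler on every requeue; I could not confirm the upstream body from here. A call-site guard keeps the controller safe either way: `if address.Type == nil { continue }` immediately before the conversion, or substitute `gatewayapiv1.IPAddressType` if that matches the API's documented default for the field. The enclosing Reconcile starts and ends outside this hunk.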
@@ -567,33 +569,3 @@ func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager, ctx context.Conte })). Complete(r) } - -//ToDo These need to be exposed by the kuadrant operator DNSPolicy APIs - -const ( - ClustersLabelPrefix = "clusters." + LabelPrefix - MultiClusterIPAddressType gatewayapiv1.AddressType = LabelPrefix + "MultiClusterIPAddress" - MultiClusterHostnameAddressType gatewayapiv1.AddressType = LabelPrefix + "MultiClusterHostnameAddress" -) - -// AddressTypeToMultiCluster returns a multi cluster version of the address type -// and a bool to indicate that provided address type was converted. If not - original type is returned -func AddressTypeToMultiCluster(address gatewayapiv1.GatewayAddress) (gatewayapiv1.AddressType, bool) { - if *address.Type == gatewayapiv1.IPAddressType { - return MultiClusterIPAddressType, true - } else if *address.Type == gatewayapiv1.HostnameAddressType { - return MultiClusterHostnameAddressType, true - } - return *address.Type, false -} - -// AddressTypeToSingleCluster converts provided multicluster address to single cluster version -// the bool indicates a successful conversion -func AddressTypeToSingleCluster(address gatewayapiv1.GatewayAddress) (gatewayapiv1.AddressType, bool) { - if *address.Type == MultiClusterIPAddressType { - return gatewayapiv1.IPAddressType, true - } else if *address.Type == MultiClusterHostnameAddressType { - return gatewayapiv1.HostnameAddressType, true - } - return *address.Type, false -} diff --git a/test/e2e/gateway_single_spoke_test.go b/test/e2e/gateway_single_spoke_test.go index 815369a2..e33293ef 100644 --- a/test/e2e/gateway_single_spoke_test.go +++ b/test/e2e/gateway_single_spoke_test.go 
@@ -11,8 +11,8 @@ import ( "strings" "time" - certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" - certmanmetav1 "github.com/jetstack/cert-manager/pkg/apis/meta/v1" + certmanv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + certmanmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" . "github.com/onsi/gomega/gstruct" diff --git a/test/gateway_integration/suite_test.go b/test/gateway_integration/suite_test.go index 764c42d1..24c98a18 100644 --- a/test/gateway_integration/suite_test.go +++ b/test/gateway_integration/suite_test.go @@ -39,7 +39,6 @@ import ( . "github.com/Kuadrant/multicluster-gateway-controller/pkg/controllers/gateway" "github.com/Kuadrant/multicluster-gateway-controller/pkg/placement" - //"github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1" //+kubebuilder:scaffold:imports ) @@ -101,9 +100,6 @@ var _ = BeforeSuite(func() { err = gatewayapiv1.AddToScheme(scheme.Scheme) Expect(err).NotTo(HaveOccurred()) - // err = certman.AddToScheme(scheme.Scheme) - // Expect(err).NotTo(HaveOccurred()) - err = ocmworkv1.AddToScheme(scheme.Scheme) Expect(err).NotTo(HaveOccurred()) diff --git a/test/util/helper.go b/test/util/helper.go index 0dcb801a..98b0c97c 100644 --- a/test/util/helper.go +++ b/test/util/helper.go @@ -6,7 +6,7 @@ import ( "strings" "testing" - certman "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + certman "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" corev1 "k8s.io/api/core/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -19,20 +19,14 @@ import ( ) const ( - Domain = "thecat.com" - ValidTestHostname = "boop." + Domain - ValidTestWildcard = "*." + Domain - FailFetchDANSSubdomain = "failfetch" - FailCreateDNSSubdomain = "failcreate" - FailEnsureCertHost = "failCreateCert" + "." + Domain - FailGetCertSecretName = "fail-fail" - FailEndpointsHostname = "failEndpoints" + "." + Domain - FailPlacementHostname = "failPlacement" + "." + Domain - Cluster = "test_cluster_one" - Namespace = "boop-namespace" - DummyCRName = "boop" - Placement = "placement" - TLSSecretName = "test-tls-cert" + Domain = "thecat.com" + ValidTestHostname = "boop." + Domain + FailPlacementHostname = "failPlacement" + "." + Domain + Cluster = "test_cluster_one" + Namespace = "boop-namespace" + DummyCRName = "boop" + Placement = "placement" + TLSSecretName = "test-tls-cert" ) func BuildValidTestRequest(name, ns string) ctrl.Request { @@ -87,28 +81,6 @@ func AssertNoErrorReconciliation() func(res ctrl.Result, err error, t *testing.T } } -func AssertErrorReconciliation(expectedError string) func(res ctrl.Result, err error, t *testing.T) { - return func(res ctrl.Result, err error, t *testing.T) { - if (expectedError == "") != (err == nil) { - t.Errorf("expected error %s but got %s", expectedError, err) - } - if err != nil && !strings.Contains(err.Error(), expectedError) { - t.Errorf("expected error to be %s but got %s", expectedError, err) - } - } -} - -func AssertError(expectedError string) func(t *testing.T, err error) { - return func(t *testing.T, err error) { - if (expectedError == "") != (err == nil) { - t.Errorf("expected error %s but got %s", expectedError, err) - } - if err != nil && !strings.Contains(err.Error(), expectedError) { - t.Errorf("expected error to be %s but got %s", expectedError, err) - } - } -} - func GetValidTestClient(initLists ...client.ObjectList) client.WithWatch { return fake.NewClientBuilder(). WithStatusSubresource(&gatewayapiv1.Gateway{}, &gatewayapiv1.GatewayClass{}). 
diff --git a/test/util/suite_config.go b/test/util/suite_config.go index 308fa123..bbf57c43 100644 --- a/test/util/suite_config.go +++ b/test/util/suite_config.go @@ -9,8 +9,8 @@ import ( "os" "strconv" + certmanv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" "github.com/goombaio/namegenerator" - certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" ocmclusterv1 "open-cluster-management.io/api/cluster/v1" ocmclusterv1beta1 "open-cluster-management.io/api/cluster/v1beta1" ocmclusterv1beta2 "open-cluster-management.io/api/cluster/v1beta2" diff --git a/test/util/test_dnspolicy_types.go b/test/util/test_dnspolicy_types.go deleted file mode 100644 index df0d0745..00000000 --- a/test/util/test_dnspolicy_types.go +++ /dev/null 
@@ -1,131 +0,0 @@ -//go:build unit || integration || e2e - -package testutil - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" - gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - - kuadrantdnsv1alpha1 "github.com/kuadrant/kuadrant-dns-operator/api/v1alpha1" - kuadrantv1alpha1 "github.com/kuadrant/kuadrant-operator/api/v1alpha1" -) - -// DNSPolicyBuilder wrapper for DNSPolicy builder helper -type DNSPolicyBuilder struct { - *kuadrantv1alpha1.DNSPolicy -} - -func NewDNSPolicyBuilder(name, ns string) *DNSPolicyBuilder { - return &DNSPolicyBuilder{ - &kuadrantv1alpha1.DNSPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: ns, - }, - Spec: kuadrantv1alpha1.DNSPolicySpec{}, - }, - } -} - -func (t *DNSPolicyBuilder) WithTargetRef(targetRef gatewayapiv1alpha2.PolicyTargetReference) *DNSPolicyBuilder { - t.Spec.TargetRef = targetRef - return t -} - -func (t *DNSPolicyBuilder) WithHealthCheck(healthCheck kuadrantv1alpha1.HealthCheckSpec) *DNSPolicyBuilder { - t.Spec.HealthCheck = &healthCheck - return t -} - -func (t *DNSPolicyBuilder) WithLoadBalancing(loadBalancing kuadrantv1alpha1.LoadBalancingSpec) *DNSPolicyBuilder { - t.Spec.LoadBalancing = &loadBalancing - return t -} - -func (t *DNSPolicyBuilder) WithRoutingStrategy(strategy kuadrantv1alpha1.RoutingStrategy) *DNSPolicyBuilder { - t.Spec.RoutingStrategy = strategy - return t -} - -//TargetRef - -func (t *DNSPolicyBuilder) WithTargetGateway(gwName string) *DNSPolicyBuilder { - typedNamespace := gatewayapiv1.Namespace(t.GetNamespace()) - return t.WithTargetRef(gatewayapiv1alpha2.PolicyTargetReference{ - Group: "gateway.networking.k8s.io", - Kind: "Gateway", - Name: gatewayapiv1.ObjectName(gwName), - Namespace: &typedNamespace, - }) -} - -//HealthCheck - -func (t *DNSPolicyBuilder) WithHealthCheckFor(endpoint string, port *int, protocol kuadrantdnsv1alpha1.HealthProtocol, failureThreshold *int) *DNSPolicyBuilder { - return 
t.WithHealthCheck(kuadrantv1alpha1.HealthCheckSpec{ - Endpoint: endpoint, - Port: port, - Protocol: &protocol, - FailureThreshold: failureThreshold, - AdditionalHeadersRef: nil, - ExpectedResponses: nil, - AllowInsecureCertificates: false, - Interval: nil, - }) -} - -//LoadBalancing - -func (t *DNSPolicyBuilder) WithLoadBalancingWeighted(lbWeighted kuadrantv1alpha1.LoadBalancingWeighted) *DNSPolicyBuilder { - if t.Spec.LoadBalancing == nil { - t.Spec.LoadBalancing = &kuadrantv1alpha1.LoadBalancingSpec{} - } - t.Spec.LoadBalancing.Weighted = &lbWeighted - return t -} - -func (t *DNSPolicyBuilder) WithLoadBalancingGeo(lbGeo kuadrantv1alpha1.LoadBalancingGeo) *DNSPolicyBuilder { - if t.Spec.LoadBalancing == nil { - t.Spec.LoadBalancing = &kuadrantv1alpha1.LoadBalancingSpec{} - } - t.Spec.LoadBalancing.Geo = &lbGeo - return t -} - -func (t *DNSPolicyBuilder) WithLoadBalancingWeightedFor(defaultWeight kuadrantv1alpha1.Weight, custom []*kuadrantv1alpha1.CustomWeight) *DNSPolicyBuilder { - return t.WithLoadBalancingWeighted(kuadrantv1alpha1.LoadBalancingWeighted{ - DefaultWeight: defaultWeight, - Custom: custom, - }) -} - -func (t *DNSPolicyBuilder) WithLoadBalancingGeoFor(defaultGeo string) *DNSPolicyBuilder { - return t.WithLoadBalancingGeo(kuadrantv1alpha1.LoadBalancingGeo{ - DefaultGeo: defaultGeo, - }) -} - -// ManagedZoneBuilder wrapper for ManagedZone builder helper -type ManagedZoneBuilder struct { - *kuadrantdnsv1alpha1.ManagedZone -} - -func NewManagedZoneBuilder(name, ns, domainName string) *ManagedZoneBuilder { - return &ManagedZoneBuilder{ - &kuadrantdnsv1alpha1.ManagedZone{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: ns, - }, - Spec: kuadrantdnsv1alpha1.ManagedZoneSpec{ - ID: "1234", - DomainName: domainName, - Description: domainName, - SecretRef: kuadrantdnsv1alpha1.ProviderRef{ - Name: "secretname", - }, - }, - }, - } -} diff --git a/test/util/test_types.go b/test/util/test_types.go index 1b35e5a9..b021afbb 100644 
--- a/test/util/test_types.go +++ b/test/util/test_types.go @@ -5,12 +5,9 @@ package testutil import ( "strings" - certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + certmanv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "sigs.k8s.io/controller-runtime/pkg/client" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" ) 
@@ -134,61 +131,3 @@ func AddListener(name string, hostname gatewayapiv1alpha2.Hostname, secretName g gw.Spec.Listeners = append(gw.Spec.Listeners, listener) } - -// -//// TLSPolicyBuilder wrapper for TLSPolicy builder helper -//type TLSPolicyBuilder struct { -// *v1alpha1.TLSPolicy -//} -// -//func NewTLSPolicyBuilder(policyName, ns string) *TLSPolicyBuilder { -// return &TLSPolicyBuilder{ -// &v1alpha1.TLSPolicy{ -// ObjectMeta: metav1.ObjectMeta{ -// Name: policyName, -// Namespace: ns, -// }, -// Spec: v1alpha1.TLSPolicySpec{}, -// }, -// } -//} -// -//func (t *TLSPolicyBuilder) Build() *v1alpha1.TLSPolicy { -// return t.TLSPolicy -//} -// -//func (t *TLSPolicyBuilder) WithTargetGateway(gwName string) *TLSPolicyBuilder { -// typedNamespace := gatewayapiv1.Namespace(t.GetNamespace()) -// t.Spec.TargetRef = gatewayapiv1alpha2.PolicyTargetReference{ -// Group: "gateway.networking.k8s.io", -// Kind: "Gateway", -// Name: gatewayapiv1.ObjectName(gwName), -// Namespace: &typedNamespace, -// } -// return t -//} -// -//func (t *TLSPolicyBuilder) WithIssuerRef(issuerRef certmanmetav1.ObjectReference) *TLSPolicyBuilder { -// t.Spec.IssuerRef = issuerRef -// return t -//} -// -//func (t *TLSPolicyBuilder) WithIssuer(name, kind, group string) *TLSPolicyBuilder { -// t.WithIssuerRef(certmanmetav1.ObjectReference{ -// Name: name, -// Kind: kind, -// Group: group, -// }) -// return t -//} - -var _ client.Object = &TestResource{} - -// TestResource dummy client.Object that can be used in place of a real k8s resource for testing -type TestResource struct { - metav1.TypeMeta - metav1.ObjectMeta -} - -func (*TestResource) GetObjectKind() schema.ObjectKind { return nil } -func (*TestResource) DeepCopyObject() runtime.Object { return nil }