From b6326365aa26a792639547c04a4bbf7a17df923e Mon Sep 17 00:00:00 2001
From: eks-bot <56046769+eks-bot@users.noreply.github.com>
Date: Mon, 14 Jun 2021 16:33:20 -0700
Subject: [PATCH] appmesh-controller: v1.4.0 (#544)
Co-authored-by: eks-bot
---
stable/appmesh-controller/Chart.yaml | 4 +-
stable/appmesh-controller/README.md | 48 +-
stable/appmesh-controller/ci/values.yaml | 4 +-
stable/appmesh-controller/crds/crds.yaml | 519 ++++++++++++++++++-
stable/appmesh-controller/templates/pdb.yaml | 18 +
stable/appmesh-controller/test.yaml | 8 +-
stable/appmesh-controller/values.yaml | 8 +-
7 files changed, 581 insertions(+), 28 deletions(-)
create mode 100644 stable/appmesh-controller/templates/pdb.yaml
diff --git a/stable/appmesh-controller/Chart.yaml b/stable/appmesh-controller/Chart.yaml
index 8ca35f46d..52c3746fd 100644
--- a/stable/appmesh-controller/Chart.yaml
+++ b/stable/appmesh-controller/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: appmesh-controller
 description: App Mesh controller Helm chart for Kubernetes
-version: 1.3.2
-appVersion: 1.3.0
+version: 1.4.0
+appVersion: 1.4.0
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/stable/appmesh-controller/README.md b/stable/appmesh-controller/README.md
index 554cae784..b3f77954a 100644
--- a/stable/appmesh-controller/README.md
+++ b/stable/appmesh-controller/README.md
@@ -31,8 +31,7 @@ Create namespace kubectl create ns appmesh-system ``` -The controller runs on the worker nodes, so it needs access to the AWS App Mesh / Cloud Map resources via IAM permissions. The -IAM permissions can either be setup via IAM roles for service account or can be attached directly to the worker node IAM roles. +The controller runs on the worker nodes, so it needs access to the AWS App Mesh / Cloud Map resources via IAM permissions. The IAM permissions can either be setup via IAM roles for service account or can be attached directly to the worker node IAM roles. #### Setup IAM Role for Service Account 
@@ -89,18 +88,52 @@ helm upgrade -i appmesh-controller eks/appmesh-controller \ The [configuration](#configuration) section lists the parameters that can be configured during installation. -**Note:** When using IRSA, make sure the Envoy proxies have the following IAM policies attached for Envoy to authenticate with AWS App Mesh and fetch it's configuration +**Note** +Make sure that the Envoy proxies have the following IAM policies attached for the Envoy to authenticate with AWS App Mesh and fetch it's configuration - https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json -#### Setup IAM permissions manually on worker nodes -If not setting up IAM role for service account, apply the IAM policies to your worker nodes: +There are **2 ways** you can attach the above policy to the Envoy Pod +#### With IRSA +Download the Envoy IAM polocy +``` +curl -o envoy-iam-policy.json https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json +``` + +Create an IAM policy called AWSAppMeshEnvoyIAMPolicy +``` +aws iam create-policy \ + --policy-name AWSAppMeshEnvoyIAMPolicy \ + --policy-document file://envoy-iam-policy.json +``` + +Take note of the policy ARN that is returned + +If your Mesh enabled applications are already using IRSA then you can attach the above policy to the role belonging to the existing IRSA or you can edit the Trust Relationship of the existing iam role which has this envoy policy so that some other service account in your mesh can also assume this role. + +If not then you can create a service account for your application namespace and use the ARN from the step above. 
Ensure that Application Namespace already exists + +``` +eksctl create iamserviceaccount --cluster $CLUSTER_NAME \ + --namespace \ + --name envoy-proxy \ + --attach-policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/AWSAppMeshEnvoyIAMPolicy \ + --override-existing-serviceaccounts \ + --approve +``` + +Reference this Service Account in your application pod spec. This should be the pod which would get injected with the Envoy. Refer below example: +``` +https://github.com/aws/aws-app-mesh-examples/blob/5a2d04227593d292d52e5e2ca638d808ebed5e70/walkthroughs/howto-k8s-fargate/v1beta2/manifest.yaml.template#L220 +``` + +#### Without IRSA +If not setting up IAM role for service account, apply the IAM policies manually to your worker nodes: Controller IAM policy - https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/controller-iam-policy.json Envoy IAM policy -- https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json - +- https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json Deploy appmesh-controller ```sh
@@ -360,3 +393,4 @@ Parameter | Description | Default
 `accountId` | AWS Account ID for the Kubernetes cluster | None
 `env` | environment variables to be injected into the appmesh-controller pod | `{}`
 `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`)
+`podDisruptionBudget` | PodDisruptionBudget | `{}`
\ No newline at end of file
diff --git a/stable/appmesh-controller/ci/values.yaml b/stable/appmesh-controller/ci/values.yaml
index d9c65c971..38fa52a19 100644
--- a/stable/appmesh-controller/ci/values.yaml
+++ b/stable/appmesh-controller/ci/values.yaml
@@ -4,6 +4,6 @@ accountId: 123456789
 region: us-west-2
 image:
- repository: apuroop/appmesh-controller
- tag: v1.3.0
+ repository: chinmay5j/appmesh-controller
+ tag: v1.4.0
 pullPolicy: IfNotPresent
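Review bot: The CI values move the controller image from one personal Docker Hub namespace to another (`chinmay5j/appmesh-controller`, replacing `apuroop/appmesh-controller`) and reference it only by the mutable tag `v1.4.0`, while `values.yaml` and `test.yaml` in this same patch point at `602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller`. The chart-testing run therefore exercises an artifact whose provenance cannot be tied to the release and which the namespace owner can repoint at any time. Once the official `v1.4.0` image is published, prefer the ECR repository here as well; failing that, pin the CI image by digest (e.g. `tag: "v1.4.0@sha256:<DIGEST-PLACEHOLDER>"`, assuming the deployment template builds the reference as `repository:tag`) so the tested image is immutable.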
diff --git a/stable/appmesh-controller/crds/crds.yaml b/stable/appmesh-controller/crds/crds.yaml index 624ce9a6d..589915bcd 100644 --- a/stable/appmesh-controller/crds/crds.yaml +++ b/stable/appmesh-controller/crds/crds.yaml @@ -49,6 +49,18 @@ spec: action: description: An object that represents the action to take if a match is determined. properties: + rewrite: + properties: + hostname: + description: ENABLE or DISABLE default behavior for Hostname rewrite + properties: + defaultTargetHostname: + enum: + - ENABLED + - DISABLED + type: string + type: object + type: object target: description: An object that represents the target that traffic is routed to when a request matches the route. properties: 
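Review bot: The new `rewrite.hostname` description reads `ENABLE or DISABLE default behavior for Hostname rewrite`, but the enum it documents accepts `ENABLED` and `DISABLED`; this text surfaces in `kubectl explain`, so align it with the values, e.g. `description: ENABLED or DISABLED - whether the default hostname rewrite is applied to the route target`. The `rewrite` object itself carries no description at all. The same mismatch recurs in the hunks at `@@ -94,6 +178,38 @@` and `@@ -141,6 +372,38 @@`, where `path` and `prefix.defaultPrefix` are likewise undocumented. The enclosing CRD schema starts and ends outside this hunk.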
@@ -80,8 +92,80 @@ spec: match: description: An object that represents the criteria for determining a request match. properties: + hostname: + description: The client specified Hostname to match on. + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 253 + minLength: 1 + type: string + suffix: + description: The value sent by the client must end with the specified characters. + maxLength: 253 + minLength: 1 + type: string + type: object + metadata: + description: An object that represents the data to match from the request. + items: + description: GRPCGatewayRouteMetadata refers to https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_GrpcRouteMetadata.html + properties: + invert: + description: Specify True to match anything except the match criteria. The default value is False. + type: boolean + match: + description: An object that represents the data to match from the request. + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 255 + minLength: 1 + type: string + prefix: + description: The value sent by the client must begin with the specified characters. + maxLength: 255 + minLength: 1 + type: string + range: + description: An object that represents the range of values to match on + properties: + end: + description: The end of the range. + format: int64 + type: integer + start: + description: The start of the range. + format: int64 + type: integer + required: + - end + - start + type: object + regex: + description: The value sent by the client must include the specified characters. + maxLength: 255 + minLength: 1 + type: string + suffix: + description: The value sent by the client must end with the specified characters. + maxLength: 255 + minLength: 1 + type: string + type: object + name: + description: The name of the route. 
+ maxLength: 50 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 10 + minItems: 1 + type: array serviceName: - description: The fully qualified domain name for the service to match from the request. + description: Either ServiceName or Hostname must be specified. Both are allowed as well The fully qualified domain name for the service to match from the request. type: string type: object required: @@ -94,6 +178,38 @@ spec: action: description: An object that represents the action to take if a match is determined. properties: + rewrite: + properties: + hostname: + description: ENABLE or DISABLE default behavior for Hostname rewrite + properties: + defaultTargetHostname: + enum: + - ENABLED + - DISABLED + type: string + type: object + path: + properties: + exact: + maxLength: 255 + minLength: 1 + type: string + type: object + prefix: + properties: + defaultPrefix: + enum: + - ENABLED + - DISABLED + type: string + value: + description: When DefaultPrefix is specified, Value cannot be set + maxLength: 255 + minLength: 1 + type: string + type: object + type: object target: description: An object that represents the target that traffic is routed to when a request matches the route. properties: 
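Review bot: The `serviceName` description now states `Either ServiceName or Hostname must be specified. Both are allowed as well`, yet this hunk ends on the match object's `required:` line and its entries lie outside the hunk; if that list still contains `- serviceName`, the API server will keep rejecting a hostname-only match and the description is wrong. The HTTP gateway route hunks in this same patch explicitly remove `required: - prefix`, so the gRPC match should presumably be treated the same way, either by dropping the entry or by revising the text. The sentence is also missing a period before `The fully qualified domain name`, e.g. `description: Either ServiceName or Hostname must be specified; both are allowed as well. The fully qualified domain name for the service to match from the request.`.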
@@ -125,11 +241,126 @@ spec: match: description: An object that represents the criteria for determining a request match. properties: + headers: + description: An object that represents the client request headers to match on. + items: + description: HTTPGatewayRouteHeader refers to https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_HttpRouteHeader.html + properties: + invert: + description: Specify True to match anything except the match criteria. The default value is False. + type: boolean + match: + description: The HeaderMatchMethod object. + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 255 + minLength: 1 + type: string + prefix: + description: The value sent by the client must begin with the specified characters. + maxLength: 255 + minLength: 1 + type: string + range: + description: An object that represents the range of values to match on. + properties: + end: + description: The end of the range. + format: int64 + type: integer + start: + description: The start of the range. + format: int64 + type: integer + required: + - end + - start + type: object + regex: + description: The value sent by the client must include the specified characters. + maxLength: 255 + minLength: 1 + type: string + suffix: + description: The value sent by the client must end with the specified characters. + maxLength: 255 + minLength: 1 + type: string + type: object + name: + description: A name for the HTTP header in the client request that will be matched on. + maxLength: 50 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 10 + minItems: 1 + type: array + hostname: + description: The client specified Hostname to match on. + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 253 + minLength: 1 + type: string + suffix: + description: The value sent by the client must end with the specified characters. 
+ maxLength: 253 + minLength: 1 + type: string + type: object + method: + description: The client request method to match on. + enum: + - CONNECT + - DELETE + - GET + - HEAD + - OPTIONS + - PATCH + - POST + - PUT + - TRACE + type: string + path: + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 255 + minLength: 1 + type: string + regex: + description: The value sent by the client must end with the specified characters. + maxLength: 255 + minLength: 1 + type: string + type: object prefix: - description: Specifies the path to match requests with + description: Either Prefix or Hostname must be specified. Both are allowed as well. Specifies the path to match requests with type: string - required: - - prefix + queryParameters: + items: + properties: + match: + description: The HeaderMatchMethod object. + properties: + exact: + maxLength: 255 + minLength: 1 + type: string + type: object + name: + type: string + required: + - name + type: object + maxItems: 10 + minItems: 1 + type: array type: object required: - action @@ -141,6 +372,38 @@ spec: action: description: An object that represents the action to take if a match is determined. properties: + rewrite: + properties: + hostname: + description: ENABLE or DISABLE default behavior for Hostname rewrite + properties: + defaultTargetHostname: + enum: + - ENABLED + - DISABLED + type: string + type: object + path: + properties: + exact: + maxLength: 255 + minLength: 1 + type: string + type: object + prefix: + properties: + defaultPrefix: + enum: + - ENABLED + - DISABLED + type: string + value: + description: When DefaultPrefix is specified, Value cannot be set + maxLength: 255 + minLength: 1 + type: string + type: object + type: object target: description: An object that represents the target that traffic is routed to when a request matches the route. properties: 
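Review bot: Under the new `path` matcher, `regex` is described as `The value sent by the client must end with the specified characters.`, which is the `suffix` wording carried over by copy-paste; the header `regex` in the same hunk says `The value sent by the client must include the specified characters.`, and the path one should say the same or, better, `description: The value sent by the client must match the specified regular expression.`. The identical defect appears in the hunks at `@@ -172,11 +435,126 @@`, `@@ -2253,17 +2679,49 @@` and `@@ -2470,17 +2931,49 @@`. Separately, removing `required: - prefix` here (and in those hunks) means the structural schema no longer guarantees that any matcher is set at all, so the statement `Either Prefix or Hostname must be specified` presumably relies on the controller's admission webhook; naming that in the description would tell readers where the check actually lives. The `queryParameters` items and their `name` field have no description and, unlike `headers.name`, no length bounds.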
@@ -172,11 +435,126 @@ spec: match: description: An object that represents the criteria for determining a request match. properties: + headers: + description: An object that represents the client request headers to match on. + items: + description: HTTPGatewayRouteHeader refers to https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_HttpRouteHeader.html + properties: + invert: + description: Specify True to match anything except the match criteria. The default value is False. + type: boolean + match: + description: The HeaderMatchMethod object. + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 255 + minLength: 1 + type: string + prefix: + description: The value sent by the client must begin with the specified characters. + maxLength: 255 + minLength: 1 + type: string + range: + description: An object that represents the range of values to match on. + properties: + end: + description: The end of the range. + format: int64 + type: integer + start: + description: The start of the range. + format: int64 + type: integer + required: + - end + - start + type: object + regex: + description: The value sent by the client must include the specified characters. + maxLength: 255 + minLength: 1 + type: string + suffix: + description: The value sent by the client must end with the specified characters. + maxLength: 255 + minLength: 1 + type: string + type: object + name: + description: A name for the HTTP header in the client request that will be matched on. + maxLength: 50 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 10 + minItems: 1 + type: array + hostname: + description: The client specified Hostname to match on. + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 253 + minLength: 1 + type: string + suffix: + description: The value sent by the client must end with the specified characters. 
+ maxLength: 253 + minLength: 1 + type: string + type: object + method: + description: The client request method to match on. + enum: + - CONNECT + - DELETE + - GET + - HEAD + - OPTIONS + - PATCH + - POST + - PUT + - TRACE + type: string + path: + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 255 + minLength: 1 + type: string + regex: + description: The value sent by the client must end with the specified characters. + maxLength: 255 + minLength: 1 + type: string + type: object prefix: - description: Specifies the path to match requests with + description: Either Prefix or Hostname must be specified. Both are allowed as well. Specifies the path to match requests with type: string - required: - - prefix + queryParameters: + items: + properties: + match: + description: The HeaderMatchMethod object. + properties: + exact: + maxLength: 255 + minLength: 1 + type: string + type: object + name: + type: string + required: + - name + type: object + maxItems: 10 + minItems: 1 + type: array type: object required: - action @@ -195,6 +573,12 @@ spec: - name - uid type: object + priority: + description: Priority for the gatewayroute. Default Priority is 1000 which is lowest priority + format: int64 + maximum: 1000 + minimum: 0 + type: integer virtualGatewayRef: description: "A reference to k8s VirtualGateway CR that this GatewayRoute belongs to. The admission controller populates it using VirtualGateway's selector, and prevents users from setting this field. \n Populated by the system. Read-only." properties: 
@@ -559,6 +943,36 @@ spec: type: object type: object type: object + gatewayRouteSelector: + description: GatewayRouteSelector selects GatewayRoutes using labels to designate GatewayRoute membership. If not specified it selects all GatewayRoutes in that namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object listeners: description: The listener that the virtual gateway is expected to receive inbound traffic from items: @@ -1779,6 +2193,12 @@ spec: hostname: description: Specifies the DNS service discovery hostname for the virtual node. type: string + responseType: + description: Choose between ENDPOINTS (strict DNS) and LOADBALANCER (logical DNS) mode in Envoy sidecar + enum: + - ENDPOINTS + - LOADBALANCER + type: string required: - hostname type: object 
@@ -2004,6 +2424,9 @@ spec: description: The start of the range. format: int64 type: integer + required: + - end + - start type: object regex: description: The value sent by the client must include the specified characters. @@ -2217,6 +2640,9 @@ spec: description: The start of the range. format: int64 type: integer + required: + - end + - start type: object regex: description: The value sent by the client must include the specified characters. @@ -2253,17 +2679,49 @@ spec: - PUT - TRACE type: string + path: + description: The client specified Path to match on. + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 255 + minLength: 1 + type: string + regex: + description: The value sent by the client must end with the specified characters. + maxLength: 255 + minLength: 1 + type: string + type: object prefix: - description: Specifies the path to match requests with + description: Specifies the prefix to match requests with type: string + queryParameters: + description: The client specified queryParameters to match on + items: + properties: + match: + description: The HeaderMatchMethod object. + properties: + exact: + maxLength: 255 + minLength: 1 + type: string + type: object + name: + type: string + required: + - name + type: object + maxItems: 10 + minItems: 1 + type: array scheme: description: The client request scheme to match on enum: - http - https type: string - required: - - prefix type: object retryPolicy: description: An object that represents a retry policy. @@ -2434,6 +2892,9 @@ spec: description: The start of the range. format: int64 type: integer + required: + - end + - start type: object regex: description: The value sent by the client must include the specified characters. 
@@ -2470,17 +2931,49 @@ spec: - PUT - TRACE type: string + path: + description: The client specified Path to match on. + properties: + exact: + description: The value sent by the client must match the specified value exactly. + maxLength: 255 + minLength: 1 + type: string + regex: + description: The value sent by the client must end with the specified characters. + maxLength: 255 + minLength: 1 + type: string + type: object prefix: - description: Specifies the path to match requests with + description: Specifies the prefix to match requests with type: string + queryParameters: + description: The client specified queryParameters to match on + items: + properties: + match: + description: The HeaderMatchMethod object. + properties: + exact: + maxLength: 255 + minLength: 1 + type: string + type: object + name: + type: string + required: + - name + type: object + maxItems: 10 + minItems: 1 + type: array scheme: description: The client request scheme to match on enum: - http - https type: string - required: - - prefix type: object retryPolicy: description: An object that represents a retry policy. diff --git a/stable/appmesh-controller/templates/pdb.yaml b/stable/appmesh-controller/templates/pdb.yaml new file mode 100644 index 000000000..326d67ac6 --- /dev/null +++ b/stable/appmesh-controller/templates/pdb.yaml @@ -0,0 +1,18 @@ +{{- if .Values.podDisruptionBudget }} +{{- if gt (int .Values.replicaCount) 1 }} +kind: PodDisruptionBudget +apiVersion: policy/v1beta1 +metadata: + name: {{ template "appmesh-controller.fullname" . }}-pdb + namespace: {{ .Release.Namespace }} + labels: +{{ include "appmesh-controller.labels" . | indent 4 }} +spec: + selector: + matchLabels: + control-plane: {{ template "appmesh-controller.fullname" . }} + app.kubernetes.io/name: {{ include "appmesh-controller.fullname" . }} + app.kubernetes.io/part-of: appmesh +{{- toYaml .Values.podDisruptionBudget | nindent 2 }} +{{- end -}} +{{- end -}} \ No newline at end of file 
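Review bot: The new pdb.yaml template hard-codes `apiVersion: policy/v1beta1`; PodDisruptionBudget is GA as `policy/v1` since Kubernetes 1.21 and the beta API is slated for removal in 1.25, so installs with `podDisruptionBudget` set will fail on clusters that no longer serve it. Choosing the version from cluster capabilities keeps both generations working: `apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") }}`. Note also that `toYaml .Values.podDisruptionBudget | nindent 2` splices the entire map into `spec`, so any key a user places there (including a second `selector`, which most YAML parsers resolve last-wins) lands unvalidated; templating `minAvailable` and `maxUnavailable` explicitly, or documenting in `values.yaml` that only those two keys are expected, would make the contract clear. The `gt (int .Values.replicaCount) 1` guard is a sensible protection against a budget that a single replica can never satisfy, and the file should end with a newline.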
diff --git a/stable/appmesh-controller/test.yaml b/stable/appmesh-controller/test.yaml
index 1d04e8f93..d54bc4cf8 100644
--- a/stable/appmesh-controller/test.yaml
+++ b/stable/appmesh-controller/test.yaml
@@ -9,13 +9,13 @@ preview: false
 image:
 repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller
- tag: v1.3.0
+ tag: v1.4.0
 pullPolicy: IfNotPresent
 sidecar:
 image:
 repository: 840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy
- tag: v1.16.1.0-prod
+ tag: v1.17.2.0-prod
 # sidecar.logLevel: Envoy log level can be info, warn, error or debug
 logLevel: info
 envoyAdminAccessPort: 9901
@@ -136,6 +136,10 @@ stats:
 # Enable cert-manager
 enableCertManager: false
+# podDisruptionBudget for Appmesh controller
+podDisruptionBudget: {}
+ # minAvailable: 1
+
 # Environment variables to set in appmesh-controller pod
 env: {}
diff --git a/stable/appmesh-controller/values.yaml b/stable/appmesh-controller/values.yaml
index 2f6c2e5c1..c57e68658 100644
--- a/stable/appmesh-controller/values.yaml
+++ b/stable/appmesh-controller/values.yaml
@@ -9,13 +9,13 @@ preview: false
 image:
 repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller
- tag: v1.3.0
+ tag: v1.4.0
 pullPolicy: IfNotPresent
 sidecar:
 image:
 repository: 840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy
- tag: v1.16.1.0-prod
+ tag: v1.17.2.0-prod
 # sidecar.logLevel: Envoy log level can be info, warn, error or debug
 logLevel: info
 envoyAdminAccessPort: 9901
@@ -122,6 +122,10 @@ stats:
 # Enable cert-manager
 enableCertManager: false
+# podDisruptionBudget for Appmesh controller
+podDisruptionBudget: {}
+# minAvailable: 1
+
 # Environment variables to set in appmesh-controller pod
 env: {}