forked from openshift-knative/net-istio
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
8 changed files
with
287 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,11 +1,14 @@ | ||
| # The OWNERS file is used by prow to automatically merge approved PRs. | ||
|
|
||
| approvers: | ||
| - technical-oversight-committee | ||
| - knative-release-leads | ||
| - serving-writers | ||
| - net-istio-approvers | ||
|
|
||
| - alanfx | ||
| - mgencur | ||
| - ReToCode | ||
| - rhuss | ||
| - skonto | ||
| reviewers: | ||
| - serving-reviewers | ||
| - net-istio-approvers | ||
| - alanfx | ||
| - mgencur | ||
| - ReToCode | ||
| - rhuss | ||
| - skonto |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # Dockerfile to bootstrap build and test in openshift-ci | ||
|
|
||
| FROM registry.ci.openshift.org/openshift/release:golang-1.21 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| FROM registry.ci.openshift.org/openshift/release:golang-1.21 AS builder | ||
| WORKDIR /app/ | ||
| COPY . . | ||
| RUN go build -mod vendor -o /tmp/controller ./cmd/controller | ||
|
|
||
| FROM openshift/origin-base | ||
| COPY --from=builder /tmp/controller /ko-app/controller | ||
| ENTRYPOINT ["/ko-app/controller"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| FROM registry.ci.openshift.org/openshift/release:golang-1.21 AS builder | ||
| WORKDIR /app/ | ||
| COPY . . | ||
| RUN go build -mod vendor -o /tmp/webhook ./cmd/webhook | ||
|
|
||
| FROM openshift/origin-base | ||
| COPY --from=builder /tmp/webhook /ko-app/webhook | ||
| ENTRYPOINT ["/ko-app/webhook"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,111 @@ | ||
| diff --git a/pkg/reconciler/ingress/resources/gateway.go b/pkg/reconciler/ingress/resources/gateway.go | ||
| --- a/pkg/reconciler/ingress/resources/gateway.go (revision 9914eca315000a757b0f48df69f59cdbb8f7ea23) | ||
| +++ b/pkg/reconciler/ingress/resources/gateway.go (revision 2b701027bfe7dca09d27c709b0cc5d66069a1f5b) | ||
| @@ -42,9 +42,10 @@ | ||
|
|
||
| // GatewayHTTPPort is the HTTP port the gateways listen on. | ||
| const ( | ||
| - GatewayHTTPPort = 80 | ||
| - dns1123LabelMaxLength = 63 // Public for testing only. | ||
| - dns1123LabelFmt = "[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?" | ||
| + GatewayHTTPPort = 80 | ||
| + dns1123LabelMaxLength = 63 // Public for testing only. | ||
| + dns1123LabelFmt = "[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?" | ||
| + MaistraManageRouteAnnotationKey = "maistra.io/manageRoute" | ||
| ) | ||
|
|
||
| var httpServerPortName = "http-server" | ||
| @@ -199,6 +200,9 @@ | ||
| Name: WildcardGatewayName(secret.Name, gatewayService.Namespace, gatewayService.Name), | ||
| Namespace: secret.Namespace, | ||
| OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(secret, gvk)}, | ||
| + Annotations: map[string]string{ | ||
| + MaistraManageRouteAnnotationKey: "false", | ||
| + }, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: gatewayService.Spec.Selector, | ||
| @@ -254,6 +258,9 @@ | ||
| // We need this label to find out all of Gateways of a given Ingress. | ||
| networking.IngressLabelKey: ing.GetName(), | ||
| }, | ||
| + Annotations: map[string]string{ | ||
| + MaistraManageRouteAnnotationKey: "false", | ||
| + }, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: selector, | ||
| diff --git a/pkg/reconciler/ingress/resources/gateway_test.go b/pkg/reconciler/ingress/resources/gateway_test.go | ||
| --- a/pkg/reconciler/ingress/resources/gateway_test.go (revision 9914eca315000a757b0f48df69f59cdbb8f7ea23) | ||
| +++ b/pkg/reconciler/ingress/resources/gateway_test.go (revision 2b701027bfe7dca09d27c709b0cc5d66069a1f5b) | ||
| @@ -593,6 +593,7 @@ | ||
| Name: WildcardGatewayName(wildcardSecret.Name, "istio-system", "istio-ingressgateway"), | ||
| Namespace: system.Namespace(), | ||
| OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(wildcardSecret, secretGVK)}, | ||
| + Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"}, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: selector, | ||
| @@ -630,6 +631,7 @@ | ||
| Name: WildcardGatewayName(wildcardSecret.Name, system.Namespace(), "istio-ingressgateway"), | ||
| Namespace: system.Namespace(), | ||
| OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(wildcardSecret, secretGVK)}, | ||
| + Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"}, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: selector, | ||
| @@ -743,6 +745,7 @@ | ||
| Labels: map[string]string{ | ||
| networking.IngressLabelKey: "ingress", | ||
| }, | ||
| + Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"}, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: selector, | ||
| @@ -761,6 +764,7 @@ | ||
| Labels: map[string]string{ | ||
| networking.IngressLabelKey: "ingress", | ||
| }, | ||
| + Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"}, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: selector, | ||
| @@ -824,6 +828,7 @@ | ||
| Labels: map[string]string{ | ||
| networking.IngressLabelKey: "ingress", | ||
| }, | ||
| + Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"}, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: selector, | ||
| @@ -866,6 +871,7 @@ | ||
| Labels: map[string]string{ | ||
| networking.IngressLabelKey: "ingress", | ||
| }, | ||
| + Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"}, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: selector, | ||
| @@ -908,6 +914,7 @@ | ||
| Labels: map[string]string{ | ||
| networking.IngressLabelKey: "ingress.com", | ||
| }, | ||
| + Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"}, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Selector: selector, | ||
| diff --git a/pkg/reconciler/ingress/ingress_test.go b/pkg/reconciler/ingress/ingress_test.go | ||
| --- a/pkg/reconciler/ingress/ingress_test.go (revision 9914eca315000a757b0f48df69f59cdbb8f7ea23) | ||
| +++ b/pkg/reconciler/ingress/ingress_test.go (revision 2b701027bfe7dca09d27c709b0cc5d66069a1f5b) | ||
| @@ -1323,8 +1323,9 @@ | ||
| func gateway(name, namespace string, servers []*istiov1beta1.Server, opts ...GatewayOpt) *v1beta1.Gateway { | ||
| gw := &v1beta1.Gateway{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| - Name: name, | ||
| - Namespace: namespace, | ||
| + Name: name, | ||
| + Namespace: namespace, | ||
| + Annotations: map[string]string{resources.MaistraManageRouteAnnotationKey: "false"}, | ||
| }, | ||
| Spec: istiov1beta1.Gateway{ | ||
| Servers: servers, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| # Usage: create-release-branch.sh release-1.9 | ||
| # | ||
| # | ||
| # The repository assumes that you have the following branch names. | ||
| # | ||
| # $ git remote -v | ||
| # upstream git@github.com:knative-sandbox/net-istio.git (fetch) | ||
| # upstream git@github.com:knative-sandbox/net-istio.git (push) | ||
| # openshift git@github.com:openshift-knative/net-istio.git (fetch) | ||
| # openshift git@github.com:openshift-knative/net-istio.git (push) | ||
| # | ||
| set -e # Exit immediately on error. | ||
|
|
||
| release=$1 | ||
|
|
||
| # Set upstream release without "v" prefix. e.g. release-v1.11 => release-1.11 | ||
| upstream_release=release-"${release#"release-v"}" | ||
|
|
||
| # Fetch the latest upstream and checkout the new branch. | ||
| git fetch upstream "${upstream_release}" | ||
| git checkout upstream/"${upstream_release}" | ||
|
|
||
| # Copy the openshift extra files from the OPENSHIFT/main branch. | ||
| git fetch openshift main | ||
| git checkout openshift/main -- openshift OWNERS | ||
| git add openshift OWNERS | ||
| git commit -m "Add openshift specific files." | ||
|
|
||
| openshift/release/download_release_artifacts.sh "${release}" | ||
| git add . | ||
| git commit -am ":fire: Generate artifacts." | ||
|
|
||
| # TODO: currently this script is executed manually. So, do not push by the script automatically. | ||
| echo " | ||
| Now ready to create a new branch. Push it by: | ||
| $ git checkout -b ${release} | ||
| $ git push openshift ${release} | ||
| " |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| # Usage example: ./download_release_artifacts.sh 1.8.0 | ||
|
|
||
| set -Eeuo pipefail | ||
|
|
||
| SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")" | ||
|
|
||
| # TODO: automatically detects the version via branch name or something. | ||
| VERSION=$1 | ||
|
|
||
| function resolve_resources(){ | ||
| local dir=$1 | ||
| local resolved_file_name=$2 | ||
|
|
||
| # Exclude Istio resources that are deployed by users. | ||
| local exclude_option="-not -name 202-gateway.yaml \ | ||
| -not -name 203-local-gateway.yaml \ | ||
| -not -name 400-webhook-peer-authentication.yaml" | ||
|
|
||
| echo "Writing resolved yaml to $resolved_file_name" | ||
|
|
||
| > "$resolved_file_name" | ||
|
|
||
| for yaml in `find $dir -type f $exclude_option -name "*.yaml" | sort`; do | ||
| resolve_file "$yaml" "$resolved_file_name" | ||
| done | ||
| } | ||
|
|
||
| function resolve_file() { | ||
| local file=$1 | ||
| local to=$2 | ||
|
|
||
| echo "---" >> "$to" | ||
|
|
||
| echo $file | ||
|
|
||
| sed -e "s+app.kubernetes.io/version: devel+app.kubernetes.io/version: \""$VERSION"\"+" \ | ||
| "$file" >> "$to" | ||
|
|
||
| } | ||
|
|
||
| readonly YAML_OUTPUT_DIR="openshift/release/artifacts/" | ||
| readonly NETWORK_POLICY_YAML=${YAML_OUTPUT_DIR}/net-istio-netpolicies-mesh.yaml | ||
| readonly NET_ISTIO_YAML=${YAML_OUTPUT_DIR}/net-istio-core.yaml | ||
| readonly patches_path="${SCRIPT_DIR}/../patches" | ||
|
|
||
| # Clean up | ||
| rm -rf "$YAML_OUTPUT_DIR" | ||
| mkdir -p "$YAML_OUTPUT_DIR" | ||
| # clean up before applying patch and ignore error for new patch file. | ||
| git apply -R "${patches_path}"/* || true | ||
|
|
||
| git apply "${patches_path}"/* | ||
|
|
||
| resolve_resources "config/" "$NET_ISTIO_YAML" | ||
| resolve_resources "openshift/release/extra/" "$NETWORK_POLICY_YAML" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: webhook | ||
| labels: | ||
| app: webhook | ||
| app.kubernetes.io/version: devel | ||
| networking.knative.dev/ingress-provider: istio | ||
| spec: | ||
| podSelector: | ||
| matchLabels: | ||
| app: webhook | ||
| ingress: | ||
| - {} | ||
| --- | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: net-istio-webhook | ||
| labels: | ||
| app: net-istio-webhook | ||
| app.kubernetes.io/version: devel | ||
| networking.knative.dev/ingress-provider: istio | ||
| spec: | ||
| podSelector: | ||
| matchLabels: | ||
| app: net-istio-webhook | ||
| ingress: | ||
| - {} | ||
| --- | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: allow-from-openshift-monitoring-ns | ||
| namespace: knative-serving | ||
| labels: | ||
| app.kubernetes.io/version: devel | ||
| networking.knative.dev/ingress-provider: istio | ||
| spec: | ||
| ingress: | ||
| - from: | ||
| - namespaceSelector: | ||
| matchLabels: | ||
| kubernetes.io/metadata.name: "openshift-monitoring" | ||
| podSelector: {} | ||
| policyTypes: | ||
| - Ingress | ||
| --- |