From 2fdc26698adfbf4ea58a25d2de588e03d427b3c4 Mon Sep 17 00:00:00 2001
From: Reto Lehmann
Date: Mon, 5 Feb 2024 11:31:44 +0100
Subject: [PATCH] Add openshift specific files.

---
 OWNERS | 17 +--
 openshift/ci-operator/build-image/Dockerfile | 3 +
 .../knative-images/controller/Dockerfile | 8 ++
 .../knative-images/webhook/Dockerfile | 8 ++
 .../patches/002-add-maistra-annotation.patch | 111 ++++++++++++++++++
 openshift/release/create-release-branch.sh | 42 +++++++
 .../release/download_release_artifacts.sh | 57 +++++++++
 .../extra/net-istio-netpolicies-mesh.yaml | 48 ++++++++
 8 files changed, 287 insertions(+), 7 deletions(-)
 create mode 100644 openshift/ci-operator/build-image/Dockerfile
 create mode 100644 openshift/ci-operator/knative-images/controller/Dockerfile
 create mode 100644 openshift/ci-operator/knative-images/webhook/Dockerfile
 create mode 100644 openshift/patches/002-add-maistra-annotation.patch
 create mode 100755 openshift/release/create-release-branch.sh
 create mode 100755 openshift/release/download_release_artifacts.sh
 create mode 100644 openshift/release/extra/net-istio-netpolicies-mesh.yaml

diff --git a/OWNERS b/OWNERS
index 7a1f5cda63..4da14b8af6 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,11 +1,14 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 approvers:
-- technical-oversight-committee
-- knative-release-leads
-- serving-writers
-- net-istio-approvers
-
+- alanfx
+- mgencur
+- ReToCode
+- rhuss
+- skonto
 reviewers:
-- serving-reviewers
-- net-istio-approvers
+- alanfx
+- mgencur
+- ReToCode
+- rhuss
+- skonto
diff --git a/openshift/ci-operator/build-image/Dockerfile b/openshift/ci-operator/build-image/Dockerfile
new file mode 100644
index 0000000000..422affc281
--- /dev/null
+++ b/openshift/ci-operator/build-image/Dockerfile
@@ -0,0 +1,3 @@
+# Dockerfile to bootstrap build and test in openshift-ci
+
+FROM registry.ci.openshift.org/openshift/release:golang-1.21
diff --git a/openshift/ci-operator/knative-images/controller/Dockerfile b/openshift/ci-operator/knative-images/controller/Dockerfile
new file mode 100644
index 0000000000..3fbb676456
--- /dev/null
+++ b/openshift/ci-operator/knative-images/controller/Dockerfile
@@ -0,0 +1,8 @@
+FROM registry.ci.openshift.org/openshift/release:golang-1.21 AS builder
+WORKDIR /app/
+COPY . .
+RUN go build -mod vendor -o /tmp/controller ./cmd/controller
+
+FROM openshift/origin-base
+COPY --from=builder /tmp/controller /ko-app/controller
+ENTRYPOINT ["/ko-app/controller"]
diff --git a/openshift/ci-operator/knative-images/webhook/Dockerfile b/openshift/ci-operator/knative-images/webhook/Dockerfile
new file mode 100644
index 0000000000..6e277b8d81
--- /dev/null
+++ b/openshift/ci-operator/knative-images/webhook/Dockerfile
@@ -0,0 +1,8 @@
+FROM registry.ci.openshift.org/openshift/release:golang-1.21 AS builder
+WORKDIR /app/
+COPY . .
+RUN go build -mod vendor -o /tmp/webhook ./cmd/webhook
+
+FROM openshift/origin-base
+COPY --from=builder /tmp/webhook /ko-app/webhook
+ENTRYPOINT ["/ko-app/webhook"]
diff --git a/openshift/patches/002-add-maistra-annotation.patch b/openshift/patches/002-add-maistra-annotation.patch
new file mode 100644
index 0000000000..0c77b70b2b
--- /dev/null
+++ b/openshift/patches/002-add-maistra-annotation.patch
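Review bot: The runtime stage `FROM openshift/origin-base` in the controller Dockerfile carries neither a tag nor a digest, so each build pulls whatever that reference resolves to at build time and the resulting image is neither reproducible nor auditable; the webhook Dockerfile in this commit has the same line. Pin it the way the builder stage pins `golang-1.21`, e.g. `FROM openshift/origin-base:<TAG-PLACEHOLDER>` (a `@sha256:` digest is stronger still), so a base-image change shows up as a reviewed diff rather than a silent drift. `COPY . .` also ships the entire checkout into the builder layer; a `.dockerignore` limiting the context to what `go build -mod vendor` needs would shrink the build and keep unrelated files (the `openshift/` tree, `.git`) out of the intermediate image.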
@@ -0,0 +1,111 @@
+diff --git a/pkg/reconciler/ingress/resources/gateway.go b/pkg/reconciler/ingress/resources/gateway.go
+--- a/pkg/reconciler/ingress/resources/gateway.go (revision 9914eca315000a757b0f48df69f59cdbb8f7ea23)
++++ b/pkg/reconciler/ingress/resources/gateway.go (revision 2b701027bfe7dca09d27c709b0cc5d66069a1f5b)
+@@ -42,9 +42,10 @@
+ 
+ // GatewayHTTPPort is the HTTP port the gateways listen on.
+ const (
+- GatewayHTTPPort = 80
+- dns1123LabelMaxLength = 63 // Public for testing only.
+- dns1123LabelFmt = "[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?"
++ GatewayHTTPPort = 80
++ dns1123LabelMaxLength = 63 // Public for testing only.
++ dns1123LabelFmt = "[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?"
++ MaistraManageRouteAnnotationKey = "maistra.io/manageRoute"
+ )
+ 
+ var httpServerPortName = "http-server"
+@@ -199,6 +200,9 @@
+ Name: WildcardGatewayName(secret.Name, gatewayService.Namespace, gatewayService.Name),
+ Namespace: secret.Namespace,
+ OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(secret, gvk)},
++ Annotations: map[string]string{
++ MaistraManageRouteAnnotationKey: "false",
++ },
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: gatewayService.Spec.Selector,
+@@ -254,6 +258,9 @@
+ // We need this label to find out all of Gateways of a given Ingress.
+ networking.IngressLabelKey: ing.GetName(),
+ },
++ Annotations: map[string]string{
++ MaistraManageRouteAnnotationKey: "false",
++ },
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: selector,
+diff --git a/pkg/reconciler/ingress/resources/gateway_test.go b/pkg/reconciler/ingress/resources/gateway_test.go
+--- a/pkg/reconciler/ingress/resources/gateway_test.go (revision 9914eca315000a757b0f48df69f59cdbb8f7ea23)
++++ b/pkg/reconciler/ingress/resources/gateway_test.go (revision 2b701027bfe7dca09d27c709b0cc5d66069a1f5b)
+@@ -593,6 +593,7 @@
+ Name: WildcardGatewayName(wildcardSecret.Name, "istio-system", "istio-ingressgateway"),
+ Namespace: system.Namespace(),
+ OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(wildcardSecret, secretGVK)},
++ Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"},
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: selector,
+@@ -630,6 +631,7 @@
+ Name: WildcardGatewayName(wildcardSecret.Name, system.Namespace(), "istio-ingressgateway"),
+ Namespace: system.Namespace(),
+ OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(wildcardSecret, secretGVK)},
++ Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"},
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: selector,
+@@ -743,6 +745,7 @@
+ Labels: map[string]string{
+ networking.IngressLabelKey: "ingress",
+ },
++ Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"},
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: selector,
+@@ -761,6 +764,7 @@
+ Labels: map[string]string{
+ networking.IngressLabelKey: "ingress",
+ },
++ Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"},
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: selector,
+@@ -824,6 +828,7 @@
+ Labels: map[string]string{
+ networking.IngressLabelKey: "ingress",
+ },
++ Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"},
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: selector,
+@@ -866,6 +871,7 @@
+ Labels: map[string]string{
+ networking.IngressLabelKey: "ingress",
+ },
++ Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"},
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: selector,
+@@ -908,6 +914,7 @@
+ Labels: map[string]string{
+ networking.IngressLabelKey: "ingress.com",
+ },
++ Annotations: map[string]string{MaistraManageRouteAnnotationKey: "false"},
+ },
+ Spec: istiov1beta1.Gateway{
+ Selector: selector,
+diff --git a/pkg/reconciler/ingress/ingress_test.go b/pkg/reconciler/ingress/ingress_test.go
+--- a/pkg/reconciler/ingress/ingress_test.go (revision 9914eca315000a757b0f48df69f59cdbb8f7ea23)
++++ b/pkg/reconciler/ingress/ingress_test.go (revision 2b701027bfe7dca09d27c709b0cc5d66069a1f5b)
+@@ -1323,8 +1323,9 @@
+ func gateway(name, namespace string, servers []*istiov1beta1.Server, opts ...GatewayOpt) *v1beta1.Gateway {
+ gw := &v1beta1.Gateway{
+ ObjectMeta: metav1.ObjectMeta{
+- Name: name,
+- Namespace: namespace,
++ Name: name,
++ Namespace: namespace,
++ Annotations: map[string]string{resources.MaistraManageRouteAnnotationKey: "false"},
+ },
+ Spec: istiov1beta1.Gateway{
+ Servers: servers,
diff --git a/openshift/release/create-release-branch.sh b/openshift/release/create-release-branch.sh
new file mode 100755
index 0000000000..a92536ae65
--- /dev/null
+++ b/openshift/release/create-release-branch.sh
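Review bot: `MaistraManageRouteAnnotationKey` is introduced as an exported constant in the gateway.go const block of the embedded patch without a doc comment, and the block's only comment (`// GatewayHTTPPort is the HTTP port the gateways listen on.`) now describes just one of four entries. Give it its own comment, e.g. `// MaistraManageRouteAnnotationKey is the annotation the reconciler sets to "false" on every Gateway it creates.`; what "false" makes Maistra do (presumably not create an OpenShift Route for the Gateway) is inferred from the name only and should be confirmed before it is written down. The literal `"false"` is repeated in both gateway.go construction sites and in every test fixture; a companion constant next to the key would keep the value from drifting if it is ever changed. The two Gateway-building functions in gateway.go start and end outside the patched hunks, so only the ObjectMeta fragments are visible here.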
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Usage: create-release-branch.sh release-1.9
+#
+#
+# The repository assumes that you have the following branch names.
+#
+# $ git remote -v
+# upstream git@github.com:knative-sandbox/net-istio.git (fetch)
+# upstream git@github.com:knative-sandbox/net-istio.git (push)
+# openshift git@github.com:openshift-knative/net-istio.git (fetch)
+# openshift git@github.com:openshift-knative/net-istio.git (push)
+#
+set -e # Exit immediately on error.
+
+release=$1
+
+# Set upstream release without "v" prefix. e.g. release-v1.11 => release-1.11
+upstream_release=release-"${release#"release-v"}"
+
+# Fetch the latest upstream and checkout the new branch.
+git fetch upstream "${upstream_release}"
+git checkout upstream/"${upstream_release}"
+
+# Copy the openshift extra files from the OPENSHIFT/main branch.
+git fetch openshift main
+git checkout openshift/main -- openshift OWNERS
+git add openshift OWNERS
+git commit -m "Add openshift specific files."
+
+openshift/release/download_release_artifacts.sh "${release}"
+git add .
+git commit -am ":fire: Generate artifacts."
+
+# TODO: currently this script is executed manually. So, do not push by the script automatically.
+echo "
+Now ready to create a new branch. Push it by:
+
+ $ git checkout -b ${release}
+ $ git push openshift ${release}
+
+"
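Review bot: The usage line documents `create-release-branch.sh release-1.9`, but `upstream_release=release-"${release#"release-v"}"` only strips a `release-v` prefix, so that documented input yields `release-release-1.9` and the `git fetch upstream` that follows fails; only the `release-v1.11` form mentioned in the comment works. Normalise both spellings, e.g. `tag="${release#release-}"` followed by `upstream_release="release-${tag#v}"`. `release=$1` is also never checked, and with plain `set -e` (the sibling download_release_artifacts.sh uses `set -Eeuo pipefail`) an empty argument is not caught by `-u`; a guard such as `[[ -n "${1:-}" ]] || { echo "usage: $0 release-X.Y" >&2; exit 1; }` at the top, and the same shell options as the sibling script, would make the failure explicit before any `git` state is touched.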
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# Usage example: ./download_release_artifacts.sh 1.8.0
+
+set -Eeuo pipefail
+
+SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")"
+
+# TODO: automatically detects the version via branch name or something.
+VERSION=$1
+
+function resolve_resources(){
+ local dir=$1
+ local resolved_file_name=$2
+
+ # Exclude Istio resources that are deployed by users.
+ local exclude_option="-not -name 202-gateway.yaml \
+ -not -name 203-local-gateway.yaml \
+ -not -name 400-webhook-peer-authentication.yaml"
+
+ echo "Writing resolved yaml to $resolved_file_name"
+
+ > "$resolved_file_name"
+
+ for yaml in `find $dir -type f $exclude_option -name "*.yaml" | sort`; do
+ resolve_file "$yaml" "$resolved_file_name"
+ done
+}
+
+function resolve_file() {
+ local file=$1
+ local to=$2
+
+ echo "---" >> "$to"
+
+ echo $file
+
+ sed -e "s+app.kubernetes.io/version: devel+app.kubernetes.io/version: \""$VERSION"\"+" \
+ "$file" >> "$to"
+
+}
+
+readonly YAML_OUTPUT_DIR="openshift/release/artifacts/"
+readonly NETWORK_POLICY_YAML=${YAML_OUTPUT_DIR}/net-istio-netpolicies-mesh.yaml
+readonly NET_ISTIO_YAML=${YAML_OUTPUT_DIR}/net-istio-core.yaml
+readonly patches_path="${SCRIPT_DIR}/../patches"
+
+# Clean up
+rm -rf "$YAML_OUTPUT_DIR"
+mkdir -p "$YAML_OUTPUT_DIR"
+# clean up before applying patch and ignore error for new patch file.
+git apply -R "${patches_path}"/* || true
+
+git apply "${patches_path}"/*
+
+resolve_resources "config/" "$NET_ISTIO_YAML"
+resolve_resources "openshift/release/extra/" "$NETWORK_POLICY_YAML"
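Review bot: `VERSION=$1` is spliced unvalidated into the sed expression in resolve_file, which uses `+` as its delimiter, so a version such as `1.8.0+rc1` (build metadata with `+` is a legal version form) terminates the expression early and either errors out or rewrites the wrong text, and whatever string is passed lands verbatim in the released YAML. Validate the argument before anything is written, e.g. `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "usage: $0 X.Y.Z" >&2; exit 1; }`. The backtick `find` loop in resolve_resources word-splits its output, so a yaml path containing whitespace would be handed to resolve_file as several bogus arguments; `find "$dir" ... -print0 | sort -z | while IFS= read -r -d '' yaml; do ...; done` is the safe shape, and `echo $file` in resolve_file should be quoted for the same reason. A one-line comment above `git apply -R ... || true` saying that the reverse apply is expected to fail on a fresh checkout would spare the next reader a guess.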
@@ -0,0 +1,48 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: webhook
+ labels:
+ app: webhook
+ app.kubernetes.io/version: devel
+ networking.knative.dev/ingress-provider: istio
+spec:
+ podSelector:
+ matchLabels:
+ app: webhook
+ ingress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: net-istio-webhook
+ labels:
+ app: net-istio-webhook
+ app.kubernetes.io/version: devel
+ networking.knative.dev/ingress-provider: istio
+spec:
+ podSelector:
+ matchLabels:
+ app: net-istio-webhook
+ ingress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-openshift-monitoring-ns
+ namespace: knative-serving
+ labels:
+ app.kubernetes.io/version: devel
+ networking.knative.dev/ingress-provider: istio
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "openshift-monitoring"
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
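Review bot: The `webhook` and `net-istio-webhook` policies admit ingress from any source (`ingress:` with a single `{}` rule) and declare no `policyTypes`, while the third policy spells out `policyTypes: [Ingress]` and hard-codes `namespace: knative-serving`; the first two therefore take whatever namespace the artifact is applied into, and their allow-all reads as an accident rather than a decision. If the allow-all is deliberate because admission webhooks are called by the API server, which cannot be matched by a namespace or pod selector, state that above each of the two policies, e.g. `# Admission webhooks are invoked by the API server, which no selector can match, so all ingress is admitted.`, and add `policyTypes: [Ingress]` so the policy is explicit about what it constrains. Decide once whether `namespace:` is set or left to the applier and make all three entries agree, since the resolved file is emitted by the same script.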