Merge pull request #58 from CAAPIM/config_updates

Config Automation Updates

.github/workflows/e2e.yaml

@@ -22,7 +22,7 @@ jobs:
         # All Kubernetes version in between expose the same APIs, hence the operator
         # should be compatible with them.
         kube-version:
-          - "1.29"
+          - "1.30"
         group:
           - e2e
     steps:
@@ -31,10 +31,10 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: "~1.21.3"
+          go-version: "~1.22.0"
       - name: Setup kind
         env:
-          KIND_VERSION: "0.20.0"
+          KIND_VERSION: "0.24.0"
         run: go install sigs.k8s.io/kind@v${KIND_VERSION}
       - name: "install kuttl"
         run: ./hack/install-kuttl.sh

.github/workflows/integration_tests.yaml

@@ -22,21 +22,21 @@ jobs:
         # All Kubernetes version in between expose the same APIs, hence the operator
         # should be compatible with them.
         kube-version:
-          - "1.29"
+          - "1.30"
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v4
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: "~1.21.3"
+          go-version: "~1.22.0"
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "[email protected]"
       - name: Setup kind
         env:
-          KIND_VERSION: "0.20.0"
+          KIND_VERSION: "0.24.0"
         run: go install sigs.k8s.io/kind@v${KIND_VERSION}
       - name: "install kuttl"
         run: ./hack/install-kuttl.sh

.gitignore

@@ -30,6 +30,7 @@ operator.Dockerfile
 mysql-values.yaml
 example/tls.*
 portal-gateway.yaml
+demo-gateway.yaml
 redis-gateway.yaml
 deploy.sh
 .dockerconfigjson
@@ -39,3 +40,6 @@ license.xml
 testdata
 l7api.yaml
 l7portal.yaml
+oom-repo.yaml
+docker-secret.yaml
+tenant_info.json

Makefile

@@ -61,11 +61,11 @@ OPERATOR_SDK_VERSION ?= v1.33.0
 #IMG ?= docker.io/layer7api/layer7-operator:v$(VERSION)
 IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.29.0
+ENVTEST_K8S_VERSION = 1.30.0
 
 START_KIND_CLUSTER ?= true
 
-KUBE_VERSION ?= 1.29
+KUBE_VERSION ?= 1.30
 KIND_CONFIG ?= kind-$(KUBE_VERSION).yaml
 
 GATEWAY_IMG ?= docker.io/caapim/gateway:11.1.1

api/v1/gateway_types.go

@@ -107,6 +107,16 @@ type GatewayStatus struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=status
 	// +operator-sdk:csv:customresourcedefinitions:displayName="PortalSyncStatus"
 	PortalSyncStatus PortalSyncStatus `json:"PortalSyncStatus,omitempty"`
+	// LastAppliedClusterProperties
+	LastAppliedClusterProperties []string `json:"lastAppliedClusterProperties,omitempty"`
+	// LastAppliedClusterProperties
+	LastAppliedListenPorts []string `json:"lastAppliedListenPorts,omitempty"`
+	// LastAppliedExternalKeys
+	LastAppliedExternalKeys []string `json:"lastAppliedExternalKeys,omitempty"`
+	// LastAppliedExternalSecrets
+	LastAppliedExternalSecrets map[string][]string `json:"lastAppliedExternalSecrets,omitempty"`
+	// LastAppliedExternalCerts
+	LastAppliedExternalCerts map[string][]string `json:"lastAppliedExternalCerts,omitempty"`
 }
 
 // GatewayState tracks the status of Gateway Resources
@@ -173,12 +183,14 @@ type App struct {
 	// Labels for Operator managed resources
 	Labels map[string]string `json:"labels,omitempty"`
 	// PodLabels for the Gateway Deployment
-	PodLabels         map[string]string `json:"podLabels,omitempty"`
-	ClusterProperties ClusterProperties `json:"cwp,omitempty"`
-	Java              Java              `json:"java,omitempty"`
-	Management        Management        `json:"management,omitempty"`
-	Log               Log               `json:"log,omitempty"`
-	System            System            `json:"system,omitempty"`
+	PodLabels map[string]string `json:"podLabels,omitempty"`
+	// RestartOnConfigChange restarts the Gateway if the default configmaps are updated
+	RestartOnConfigChange bool              `json:"restartOnConfigChange,omitempty"`
+	ClusterProperties     ClusterProperties `json:"cwp,omitempty"`
+	Java                  Java              `json:"java,omitempty"`
+	Management            Management        `json:"management,omitempty"`
+	Log                   Log               `json:"log,omitempty"`
+	System                System            `json:"system,omitempty"`
 	// AutoMountServiceAccountToken optionally adds the Gateway Container's Kubernetes Service Account Token to Stored Passwords
 	AutoMountServiceAccountToken bool           `json:"autoMountServiceAccountToken,omitempty"`
 	UpdateStrategy               UpdateStrategy `json:"updateStrategy,omitempty"`
@@ -197,17 +209,17 @@ type App struct {
 	// This works inconjunction with repository references and only supports dynamic repository references.
 	SingletonExtraction bool `json:"singletonExtraction,omitempty"`
 	// RepositorySyncIntervalSeconds is the period of time between attempts to apply repository references to gateways.
-	RepositorySyncIntervalSeconds int `json:"repositorySyncIntervalSeconds,omitempty"`
+	//RepositorySyncIntervalSeconds int `json:"repositorySyncIntervalSeconds,omitempty"`
 	// ExternalSecretsSyncIntervalSeconds is the period of time between attempts to apply external secrets to gateways.
-	ExternalSecretsSyncIntervalSeconds int `json:"externalSecretsSyncIntervalSeconds,omitempty"`
+	//ExternalSecretsSyncIntervalSeconds int `json:"externalSecretsSyncIntervalSeconds,omitempty"`
 	// ExternalKeysSyncIntervalSeconds is the period of time between attempts to apply external keys to gateways.
-	ExternalKeysSyncIntervalSeconds int                   `json:"externalKeysSyncIntervalSeconds,omitempty"`
-	RepositoryReferences            []RepositoryReference `json:"repositoryReferences,omitempty"`
-	Ingress                         Ingress               `json:"ingress,omitempty"`
-	Sidecars                        []corev1.Container    `json:"sidecars,omitempty"`
-	InitContainers                  []corev1.Container    `json:"initContainers,omitempty"`
-	Resources                       PodResources          `json:"resources,omitempty"`
-	Autoscaling                     Autoscaling           `json:"autoscaling,omitempty"`
+	//ExternalKeysSyncIntervalSeconds int                   `json:"externalKeysSyncIntervalSeconds,omitempty"`
+	RepositoryReferences []RepositoryReference `json:"repositoryReferences,omitempty"`
+	Ingress              Ingress               `json:"ingress,omitempty"`
+	Sidecars             []corev1.Container    `json:"sidecars,omitempty"`
+	InitContainers       []corev1.Container    `json:"initContainers,omitempty"`
+	Resources            PodResources          `json:"resources,omitempty"`
+	Autoscaling          Autoscaling           `json:"autoscaling,omitempty"`
 	// ServiceAccount to use for the Gateway Deployment
 	ServiceAccount            ServiceAccount                    `json:"serviceAccount,omitempty"`
 	Hazelcast                 Hazelcast                         `json:"hazelcast,omitempty"`
@@ -222,6 +234,7 @@ type App struct {
 	NodeSelector              map[string]string                 `json:"nodeSelector,omitempty"`
 	ExternalSecrets           []ExternalSecret                  `json:"externalSecrets,omitempty"`
 	ExternalKeys              []ExternalKey                     `json:"externalKeys,omitempty"`
+	ExternalCerts             []ExternalCert                    `json:"externalCerts,omitempty"`
 	LivenessProbe             corev1.Probe                      `json:"livenessProbe,omitempty"`
 	ReadinessProbe            corev1.Probe                      `json:"readinessProbe,omitempty"`
 	CustomConfig              CustomConfig                      `json:"customConfig,omitempty"`
@@ -748,6 +761,40 @@ type ExternalSecret struct {
 	VariableReferencable bool `json:"variableReferencable,omitempty"`
 }
 
+type TrustedFor string
+
+const (
+	TrustedForSsl                  TrustedFor = "SSL"
+	TrustedForSigningServerCerts   TrustedFor = "SIGNING_SERVER_CERTS"
+	TrustedForSigningClientCerts   TrustedFor = "SIGNING_CLIENT_CERTS"
+	TrustedForSamlIssuer           TrustedFor = "SAML_ISSUER"
+	TrustedForSamlAsstestingEntity TrustedFor = "SAML_ATTESTING_ENTITY"
+)
+
+type RevocationCheckPolicyType string
+
+const (
+	RevocationCheckPolicyTypeNone      RevocationCheckPolicyType = "NONE"
+	RevocationCheckPolicyTypeDefault   RevocationCheckPolicyType = "USE_DEFAULT"
+	RevocationCheckPolicyTypeSpecified RevocationCheckPolicyType = "SPECIFIED"
+)
+
+// ExternalCert is a reference to an existing TLS or Opaque Secret in Kubernetes
+// The Layer7 Operator will attempt to convert this secret to a Graphman bundle that can be applied
+// dynamically keeping any referenced trusted certs up-to-date.
+// You can bring in external secrets using tools like cert-manager
+type ExternalCert struct {
+	// Enabled or disabled
+	Enabled bool `json:"enabled,omitempty"`
+	// Name of the Secret which already exists in Kubernetes
+	Name                      string                    `json:"name,omitempty"`
+	VerifyHostname            bool                      `json:"verifyHostname,omitempty"`
+	TrustedFor                []TrustedFor              `json:"trustedFor,omitempty"`
+	TrustAnchor               bool                      `json:"trustAnchor,omitempty"`
+	RevocationCheckPolicyType RevocationCheckPolicyType `json:"revocationCheckPolicyType,omitempty"`
+	RevocationCheckPolicyName string                    `json:"revocationCheckPolicyName,omitempty"`
+}
+
 // ExternalKey is a reference to an existing TLS Secret in Kubernetes
 // The Layer7 Operator will attempt to convert this secret to a Graphman bundle that can be applied
 // dynamically keeping any referenced keys up-to-date.
@@ -829,8 +876,8 @@ type ListenPort struct {
 	// Protocol
 	Protocol string `json:"protocol,omitempty"`
 	// Port
-	Port string `json:"port,omitempty"`
-	Tls  Tls    `json:"tls,omitempty"`
+	Port int `json:"port,omitempty"`
+	Tls  Tls `json:"tls,omitempty"`
 	// ManagementFeatures that should be available on this port
 	// - Published service message input
 	// - Administrative access

api/v1/repository_types.go

@@ -33,11 +33,11 @@ type RepositorySpec struct {
 	Enabled bool `json:"enabled,omitempty"`
 	// Endoint - Git repository endpoint
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Endpoint"
-	Endpoint string `json:"endpoint"`
-	// Type of Repository - Git or HTTP
+	Endpoint string `json:"endpoint,omitempty"`
+	// Type of Repository - Git, HTTP, Local
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Type"
 	Type string `json:"type,omitempty"`
-	// LocalReference lets the Repository controller use a local Kubernetes Configmap/Secret as a repository source
+	// LocalReference lets the Repository controller use a local Kubernetes Secret as a repository source
 	// This is not currently implemented
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="LocalReference"
 	LocalReference LocalReference `json:"localReference,omitempty"`
@@ -86,8 +86,7 @@ type RepositoryList struct {
 }
 
 type LocalReference struct {
-	SecretName    string `json:"secretName,omitempty"`
-	ConfigMapName string `json:"configMapName,omitempty"`
+	SecretName string `json:"secretName,omitempty"`
 }
 
 // RepositorySyncConfig

api/v1/repository_webhook.go

@@ -84,7 +84,9 @@ func validateRepository(r *Repository) (admission.Warnings, error) {
 		}
 
 		if r.Spec.Endpoint == "" {
-			return warnings, fmt.Errorf("please set a repository endpoint. name: %s ", r.Name)
+			if strings.ToLower(r.Spec.Type) != "local" {
+				return warnings, fmt.Errorf("please set a repository endpoint. name: %s ", r.Name)
+			}
 		}
 
 		switch strings.ToLower(r.Spec.Type) {
@@ -106,14 +108,20 @@ func validateRepository(r *Repository) (admission.Warnings, error) {
 					return warnings, fmt.Errorf("please set a valid auth type, valid options for HTTP refs are none and basic. name: %s ", r.Name)
 				}
 			}
+		case "local":
+			if r.Spec.LocalReference.SecretName == "" {
+				return warnings, fmt.Errorf("local repository type must reference an existing kubernetes secret. name: %s ", r.Name)
+			}
 		default:
 			return warnings, fmt.Errorf("please set a repository type, valid types are git and http. name: %s ", r.Name)
 		}
 
 		if r.Spec.Auth != (RepositoryAuth{}) {
 			switch strings.ToLower(string(r.Spec.Auth.Type)) {
 			case string(RepositoryAuthTypeNone):
-				warnings = append(warnings, "it is strongly recommend using authentication for your remote repository "+r.Name)
+				if strings.ToLower(r.Spec.Type) != "local" {
+					warnings = append(warnings, "it is strongly recommend using authentication for your remote repository "+r.Name)
+				}
 			case string(RepositoryAuthTypeBasic):
 				if r.Spec.Auth.ExistingSecretName == "" {
 					secret := r.Spec.Auth.Token

api/v1alpha1/l7api_types.go

@@ -21,9 +21,6 @@ import (
 )
 
 // L7ApiSpec defines the desired state of L7Api
-
-/// TODO: Include internal/templategen API definition
-
 type L7ApiSpec struct {
 	// ServiceUrl on the API Gateway
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="ServiceUrl"

bundle/manifests/layer7-operator.clusterserviceversion.yaml

@@ -96,15 +96,14 @@ metadata:
             "enabled": true,
             "endpoint": "dev-ssg.brcmlabs.com",
             "enrollmentBundle": "",
-            "mode": "auto",
             "portalTenant": "portal"
           }
         }
       ]
     capabilities: Basic Install
     certified: "false"
-    containerImage: docker.io/caapim/layer7-operator:v1.0.5
-    createdAt: "2024-05-21T06:50:18Z"
+    containerImage: docker.io/caapim/layer7-operator:v1.0.7
+    createdAt: "2024-08-09T20:09:41Z"
     operatorframework.io/suggested-namespace: layer7-operator-system
     operators.operatorframework.io/builder: operator-sdk-v1.34.1
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
@@ -638,6 +637,12 @@ spec:
                 - name: HTTP_PROXY
                 - name: HTTPS_PROXY
                 - name: NO_PROXY
+                - name: ENABLE_OTEL
+                  value: "false"
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: localhost:4317
+                - name: OTEL_METRIC_PREFIX
+                  value: layer7_
                 image: docker.io/caapim/layer7-operator:v1.0.7
                 imagePullPolicy: IfNotPresent
                 livenessProbe: