diff --git a/.github/workflows/_build_publish.yaml b/.github/workflows/_build_publish.yaml
index 98428b309afb..6a4326f31bb6 100644
--- a/.github/workflows/_build_publish.yaml
+++ b/.github/workflows/_build_publish.yaml
@@ -54,7 +54,7 @@ jobs:
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: go.mod
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
@@ -105,7 +105,7 @@ jobs:
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: go.mod
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
@@ -128,7 +128,7 @@ jobs:
 make test/container-structure/${{ matrix.image }}
 - name: scan amd64 image
 id: scan_image-amd64
- uses: Kong/public-shared-actions/security-actions/scan-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+ uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
 with:
 asset_prefix: image_${{ matrix.image }}-amd64
 image: ./build/docker/${{ matrix.image }}-amd64.tar
@@ -137,7 +137,7 @@ jobs:
 - name: scan arm64 image
 id: scan_image-arm64
 if: ${{ fromJSON(inputs.FULL_MATRIX) }}
- uses: Kong/public-shared-actions/security-actions/scan-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+ uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
 with:
 asset_prefix: image_${{ matrix.image }}-arm64
 image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -186,7 +186,7 @@ jobs:
 - name: sign image
 if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
 id: sign
- uses: Kong/public-shared-actions/security-actions/sign-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+ uses: Kong/public-shared-actions/security-actions/sign-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
 with:
 image_digest: ${{ steps.image_digest.outputs.digest }}
 tags: ${{ steps.image_meta.outputs.image }}
@@ -227,7 +227,7 @@ jobs:
 go-version-file: go.mod
 cache-dependency-path: |
 go.sum
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
diff --git a/.github/workflows/_e2e.yaml b/.github/workflows/_e2e.yaml
index 82a4e16c65f0..e8113a945065 100644
--- a/.github/workflows/_e2e.yaml
+++ b/.github/workflows/_e2e.yaml
@@ -34,7 +34,7 @@ jobs:
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: go.mod
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
diff --git a/.github/workflows/_test.yaml b/.github/workflows/_test.yaml
index 8b109fab3f5d..4ba0d3656bda 100644
--- a/.github/workflows/_test.yaml
+++ b/.github/workflows/_test.yaml
@@ -26,7 +26,7 @@ jobs:
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: go.mod
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
@@ -51,7 +51,7 @@ jobs:
 "test_e2e": {
 "target": [""],
 "k8sVersion": ["kindIpv6", "${{ env.K8S_MIN_VERSION }}", "${{ env.K8S_MAX_VERSION }}"],
- "arch": ["amd64"],
+ "arch": ["arm64"],
 "parallelism": [4],
 "cniNetworkPlugin": ["flannel"],
 "sidecarContainers": [""]
@@ -70,8 +70,8 @@ jobs:
 ],
 "include":[
 {"sidecarContainers": "sidecarContainers", "k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "kubernetes", "arch": "amd64"},
- {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "multizone", "arch": "arm64"},
- {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "kubernetes", "arch": "arm64"},
+ {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "multizone", "arch": "amd64"},
+ {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "kubernetes", "arch": "amd64"},
 {"k8sVersion": "kind", "target": "universal", "arch": "arm64"},
 {"k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "gatewayapi", "arch": "amd64"},
 {"cniNetworkPlugin": "calico", "k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "multizone", "arch": "amd64"}
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
index e9963e6ec89d..d4b9883336eb 100644
--- a/.github/workflows/build-test-distribute.yaml
+++ b/.github/workflows/build-test-distribute.yaml
@@ -13,6 +13,9 @@ permissions:
 env:
 KUMA_DIR: "."
 CI_TOOLS_DIR: "/home/runner/work/kuma/kuma/.ci_tools"
+concurrency:
+ group: ${{github.workflow}}-${{ github.event_name == 'push' && github.sha || github.event.pull_request.number }}
+ cancel-in-progress: ${{ github.event_name == 'push' && false || true }}
 jobs:
 check:
 permissions:
@@ -48,11 +51,11 @@ jobs:
 with:
 go-version-file: go.mod
 cache: false
- - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+ - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
 with:
 args: --fix=false --verbose
 version: v1.60.3
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
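Review bot: In the new `concurrency` block of build-test-distribute.yaml, `cancel-in-progress: ${{ github.event_name == 'push' && false || true }}` evaluates to true for every event, because `x && false` is always false and the trailing `|| true` then wins. If the intent is that push runs are never cancelled, `cancel-in-progress: ${{ github.event_name != 'push' }}` says so directly. The group key falls back to `github.event.pull_request.number`, which is empty for events other than push and pull_request, so such runs would all share one group and cancel each other; the workflow's triggers are outside the hunk, so confirm which events reach it, and consider a fallback such as `|| github.run_id`.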
@@ -66,7 +69,7 @@ jobs: - run: | make check - id: sca-project - uses: Kong/public-shared-actions/security-actions/sca@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2 + uses: Kong/public-shared-actions/security-actions/sca@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3 with: dir: . config: .syft.yaml diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index 2f7e6995507a..8a9971af8e8b 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -43,7 +43,7 @@ jobs: run: | tools/ci/needs_backporting.sh "${{ github.repository }}" "${{ github.event.pull_request.number }}" "origin/${{ github.base_ref }}" "HEAD" "$PREDEFINED_GLOBS" "$LABEL_TO_ADD" "$NO_BACKPORT_AUTOLABEL" - name: Add checklist comment - if: github.event.action == 'opened' && github.event.pull_request.author != 'dependabot' + if: false # disable as it doesn't work github.event.action == 'opened' && github.event.pull_request.author != 'dependabot' env: GITHUB_TOKEN: ${{ github.token }} CHECKLIST_MESSAGE: | diff --git a/.github/workflows/ci-stability.yaml b/.github/workflows/ci-stability.yaml index b1996e6136d4..c5345bbd42d3 100644 --- a/.github/workflows/ci-stability.yaml +++ b/.github/workflows/ci-stability.yaml @@ -2,9 +2,16 @@ name: Check CI stability for PRs with "ci/verify-stability" or "ci/verify-stabil on: schedule: - - cron: "0 */2 19-23 * * 1-5" # From 7 PM to 11 PM Monday to Friday - - cron: "0 */2 0-7 * * 2-6" # From 12 AM to 7 AM Tuesday to Saturday - - cron: "0 */2 * * 6,0" # Every 2 hours on Saturday and Sunday + # Monday to Friday: Every 2 hours from 7 PM to 7 AM + - cron: "0 19 * * 1-5" + - cron: "0 21 * * 1-5" + - cron: "0 23 * * 1-5" + - cron: "0 1 * * 2-6" + - cron: "0 3 * * 2-6" + - cron: "0 5 * * 2-6" + - cron: "0 7 * * 2-6" + # Saturday and Sunday: Every 2 hours all day + - cron: "0 */2 * * 6,0" workflow_dispatch: # Allows manual trigger from GitHub Actions UI env: GH_USER: "github-actions[bot]" 
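Review bot: In check.yaml the `Add checklist comment` step is switched off with `if: false` and the old condition is left behind as a trailing comment, so the step and its `GITHUB_TOKEN` env remain in the workflow as dead configuration. Either delete the step or point the comment at a tracking issue, e.g. `if: false # disabled, see <issue-link>`. If the step is revived, note that the old condition read `github.event.pull_request.author`; the pull_request payload exposes the author as `user.login`, and Dependabot's login is `dependabot[bot]`, which may be why the filter did not behave as expected. The step body continues outside the hunk.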
@@ -17,22 +24,21 @@ jobs:
 uses: actions/checkout@v3
 with:
 fetch-depth: 0
- - name: Get open pull requests
- uses: octokit/request-action@v2.x
- id: get_prs
- with:
- route: GET /repos/${{ github.repository }}/pulls
+ - name: Get open pull requests and save to file
+ run: |
+ gh pr list --json number,labels > open_prs.json
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Process PRs
 id: process_prs
 run: |
- pr_numbers_with_verify_stability=$(echo '${{ steps.get_prs.outputs.data }}' | jq -r '.[] | select(.labels[].name == "ci/verify-stability") | .number')
- pr_numbers_with_verify_stability_merge_master=$(echo '${{ steps.get_prs.outputs.data }}' | jq -r '.[] | select(.labels[].name == "ci/verify-stability-merge-master") | .number')
+ cat open_prs.json
+ pr_numbers_with_verify_stability=$(jq -r '.[] | select(.labels[]?.name == "ci/verify-stability") | .number' open_prs.json)
+ pr_numbers_with_verify_stability_merge_master=$(jq -r '.[] | select(.labels[]?.name == "ci/verify-stability-merge-master") | .number' open_prs.json)
 echo "PRs with 'ci/verify-stability' label: $pr_numbers_with_verify_stability"
 echo "PRs with 'ci/verify-stability-merge-master' label: $pr_numbers_with_verify_stability_merge_master"
- echo "::set-output name=pr_numbers_with_verify_stability::$pr_numbers_with_verify_stability"
- echo "::set-output name=pr_numbers_with_verify_stability_merge_master::$pr_numbers_with_verify_stability_merge_master"
+ echo "pr_numbers_with_verify_stability=$pr_numbers_with_verify_stability" >> $GITHUB_OUTPUT
+ echo "pr_numbers_with_verify_stability_merge_master=$pr_numbers_with_verify_stability_merge_master" >> $GITHUB_OUTPUT
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Merge master branch (if applicable) and push a single commit
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index e7f65a3c131a..808fe4a5e3dc 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
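Review bot: In the `Process PRs` step, `echo "pr_numbers_with_verify_stability=$pr_numbers_with_verify_stability" >> $GITHUB_OUTPUT` writes a value that `jq -r` prints one PR number per line, so once two PRs carry the label the extra lines are not `name=value` pairs and the output is rejected or cut short. Put the numbers on one line before writing them, for example by piping the jq output through `tr '\n' ' '`, and quote the target as `>> "$GITHUB_OUTPUT"`; the `..._merge_master` output has the same problem. `gh pr list` returns only 30 PRs by default, so labelled PRs beyond that are skipped unless `--limit` is raised. The step that consumes these outputs is outside the hunk, so check the separator against it.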
@@ -24,13 +24,13 @@ jobs:
 with:
 go-version-file: go.mod
 - name: Initialize CodeQL
- uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+ uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
 with:
 config-file: ./.github/codeql/codeql-config.yml
 languages: ${{ matrix.language }}
 - name: Autobuild
- uses: github/codeql-action/autobuild@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+ uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+ uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
index 5f3409fb1537..b468a2e138d9 100644
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -34,7 +34,7 @@ jobs:
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: go.mod
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
diff --git a/.github/workflows/pr-comments.yaml b/.github/workflows/pr-comments.yaml
index 1089d168eb04..0a6073143414 100644
--- a/.github/workflows/pr-comments.yaml
+++ b/.github/workflows/pr-comments.yaml
@@ -47,7 +47,7 @@ jobs:
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: go.mod
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index d986be05add2..148ac9aa60fd 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -57,6 +57,6 @@ jobs:
 retention-days: 5
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+ uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/transparentproxy-tests.yaml b/.github/workflows/transparentproxy-tests.yaml
index 4524cbb3c126..ad4977fc2948 100644
--- a/.github/workflows/transparentproxy-tests.yaml
+++ b/.github/workflows/transparentproxy-tests.yaml
@@ -19,7 +19,7 @@ jobs:
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: go.mod
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
 with:
 path: |
 ${{ env.CI_TOOLS_DIR }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d563e17db10..05af6b0bda67 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,60 @@ # Changelog +## 2.8.4 +> Released on 2024/10/07 + +* chore(deps): bump coredns from v1.11.1 to v1.11.3 [#11574](https://github.com/kumahq/kuma/pull/11574) @kumahq +* chore(deps): bump golang from 1.22.7 to 1.22.8 [#11630](https://github.com/kumahq/kuma/pull/11630) @Icarus9913 +* chore(deps): security update [#11330](https://github.com/kumahq/kuma/pull/11330) @kumahq +* chore(deps): upgrade envoy to 1.30.6 [#11487](https://github.com/kumahq/kuma/pull/11487) @lukidzi +* fix(MeshTrace): invalid sampling default values (backport of #11548) [#11551](https://github.com/kumahq/kuma/pull/11551) @kumahq +* fix(egress): same external service tag in multiple meshes (backport of #11667) [#11671](https://github.com/kumahq/kuma/pull/11671) @kumahq +* fix(meshgateway): do not override annotations from deployment (backport of #10698) [#11616](https://github.com/kumahq/kuma/pull/11616) @kumahq +* fix(xds): eds deadlock on initial fetch timeout (backport of #11602) [#11606](https://github.com/kumahq/kuma/pull/11606) @kumahq +* revert(kuma-cp): do not use additional addresses (backport of #11601) [#11609](https://github.com/kumahq/kuma/pull/11609) @kumahq + + +## 2.7.8 +> Released on 2024/10/07 + +* chore(deps): bump coredns from v1.11.1 to v1.11.3 [#11575](https://github.com/kumahq/kuma/pull/11575) @kumahq +* chore(deps): bump golang from 1.22.7 to 1.22.8 [#11629](https://github.com/kumahq/kuma/pull/11629) @Icarus9913 +* chore(deps): security update [#11329](https://github.com/kumahq/kuma/pull/11329) @kumahq +* chore(deps): upgrade envoy to 1.29.9 [#11486](https://github.com/kumahq/kuma/pull/11486) @lukidzi +* fix(MeshTrace): invalid sampling default values (backport of #11548) [#11552](https://github.com/kumahq/kuma/pull/11552) @kumahq +* fix(egress): same external service tag in multiple meshes (backport of #11667) [#11670](https://github.com/kumahq/kuma/pull/11670) @kumahq +* fix(meshgateway): do not override annotations from deployment (backport of #10698) 
[#11618](https://github.com/kumahq/kuma/pull/11618) @kumahq +* fix(xds): eds deadlock on initial fetch timeout (backport of #11602) [#11605](https://github.com/kumahq/kuma/pull/11605) @kumahq +* revert(kuma-cp): do not use additional addresses (backport of #11601) [#11612](https://github.com/kumahq/kuma/pull/11612) @kumahq + + +## 2.6.12 +> Released on 2024/10/06 + +* chore(deps): bump coredns from v1.11.1 to v1.11.3 [#11576](https://github.com/kumahq/kuma/pull/11576) @kumahq +* chore(deps): bump golang from 1.22.7 to 1.22.8 [#11628](https://github.com/kumahq/kuma/pull/11628) @Icarus9913 +* chore(deps): security update [#11333](https://github.com/kumahq/kuma/pull/11333) @kumahq +* chore(deps): upgrade envoy to 1.28.7 [#11485](https://github.com/kumahq/kuma/pull/11485) @lukidzi +* fix(MeshTrace): invalid sampling default values (backport of #11548) [#11553](https://github.com/kumahq/kuma/pull/11553) @kumahq +* fix(egress): same external service tag in multiple meshes (backport of #11667) [#11669](https://github.com/kumahq/kuma/pull/11669) @kumahq +* fix(meshgateway): do not override annotations from deployment (backport of #10698) [#11619](https://github.com/kumahq/kuma/pull/11619) @kumahq +* fix(xds): eds deadlock on initial fetch timeout (backport of #11602) [#11607](https://github.com/kumahq/kuma/pull/11607) @kumahq +* revert(kuma-cp): do not use additional addresses (backport of #11601) [#11611](https://github.com/kumahq/kuma/pull/11611) @kumahq + + +## 2.5.11 +> Released on 2024/10/06 + +* chore(deps): bump coredns from v1.11.1 to v1.11.3 [#11573](https://github.com/kumahq/kuma/pull/11573) @kumahq +* chore(deps): bump golang from 1.22.7 to 1.22.8 [#11627](https://github.com/kumahq/kuma/pull/11627) @Icarus9913 +* chore(deps): security update [#11332](https://github.com/kumahq/kuma/pull/11332) @kumahq +* chore(deps): upgrade envoy to 1.28.7 [#11484](https://github.com/kumahq/kuma/pull/11484) @lukidzi +* fix(egress): same external service tag in multiple meshes 
(backport of #11667) [#11668](https://github.com/kumahq/kuma/pull/11668) @kumahq +* fix(meshgateway): do not override annotations from deployment (backport of #10698) [#11617](https://github.com/kumahq/kuma/pull/11617) @kumahq +* fix(xds): eds deadlock on initial fetch timeout (backport of #11602) [#11608](https://github.com/kumahq/kuma/pull/11608) @kumahq + + ## 2.8.3 > Released on 2024/08/30 diff --git a/UPGRADE.md b/UPGRADE.md index 8a46c4672c5f..0ba4145cef77 100644 --- a/UPGRADE.md +++ b/UPGRADE.md @@ -233,6 +233,12 @@ The values `yes` and `no` are deprecated for specifying boolean values in switch Please use `true` and `false` as replacements; some boolean switches also support `enabled` and `disabled`. [Check the documentation](https://kuma.io/docs/latest/reference/kubernetes-annotations/) for the specific annotation to confirm the correct replacements. +#### Deprecation of `kuma.io/mesh` annotation + +It was previously possible to create a resource in a `Mesh` by providing the `Mesh` name as an annotation, but this support has been deprecated and will be removed in the future. + +Please use the `kuma.io/mesh` label instead. + ## Upgrade to `2.8.x` ### MeshFaultInjection responseBandwidth.limit diff --git a/app/kumactl/cmd/install/install_transparent_proxy.go b/app/kumactl/cmd/install/install_transparent_proxy.go index a7c20cf9258b..16b4240a6b26 100644 --- a/app/kumactl/cmd/install/install_transparent_proxy.go +++ b/app/kumactl/cmd/install/install_transparent_proxy.go 
@@ -239,7 +239,15 @@ runuser -u kuma-dp -- \ cmd.Flags().Var(&cfg.Redirect.DNS.Port, "redirect-dns-port", "the port where the DNS agent is listening") cmd.Flags().StringVar(&cfg.Redirect.DNS.UpstreamTargetChain, "redirect-dns-upstream-target-chain", cfg.Redirect.DNS.UpstreamTargetChain, "(optional) the iptables chain where the upstream DNS requests should be directed to. It is only applied for IP V4. Use with care.") cmd.Flags().BoolVar(&cfg.StoreFirewalld, "store-firewalld", cfg.StoreFirewalld, "store the iptables changes with firewalld") - cmd.Flags().BoolVar(&cfg.Redirect.DNS.SkipConntrackZoneSplit, "skip-dns-conntrack-zone-split", cfg.Redirect.DNS.SkipConntrackZoneSplit, "skip applying conntrack zone splitting iptables rules") + cmd.Flags().BoolVar( + &cfg.Redirect.DNS.SkipConntrackZoneSplit, + "skip-dns-conntrack-zone-split", + cfg.Redirect.DNS.SkipConntrackZoneSplit, + fmt.Sprintf( + "Disables the conntrack zone splitting feature, which is used to avoid DNS resolution errors when applications make numerous DNS UDP requests. Normally, we separate conntrack zones to ensure proper handling of DNS traffic: Zone 2 handles DNS packets between the application and the local proxy, while Zone 1 manages packets between the proxy and upstream DNS resolvers. Disabling this feature should only be done if necessary, for example, in environments where custom iptables rules are already manipulating DNS traffic (e.g., inside Docker containers in custom networks when redirecting all DNS traffic [%s is enabled])", + flagRedirectAllDNSTraffic, + ), + ) cmd.Flags().BoolVar(&cfg.DropInvalidPackets, "drop-invalid-packets", cfg.DropInvalidPackets, "This flag enables dropping of packets in invalid states, improving application stability by preventing them from reaching the backend. This is particularly beneficial during high-throughput requests where out-of-order packets might bypass DNAT. Note: Enabling this flag may introduce slight performance overhead. 
Weigh the trade-off between connection stability and performance before enabling it.") // ebpf diff --git a/app/kumactl/cmd/install/install_transparent_proxy_test.go b/app/kumactl/cmd/install/install_transparent_proxy_test.go index 6321bc8a369e..c76dedd3cbcc 100644 --- a/app/kumactl/cmd/install/install_transparent_proxy_test.go +++ b/app/kumactl/cmd/install/install_transparent_proxy_test.go @@ -91,10 +91,10 @@ var _ = Context("kumactl install transparent proxy", func() { skip: func(stdout, stderr string) bool { return !strings.Contains( stderr, - "conntrack zone splitting is disabled. Functionality requires the 'conntrack' iptables module", + "conntrack zone splitting is disabled. This requires the 'conntrack' iptables module", ) }, - errorMatcher: ContainSubstring("conntrack zone splitting is disabled. Functionality requires the 'conntrack' iptables module"), + errorMatcher: ContainSubstring("conntrack zone splitting is disabled. This requires the 'conntrack' iptables module"), goldenFile: "install-transparent-proxy.dns.no-conntrack.golden.txt", }), Entry("should generate defaults with user id and DNS redirected", testCase{ @@ -106,7 +106,7 @@ var _ = Context("kumactl install transparent proxy", func() { skip: func(stdout, stderr string) bool { return strings.Contains( stderr, - "conntrack zone splitting is disabled. Functionality requires the 'conntrack' iptables module", + "conntrack zone splitting is disabled. This requires the 'conntrack' iptables module", ) }, goldenFile: "install-transparent-proxy.dns.golden.txt", diff --git a/app/kumactl/cmd/install/testdata/install-observability.defaults.golden.yaml b/app/kumactl/cmd/install/testdata/install-observability.defaults.golden.yaml index 946fd18ac8e8..6a6a8f274210 100644 --- a/app/kumactl/cmd/install/testdata/install-observability.defaults.golden.yaml +++ b/app/kumactl/cmd/install/testdata/install-observability.defaults.golden.yaml 
@@ -6,7 +6,6 @@ metadata:
 name: mesh-observability
 labels:
 kuma.io/sidecar-injection: disabled
- annotations:
 kuma.io/mesh: default
 ---
 apiVersion: v1
diff --git a/app/kumactl/cmd/install/testdata/install-observability.no-grafana.golden.yaml b/app/kumactl/cmd/install/testdata/install-observability.no-grafana.golden.yaml
index 7c0b805637d4..2e4d88ad6bbf 100644
--- a/app/kumactl/cmd/install/testdata/install-observability.no-grafana.golden.yaml
+++ b/app/kumactl/cmd/install/testdata/install-observability.no-grafana.golden.yaml
@@ -6,7 +6,6 @@ metadata:
 name: mesh-observability
 labels:
 kuma.io/sidecar-injection: disabled
- annotations:
 kuma.io/mesh: default
 ---
 apiVersion: v1
diff --git a/app/kumactl/cmd/install/testdata/install-observability.no-jaeger.golden.yaml b/app/kumactl/cmd/install/testdata/install-observability.no-jaeger.golden.yaml
index 8c15de1113de..05b306f6fbf6 100644
--- a/app/kumactl/cmd/install/testdata/install-observability.no-jaeger.golden.yaml
+++ b/app/kumactl/cmd/install/testdata/install-observability.no-jaeger.golden.yaml
@@ -6,7 +6,6 @@ metadata:
 name: mesh-observability
 labels:
 kuma.io/sidecar-injection: disabled
- annotations:
 kuma.io/mesh: default
 ---
 apiVersion: v1
diff --git a/app/kumactl/cmd/install/testdata/install-observability.no-loki.golden.yaml b/app/kumactl/cmd/install/testdata/install-observability.no-loki.golden.yaml
index 7207f54c11ab..e712aaac6951 100644
--- a/app/kumactl/cmd/install/testdata/install-observability.no-loki.golden.yaml
+++ b/app/kumactl/cmd/install/testdata/install-observability.no-loki.golden.yaml
@@ -6,7 +6,6 @@ metadata:
 name: mesh-observability
 labels:
 kuma.io/sidecar-injection: disabled
- annotations:
 kuma.io/mesh: default
 ---
 apiVersion: v1
diff --git a/app/kumactl/cmd/install/testdata/install-observability.no-prometheus.golden.yaml b/app/kumactl/cmd/install/testdata/install-observability.no-prometheus.golden.yaml
index 538a9b731017..14998194fbcb 100644
--- a/app/kumactl/cmd/install/testdata/install-observability.no-prometheus.golden.yaml
+++ b/app/kumactl/cmd/install/testdata/install-observability.no-prometheus.golden.yaml
@@ -6,7 +6,6 @@ metadata:
 name: mesh-observability
 labels:
 kuma.io/sidecar-injection: disabled
- annotations:
 kuma.io/mesh: default
 ---
 apiVersion: v1
diff --git a/app/kumactl/cmd/install/testdata/install-observability.overrides.golden.yaml b/app/kumactl/cmd/install/testdata/install-observability.overrides.golden.yaml
index 791807676aec..9e3916293e59 100644
--- a/app/kumactl/cmd/install/testdata/install-observability.overrides.golden.yaml
+++ b/app/kumactl/cmd/install/testdata/install-observability.overrides.golden.yaml
@@ -6,7 +6,6 @@ metadata:
 name: kuma
 labels:
 kuma.io/sidecar-injection: disabled
- annotations:
 kuma.io/mesh: mesh-1
 ---
 apiVersion: v1
diff --git a/app/kumactl/data/install/k8s-deprecated/metrics/namespace.yaml b/app/kumactl/data/install/k8s-deprecated/metrics/namespace.yaml
index eab084d78f5a..10b24597a106 100644
--- a/app/kumactl/data/install/k8s-deprecated/metrics/namespace.yaml
+++ b/app/kumactl/data/install/k8s-deprecated/metrics/namespace.yaml
@@ -6,5 +6,4 @@ metadata:
 name: {{ .Namespace }}
 labels:
 kuma.io/sidecar-injection: enabled
- annotations:
 kuma.io/mesh: {{ .Mesh }}
diff --git a/app/kumactl/data/install/k8s/metrics/namespace.yaml b/app/kumactl/data/install/k8s/metrics/namespace.yaml
index c8f22e869093..9ea7b01ac935 100644
--- a/app/kumactl/data/install/k8s/metrics/namespace.yaml
+++ b/app/kumactl/data/install/k8s/metrics/namespace.yaml
@@ -5,5 +5,4 @@ metadata:
 name: {{ .Namespace }}
 labels:
 kuma.io/sidecar-injection: disabled
- annotations:
 kuma.io/mesh: {{ .Mesh }}
diff --git a/go.mod b/go.mod
index cda7382f6f96..288f97108d81 100644
--- a/go.mod
+++ b/go.mod
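Review bot: With `annotations:` removed, `kuma.io/mesh: {{ .Mesh }}` in `k8s-deprecated/metrics/namespace.yaml` (and the same line in `k8s/metrics/namespace.yaml`) now renders under `labels:`, still as an unquoted template value. If mesh-name validation allows a name that YAML reads as a number or boolean, the rendered label is not a string and the manifest is rejected; label values also follow stricter syntax rules than annotation values. Quoting the value, `kuma.io/mesh: "{{ .Mesh }}"`, removes the typing risk. The golden files changed in this commit would need regenerating to match.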
@@ -26,7 +26,7 @@ require ( github.com/google/go-cmp v0.6.0 github.com/google/uuid v1.6.0 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 - github.com/gruntwork-io/terratest v0.47.1 + github.com/gruntwork-io/terratest v0.47.2 github.com/hoisie/mustache v0.0.0-20160804235033-6375acf62c69 github.com/jackc/pgx/v5 v5.7.1 github.com/josephburnett/jd/v2 v2.0.0-20230813234251-7b2e87c80934 @@ -42,13 +42,13 @@ require ( github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.20.4 github.com/prometheus/client_model v0.6.1 - github.com/prometheus/common v0.59.1 + github.com/prometheus/common v0.60.0 github.com/sethvargo/go-retry v0.3.0 github.com/shopspring/decimal v1.4.0 github.com/slok/go-http-metrics v0.13.0 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 - github.com/spiffe/go-spiffe/v2 v2.3.0 + github.com/spiffe/go-spiffe/v2 v2.4.0 github.com/testcontainers/testcontainers-go v0.33.0 github.com/tonglil/opentelemetry-go-datadog-propagator v0.1.3 github.com/vishvananda/netlink v1.3.0 @@ -66,14 +66,14 @@ require ( go.uber.org/multierr v1.11.0 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e - golang.org/x/net v0.29.0 - golang.org/x/sys v0.25.0 - golang.org/x/text v0.18.0 + golang.org/x/net v0.30.0 + golang.org/x/sys v0.26.0 + golang.org/x/text v0.19.0 gonum.org/v1/gonum v0.15.1 google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 - google.golang.org/grpc v1.67.0 - google.golang.org/protobuf v1.34.2 + google.golang.org/grpc v1.67.1 + google.golang.org/protobuf v1.35.1 gopkg.in/natefinch/lumberjack.v2 v2.2.1 helm.sh/helm/v3 v3.16.1 k8s.io/api v0.31.1 @@ -87,7 +87,7 @@ require ( sigs.k8s.io/controller-runtime v0.19.0 sigs.k8s.io/controller-tools v0.16.3 // When updating this also update version in: test/framework/k8s.go - sigs.k8s.io/gateway-api v1.1.0 + sigs.k8s.io/gateway-api v1.2.0 sigs.k8s.io/yaml v1.4.0 ) 
@@ -213,11 +213,11 @@ require ( go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 // indirect go.opentelemetry.io/otel/metric v1.30.0 // indirect go.uber.org/atomic v1.10.0 // indirect - golang.org/x/crypto v0.27.0 // indirect + golang.org/x/crypto v0.28.0 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/oauth2 v0.22.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/term v0.24.0 // indirect + golang.org/x/term v0.25.0 // indirect golang.org/x/time v0.6.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index 340860105d82..38f4720ce260 100644 --- a/go.sum +++ b/go.sum @@ -178,8 +178,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjw github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= -github.com/gruntwork-io/terratest v0.47.1 h1:qOaxnL7Su5+KpDHYUN/ek1jn8ImvCKtOkaY4OSMS4tI= -github.com/gruntwork-io/terratest v0.47.1/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64= +github.com/gruntwork-io/terratest v0.47.2 h1:t6iWwsqJH7Gx0RwXleU/vjc+2c0JXRMdj3DxYXTBssQ= +github.com/gruntwork-io/terratest v0.47.2/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -342,8 +342,8 @@ github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zI github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.59.1 h1:LXb1quJHWm1P6wq/U824uxYi4Sg0oGvNeUm1z5dJoX0= -github.com/prometheus/common v0.59.1/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0= +github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= +github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= @@ -375,8 +375,8 @@ github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8= -github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY= +github.com/spiffe/go-spiffe/v2 v2.4.0 h1:j/FynG7hi2azrBG5cvjRcnQ4sux/VNj8FAVc99Fl66c= +github.com/spiffe/go-spiffe/v2 v2.4.0/go.mod h1:m5qJ1hGzjxjtrkGHZupoXHo/FDWwCB1MdSyBzfHugx0= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 
@@ -466,8 +466,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= -golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk= golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 
@@ -478,10 +478,10 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= -golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= -golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -504,14 +504,14 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= -golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -532,10 +532,10 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1: google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= -google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 
@@ -579,8 +579,8 @@ sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.16.3 h1:z48C5/d4jCVQQvtiSBL5MYyZ3EO2eFIOXrIKMgHVhFY= sigs.k8s.io/controller-tools v0.16.3/go.mod h1:AEj6k+w1kYpLZv2einOH3mj52ips4W/6FUjnB5tkJGs= -sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= -sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= +sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= +sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/mk/dependencies/deps.lock b/mk/dependencies/deps.lock index 8bdde8be787f..031e9e4979e4 100644 --- a/mk/dependencies/deps.lock +++ b/mk/dependencies/deps.lock @@ -1 +1 @@ -fac2c19fe796298c648b82b21d3e90c0099fe72a +67e5a6e147d569852851535e91196922ade8162d diff --git a/mk/dependencies/go-deps.sh b/mk/dependencies/go-deps.sh index a1917ef53aab..ac242bc73c1b 100755 --- a/mk/dependencies/go-deps.sh +++ b/mk/dependencies/go-deps.sh @@ -12,6 +12,7 @@ GINKGO=github.com/onsi/ginkgo/v2/ginkgo@$(go list -f '{{.Version}}' -m github.co CONTROLLER_GEN=sigs.k8s.io/controller-tools/cmd/controller-gen@$(go list -f '{{.Version}}' -m sigs.k8s.io/controller-tools) echo '' > mk/dependencies/go-deps.versions +PIDS=() for i in \ google.golang.org/protobuf/cmd/protoc-gen-go@v1.28.1 \ google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1.0 \ 
@@ -27,8 +28,12 @@ for i in \ echo "install go dep: ${i}" echo "${i}" >> mk/dependencies/go-deps.versions GOBIN=${OUTPUT_BIN_DIR} go install "${i}" & + PIDS+=($!) +done + +for PID in "${PIDS[@]}"; do + wait "${PID}" done -wait set +x # Get the protos from some go dependencies diff --git a/pkg/core/resources/apis/meshservice/generate/generator.go b/pkg/core/resources/apis/meshservice/generate/generator.go index ab7bfbdd081e..5bdf18bc568a 100644 --- a/pkg/core/resources/apis/meshservice/generate/generator.go +++ b/pkg/core/resources/apis/meshservice/generate/generator.go @@ -23,7 +23,7 @@ import ( "github.com/kumahq/kuma/pkg/core/user" core_metrics "github.com/kumahq/kuma/pkg/metrics" "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/metadata" - "github.com/kumahq/kuma/pkg/xds/cache/mesh" + mesh_cache "github.com/kumahq/kuma/pkg/xds/cache/mesh" xds_context "github.com/kumahq/kuma/pkg/xds/context" ) @@ -39,7 +39,7 @@ type Generator struct { deletionGracePeriod time.Duration metric prometheus.Summary resManager manager.ResourceManager - meshCache *mesh.Cache + meshCache *mesh_cache.Cache } var _ component.Component = &Generator{} @@ -50,7 +50,7 @@ func New( deletionGracePeriod time.Duration, metrics core_metrics.Metrics, resManager manager.ResourceManager, - meshCache *mesh.Cache, + meshCache *mesh_cache.Cache, ) (*Generator, error) { metric := prometheus.NewSummary(prometheus.SummaryOpts{ Name: "component_meshservice_generator", 
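Review bot: In mk/dependencies/go-deps.sh the per-PID `wait "${PID}"` only aborts the script on a failed `go install` if errexit is active, and no `set -e` is visible in this hunk. The loop appends `${i}` to `go-deps.versions` before the install runs, so a failure that goes unnoticed could leave the versions file claiming a tool version that was never built. If the CI tools directory is restored from cache, an older binary would then be used in its place. Making the failure explicit removes the dependency on shell options: `wait "${PID}" || { echo "go install failed (pid ${PID})" >&2; exit 1; }`. The script continues outside the hunk.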
@@ -290,6 +290,18 @@ func (g *Generator) Start(stop <-chan struct{}) error { dataplanes := meshCtx.Resources.Dataplanes() meshServices := meshCtx.Resources.MeshServices() g.generate(ctx, mesh, dataplanes.Items, meshServices.Items) + } else { + for _, meshService := range meshCtx.Resources.MeshServices().Items { + if managedBy, ok := meshService.GetMeta().GetLabels()[mesh_proto.ManagedByLabel]; !ok || managedBy != managedByValue { + continue + } + log := g.logger.WithValues("mesh", mesh, "MeshService", meshService.GetMeta().GetName()) + if err := g.resManager.Delete(ctx, meshservice_api.NewMeshServiceResource(), store.DeleteBy(model.MetaToResourceKey(meshService.GetMeta()))); err != nil { + log.Error(err, "couldn't delete MeshService") + continue + } + log.Info("deleted MeshService") + } } } g.metric.Observe(float64(time.Since(start).Milliseconds())) diff --git a/pkg/plugins/runtime/k8s/controllers/configmap_controller.go b/pkg/plugins/runtime/k8s/controllers/configmap_controller.go index 4831f092b55c..652c5c325c43 100644 --- a/pkg/plugins/runtime/k8s/controllers/configmap_controller.go +++ b/pkg/plugins/runtime/k8s/controllers/configmap_controller.go @@ -121,7 +121,7 @@ func ServiceToConfigMapsMapper(client kube_client.Reader, l logr.Logger, systemN meshSet := map[string]struct{}{} for i := range pods.Items { - meshSet[k8s_util.MeshOfByAnnotation(&pods.Items[i], &ns)] = struct{}{} + meshSet[k8s_util.MeshOfByLabelOrAnnotation(l, &pods.Items[i], &ns)] = struct{}{} } var req []kube_reconile.Request for mesh := range meshSet { diff --git a/pkg/plugins/runtime/k8s/controllers/configmap_controller_test.go b/pkg/plugins/runtime/k8s/controllers/configmap_controller_test.go index 4d98210184b0..318440ad2462 100644 --- a/pkg/plugins/runtime/k8s/controllers/configmap_controller_test.go +++ b/pkg/plugins/runtime/k8s/controllers/configmap_controller_test.go 
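Review bot: In generator.go's new `else` branch, every failed `g.resManager.Delete` is logged as an error, including the case where the MeshService is already gone. The list is read from `meshCtx`, which looks cache-backed, so an item deleted on one tick may still be listed on the next; treating not-found as success would keep the error log meaningful, e.g. `if err != nil && !store.IsResourceNotFound(err) {`. The branch also selects what to delete purely by the `mesh_proto.ManagedByLabel` value, so it is worth confirming that users cannot set that label value on MeshServices they created themselves, since those would be removed too. The enclosing `if` condition and the rest of `Start` are outside the hunk.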
@@ -115,7 +115,7 @@ var _ = Describe("ServiceToConfigMapMapper", func() { defaultNs, []kube_core.Pod{ podFn("pod1", map[string]string{"app": "app2"}, nil), - podFn("pod2", map[string]string{"app": "app2"}, map[string]string{metadata.KumaMeshAnnotation: "mesh2"}), + podFn("pod2", map[string]string{"app": "app2", metadata.KumaMeshLabel: "mesh2"}, map[string]string{}), }, []string{}, ), @@ -124,7 +124,7 @@ var _ = Describe("ServiceToConfigMapMapper", func() { defaultNs, []kube_core.Pod{ podFn("pod1", map[string]string{"app": "app1"}, nil), - podFn("pod2", map[string]string{"app": "app2"}, map[string]string{metadata.KumaMeshAnnotation: "mesh2"}), + podFn("pod2", map[string]string{"app": "app2", metadata.KumaMeshLabel: "mesh2"}, map[string]string{}), }, []string{"kuma-default-dns-vips"}, ), @@ -132,8 +132,8 @@ var _ = Describe("ServiceToConfigMapMapper", func() { serviceFn(map[string]string{"app": "app1"}), defaultNs, []kube_core.Pod{ - podFn("pod1", map[string]string{"app": "app1"}, map[string]string{metadata.KumaMeshAnnotation: "mesh1"}), - podFn("pod2", map[string]string{"app": "app2"}, map[string]string{metadata.KumaMeshAnnotation: "mesh2"}), + podFn("pod1", map[string]string{"app": "app1", metadata.KumaMeshLabel: "mesh1"}, map[string]string{}), + podFn("pod2", map[string]string{"app": "app2", metadata.KumaMeshLabel: "mesh2"}, map[string]string{}), }, []string{"kuma-mesh1-dns-vips"}, ), 
@@ -141,8 +141,8 @@ var _ = Describe("ServiceToConfigMapMapper", func() { serviceFn(map[string]string{"app": "app1"}), defaultNs, []kube_core.Pod{ - podFn("pod1", map[string]string{"app": "app1"}, map[string]string{metadata.KumaMeshAnnotation: "mesh1"}), - podFn("pod2", map[string]string{"app": "app1"}, map[string]string{metadata.KumaMeshAnnotation: "mesh2"}), + podFn("pod1", map[string]string{"app": "app1", metadata.KumaMeshLabel: "mesh1"}, map[string]string{}), + podFn("pod2", map[string]string{"app": "app1", metadata.KumaMeshLabel: "mesh2"}, map[string]string{}), }, []string{"kuma-mesh1-dns-vips", "kuma-mesh2-dns-vips"}, ), @@ -151,7 +151,7 @@ var _ = Describe("ServiceToConfigMapMapper", func() { kube_core.Namespace{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ - metadata.KumaMeshAnnotation: "mesh1", + metadata.KumaMeshLabel: "mesh1", }, }, }, 
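Review bot: In configmap_controller_test.go the namespace-annotation entries (hunks at -151 and -166) now key `ObjectMeta.Annotations` with `metadata.KumaMeshLabel`. In the -166 hunk pod1 also passes `metadata.KumaMeshLabel` in what appears to be the annotations argument of `podFn`. These cases still cover the annotation fallback only if the label and annotation constants hold the same string, which the diff does not show, and they read as label tests while exercising annotations. Keeping the deprecated constant with a suppression, as the new "namespace label pod has annotation" entry does, states the intent: `metadata.KumaMeshAnnotation: "mesh1", // nolint:staticcheck`.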
@@ -166,15 +166,45 @@ var _ = Describe("ServiceToConfigMapMapper", func() { kube_core.Namespace{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ - metadata.KumaMeshAnnotation: "mesh1", + metadata.KumaMeshLabel: "mesh1", }, }, }, []kube_core.Pod{ - podFn("pod1", map[string]string{"app": "app1"}, map[string]string{metadata.KumaMeshAnnotation: "mesh2"}), + podFn("pod1", map[string]string{"app": "app1"}, map[string]string{metadata.KumaMeshLabel: "mesh2"}), podFn("pod2", map[string]string{"app": "app1"}, nil), }, []string{"kuma-mesh1-dns-vips", "kuma-mesh2-dns-vips"}, ), + Entry("namespace label pod has label", + serviceFn(map[string]string{"app": "app1"}), + kube_core.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + metadata.KumaMeshLabel: "mesh1", + }, + }, + }, + []kube_core.Pod{ + podFn("pod1", map[string]string{"app": "app1", metadata.KumaMeshLabel: "mesh1"}, map[string]string{}), + podFn("pod2", map[string]string{"app": "app1"}, nil), + }, + []string{"kuma-mesh1-dns-vips"}, + ), + Entry("namespace label pod has annotation", + serviceFn(map[string]string{"app": "app1"}), + kube_core.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + metadata.KumaMeshLabel: "mesh1", + }, + }, + }, + []kube_core.Pod{ + podFn("pod1", map[string]string{"app": "app1"}, map[string]string{metadata.KumaMeshAnnotation: "mesh1"}), // nolint:staticcheck + podFn("pod2", map[string]string{"app": "app1"}, nil), + }, + []string{"kuma-mesh1-dns-vips"}, + ), ) }) diff --git a/pkg/plugins/runtime/k8s/controllers/gateway_converter.go b/pkg/plugins/runtime/k8s/controllers/gateway_converter.go index 7fc0c1443da6..312d11349868 100644 --- a/pkg/plugins/runtime/k8s/controllers/gateway_converter.go +++ b/pkg/plugins/runtime/k8s/controllers/gateway_converter.go 
@@ -25,7 +25,7 @@ func (r *PodReconciler) createorUpdateBuiltinGatewayDataplane(ctx context.Contex Namespace: pod.Namespace, Name: pod.Name, }, - Mesh: k8s_util.MeshOfByAnnotation(pod, ns), + Mesh: k8s_util.MeshOfByLabelOrAnnotation(r.Log, pod, ns), } tagsAnnotation, ok := pod.Annotations[metadata.KumaTagsAnnotation] diff --git a/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go b/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go index 7d9e94ef61d4..d8a790f29546 100644 --- a/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go +++ b/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go @@ -309,7 +309,6 @@ func (r *GatewayInstanceReconciler) createOrUpdateDeployment( podAnnotations := map[string]string{ metadata.KumaGatewayAnnotation: metadata.AnnotationBuiltin, metadata.KumaTagsAnnotation: string(jsonTags), - metadata.KumaMeshAnnotation: mesh, } if obj != nil { @@ -324,6 +323,7 @@ func (r *GatewayInstanceReconciler) createOrUpdateDeployment( podLabels := k8sSelector(gatewayInstance.Name) podLabels[metadata.KumaSidecarInjectionAnnotation] = metadata.AnnotationDisabled + podLabels[metadata.KumaMeshLabel] = mesh for k, v := range gatewayInstance.Spec.PodTemplate.Metadata.Labels { podLabels[k] = v diff --git a/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_controller.go b/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_controller.go index 49aace756f05..77502a1d30b9 100644 --- a/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_controller.go +++ b/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_controller.go 
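Review bot: In gateway_instance_controller.go (hunk at -324), `podLabels[metadata.KumaMeshLabel] = mesh` is set before the loop that copies `gatewayInstance.Spec.PodTemplate.Metadata.Labels` into `podLabels`, so a `kuma.io/mesh` entry in the pod template overwrites the mesh the controller resolved. Mesh membership is now read from the pod label first (`MeshOfByLabelOrAnnotation`), so the gateway pods could end up in a different mesh than the instance itself. Assigning the label after the loop, or skipping that key inside it, keeps the controller's value authoritative: move `podLabels[metadata.KumaMeshLabel] = mesh` below the `for k, v := range ...Labels` block. The same ordering applies to the sidecar-injection label on the line above; `createOrUpdateDeployment` starts and ends outside the hunk.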
@@ -82,7 +82,7 @@ func (r *GatewayReconciler) Reconcile(ctx context.Context, req kube_ctrl.Request return kube_ctrl.Result{}, errors.Wrap(err, "unable to get Namespace of MeshGateway") } - mesh := k8s_util.MeshOfByAnnotation(gateway, &ns) + mesh := k8s_util.MeshOfByLabelOrAnnotation(r.Log, gateway, &ns) gatewaySpec, listenerConditions, err := r.gapiToKumaGateway(ctx, mesh, gateway, config) if err != nil { return kube_ctrl.Result{}, errors.Wrap(err, "error generating MeshGateway.kuma.io") @@ -146,7 +146,7 @@ func (r *GatewayReconciler) createOrUpdateInstance(ctx context.Context, mesh str if instance.Labels == nil { instance.Labels = map[string]string{} } - instance.Labels[metadata.KumaMeshAnnotation] = mesh + instance.Labels[metadata.KumaMeshLabel] = mesh instance.Spec = mesh_k8s.MeshGatewayInstanceSpec{ Tags: config.Tags, diff --git a/pkg/plugins/runtime/k8s/controllers/inbound_converter.go b/pkg/plugins/runtime/k8s/controllers/inbound_converter.go index 63883f55bc03..898274a4dca9 100644 --- a/pkg/plugins/runtime/k8s/controllers/inbound_converter.go +++ b/pkg/plugins/runtime/k8s/controllers/inbound_converter.go @@ -193,7 +193,7 @@ func InboundTagsForService(zone string, pod *kube_core.Pod, svc *kube_core.Servi tags[key] = value } if len(ignoredLabels) > 0 { - logger.Info("ignoring internal labels when converting labels to tags", "label", strings.Join(ignoredLabels, ",")) + logger.V(1).Info("ignoring internal labels when converting labels to tags", "label", strings.Join(ignoredLabels, ",")) } tags[mesh_proto.KubeNamespaceTag] = pod.Namespace diff --git a/pkg/plugins/runtime/k8s/controllers/meshservice_controller.go b/pkg/plugins/runtime/k8s/controllers/meshservice_controller.go index 4bb36ee3ff5e..f3614b691884 100644 --- a/pkg/plugins/runtime/k8s/controllers/meshservice_controller.go +++ b/pkg/plugins/runtime/k8s/controllers/meshservice_controller.go 
@@ -113,7 +113,10 @@ func (r *MeshServiceReconciler) Reconcile(ctx context.Context, req kube_ctrl.Req } if mesh.Spec.MeshServicesMode() == mesh_proto.Mesh_MeshServices_Disabled { - log.V(1).Info("MeshServices not enabled on Mesh, ignoring") + log.V(1).Info("MeshServices not enabled on Mesh, deleting existing") + if err := r.deleteIfExist(ctx, req.NamespacedName); err != nil { + return kube_ctrl.Result{}, err + } return kube_ctrl.Result{}, nil } diff --git a/pkg/plugins/runtime/k8s/controllers/pod_controller.go b/pkg/plugins/runtime/k8s/controllers/pod_controller.go index ba22616aeec9..d033deccf9ca 100644 --- a/pkg/plugins/runtime/k8s/controllers/pod_controller.go +++ b/pkg/plugins/runtime/k8s/controllers/pod_controller.go @@ -293,7 +293,7 @@ func (r *PodReconciler) findOtherDataplanes(ctx context.Context, pod *kube_core. } // only consider Dataplanes in the same Mesh as Pod - mesh := util_k8s.MeshOfByAnnotation(pod, ns) + mesh := util_k8s.MeshOfByLabelOrAnnotation(converterLog, pod, ns) otherDataplanes := make([]*mesh_k8s.Dataplane, 0) for i := range allDataplanes.Items { dataplane := allDataplanes.Items[i] diff --git a/pkg/plugins/runtime/k8s/controllers/pod_converter.go b/pkg/plugins/runtime/k8s/controllers/pod_converter.go index 87e1feb93c31..c8a9ab967929 100644 --- a/pkg/plugins/runtime/k8s/controllers/pod_converter.go +++ b/pkg/plugins/runtime/k8s/controllers/pod_converter.go @@ -46,7 +46,7 @@ func (p *PodConverter) PodToDataplane( ) error { logger := converterLog.WithValues("Dataplane.name", dataplane.Name, "Pod.name", pod.Name) previousMesh := dataplane.Mesh - dataplane.Mesh = util_k8s.MeshOfByAnnotation(pod, ns) + dataplane.Mesh = util_k8s.MeshOfByLabelOrAnnotation(logger, pod, ns) dataplaneProto, err := p.dataplaneFor(ctx, pod, services, others) if err != nil { return err diff --git a/pkg/plugins/runtime/k8s/metadata/annotations.go b/pkg/plugins/runtime/k8s/metadata/annotations.go index ea15d7583810..959b6ef74609 100644 
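Review bot: In meshservice_controller.go the disabled-mode path now deletes resources, but its only visible log line is `log.V(1).Info("MeshServices not enabled on Mesh, deleting existing")`. That line is hidden at default verbosity and is emitted on every reconcile whether or not anything existed. A destructive action triggered by a Mesh setting change deserves an audit trail; the generator in this same commit logs `log.Info("deleted MeshService")` after a successful delete, and `deleteIfExist` could do the same when it actually removes something. `deleteIfExist` is not shown, so it is also worth confirming that it only removes MeshServices this controller owns. `Reconcile` continues outside the hunk.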
--- a/pkg/plugins/runtime/k8s/metadata/annotations.go +++ b/pkg/plugins/runtime/k8s/metadata/annotations.go @@ -11,6 +11,8 @@ import ( // Annotations that can be used by the end users. const ( + // Deprecated: use KumaMeshLabel as a label from pkg/plugins/runtime/k8s/metadata/labels.go instead of this annotation. + // // KumaMeshAnnotation defines a Pod annotation that // associates a given Pod with a particular Mesh. // Annotation value must be the name of a Mesh resource. diff --git a/pkg/plugins/runtime/k8s/util/util.go b/pkg/plugins/runtime/k8s/util/util.go index 2abe57ad1255..26636ddb7723 100644 --- a/pkg/plugins/runtime/k8s/util/util.go +++ b/pkg/plugins/runtime/k8s/util/util.go @@ -7,7 +7,6 @@ import ( "github.com/go-logr/logr" "golang.org/x/exp/maps" kube_core "k8s.io/api/core/v1" - kube_meta "k8s.io/apimachinery/pkg/apis/meta/v1" kube_labels "k8s.io/apimachinery/pkg/labels" kube_types "k8s.io/apimachinery/pkg/types" kube_intstr "k8s.io/apimachinery/pkg/util/intstr" @@ -137,19 +136,6 @@ func CopyStringMap(in map[string]string) map[string]string { return out } -// MeshOfByAnnotation returns the mesh of the given object according to its own annotations -// or those of its namespace. -func MeshOfByAnnotation(obj kube_meta.Object, namespace *kube_core.Namespace) string { - if mesh, exists := metadata.Annotations(obj.GetAnnotations()).GetString(metadata.KumaMeshAnnotation); exists && mesh != "" { - return mesh - } - if mesh, exists := metadata.Annotations(namespace.GetAnnotations()).GetString(metadata.KumaMeshAnnotation); exists && mesh != "" { - return mesh - } - - return model.DefaultMesh -} - // MeshOfByLabelOrAnnotation returns the mesh of the given object according to its own // annotations or labels or the annotations of its namespace. It treats the annotation // directly on the object as deprecated. 
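Review bot: In annotations.go the `Deprecated:` paragraph is placed ahead of the sentence that starts with the identifier. Go doc convention is to open the comment with `KumaMeshAnnotation defines ...` and put the deprecation notice in its own paragraph after the description, which is also where godoc readers look for it. I would move the added `// Deprecated: use KumaMeshLabel ... instead of this annotation.` line below the existing description, separated by an empty `//` line. The const block continues outside the hunk.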
@@ -157,18 +143,18 @@ func MeshOfByLabelOrAnnotation(log logr.Logger, obj kube_client.Object, namespac if mesh, exists := metadata.Annotations(obj.GetLabels()).GetString(metadata.KumaMeshLabel); exists && mesh != "" { return mesh } - if mesh, exists := metadata.Annotations(obj.GetAnnotations()).GetString(metadata.KumaMeshAnnotation); exists && mesh != "" { - log.Info("WARNING: The kuma.io/mesh annotation is deprecated for this object kind. Use label instead", "name", obj.GetName(), "namespace", obj.GetNamespace(), "kind", obj.GetObjectKind().GroupVersionKind().Kind) + if mesh, exists := metadata.Annotations(obj.GetAnnotations()).GetString(metadata.KumaMeshAnnotation); exists && mesh != "" { // nolint:staticcheck + log.Info("WARNING: The kuma.io/mesh annotation is no longer supported. Use label instead", "name", obj.GetName(), "namespace", obj.GetNamespace(), "kind", obj.GetObjectKind().GroupVersionKind().Kind) return mesh } // Label wasn't found on the object, let's look on the namespace instead - if mesh, exists := metadata.Annotations(namespace.GetLabels()).GetString(metadata.KumaMeshAnnotation); exists && mesh != "" { + if mesh, exists := metadata.Annotations(namespace.GetLabels()).GetString(metadata.KumaMeshLabel); exists && mesh != "" { return mesh } - if mesh, exists := metadata.Annotations(namespace.GetAnnotations()).GetString(metadata.KumaMeshAnnotation); exists && mesh != "" { - log.Info("WARNING: The kuma.io/mesh annotation is deprecated for this object kind. Use label instead", "name", obj.GetName(), "namespace", obj.GetNamespace(), "kind", obj.GetObjectKind().GroupVersionKind().Kind) + if mesh, exists := metadata.Annotations(namespace.GetAnnotations()).GetString(metadata.KumaMeshAnnotation); exists && mesh != "" { // nolint:staticcheck + log.Info("WARNING: The kuma.io/mesh annotation is no longer supported. Use label instead", "name", obj.GetName(), "namespace", obj.GetNamespace(), "kind", obj.GetObjectKind().GroupVersionKind().Kind) return mesh } 
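Review bot: In util.go's `MeshOfByLabelOrAnnotation`, both warnings now say the annotation "is no longer supported", yet each branch still returns the mesh taken from that annotation. An operator reading the log would conclude the value is ignored while it is in fact deciding mesh membership. Either keep wording that matches the behaviour, e.g. `"WARNING: The kuma.io/mesh annotation is deprecated and will be removed. Use the label instead"`, or stop honouring the annotation. The namespace-annotation branch also logs `obj.GetName()` and the object's kind although the offending annotation sits on the namespace, so naming the namespace there would point at the right resource. The final fallback of the function is outside the hunk.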
diff --git a/pkg/plugins/runtime/k8s/util/util_test.go b/pkg/plugins/runtime/k8s/util/util_test.go index 7d06b7e411bf..795434fcf03a 100644 --- a/pkg/plugins/runtime/k8s/util/util_test.go +++ b/pkg/plugins/runtime/k8s/util/util_test.go @@ -232,7 +232,7 @@ var _ = Describe("Util", func() { } // then - Expect(util.MeshOfByAnnotation(pod, ns)).To(Equal(given.expected)) + Expect(util.MeshOfByLabelOrAnnotation(logr.Discard(), pod, ns)).To(Equal(given.expected)) }, Entry("Pod without annotations", testCase{ podAnnotations: nil, diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go index 519c7728c573..109b8f1bf666 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go +++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go @@ -159,7 +159,6 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error tproxyCfg, i.cfg, pod.Annotations, - meshName, i.defaultAdminPort, ); err != nil { return errors.Wrap(err, "could not generate annotations for pod") @@ -169,6 +168,11 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error pod.Annotations[key] = value } + if pod.Labels == nil { + pod.Labels = map[string]string{} + } + pod.Labels[metadata.KumaMeshLabel] = meshName + switch { case !tproxyCfg.CNIMode: initContainer := i.NewInitContainer([]string{"--config", tproxyCfgYAML}) @@ -189,7 +193,7 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error pod.Annotations[metadata.KumaTrafficTransparentProxyConfig] = tproxyCfgYAML } } else { // this is legacy and deprecated - will be removed soon - if annotations, err = i.NewAnnotations(pod, meshName, logger); err != nil { + if annotations, err = i.NewAnnotations(pod, logger); err != nil { return errors.Wrap(err, "could not generate annotations for pod") } 
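Review bot: In injector.go (hunk at -169, repeated in the legacy branch at -197), `pod.Labels[metadata.KumaMeshLabel] = meshName` moves the mesh name from an annotation value into a label value. Label values are limited to 63 characters and a restricted character set, while annotation values are not. Unless Mesh names are already capped elsewhere, a longer name that resolved fine before would now produce a mutated pod that the API server rejects. A length check in `preCheck`, with a clear error, would surface this at the webhook rather than as an opaque admission failure. The nil-check-and-assign block is identical in both branches and could be written once after the `if`/`else`; `InjectKuma` starts and ends outside these hunks.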
@@ -197,6 +201,11 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error pod.Annotations[key] = value } + if pod.Labels == nil { + pod.Labels = map[string]string{} + } + pod.Labels[metadata.KumaMeshLabel] = meshName + podRedirect, err := tproxy_k8s.NewPodRedirectFromAnnotations(pod.Annotations) if err != nil { return err @@ -662,12 +671,11 @@ func (i *KumaInjector) NewValidationContainer(ipFamilyMode, inboundRedirectPort } // Deprecated -func (i *KumaInjector) NewAnnotations(pod *kube_core.Pod, mesh string, logger logr.Logger) (map[string]string, error) { +func (i *KumaInjector) NewAnnotations(pod *kube_core.Pod, logger logr.Logger) (map[string]string, error) { portOutbound := i.cfg.SidecarContainer.RedirectPortOutbound portInbound := i.cfg.SidecarContainer.RedirectPortInbound result := map[string]string{ - metadata.KumaMeshAnnotation: mesh, // either user-defined value or default metadata.KumaSidecarInjectedAnnotation: metadata.AnnotationTrue, metadata.KumaTransparentProxyingAnnotation: metadata.AnnotationEnabled, metadata.KumaSidecarUID: fmt.Sprintf("%d", i.cfg.SidecarContainer.UID), diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go b/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go index cde543abf9f9..051c0b06cf38 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go +++ b/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go @@ -35,7 +35,7 @@ func (i *KumaInjector) preCheck(ctx context.Context, pod *kube_core.Pod, logger return "", nil } - meshName := k8s_util.MeshOfByAnnotation(pod, ns) + meshName := k8s_util.MeshOfByLabelOrAnnotation(logger, pod, ns) logger = logger.WithValues("mesh", meshName) // Check mesh exists if err := i.client.Get(ctx, kube_types.NamespacedName{Name: meshName}, &mesh_k8s.Mesh{}); err != nil { 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml index d2a5f3462001..b624fced9864 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml index bb12fd07a435..621037a3c5ef 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml @@ -6,7 +6,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml index c1d88ebe3aeb..e51fceac69b7 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml 
@@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: coredns kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: generateName: coredns-fb8b8dccf- labels: k8s-app: kube-dns + kuma.io/mesh: default pod-template-hash: fb8b8dccf ownerReferences: - apiVersion: apps/v1 diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml index 510b90ee87fc..9bc0e0057c72 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml @@ -16,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: demo run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml index fb533588084f..240797efe626 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml index 2237d5617acf..c9b792234d23 100644 
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml @@ -6,7 +6,6 @@ metadata: kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" kuma.io/gateway: enabled - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml index d2a5f3462001..b624fced9864 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml index 30e947e326d3..a822cab0ab2b 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -19,6 +18,7 @@ metadata: prometheus.io/scrape: "true" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml index 39649042c781..aed55447287f 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: prometheus.metrics.kuma.io/port: "5678" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml index d56d796dddb6..23223f2d1984 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default kuma.io/sidecar-injection: enabled run: busybox name: busybox diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml index e1e8f786e102..dab7f4b8637d 100644 
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: mesh-name-from-ns kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: mesh-name-from-ns run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml index ee4752df9807..673cdc97366e 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml @@ -16,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: mesh-name-from-pod run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml index 399a8666bf77..498f4f65957a 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml index f464bda030d7..f0d40029ff2e 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "19000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml index e3d738d0d72f..567d7652da08 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml index b3fc1728b42f..0ed2283bc9d2 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml 
@@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: traffic.kuma.io/exclude-outbound-ports: "1236" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml index ac978cc5498b..c1ed639e1a06 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: traffic.kuma.io/exclude-outbound-ports: 4321,7654 creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml index fc28477bb642..1f7762e45da4 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -18,6 +17,7 @@ metadata: traffic.kuma.io/exclude-outbound-ports: "" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml index b185b6fe8672..5d411e45ff1d 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml index a59848cdd02b..bd70de7a3db7 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml index 22fae558546b..32e70cef1d59 100644 
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml index 7b4cac0919af..8133c5316350 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml @@ -6,7 +6,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -18,6 +17,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml index d5cb86a9b391..3369b00ff095 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml 
@@ -9,7 +9,6 @@ metadata: kuma.io/builtin-dns-logging: "false" kuma.io/builtin-dns-port: "25053" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -21,6 +20,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml index d7bddaa0a8d4..3274ec49a4c7 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml @@ -9,7 +9,6 @@ metadata: kuma.io/builtin-dns-logging: "false" kuma.io/builtin-dns-port: "25053" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" kuma.io/sidecar-proxy-concurrency: "99" @@ -22,6 +21,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml index 8b343d45c1c3..85e10ae7c3e6 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml @@ -9,7 +9,6 @@ metadata: kuma.io/builtin-dns-logging: "false" kuma.io/builtin-dns-port: "25053" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" 
@@ -21,6 +20,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml index 3e8305a43da3..c40c76737a1e 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/service-account-token-volume: token kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml index fd211a309929..30f8e3d36ae9 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-drain-time: 10s kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml index 8267b1dc4c89..3dace8160b70 100644 
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml @@ -7,7 +7,6 @@ metadata: kuma.io/container-patches: container-patch-1 kuma.io/envoy-admin-port: "9901" kuma.io/envoy-log-level: trace - kuma.io/mesh: default kuma.io/sidecar-drain-time: 10s kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -19,6 +18,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml index dc5223fbbf29..d0e7447d1192 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml @@ -8,7 +8,6 @@ metadata: kuma.io/builtin-dns-logging: "false" kuma.io/builtin-dns-port: "25053" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -19,6 +18,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml index a8fa11eb4f1b..f6816c1c8506 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml @@ -6,7 +6,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -22,6 +21,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml index 5a36c7618080..eb02926c7e5a 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml index a1bb48a44792..34b8e2779f46 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml @@ -6,7 +6,6 @@ metadata: kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" kuma.io/init-first: "true" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.33.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.33.golden.yaml index 7bf8b8cc8530..54fa45145591 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.33.golden.yaml 
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.33.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.34.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.34.golden.yaml index 4f2c669e1612..8f54852c90dc 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.34.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.34.golden.yaml @@ -7,7 +7,6 @@ metadata: kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" kuma.io/init-first: "true" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.35.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.35.golden.yaml index d773b940f040..2eb110945451 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.35.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.35.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: init kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.36.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.36.golden.yaml index 917f963a598b..c623d5cb4b21 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.36.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.36.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: traffic.kuma.io/drop-invalid-packets: "true" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.37.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.37.golden.yaml index fdb3e9b48899..ebce8b54d644 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.37.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.37.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: traffic.kuma.io/iptables-logs: "true" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.38.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.38.golden.yaml index c06a85d33b6e..48fe7e44be29 100644 
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.38.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.38.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: traffic.kuma.io/exclude-outbound-ips: 10.0.0.1,172.16.0.0/16,fe80::1,fe80::/10 creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.39.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.39.golden.yaml index 4d2292fe502d..98027ea1f190 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.39.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.39.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: traffic.kuma.io/exclude-inbound-ips: 192.168.0.1,172.32.16.8/16,a81b:a033:6399:73c7:72b6:aa8c:6f22:7098,fe80::/10 creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.40.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.40.golden.yaml index 0a93135adbd1..a42e2cf1d38b 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.40.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.40.golden.yaml 
@@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.01.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.01.golden.yaml index ad3e94e3464f..67d3308acd4f 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.01.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.01.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.02.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.02.golden.yaml index fe010977f89a..636270448fff 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.02.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.02.golden.yaml @@ -6,7 +6,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.03.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.03.golden.yaml index e675c4e8a221..e9fdcb18c4a0 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.03.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.03.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: coredns kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: generateName: coredns-fb8b8dccf- labels: k8s-app: kube-dns + kuma.io/mesh: default pod-template-hash: fb8b8dccf ownerReferences: - apiVersion: apps/v1 diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.04.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.04.golden.yaml index 4390eb14404a..4241bd77caae 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.04.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.04.golden.yaml @@ -16,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: demo run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.05.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.05.golden.yaml index 982080d2d535..c00f00fc8c7c 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.05.golden.yaml 
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.05.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.06.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.06.golden.yaml index 9a941ad5452f..14a672208903 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.06.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.06.golden.yaml @@ -6,7 +6,6 @@ metadata: kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" kuma.io/gateway: enabled - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.07.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.07.golden.yaml index ad3e94e3464f..67d3308acd4f 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.07.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.07.golden.yaml 
@@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.08.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.08.golden.yaml index fb0be23ba4d9..0503bd214c65 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.08.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.08.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -19,6 +18,7 @@ metadata: prometheus.io/scrape: "true" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.09.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.09.golden.yaml index 0965346dfc3d..f883c8dacda6 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.09.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.09.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -18,6 +17,7 @@ metadata: prometheus.metrics.kuma.io/port: "5678" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.10.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.10.golden.yaml index 2b9bb422f893..641e5ad41de6 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.10.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.10.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default kuma.io/sidecar-injection: enabled run: busybox name: busybox diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.11.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.11.golden.yaml index e8e06d65a99e..4e256fb13aad 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.11.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.11.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: mesh-name-from-ns kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: mesh-name-from-ns run: busybox name: busybox spec: 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.12.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.12.golden.yaml index c4d46617cced..ea28b9106a9f 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.12.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.12.golden.yaml @@ -16,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: mesh-name-from-pod run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.13.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.13.golden.yaml index bf6c34299b40..d69ca2e0bf63 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.13.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.13.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.14.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.14.golden.yaml index 70ad85899693..94c5250426da 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.14.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.14.golden.yaml 
@@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "19000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.15.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.15.golden.yaml index ad24eb156a94..4ad7f762be50 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.15.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.15.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.16.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.16.golden.yaml index c026c970e003..b8c79f878de9 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.16.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.16.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -18,6 +17,7 @@ metadata: traffic.kuma.io/exclude-outbound-ports: "1236" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.17.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.17.golden.yaml index 6e94a86f3533..672f542d390a 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.17.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.17.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: traffic.kuma.io/exclude-outbound-ports: 4321,7654 creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.18.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.18.golden.yaml index 6a6ab9e8fd7b..012dcd9b580e 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.18.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.18.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: traffic.kuma.io/exclude-outbound-ports: "" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.19.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.19.golden.yaml index 1c9f47351951..e3d47dfd84a3 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.19.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.19.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.20.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.20.golden.yaml index 3526389bcce2..df15557369f8 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.20.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.20.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.21.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.21.golden.yaml index 8059a6569584..95a85f529992 100644 
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.21.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.21.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.22.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.22.golden.yaml index 47982db4dba4..876dd53acf00 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.22.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.22.golden.yaml @@ -6,7 +6,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -18,6 +17,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.23.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.23.golden.yaml index e830f26a4a5d..2435f91fa576 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.23.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.23.golden.yaml 
@@ -9,7 +9,6 @@ metadata: kuma.io/builtin-dns-logging: "false" kuma.io/builtin-dns-port: "25053" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -21,6 +20,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.24.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.24.golden.yaml index e69478001217..14a29e2ca43e 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.24.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.24.golden.yaml @@ -9,7 +9,6 @@ metadata: kuma.io/builtin-dns-logging: "false" kuma.io/builtin-dns-port: "25053" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" kuma.io/sidecar-proxy-concurrency: "99" @@ -22,6 +21,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.25.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.25.golden.yaml index 375fc5c4dab3..3da9d91d7b99 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.25.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.25.golden.yaml 
@@ -9,7 +9,6 @@ metadata: kuma.io/builtin-dns-logging: "false" kuma.io/builtin-dns-port: "25053" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -21,6 +20,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.26.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.26.golden.yaml index 19e7b74b9ea5..2658316ff0b0 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.26.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.26.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/service-account-token-volume: token kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.27.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.27.golden.yaml index d7774312c8b8..eb95a45603fd 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.27.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.27.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-drain-time: 10s kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" 
@@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.28.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.28.golden.yaml index c4b5b01eecb8..808290d268fb 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.28.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.28.golden.yaml @@ -7,7 +7,6 @@ metadata: kuma.io/container-patches: container-patch-1 kuma.io/envoy-admin-port: "9901" kuma.io/envoy-log-level: trace - kuma.io/mesh: default kuma.io/sidecar-drain-time: 10s kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" @@ -19,6 +18,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.29.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.29.golden.yaml index 80ada2bb8471..0ac63fbe6dea 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.29.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.29.golden.yaml @@ -8,7 +8,6 @@ metadata: kuma.io/builtin-dns-logging: "false" kuma.io/builtin-dns-port: "25053" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -19,6 +18,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.30.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.30.golden.yaml index f049258d6c46..ea27d889dd1b 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.30.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.30.golden.yaml @@ -6,7 +6,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -22,6 +21,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.31.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.31.golden.yaml index df8c1a870e43..e8e0a38289f5 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.31.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.31.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.32.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.32.golden.yaml index 0f8b99ec8576..81aa1029d7dd 100644 
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.32.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.32.golden.yaml @@ -6,7 +6,6 @@ metadata: kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" kuma.io/init-first: "true" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.33.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.33.golden.yaml index f11390a19e01..2a4d06f2d863 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.33.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.33.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.34.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.34.golden.yaml index aea729666e79..796b6b302b10 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.34.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.34.golden.yaml 
@@ -7,7 +7,6 @@ metadata: kuma.io/application-probe-proxy-port: "0" kuma.io/envoy-admin-port: "9901" kuma.io/init-first: "true" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -18,6 +17,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.35.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.35.golden.yaml index ca7ce8757a0d..eb5f42205c35 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.35.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.35.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: init kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.36.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.36.golden.yaml index 3dbf01e1f127..d63fbb372e12 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.36.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.36.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -17,6 +16,7 @@ metadata: traffic.kuma.io/drop-invalid-packets: "true" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.37.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.37.golden.yaml index 95d9be116c1b..aecbdd094716 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.37.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.37.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: traffic.kuma.io/iptables-logs: "true" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.38.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.38.golden.yaml index 480c6790e1a0..0f94fbae913d 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.38.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.38.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: traffic.kuma.io/exclude-outbound-ips: 10.0.0.1,172.16.0.0/16,fe80::1,fe80::/10 creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.39.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.39.golden.yaml index bdb9d9ba1964..59ddc1f63f55 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.39.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.39.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -17,6 +16,7 @@ metadata: traffic.kuma.io/exclude-inbound-ips: 192.168.0.1,172.32.16.8/16,a81b:a033:6399:73c7:72b6:aa8c:6f22:7098,fe80::/10 creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.40.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.40.golden.yaml index a676d7b526e1..625963e52a4a 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.40.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.40.golden.yaml @@ -5,7 +5,6 @@ metadata: kubectl.kubernetes.io/default-container: busybox kuma.io/application-probe-proxy-port: "9000" kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -16,6 +15,7 @@ metadata: kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: + kuma.io/mesh: default run: busybox name: busybox spec: diff --git a/pkg/test/resources/builders/mesh_builder.go b/pkg/test/resources/builders/mesh_builder.go index 82f41d89f0a5..f2d732d226a0 100644 --- a/pkg/test/resources/builders/mesh_builder.go 
+++ b/pkg/test/resources/builders/mesh_builder.go @@ -9,6 +9,7 @@ import ( mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1" core_mesh "github.com/kumahq/kuma/pkg/core/resources/apis/mesh" core_model "github.com/kumahq/kuma/pkg/core/resources/model" + "github.com/kumahq/kuma/pkg/core/resources/model/rest" "github.com/kumahq/kuma/pkg/core/resources/store" mesh_k8s "github.com/kumahq/kuma/pkg/plugins/resources/k8s/native/api/v1alpha1" test_model "github.com/kumahq/kuma/pkg/test/resources/model" @@ -164,3 +165,12 @@ func (m *MeshBuilder) KubeYaml() string { } return string(res) } + +func (m *MeshBuilder) UniYaml() string { + mesh := m.Build() + res, err := yaml.Marshal(rest.From.Resource(mesh)) + if err != nil { + panic(err) + } + return string(res) +} diff --git a/pkg/transparentproxy/config/config.go b/pkg/transparentproxy/config/config.go index c854ec4eedab..9ae84f2761e8 100644 --- a/pkg/transparentproxy/config/config.go +++ b/pkg/transparentproxy/config/config.go @@ -217,14 +217,11 @@ type DNS struct { type InitializedDNS struct { DNS - Servers []string + Servers []net.IP ConntrackZoneSplit bool Enabled bool } -// Initialize initializes the ServersIPv4 and ServersIPv6 fields by parsing -// the nameservers from the file specified in the ResolvConfigPath field of -// the input DNS struct func (c DNS) Initialize( l Logger, executables InitializedExecutablesIPvX, 
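Review bot: The new exported `UniYaml` method has no doc comment, and nothing tells a caller that it panics when marshalling fails. A one-line comment would cover both, for example `// UniYaml returns the built mesh marshalled to YAML via its REST representation; it panics if marshalling fails.` The neighbouring `KubeYaml` appears to follow the same panic-on-error pattern, but its body starts outside this hunk, so that is inferred from the two context lines only.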
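Review bot: The doc comment on the exported `DNS.Initialize` is deleted here rather than corrected, leaving the method undocumented. The old text was stale, since it named `ServersIPv4`/`ServersIPv6` fields that the struct does not have, but a replacement is still needed. Something like `// Initialize decides whether conntrack zone splitting is usable and, unless CaptureAll is set, loads the nameservers of the requested IP version from ResolvConfigPath.` matches what the body does in the following hunk. The function body continues outside this hunk.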
@@ -232,37 +229,37 @@ func (c DNS) Initialize( ) (InitializedDNS, error) { initialized := InitializedDNS{DNS: c, Enabled: c.Enabled} - // We don't have to continue initialization if the DNS traffic shouldn't be - // redirected + // DNS redirection is disabled, no further initialization is needed if !c.Enabled { return initialized, nil } - if !c.SkipConntrackZoneSplit { - initialized.ConntrackZoneSplit = executables.Functionality.ConntrackZoneSplit() - if !initialized.ConntrackZoneSplit { - l.Warn("conntrack zone splitting is disabled. Functionality requires the 'conntrack' iptables module") - } + switch { + case !c.SkipConntrackZoneSplit && !executables.Functionality.ConntrackZoneSplit(): + l.Warn("conntrack zone splitting is disabled. This requires the 'conntrack' iptables module") + case !c.SkipConntrackZoneSplit && executables.Functionality.Chains.DockerOutput && c.CaptureAll: + l.Warn("conntrack zone splitting is unsupported when capturing all DNS traffic inside Docker containers with custom networks") + case !c.SkipConntrackZoneSplit: + initialized.ConntrackZoneSplit = true } - // We don't have to get DNS servers if we want to capture all DNS traffic + // No need to retrieve DNS servers if all DNS traffic is being captured if c.CaptureAll { return initialized, nil } + // Load DNS configuration from the resolv.conf file dnsConfig, err := dns.ClientConfigFromFile(c.ResolvConfigPath) if err != nil { return initialized, errors.Wrapf(err, "unable to read file %s", c.ResolvConfigPath) } - // Loop through each DNS server address parsed from the resolv.conf file + // Iterate over each DNS server address from the resolv.conf file for _, address := range dnsConfig.Servers { - parsed := net.ParseIP(address) - // Check if the address matches the expected IP version. - // - If config is not for IPv6 and the address is IPv4, add to the list. - // - If config is for IPv6 and the address is IPv6, add to the list. 
- if !ipv6 && parsed.To4() != nil || ipv6 && parsed.To4() == nil { - initialized.Servers = append(initialized.Servers, address) + ip := net.ParseIP(address) + // Add the IP if it matches the expected IP version (IPv4 or IPv6) + if (!ipv6 && ip.To4() != nil) || (ipv6 && ip.To4() == nil) { + initialized.Servers = append(initialized.Servers, ip) } } @@ -271,7 +268,7 @@ func (c DNS) Initialize( initialized.ConntrackZoneSplit = false l.Warnf( - "couldn't find any %s servers in %s file. Capturing %[1]s DNS traffic will be disabled", + "no %s DNS servers found in %s. DNS traffic capture for %[1]s will be disabled", consts.IPTypeMap[ipv6], c.ResolvConfigPath, ) @@ -769,11 +766,11 @@ type InitializedConfigIPvX struct { // LocalhostCIDR is a string representing the CIDR notation of the localhost // address for the given IP version (IPv4 or IPv6). This is used to // construct rules related to the loopback interface - LocalhostCIDR string + LocalhostCIDR net.IPNet // InboundPassthroughCIDR is a string representing the CIDR notation of the // address used for inbound passthrough traffic. This is used to construct // rules allowing specific traffic to bypass normal proxying - InboundPassthroughCIDR string + InboundPassthroughCIDR net.IPNet // Comments holds the processed configuration for iptables rule comments, // indicating whether comments are enabled and the prefix to use for comment // text. This helps in identifying and organizing iptables rules created by @@ -825,8 +822,8 @@ func (c Config) Initialize(ctx context.Context) (InitializedConfig, error) { maxTry: c.Retry.MaxRetries + 1, } - loggerIPv4 := l.WithPrefix(consts.IptablesCommandByFamily[false]) - loggerIPv6 := l.WithPrefix(consts.IptablesCommandByFamily[true]) + loggerIPv4 := l.WithPrefix(consts.IptablesCommandByFamily[consts.IPv4]) + loggerIPv6 := l.WithPrefix(consts.IptablesCommandByFamily[consts.IPv6]) loopbackInterfaceName, err := getLoopbackInterfaceName() if err != nil { 
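Review bot: In the nameserver loop, `net.ParseIP(address)` returns nil for any entry it cannot parse, and a nil `net.IP` has `To4() == nil`, so when `ipv6` is true the condition holds and a nil IP is appended to `initialized.Servers`. The old code appended the raw string in that case; now the consumer of `Servers` gets a nil value, which presumably ends up in a DNS redirect rule as an empty or `<nil>` address. Zone-scoped entries such as a link-local nameserver with a `%iface` suffix are legal in resolv.conf and are rejected by `net.ParseIP`, so this is reachable without a corrupt file. Skip and log such entries before the version check: `if ip == nil { l.Warnf("ignoring unparsable nameserver %q in %s", address, c.ResolvConfigPath); continue }`. The function starts before this hunk and continues after it.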
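Review bot: The field comments on `LocalhostCIDR` and `InboundPassthroughCIDR` still say each "is a string representing the CIDR notation", but this hunk changes both fields to `net.IPNet`. The comments should follow the type, for example `// LocalhostCIDR is the localhost network (address and mask) for the given IP version (IPv4 or IPv6).` and the equivalent wording for the passthrough field. The struct definition starts and ends outside this hunk.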
@@ -851,8 +848,8 @@ func (c Config) Initialize(ctx context.Context) (InitializedConfig, error) { Logger: loggerIPv4, Executables: executablesIPv4, LoopbackInterfaceName: loopbackInterfaceName, - LocalhostCIDR: consts.LocalhostCIDRIPv4, - InboundPassthroughCIDR: consts.InboundPassthroughSourceAddressCIDRIPv4, + LocalhostCIDR: consts.LocalhostAddress[consts.IPv4], + InboundPassthroughCIDR: consts.InboundPassthroughSourceAddress[consts.IPv4], Comments: c.Comments.Initialize(executablesIPv4), DropInvalidPackets: c.DropInvalidPackets && executablesIPv4.Functionality.Tables.Mangle, KumaDPUser: kumaDPUser, @@ -898,8 +895,8 @@ func (c Config) Initialize(ctx context.Context) (InitializedConfig, error) { Logger: loggerIPv6, Executables: executablesIPv6, LoopbackInterfaceName: loopbackInterfaceName, - LocalhostCIDR: consts.LocalhostCIDRIPv6, - InboundPassthroughCIDR: consts.InboundPassthroughSourceAddressCIDRIPv6, + LocalhostCIDR: consts.LocalhostAddress[consts.IPv6], + InboundPassthroughCIDR: consts.InboundPassthroughSourceAddress[consts.IPv6], Comments: c.Comments.Initialize(executablesIPv6), DropInvalidPackets: c.DropInvalidPackets && executablesIPv6.Functionality.Tables.Mangle, KumaDPUser: kumaDPUser, diff --git a/pkg/transparentproxy/consts/consts.go b/pkg/transparentproxy/consts/consts.go index d7e2d5778bbd..453ef326585b 100644 --- a/pkg/transparentproxy/consts/consts.go +++ b/pkg/transparentproxy/consts/consts.go @@ -1,12 +1,18 @@ package consts import ( + "net" "regexp" "strings" k8s_version "k8s.io/apimachinery/pkg/util/version" ) +const ( + IPv4 = false + IPv6 = true +) + const ( Iptables = "iptables" IptablesSave = "iptables-save" 
@@ -20,16 +26,16 @@ const ( // (true) usage to the corresponding iptables command name. This allows for code // to be written generically without duplicating logic for both IPv4 and IPv6 var IptablesCommandByFamily = map[bool]string{ - false: Iptables, - true: Ip6tables, + IPv4: Iptables, + IPv6: Ip6tables, } // IPTypeMap is a map that translates a boolean value to a string representing // the type of IP address (IPv4 or IPv6). The key is a boolean where 'false' // corresponds to "IPv4" and 'true' corresponds to "IPv6" var IPTypeMap = map[bool]string{ - false: "IPv4", - true: "IPv6", + IPv4: "IPv4", + IPv6: "IPv6", } // Default ports used for iptables redirection @@ -40,19 +46,21 @@ const ( ) const ( - DNSPort uint16 = 53 - LocalhostIPv4 = "127.0.0.1" - LocalhostCIDRIPv4 = "127.0.0.1/32" - LocalhostIPv6 = "[::1]" - LocalhostCIDRIPv6 = "::1/128" - // InboundPassthroughSourceAddressCIDRIPv4 - // TODO (bartsmykla): add some description - InboundPassthroughSourceAddressCIDRIPv4 = "127.0.0.6/32" - InboundPassthroughSourceAddressCIDRIPv6 = "::6/128" - OutputLogPrefix = "OUTPUT:" - PreroutingLogPrefix = "PREROUTING:" + DNSPort uint16 = 53 + OutputLogPrefix = "OUTPUT:" + PreroutingLogPrefix = "PREROUTING:" ) +var InboundPassthroughSourceAddress = map[bool]net.IPNet{ + IPv4: {IP: net.ParseIP("127.0.0.6"), Mask: net.CIDRMask(32, 32)}, + IPv6: {IP: net.ParseIP("::6"), Mask: net.CIDRMask(128, 128)}, +} + +var LocalhostAddress = map[bool]net.IPNet{ + IPv4: {IP: net.ParseIP("127.0.0.1"), Mask: net.CIDRMask(32, 32)}, + IPv6: {IP: net.ParseIP("::1"), Mask: net.CIDRMask(128, 128)}, +} + type ProtocolL4 string const ( diff --git a/pkg/transparentproxy/iptables/builder/builder_table_nat.go b/pkg/transparentproxy/iptables/builder/builder_table_nat.go index c9e4524a95c9..115ecd138658 100644 --- a/pkg/transparentproxy/iptables/builder/builder_table_nat.go +++ b/pkg/transparentproxy/iptables/builder/builder_table_nat.go 
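Review bot: In the `-40,19 +46,21` hunk, `InboundPassthroughSourceAddress` and `LocalhostAddress` replace compile-time string constants with exported package-level maps, so any importing package can now reassign or overwrite the addresses that end up in iptables rules. The `net.IPNet` values copied out of the maps also share their `IP` and `Mask` backing slices, so an in-place edit by one caller would be seen by every later lookup. Neither variable has a doc comment, and the old TODO asking for a description of the passthrough address was dropped rather than resolved. I would add comments such as `// LocalhostAddress maps the IP family (consts.IPv4 / consts.IPv6) to the loopback host network; treat as read-only`, or expose the values through small accessor functions that return fresh copies.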
@@ -40,7 +40,7 @@ func buildMeshInbound(cfg config.InitializedTrafficFlow) *Chain { meshInbound.AddRules( rules. NewAppendRule( - Source(Address(exclusion.Address)), + Source(exclusion.Address), Jump(Return()), ). WithComment("skip further processing for configured IP address"), @@ -139,11 +139,11 @@ func buildMeshOutbound(cfg config.InitializedConfigIPvX) *Chain { AddRules( rules. NewAppendRule( - Source(Address(cfg.InboundPassthroughCIDR)), + Source(cfg.InboundPassthroughCIDR), OutInterface(cfg.LoopbackInterfaceName), Jump(Return()), ). - WithCommentf("prevent traffic loops by ensuring traffic from the sidecar proxy (using %s) to loopback interface is not redirected again", cfg.InboundPassthroughCIDR), + WithCommentf("prevent traffic loops by ensuring traffic from the sidecar proxy (using %s) to loopback interface is not redirected again", cfg.InboundPassthroughCIDR.String()), rules. NewAppendRule( Protocol(Tcp(NotDestinationPortIfBool(cfg.Redirect.DNS.Enabled, consts.DNSPort))), @@ -152,7 +152,7 @@ func buildMeshOutbound(cfg config.InitializedConfigIPvX) *Chain { Match(Owner(Uid(cfg.KumaDPUser))), Jump(ToUserDefinedChain(cfg.Redirect.Inbound.RedirectChainName)), ). - WithCommentf("redirect outbound TCP traffic (except to DNS port %d) destined for loopback interface, but not targeting address %s, and owned by UID %s (kuma-dp user) to %s chain for proper handling", consts.DNSPort, cfg.LocalhostCIDR, cfg.KumaDPUser, cfg.Redirect.Inbound.RedirectChainName), + WithCommentf("redirect outbound TCP traffic (except to DNS port %d) destined for loopback interface, but not targeting address %s, and owned by UID %s (kuma-dp user) to %s chain for proper handling", consts.DNSPort, cfg.LocalhostCIDR.String(), cfg.KumaDPUser, cfg.Redirect.Inbound.RedirectChainName), rules. NewAppendRule( Protocol(Tcp(NotDestinationPortIfBool(cfg.Redirect.DNS.Enabled, consts.DNSPort))), 
@@ -200,7 +200,7 @@ func buildMeshOutbound(cfg config.InitializedConfigIPvX) *Chain { Destination(cfg.LocalhostCIDR), Jump(Return()), ). - WithCommentf("return traffic destined for localhost (%s) to avoid redirection", cfg.LocalhostCIDR), + WithCommentf("return traffic destined for localhost (%s) to avoid redirection", cfg.LocalhostCIDR.String()), ) for _, port := range cfg.Redirect.Outbound.IncludePorts { diff --git a/pkg/transparentproxy/iptables/builder/builder_table_raw.go b/pkg/transparentproxy/iptables/builder/builder_table_raw.go index 108e61a1a159..ef35b8b000f1 100644 --- a/pkg/transparentproxy/iptables/builder/builder_table_raw.go +++ b/pkg/transparentproxy/iptables/builder/builder_table_raw.go 
@@ -60,16 +60,36 @@ func buildRawTable(cfg config.InitializedConfigIPvX) *tables.RawTable { Protocol(Udp(DestinationPort(consts.DNSPort))), Jump(Ct(Zone("2"))), ). - WithCommentf("assign connection tracking zone 2 to DNS requests destined for %s", ip), + WithCommentf("assign connection tracking zone 2 to DNS requests destined for %s", ip.String()), ) + + // IsLoopback checks if the address is local (e.g., 127.0.0.1 or 127.0.0.11, which is common + // in Docker containers within custom networks). This rule addresses an issue where the + // transparent proxy is installed in a Docker container that's part of a custom network. + // In such cases, Docker NATs the destination port to a random one. This rule is applied + // only when the source is a local address and the destination is localhost to prevent + // unexpected behavior in untested scenarios + if ip.IsLoopback() { + raw.Output().AddRules( + rules. + NewAppendRule( + Source(ip), + Destination(cfg.LocalhostCIDR), + Protocol(Udp()), + Jump(Ct(Zone("1"))), + ). + WithComment("assign conntrack zone 1 to DNS responses from the local DNS server to localhost, needed when the DNS query port is altered by a DNAT iptables rule, such as with Docker containers in a custom network"), + ) + } + raw.Prerouting().AddRules( rules. NewAppendRule( - Destination(ip), + Source(ip), Protocol(Udp(SourcePort(consts.DNSPort))), Jump(Ct(Zone("1"))), ). - WithCommentf("assign connection tracking zone 1 to DNS responses from %s", ip), + WithCommentf("assign connection tracking zone 1 to DNS responses from %s", ip.String()), ) } } diff --git a/pkg/transparentproxy/iptables/parameters/destination.go b/pkg/transparentproxy/iptables/parameters/destination.go deleted file mode 100644 index 76941a65e7e8..000000000000 --- a/pkg/transparentproxy/iptables/parameters/destination.go +++ /dev/null 
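Review bot: The new OUTPUT rule inside `if ip.IsLoopback()` matches on `Source(ip)`, `Destination(cfg.LocalhostCIDR)` and `Protocol(Udp())` with no port match, so it is wider than the "DNS responses" its comment describes. When the configured resolver is the localhost address itself, every UDP packet from that address to localhost would be placed in conntrack zone 1, not only replies from the DNS server. If the port really cannot be matched because of the Docker DNAT, I would say so next to the rule, for example `// no port match is possible here: all UDP from this loopback address to localhost is assigned to zone 1`, and consider skipping the rule when `ip` equals the localhost address. A builder test that pins the generated rule for a loopback and a non-loopback resolver would keep this from widening further. `buildRawTable` starts and ends outside the hunk, so the surrounding loop and zone setup were not checked.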
@@ -1,41 +0,0 @@ -package parameters - -var _ ParameterBuilder = &DestinationParameter{} - -type DestinationParameter struct { - address string -} - -func (p *DestinationParameter) Build(bool) []string { - return []string{p.address} -} - -func (p *DestinationParameter) Negate() ParameterBuilder { - return p -} - -func destination(address string, negative bool) *Parameter { - return &Parameter{ - long: "--destination", - short: "-d", - parameters: []ParameterBuilder{&DestinationParameter{address: address}}, - negate: negateSelf, - negative: negative, - } -} - -// Destination will generate arguments for the "-d, --destination address[/mask]" flag -// See the description of the -s (source) flag for a detailed description of the syntax -// -// ref. iptables(8) > PARAMETERS -func Destination(address string) *Parameter { - if address == "" { - return nil - } - - return destination(address, false) -} - -func NotDestination(address string) *Parameter { - return destination(address, true) -} diff --git a/pkg/transparentproxy/iptables/parameters/match.go b/pkg/transparentproxy/iptables/parameters/match.go index 36f0514fcd67..229b2cbc26b9 100644 --- a/pkg/transparentproxy/iptables/parameters/match.go +++ b/pkg/transparentproxy/iptables/parameters/match.go @@ -44,9 +44,9 @@ func Multiport() *MatchParameter { // // ref. iptables-extensions(8) > comment func Comment(comments ...string) *MatchParameter { - comment := fmt.Sprintf("%q", strings.Join(comments, "/")) - if len(comment) > 256 { - comment = comment[:256] + comment := strings.Join(comments, "/") + if len(comment) > 254 { + comment = comment[:254] } return &MatchParameter{ @@ -54,7 +54,7 @@ func Comment(comments ...string) *MatchParameter { parameters: []ParameterBuilder{ &SimpleParameter{ long: "--comment", - value: comment, + value: fmt.Sprintf("%q", comment), }, }, } 
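Review bot: In `Comment` (match.go, both hunks), the length bound is now applied to the raw text and `%q` quoting happens afterwards, so the final value can again exceed the limit when escaping expands it. A double quote, a backslash or a non-ASCII byte in the comment each become a longer escape sequence. The byte slice `comment[:254]` can also cut a multi-byte UTF-8 character in half, which `%q` then renders as `\x..` escapes. I would trim whole runes until the quoted form fits, as sketched below; this needs `unicode/utf8`, and the 256 bound is taken from the code being replaced.

```go
comment := strings.Join(comments, "/")
quoted := fmt.Sprintf("%q", comment)
// Trim whole runes until the escaped, quoted form fits the bound.
for len(quoted) > 256 && comment != "" {
	_, size := utf8.DecodeLastRuneInString(comment)
	comment = comment[:len(comment)-size]
	quoted = fmt.Sprintf("%q", comment)
}
// … unchanged: MatchParameter construction, with value: quoted …
```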
diff --git a/pkg/transparentproxy/iptables/parameters/source.go b/pkg/transparentproxy/iptables/parameters/source.go deleted file mode 100644 index efc041e50b11..000000000000 --- a/pkg/transparentproxy/iptables/parameters/source.go +++ /dev/null @@ -1,45 +0,0 @@ -package parameters - -var _ ParameterBuilder = &SourceParameter{} - -type SourceParameter struct { - address string -} - -func (p *SourceParameter) Build(bool) []string { - return []string{p.address} -} - -func (p *SourceParameter) Negate() ParameterBuilder { - return p -} - -func Address(address string) *SourceParameter { - if address == "" { - return nil - } - - return &SourceParameter{address: address} -} - -// Source will generate arguments for the "-s, --source address[/mask]" flag -// Address can be either a network name, a hostname, a network IP address (with /mask), -// or a plain IP address. Hostnames will be resolved once only, before the rule is submitted -// to the kernel. Please note that specifying any name to be resolved with a remote query such as -// DNS is a horrible idea. The mask can be either an ipv4 network mask (for iptables) or -// a plain number, specifying the number of 1's on the left side of the network mask. -// Thus, an iptables mask of 24 is equivalent to 255.255.255.0 -// -// ref. iptables(8) > PARAMETERS -func Source(parameter *SourceParameter) *Parameter { - if parameter == nil { - return nil - } - - return &Parameter{ - long: "--source", - short: "-s", - parameters: []ParameterBuilder{parameter}, - negate: negateSelf, - } -} diff --git a/pkg/transparentproxy/iptables/parameters/source_destination.go b/pkg/transparentproxy/iptables/parameters/source_destination.go new file mode 100644 index 000000000000..c9bb8d0d4cf7 --- /dev/null +++ b/pkg/transparentproxy/iptables/parameters/source_destination.go 
@@ -0,0 +1,90 @@ +package parameters + +import ( + "net" + "reflect" +) + +var _ ParameterBuilder = &EndpointParameter{} + +type EndpointParameter struct { + address string +} + +func (p *EndpointParameter) Build(bool) []string { + return []string{p.address} +} + +func (p *EndpointParameter) Negate() ParameterBuilder { + return p +} + +func endpoint[T ~string | net.IP | net.IPNet](long, short string, value T, negative bool) *Parameter { + var address string + if address = extractAddress(value); address == "" { + return nil + } + + return &Parameter{ + long: long, + short: short, + parameters: []ParameterBuilder{&EndpointParameter{address: address}}, + negate: negateSelf, + negative: negative, + } +} + +func extractAddress[T ~string | net.IP | net.IPNet](value T) string { + if reflect.ValueOf(&value).Elem().IsZero() { + return "" + } + + switch v := any(value).(type) { + case string: + return v + case net.IP: + return v.String() + case net.IPNet: + return v.String() + } + + // handle the remaining type set of ~string + if r := reflect.ValueOf(value); r.Kind() == reflect.String { + return r.String() + } + + return "" +} + +func source[T ~string | net.IP | net.IPNet](value T, negative bool) *Parameter { + return endpoint("--source", "-s", value, negative) +} + +func destination[T ~string | net.IP | net.IPNet](value T, negative bool) *Parameter { + return endpoint("--destination", "-d", value, negative) +} + +// Source will generate arguments for the "-s, --source address[/mask]" flag +// Address can be either a network name, a hostname, a network IP address (with /mask), +// or a plain IP address. Hostnames will be resolved once only, before the rule is submitted +// to the kernel. Please note that specifying any name to be resolved with a remote query such as +// DNS is a horrible idea. The mask can be either an ipv4 network mask (for iptables) or +// a plain number, specifying the number of 1's on the left side of the network mask. 
+// Thus, an iptables mask of 24 is equivalent to 255.255.255.0 +// +// ref. iptables(8) > PARAMETERS +func Source[T ~string | net.IP | net.IPNet](address T) *Parameter { + return source(address, false) +} + +// Destination will generate arguments for the "-d, --destination address[/mask]" flag +// See the description of the -s (source) flag for a detailed description of the syntax +// +// ref. iptables(8) > PARAMETERS +func Destination[T ~string | net.IP | net.IPNet](address T) *Parameter { + return destination(address, false) +} + +func NotDestination[T ~string | net.IP | net.IPNet](address T) *Parameter { + return destination(address, true) +} diff --git a/pkg/transparentproxy/iptables/parameters/destination_test.go b/pkg/transparentproxy/iptables/parameters/source_destination_test.go similarity index 65% rename from pkg/transparentproxy/iptables/parameters/destination_test.go rename to pkg/transparentproxy/iptables/parameters/source_destination_test.go index 6f00b016fed5..0774398cdebc 100644 --- a/pkg/transparentproxy/iptables/parameters/destination_test.go +++ b/pkg/transparentproxy/iptables/parameters/source_destination_test.go @@ -7,7 +7,7 @@ import ( . "github.com/kumahq/kuma/pkg/transparentproxy/iptables/parameters" ) -var _ = Describe("DestinationParameter", func() { +var _ = Describe("EndpointParameter", func() { Describe("Destination", func() { Describe("should build valid destination parameter with, provided address", func() { DescribeTable("when not negated", 
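Review bot: `extractAddress` in the new source_destination.go treats only the zero value as "no address", so a non-nil but empty `net.IP`, or a `net.IPNet` whose IP and mask lengths disagree, is turned by `String()` into the literal text `<nil>` and passed on as the address. I would reject that in `endpoint`, for example `if address == "" || address == "<nil>" { return nil }`, or validate per type before formatting. Separately, `Source`, `Destination` and `NotDestination` now all return nil for an empty value; if the rule builder skips nil parameters (not visible here), a rule built from an unset address silently loses its `-s`/`-d` match and applies to all addresses. That contract deserves a doc comment on `endpoint`, such as `// endpoint returns nil when value is empty; callers must not rely on the match being present`.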
@@ -100,4 +100,58 @@ var _ = Describe("DestinationParameter", func() { Entry("IPv6 IP address with CIDR mask", "::1/128"), ) }) + + Describe("Source", func() { + DescribeTable("should build valid source parameter with the built, provided Source", + func(address string, verbose bool, want []string) { + // when + got := Source(address).Build(verbose) + + // then + Expect(got).To(Equal(want)) + }, + Entry("127.0.0.1/32", + "127.0.0.1/32", false, + []string{"-s", "127.0.0.1/32"}, + ), + Entry("127.0.0.1/32 - verbose", + "127.0.0.1/32", true, + []string{"--source", "127.0.0.1/32"}, + ), + Entry("254.254.254.254", + "254.254.254.254", false, + []string{"-s", "254.254.254.254"}, + ), + Entry("254.254.254.254 - verbose", + "254.254.254.254", true, + []string{"--source", "254.254.254.254"}, + ), + ) + + DescribeTable("should build valid source parameter with the built, provided address when negated", + func(address string, verbose bool, want []string) { + // when + got := Source(address).Negate().Build(verbose) + + // then + Expect(got).To(Equal(want)) + }, + Entry("127.0.0.1/32", + "127.0.0.1/32", false, + []string{"!", "-s", "127.0.0.1/32"}, + ), + Entry("127.0.0.1/32 - verbose", + "127.0.0.1/32", true, + []string{"!", "--source", "127.0.0.1/32"}, + ), + Entry("254.254.254.254", + "254.254.254.254", false, + []string{"!", "-s", "254.254.254.254"}, + ), + Entry("254.254.254.254 - verbose", + "254.254.254.254", true, + []string{"!", "--source", "254.254.254.254"}, + ), + ) + }) }) diff --git a/pkg/transparentproxy/iptables/parameters/source_test.go b/pkg/transparentproxy/iptables/parameters/source_test.go deleted file mode 100644 index 0e75677cc9ed..000000000000 --- a/pkg/transparentproxy/iptables/parameters/source_test.go +++ /dev/null 
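Review bot: The added `Source` tables only pass `string` addresses, while the builders changed in this commit call `Source` and `Destination` with `net.IP` and `net.IPNet` values. The type switch in `extractAddress` and the zero-value path that returns nil are therefore not exercised by the tests visible here. I would add entries for both types, for example `Expect(Source(net.ParseIP("127.0.0.1")).Build(false)).To(Equal([]string{"-s", "127.0.0.1"}))`, plus one case asserting that `Source(net.IP(nil))` and `Destination(net.IPNet{})` return nil. The enclosing `Describe` starts outside the hunk, so existing `Destination` coverage was not checked.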
@@ -1,150 +0,0 @@ -package parameters_test - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - . "github.com/kumahq/kuma/pkg/transparentproxy/iptables/parameters" -) - -var _ = Describe("SourceParameter", func() { - DescribeTable("Address", - func(address string, verbose bool, want []string) { - // when - got := Address(address).Build(verbose) - - // then - Expect(got).To(Equal(want)) - }, - Entry("CIDR IPv4 localhost", - "127.0.0.1/32", false, - []string{"127.0.0.1/32"}, - ), - Entry("CIDR IPv4 localhost - verbose", - "127.0.0.1/32", true, - []string{"127.0.0.1/32"}, - ), - Entry("IPv4 address (no CIDR) - localhost", - "127.0.0.1", false, - []string{"127.0.0.1"}, - ), - Entry("IPv4 address (no CIDR) - localhost - verbose", - "127.0.0.1", true, - []string{"127.0.0.1"}, - ), - Entry("CIDR IPv4 address", - "254.254.254.254/32", false, - []string{"254.254.254.254/32"}, - ), - Entry("CIDR IPv4 address - verbose", - "254.254.254.254/32", true, - []string{"254.254.254.254/32"}, - ), - Entry("IPv4 address (no CIDR)", - "254.254.254.254", false, - []string{"254.254.254.254"}, - ), - Entry("IPv4 address (no CIDR) - verbose", - "254.254.254.254", true, - []string{"254.254.254.254"}, - ), - ) - DescribeTable("negated Address should return the same values as not negated one, as it "+ - "shouldn't be possible to negate address (value shouldn't change)", - func(address string, verbose bool, want []string) { - // when - got := Address(address).Negate().Build(verbose) - - // then - Expect(got).To(Equal(want)) - }, - Entry("CIDR IPv4 localhost - negated", - "127.0.0.1/32", false, - []string{"127.0.0.1/32"}, - ), - Entry("CIDR IPv4 localhost - verbose - negated", - "127.0.0.1/32", true, - []string{"127.0.0.1/32"}, - ), - Entry("IPv4 address (no CIDR) - localhost - negated", - "127.0.0.1", false, - []string{"127.0.0.1"}, - ), - Entry("IPv4 address (no CIDR) - localhost - verbose - negated", - "127.0.0.1", true, - []string{"127.0.0.1"}, - ), - Entry("CIDR IPv4 
address - negated", - "254.254.254.254/32", false, - []string{"254.254.254.254/32"}, - ), - Entry("CIDR IPv4 address - verbose - negated", - "254.254.254.254/32", true, - []string{"254.254.254.254/32"}, - ), - Entry("IPv4 address (no CIDR) - negated", - "254.254.254.254", false, - []string{"254.254.254.254"}, - ), - Entry("IPv4 address (no CIDR) - verbose - negated", - "254.254.254.254", true, - []string{"254.254.254.254"}, - ), - ) - - Describe("Source", func() { - DescribeTable("should build valid source parameter with the built, provided "+ - "*SourceParameter", - func(parameter *SourceParameter, verbose bool, want []string) { - // when - got := Source(parameter).Build(verbose) - - // then - Expect(got).To(Equal(want)) - }, - Entry("Address('127.0.0.1/32')", - Address("127.0.0.1/32"), false, - []string{"-s", "127.0.0.1/32"}, - ), - Entry("Address('127.0.0.1/32') - verbose", - Address("127.0.0.1/32"), true, - []string{"--source", "127.0.0.1/32"}, - ), - Entry("Address('254.254.254.254')", - Address("254.254.254.254"), false, - []string{"-s", "254.254.254.254"}, - ), - Entry("Address('254.254.254.254') - verbose", - Address("254.254.254.254"), true, - []string{"--source", "254.254.254.254"}, - ), - ) - - DescribeTable("should build valid source parameter with the built, provided "+ - "*SourceParameter when negated", - func(parameter *SourceParameter, verbose bool, want []string) { - // when - got := Source(parameter).Negate().Build(verbose) - - // then - Expect(got).To(Equal(want)) - }, - Entry("Address('127.0.0.1/32')", - Address("127.0.0.1/32"), false, - []string{"!", "-s", "127.0.0.1/32"}, - ), - Entry("Address('127.0.0.1/32') - verbose", - Address("127.0.0.1/32"), true, - []string{"!", "--source", "127.0.0.1/32"}, - ), - Entry("Address('254.254.254.254')", - Address("254.254.254.254"), false, - []string{"!", "-s", "254.254.254.254"}, - ), - Entry("Address('254.254.254.254') - verbose", - Address("254.254.254.254"), true, - []string{"!", "--source", 
"254.254.254.254"}, - ), - ) - }) -}) diff --git a/pkg/transparentproxy/kubernetes/kubernetes_config.go b/pkg/transparentproxy/kubernetes/kubernetes_config.go index 7a9620341a71..1c466291193d 100644 --- a/pkg/transparentproxy/kubernetes/kubernetes_config.go +++ b/pkg/transparentproxy/kubernetes/kubernetes_config.go @@ -484,13 +484,11 @@ func ConfigToAnnotations( cfg tproxy_config.Config, runtimeCfg k8s.Injector, annotations map[string]string, - mesh string, defaultAdminPort uint32, ) (map[string]string, error) { result := map[string]string{ k8s_metadata.KumaSidecarInjectedAnnotation: k8s_metadata.AnnotationTrue, k8s_metadata.KumaTransparentProxyingAnnotation: k8s_metadata.AnnotationEnabled, - k8s_metadata.KumaMeshAnnotation: mesh, // either user-defined value or default k8s_metadata.KumaSidecarUID: cfg.KumaDPUser, k8s_metadata.KumaTransparentProxyingOutboundPortAnnotation: cfg.Redirect.Outbound.Port.String(), k8s_metadata.KumaTransparentProxyingInboundPortAnnotation: cfg.Redirect.Inbound.Port.String(), diff --git a/test/blackbox_network_tests/dns_test.go b/test/blackbox_network_tests/dns_test.go index 89970283e2f6..bd7493899cca 100644 --- a/test/blackbox_network_tests/dns_test.go +++ b/test/blackbox_network_tests/dns_test.go @@ -61,7 +61,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP traffic to port 53", func() { }.Initialize(context.Background()) Expect(err).ToNot(HaveOccurred()) - serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostIPv4, randomPort) + serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv4].IP, randomPort) readyC, errC := udp.UnsafeStartUDPServer(ns, serverAddress, udp.ReplyWithReceivedMsg) Consistently(errC).ShouldNot(Receive()) 
@@ -138,8 +138,8 @@ var _ = Describe("Outbound IPv4 DNS/UDP traffic to port 53", func() { }.Initialize(context.Background()) Expect(err).ToNot(HaveOccurred()) - originalAddress := &net.UDPAddr{IP: net.ParseIP(consts.LocalhostIPv4), Port: int(consts.DNSPort)} - redirectedToAddress := fmt.Sprintf("%s:%d", consts.LocalhostIPv4, randomPort) + originalAddress := &net.UDPAddr{IP: consts.LocalhostAddress[consts.IPv4].IP, Port: int(consts.DNSPort)} + redirectedToAddress := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv4].IP, randomPort) redirectedC, redirectedErr := udp.UnsafeStartUDPServer(ns, redirectedToAddress, udp.ReplyWithReceivedMsg) Consistently(redirectedErr).ShouldNot(Receive()) @@ -229,8 +229,8 @@ var _ = Describe("Outbound IPv6 DNS/UDP traffic to port 53", func() { }.Initialize(context.Background()) Expect(err).ToNot(HaveOccurred()) - redirectedAddress := fmt.Sprintf("%s:%d", consts.LocalhostIPv6, randomPort) - originalAddress := &net.UDPAddr{IP: net.ParseIP(consts.LocalhostIPv6), Port: int(consts.DNSPort)} + redirectedAddress := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv6].IP, randomPort) + originalAddress := &net.UDPAddr{IP: consts.LocalhostAddress[consts.IPv6].IP, Port: int(consts.DNSPort)} redirectedC, redirectedErr := udp.UnsafeStartUDPServer(ns, redirectedAddress, udp.ReplyWithReceivedMsg) Consistently(redirectedErr).ShouldNot(Receive()) @@ -316,7 +316,7 @@ var _ = Describe("Outbound IPv4 DNS/TCP traffic to port 53", func() { }.Initialize(context.Background()) Expect(err).ToNot(HaveOccurred()) - serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostIPv4, dnsPort) + serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv4].IP, dnsPort) readyC, errC := tcp.UnsafeStartTCPServer( ns, 
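Review bot: In the `-229,8` hunk, `fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv6].IP, randomPort)` produces `::1:<port>`, because the removed constant `LocalhostIPv6` was `"[::1]"` with brackets and `net.IP` formats without them. Unless `UnsafeStartUDPServer` and `UnsafeStartTCPServer` normalise the string themselves (not visible here), the address no longer parses as host:port. The same pattern is in the IPv6 hunks at `-405,7`, `-481,7`, `-670,8` and `-877,7`. I would build these with `net.JoinHostPort(consts.LocalhostAddress[consts.IPv6].IP.String(), fmt.Sprint(randomPort))`, which is also correct for the IPv4 cases.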
@@ -405,7 +405,7 @@ var _ = Describe("Outbound IPv6 DNS/UDP traffic to port 53", func() { }.Initialize(context.Background()) Expect(err).ToNot(HaveOccurred()) - serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostIPv6, randomPort) + serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv6].IP, randomPort) readyC, errC := udp.UnsafeStartUDPServer(ns, serverAddress, udp.ReplyWithReceivedMsg) Consistently(errC).ShouldNot(Receive()) @@ -481,7 +481,7 @@ var _ = Describe("Outbound IPv6 DNS/TCP traffic to port 53", func() { }.Initialize(context.Background()) Expect(err).ToNot(HaveOccurred()) - serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostIPv6, dnsPort) + serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv6].IP, dnsPort) readyC, errC := tcp.UnsafeStartTCPServer( ns, @@ -554,7 +554,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP conntrack zone splitting", func() { // given uid := uintptr(5678) s1Address := fmt.Sprintf("%s:%d", ns.Veth().PeerAddress(), consts.DNSPort) - s2Address := fmt.Sprintf("%s:%d", consts.LocalhostIPv4, port) + s2Address := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv4].IP, port) tproxyConfig, err := config.Config{ Redirect: config.Redirect{ DNS: config.DNS{ @@ -670,8 +670,8 @@ var _ = Describe("Outbound IPv6 DNS/UDP conntrack zone splitting", func() { func(port uint16) { // given uid := uintptr(5678) - s1Address := fmt.Sprintf("%s:%d", consts.LocalhostIPv6, consts.DNSPort) - s2Address := fmt.Sprintf("%s:%d", consts.LocalhostIPv6, port) + s1Address := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv6].IP, consts.DNSPort) + s2Address := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv6].IP, port) tproxyConfig, err := config.Config{ Redirect: config.Redirect{ DNS: config.DNS{ 
@@ -799,7 +799,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP traffic to port 53 only for addresses in }.Initialize(context.Background()) Expect(err).NotTo(HaveOccurred()) - serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostIPv4, randomPort) + serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv4].IP, randomPort) readyC, errC := udp.UnsafeStartUDPServer(ns, serverAddress, udp.ReplyWithReceivedMsg) Consistently(errC).ShouldNot(Receive()) @@ -877,7 +877,7 @@ var _ = Describe("Outbound IPv6 DNS/UDP traffic to port 53 only for addresses in }.Initialize(context.Background()) Expect(err).ToNot(HaveOccurred()) - serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostIPv6, randomPort) + serverAddress := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv6].IP, randomPort) readyC, errC := udp.UnsafeStartUDPServer(ns, serverAddress, udp.ReplyWithReceivedMsg) Consistently(errC).ShouldNot(Receive()) @@ -944,7 +944,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP conntrack zone splitting with specific I uid := uintptr(5678) dnsServers := getDnsServers("testdata/resolv4-conntrack.conf", 1, false) s1Address := fmt.Sprintf("%s:%d", dnsServers[0].IP.String(), consts.DNSPort) - s2Address := fmt.Sprintf("%s:%d", consts.LocalhostIPv4, port) + s2Address := fmt.Sprintf("%s:%d", consts.LocalhostAddress[consts.IPv4].IP, port) notRedirected := udp.GenRandomAddressIPv4(consts.DNSPort).AddrPort().String() tproxyConfig, err := config.Config{ Redirect: config.Redirect{ diff --git a/test/blackbox_network_tests/outbound_redirect_test.go b/test/blackbox_network_tests/outbound_redirect_test.go index bf5b7e11f790..3c08fd2616fd 100644 --- a/test/blackbox_network_tests/outbound_redirect_test.go +++ b/test/blackbox_network_tests/outbound_redirect_test.go 
@@ -758,7 +758,7 @@ var _ = Describe("Outbound IPv4 TCP traffic to any address:port", func() { // then Eventually(ns.UnsafeExec(func() { - Expect(tcp.DialIPWithPortAndGetReply(net.ParseIP(consts.LocalhostIPv4), randomPort)). + Expect(tcp.DialIPWithPortAndGetReply(consts.LocalhostAddress[consts.IPv4].IP, randomPort)). To(Equal("randomPort")) })).Should(BeClosed()) @@ -836,7 +836,7 @@ var _ = Describe("Outbound IPv6 TCP traffic to any address:port", func() { // then Eventually(ns.UnsafeExec(func() { - Expect(tcp.DialIPWithPortAndGetReply(net.ParseIP(consts.LocalhostIPv6), randomPort)). + Expect(tcp.DialIPWithPortAndGetReply(consts.LocalhostAddress[consts.IPv6].IP, randomPort)). To(Equal("randomPort")) })).Should(BeClosed()) diff --git a/test/e2e/reachableservices/auto_reachable_mesh_services_k8s.go b/test/e2e/reachableservices/auto_reachable_mesh_services_k8s.go index a88cd60e13d3..5fb25c610c47 100644 --- a/test/e2e/reachableservices/auto_reachable_mesh_services_k8s.go +++ b/test/e2e/reachableservices/auto_reachable_mesh_services_k8s.go @@ -45,12 +45,11 @@ spec: )). Install(NamespaceWithSidecarInjection(namespace)). Install( - YamlK8s( + Yaml( builders.Mesh(). WithName(meshName). WithBuiltinMTLSBackend("ca-1").WithEnabledMTLSBackend("ca-1"). - WithMeshServicesEnabled(mesh_proto.Mesh_MeshServices_Exclusive). - KubeYaml(), + WithMeshServicesEnabled(mesh_proto.Mesh_MeshServices_Exclusive), ), ). Install(testserver.Install(testserver.WithName("client-server"), testserver.WithMesh(meshName), testserver.WithNamespace(namespace))). diff --git a/test/e2e_env/kubernetes/appprobeproxy/probe_proxy.go b/test/e2e_env/kubernetes/appprobeproxy/probe_proxy.go index e5696d5e1709..75fb04da7348 100644 --- a/test/e2e_env/kubernetes/appprobeproxy/probe_proxy.go +++ b/test/e2e_env/kubernetes/appprobeproxy/probe_proxy.go 
@@ -173,7 +173,7 @@ func ApplicationProbeProxy() { By("patch the application pod and disabling application probe proxy using annotation") kubectlOptsApps := kubernetes.Cluster.GetKubectlOptions(namespace) nextTemplateHash := patchAndWait(kubernetes.Cluster.GetTesting(), Default, kubernetes.Cluster, kubectlOptsApps, httpAppName, - `[{"op":"add", "path":"/spec/template/metadata/annotations/kuma.io~1application-probe-proxy-port", "value":"0"}]`) + `[{"op": "add", "path": "/spec/template/metadata/annotations", "value": {}},{"op":"add", "path":"/spec/template/metadata/annotations/kuma.io~1application-probe-proxy-port", "value":"0"}]`) By("checking virtual probes annotations on the new pod") var nextRevPodName string diff --git a/test/e2e_env/kubernetes/gateway/cross-mesh.go b/test/e2e_env/kubernetes/gateway/cross-mesh.go index 21b806243449..5bf28e1e287a 100644 --- a/test/e2e_env/kubernetes/gateway/cross-mesh.go +++ b/test/e2e_env/kubernetes/gateway/cross-mesh.go @@ -204,7 +204,7 @@ kind: Gateway metadata: name: %s namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: gatewayClassName: kuma-cross-mesh @@ -220,7 +220,7 @@ kind: HTTPRoute metadata: name: %s namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: parentRefs: diff --git a/test/e2e_env/kubernetes/gateway/delegated.go b/test/e2e_env/kubernetes/gateway/delegated.go index 55278a9fa47d..747a2824b754 100644 --- a/test/e2e_env/kubernetes/gateway/delegated.go +++ b/test/e2e_env/kubernetes/gateway/delegated.go @@ -63,7 +63,7 @@ spec: mesh.WithEgressRoutingEnabled() } err := NewClusterSetup(). - Install(YamlK8s(mesh.KubeYaml())). + Install(Yaml(mesh)). Install(MeshTrafficPermissionAllowAllKubernetes(config.Mesh)). Install(NamespaceWithSidecarInjection(config.Namespace)). Install(Namespace(config.NamespaceOutsideMesh)). diff --git a/test/e2e_env/kubernetes/gateway/gatewayapi.go b/test/e2e_env/kubernetes/gateway/gatewayapi.go index a2bce81ca2fa..a3810dc448a2 100644 
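Review bot: The first operation added to the JSON patch in `ApplicationProbeProxy`, `{"op": "add", "path": "/spec/template/metadata/annotations", "value": {}}`, replaces the whole annotations map when one already exists, since a JSON Patch `add` on an existing member overwrites it. That is presumably intended now that the mesh is set through a label and the pod template may have no annotations, but it will silently drop any annotation a later change adds to the test deployment. I would record the reason next to the patch, for example `// the template has no annotations once kuma.io/mesh is a label; create the map first (this overwrites existing annotations)`. The function body continues outside the hunk.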
--- a/test/e2e_env/kubernetes/gateway/gatewayapi.go +++ b/test/e2e_env/kubernetes/gateway/gatewayapi.go @@ -119,7 +119,7 @@ kind: Gateway metadata: name: %s namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: gatewayClassName: ha-kuma @@ -168,7 +168,7 @@ kind: Gateway metadata: name: %s namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: gatewayClassName: kuma @@ -214,7 +214,7 @@ kind: HTTPRoute metadata: name: test-server-paths namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: parentRefs: @@ -269,7 +269,7 @@ kind: HTTPRoute metadata: name: test-server-1 namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: parentRefs: @@ -286,7 +286,7 @@ kind: HTTPRoute metadata: name: test-server-2 namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: parentRefs: @@ -332,7 +332,7 @@ kind: HTTPRoute metadata: name: external-service namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: parentRefs: @@ -388,7 +388,7 @@ kind: Gateway metadata: name: %s namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: gatewayClassName: kuma @@ -428,7 +428,7 @@ kind: HTTPRoute metadata: name: test-server-paths namespace: %s - annotations: + labels: kuma.io/mesh: %s spec: parentRefs: diff --git a/test/e2e_env/kubernetes/graceful/eviction.go b/test/e2e_env/kubernetes/graceful/eviction.go index 29575018fa52..7235042d1323 100644 --- a/test/e2e_env/kubernetes/graceful/eviction.go +++ b/test/e2e_env/kubernetes/graceful/eviction.go @@ -36,7 +36,7 @@ kind: Pod metadata: name: to-be-evicted namespace: eviction - annotations: + labels: kuma.io/mesh: eviction spec: volumes: diff --git a/test/e2e_env/kubernetes/graceful/graceful.go b/test/e2e_env/kubernetes/graceful/graceful.go index 1bf090952c4f..00b54174f2b6 100644 --- a/test/e2e_env/kubernetes/graceful/graceful.go +++ b/test/e2e_env/kubernetes/graceful/graceful.go 
@@ -41,7 +41,7 @@ kind: MeshGatewayInstance metadata: name: edge-gateway namespace: graceful - annotations: + labels: kuma.io/mesh: graceful spec: replicas: %d diff --git a/test/e2e_env/kubernetes/graceful/wait_for_envoy.go b/test/e2e_env/kubernetes/graceful/wait_for_envoy.go index bcc0f47d2119..0f1d42d588f1 100644 --- a/test/e2e_env/kubernetes/graceful/wait_for_envoy.go +++ b/test/e2e_env/kubernetes/graceful/wait_for_envoy.go @@ -49,8 +49,8 @@ metadata: namespace: %s labels: app: wait-for-envoy - annotations: kuma.io/mesh: %s + annotations: kuma.io/wait-for-dataplane-ready: "true" spec: restartPolicy: Never diff --git a/test/e2e_env/kubernetes/membership/membership.go b/test/e2e_env/kubernetes/membership/membership.go index 9615f817d90f..cd5b26b26faa 100644 --- a/test/e2e_env/kubernetes/membership/membership.go +++ b/test/e2e_env/kubernetes/membership/membership.go @@ -70,7 +70,7 @@ spec: testserver.WithMesh(mesh2), testserver.WithoutWaitingToBeReady(), )(kubernetes.Cluster) - Expect(err).ToNot(HaveOccurred()) + Expect(err).To(HaveOccurred()) // then the client is not allowed to do it // then it's not allowed diff --git a/test/e2e_env/kubernetes/meshcircuitbreaker/meshcircuitbreaker.go b/test/e2e_env/kubernetes/meshcircuitbreaker/meshcircuitbreaker.go index 29b26b155866..d45ef8df21ea 100644 --- a/test/e2e_env/kubernetes/meshcircuitbreaker/meshcircuitbreaker.go +++ b/test/e2e_env/kubernetes/meshcircuitbreaker/meshcircuitbreaker.go @@ -6,8 +6,10 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1" "github.com/kumahq/kuma/pkg/plugins/policies/meshcircuitbreaker/api/v1alpha1" meshretry_api "github.com/kumahq/kuma/pkg/plugins/policies/meshretry/api/v1alpha1" + "github.com/kumahq/kuma/pkg/test/resources/builders" . "github.com/kumahq/kuma/test/framework" "github.com/kumahq/kuma/test/framework/client" "github.com/kumahq/kuma/test/framework/deployments/democlient" 
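Review bot: In the membership.go hunk, `Expect(err).To(HaveOccurred())` passes on any failure of the install step, including an unrelated one such as a timeout or an API error. That makes the test unable to tell "membership was denied" from "the cluster was unhealthy". I would assert on the rejection itself, for example `Expect(err).To(MatchError(ContainSubstring("<expected denial message>")))`, with the placeholder replaced by the text the webhook returns. The two context comments that follow ("then the client is not allowed to do it" and "then it's not allowed") say the same thing and could be merged. The enclosing test starts outside the hunk.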
@@ -19,36 +21,18 @@ func MeshCircuitBreaker() { namespace := "meshcircuitbreaker-namespace" mesh := "meshcircuitbreaker" - kubeMeshServiceYAML := fmt.Sprintf(` -apiVersion: kuma.io/v1alpha1 -kind: MeshService -metadata: - name: test-server - namespace: %s - labels: - kuma.io/origin: zone - kuma.io/mesh: %s - kuma.io/managed-by: k8s-controller - k8s.kuma.io/is-headless-service: "false" -spec: - selector: - dataplaneTags: - app: test-server - k8s.kuma.io/namespace: %s - ports: - - port: 80 - name: main - targetPort: main - appProtocol: http -`, namespace, mesh, namespace) - BeforeAll(func() { err := NewClusterSetup(). - Install(MeshKubernetes(mesh)). + Install( + Yaml( + builders.Mesh(). + WithName(mesh). + WithMeshServicesEnabled(mesh_proto.Mesh_MeshServices_Everywhere), + ), + ). Install(NamespaceWithSidecarInjection(namespace)). Install(democlient.Install(democlient.WithNamespace(namespace), democlient.WithMesh(mesh))). Install(testserver.Install(testserver.WithMesh(mesh), testserver.WithNamespace(namespace))). - Install(YamlK8s(kubeMeshServiceYAML)). Install(YamlK8s(fmt.Sprintf(` apiVersion: kuma.io/v1alpha1 kind: HostnameGenerator diff --git a/test/e2e_env/kubernetes/meshtimeout/meshtimeout.go b/test/e2e_env/kubernetes/meshtimeout/meshtimeout.go index f704e8c857a2..1e48199c3abe 100644 --- a/test/e2e_env/kubernetes/meshtimeout/meshtimeout.go +++ b/test/e2e_env/kubernetes/meshtimeout/meshtimeout.go @@ -27,11 +27,10 @@ func MeshTimeout() { BeforeAll(func() { err := NewClusterSetup(). - Install(YamlK8s(builders.Mesh(). + Install(Yaml(builders.Mesh(). WithName(mesh). WithoutInitialPolicies(). - WithMeshServicesEnabled(mode). - KubeYaml())). + WithMeshServicesEnabled(mode))). Install(NamespaceWithSidecarInjection(namespace)). Install(democlient.Install(democlient.WithNamespace(namespace), democlient.WithMesh(mesh))). Install(testserver.Install(testserver.WithMesh(mesh), testserver.WithNamespace(namespace))). 
diff --git a/test/e2e_env/multizone/meshservice/migration.go b/test/e2e_env/multizone/meshservice/migration.go
new file mode 100644
index 000000000000..43e2d0914885
--- /dev/null
+++ b/test/e2e_env/multizone/meshservice/migration.go
@@ -0,0 +1,144 @@ +package meshservice + +import ( + "fmt" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "sigs.k8s.io/yaml" + + "github.com/kumahq/kuma/pkg/kds/hash" + . "github.com/kumahq/kuma/test/framework" + "github.com/kumahq/kuma/test/framework/deployments/testserver" + "github.com/kumahq/kuma/test/framework/envs/multizone" +) + +func Migration() { + namespace := "msmigration" + meshName := "msmigration" + + BeforeAll(func() { + err := NewClusterSetup(). + Install(MTLSMeshUniversal(meshName)). + Setup(multizone.Global) + Expect(err).ToNot(HaveOccurred()) + + err = NewClusterSetup(). + Install(NamespaceWithSidecarInjection(namespace)). + Install(testserver.Install( + testserver.WithName("demo-client"), + testserver.WithMesh(meshName), + testserver.WithNamespace(namespace), + )). + Install(testserver.Install( + testserver.WithName("test-server"), + testserver.WithNamespace(namespace), + testserver.WithMesh(meshName), + )). + Setup(multizone.KubeZone1) + Expect(err).ToNot(HaveOccurred()) + + err = NewClusterSetup(). + Install(TestServerUniversal("test-server", meshName)). 
+ Setup(multizone.UniZone1) + Expect(err).ToNot(HaveOccurred()) + }) + + AfterEachFailure(func() { + DebugUniversal(multizone.Global, meshName) + DebugUniversal(multizone.UniZone1, meshName) + DebugKube(multizone.KubeZone1, meshName, namespace) + }) + + E2EAfterAll(func() { + Expect(multizone.KubeZone1.TriggerDeleteNamespace(namespace)).To(Succeed()) + Expect(multizone.UniZone1.DeleteMeshApps(meshName)).To(Succeed()) + Expect(multizone.Global.DeleteMesh(meshName)).To(Succeed()) + }) + + type meshServiceList struct { + Total int `json:"total"` + Items []struct { + Name string `json:"name"` + } `json:"items"` + } + + unmarshal := func(out string) *meshServiceList { + l := &meshServiceList{} + Expect(yaml.Unmarshal([]byte(out), l)).To(Succeed()) + return l + } + + hasMeshServices := func(names ...string) { + Eventually(func(g Gomega) { + // when + out, err := multizone.Global.GetKumactlOptions().RunKumactlAndGetOutput("get", "meshservices", "-m", meshName, "-o", "yaml") + // then + g.Expect(err).ToNot(HaveOccurred()) + response := unmarshal(out) + g.Expect(response.Total).To(Equal(len(names))) + var actualNames []string + for _, name := range response.Items { + actualNames = append(actualNames, name.Name) + } + g.Expect(actualNames).To(ConsistOf(names)) + }).Should(Succeed()) + } + + noMeshServices := func() { + // call hasMeshServices with no names + hasMeshServices() + } + + It("should automatically create MeshServices when the mode is 'Exclusive'", func() { + // given + noMeshServices() + + // when enable 'mode: Exclusive' + Expect(MTLSMeshWithMeshServicesUniversal(meshName, "Exclusive")(multizone.Global)).To(Succeed()) + + // then + hasMeshServices( + hash.HashedName(meshName, "demo-client", Kuma1, namespace), + hash.HashedName(meshName, "test-server", Kuma1, namespace), + hash.HashedName(meshName, "test-server", Kuma4), + ) + }) + + It("should be possible to manually create MeshService on Universal", func() { + // when + Expect(YamlUniversal(fmt.Sprintf(` +type: 
MeshService +name: manually-created-ms +mesh: %s +labels: + kuma.io/origin: zone +spec: + selector: + dataplaneTags: + kuma.io/service: manually-created-ms + ports: + - port: 80 + targetPort: 80 + appProtocol: http +`, meshName))(multizone.UniZone1)).To(Succeed()) + + // then + hasMeshServices( + hash.HashedName(meshName, "demo-client", Kuma1, namespace), + hash.HashedName(meshName, "test-server", Kuma1, namespace), + hash.HashedName(meshName, "test-server", Kuma4), + hash.HashedName(meshName, "manually-created-ms", Kuma4), + ) + }) + + It("should delete automatically created MeshServices when the mode is 'Disabled'", func() { + // when mode is 'Disabled' + Expect(MTLSMeshWithMeshServicesUniversal(meshName, "Disabled")(multizone.Global)).To(Succeed()) + + // then + hasMeshServices( + hash.HashedName(meshName, "manually-created-ms", Kuma4), + ) + }) +} diff --git a/test/e2e_env/multizone/meshtimeout/meshtimeout.go b/test/e2e_env/multizone/meshtimeout/meshtimeout.go index dd9f6d0b4029..5a67248f72f7 100644 --- a/test/e2e_env/multizone/meshtimeout/meshtimeout.go +++ b/test/e2e_env/multizone/meshtimeout/meshtimeout.go @@ -7,9 +7,11 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1" meshhttproute_api "github.com/kumahq/kuma/pkg/plugins/policies/meshhttproute/api/v1alpha1" meshretry_api "github.com/kumahq/kuma/pkg/plugins/policies/meshretry/api/v1alpha1" meshtimeout_api "github.com/kumahq/kuma/pkg/plugins/policies/meshtimeout/api/v1alpha1" + "github.com/kumahq/kuma/pkg/test/resources/builders" . "github.com/kumahq/kuma/test/framework" framework_client "github.com/kumahq/kuma/test/framework/client" "github.com/kumahq/kuma/test/framework/deployments/testserver" 
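Review bot: In the new migration.go, `unmarshal` calls the package-level `Expect`, but it runs inside the `Eventually(func(g Gomega) {...})` of `hasMeshServices`, so kumactl output that does not parse yet fails the spec at once instead of being retried. Do the parse with the polled instance: replace `response := unmarshal(out)` with `response := &meshServiceList{}` followed by `g.Expect(yaml.Unmarshal([]byte(out), response)).To(Succeed())`. The `Eventually` is also called without a timeout or polling interval, so unless the suite overrides gomega's defaults, the creation and deletion checks get only the default window; an explicit duration would make the wait visible in the test.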
@@ -23,7 +25,14 @@ func MeshTimeout() { BeforeAll(func() { // Global Expect(NewClusterSetup(). - Install(MTLSMeshUniversal(mesh)). + Install( + Yaml( + builders.Mesh(). + WithName(mesh). + WithBuiltinMTLSBackend("ca-1").WithEnabledMTLSBackend("ca-1"). + WithMeshServicesEnabled(mesh_proto.Mesh_MeshServices_Everywhere), + ), + ). Install(MeshTrafficPermissionAllowAllUniversal(mesh)). Install(YamlUniversal(fmt.Sprintf(` type: MeshMultiZoneService @@ -59,29 +68,6 @@ spec: Setup(multizone.KubeZone1), ).To(Succeed()) - kubeServiceYAML := fmt.Sprintf(` -apiVersion: kuma.io/v1alpha1 -kind: MeshService -metadata: - name: test-server - namespace: %s - labels: - kuma.io/origin: zone - kuma.io/mesh: %s - kuma.io/managed-by: k8s-controller - k8s.kuma.io/is-headless-service: "false" -spec: - selector: - dataplaneTags: - app: test-server - k8s.kuma.io/namespace: %s - ports: - - port: 80 - name: main - targetPort: main - appProtocol: http -`, k8sZoneNamespace, mesh, k8sZoneNamespace) - Expect(NewClusterSetup(). Install(NamespaceWithSidecarInjection(k8sZoneNamespace)). Install(testserver.Install( @@ -90,7 +76,6 @@ spec: testserver.WithNamespace(k8sZoneNamespace), testserver.WithEchoArgs("echo", "--instance", "kube-test-server-2"), )). - Install(YamlK8s(kubeServiceYAML)). Setup(multizone.KubeZone2), ).To(Succeed()) diff --git a/test/e2e_env/multizone/multizone_suite_test.go b/test/e2e_env/multizone/multizone_suite_test.go index 5040a277d0e4..e727d4aa164c 100644 --- a/test/e2e_env/multizone/multizone_suite_test.go +++ b/test/e2e_env/multizone/multizone_suite_test.go 
@@ -77,6 +77,7 @@ var ( _ = Describe("Defaults", defaults.Defaults, Ordered) _ = Describe("MeshService Sync", meshservice.Sync, Ordered) _ = Describe("MeshService Connectivity", meshservice.Connectivity, Ordered) + _ = Describe("MeshService Migration", meshservice.Migration, Ordered) _ = Describe("Targeting real MeshService in policies", meshservice.MeshServiceTargeting, Ordered) _ = Describe("MeshMultiZoneService Connectivity", meshmultizoneservice.Connectivity, Ordered) _ = Describe("MeshMultiZoneService MeshLbStrategy", localityawarelb.MeshMzService, Ordered) diff --git a/test/e2e_env/multizone/reachablebackends/reachablebackends.go b/test/e2e_env/multizone/reachablebackends/reachablebackends.go index 15a87c106604..8f804a250a03 100644 --- a/test/e2e_env/multizone/reachablebackends/reachablebackends.go +++ b/test/e2e_env/multizone/reachablebackends/reachablebackends.go @@ -6,6 +6,8 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1" + "github.com/kumahq/kuma/pkg/test/resources/builders" . "github.com/kumahq/kuma/test/framework" "github.com/kumahq/kuma/test/framework/client" "github.com/kumahq/kuma/test/framework/deployments/testserver" 
@@ -107,27 +109,19 @@ spec: k8s.kuma.io/namespace: %s `, meshName, namespace) - meshWithEgress := fmt.Sprintf(` -type: Mesh -name: "%s" -meshServices: - mode: Everywhere -mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin -networking: - outbound: - passthrough: false -routing: - zoneEgress: true -`, meshName) - BeforeAll(func() { // Global err := NewClusterSetup(). - Install(YamlUniversal(meshWithEgress)). + Install( + Yaml( + builders.Mesh(). + WithName(meshName). + WithMeshServicesEnabled(mesh_proto.Mesh_MeshServices_Everywhere). + WithBuiltinMTLSBackend("ca-1").WithEnabledMTLSBackend("ca-1"). + WithEgressRoutingEnabled(). + WithoutPassthrough(), + ), + ). Install(MeshTrafficPermissionAllowAllUniversal(meshName)). Install(YamlUniversal(mmzs)). Install(YamlUniversal(mmzsNotAccessible)). @@ -185,50 +179,6 @@ routing: Expect(err).ToNot(HaveOccurred()) // Zone Kube2 - kubeServiceYAML := fmt.Sprintf(` -apiVersion: kuma.io/v1alpha1 -kind: MeshService -metadata: - name: other-zone-test-server - namespace: %s - labels: - kuma.io/origin: zone - kuma.io/mesh: %s - kuma.io/managed-by: k8s-controller - k8s.kuma.io/is-headless-service: "false" -spec: - selector: - dataplaneTags: - app: other-zone-test-server - k8s.kuma.io/namespace: %s - ports: - - port: 80 - name: main - targetPort: main - appProtocol: http -`, namespace, meshName, namespace) - kubeServiceNotAccessibleYAML := fmt.Sprintf(` -apiVersion: kuma.io/v1alpha1 -kind: MeshService -metadata: - name: other-zone-not-accessible - namespace: %s - labels: - kuma.io/origin: zone - kuma.io/mesh: %s - kuma.io/managed-by: k8s-controller - k8s.kuma.io/is-headless-service: "false" -spec: - selector: - dataplaneTags: - app: other-zone-not-accessible - k8s.kuma.io/namespace: %s - ports: - - port: 80 - name: main - targetPort: main - appProtocol: http -`, namespace, meshName, namespace) err = NewClusterSetup(). Install(NamespaceWithSidecarInjection(namespace)). Install(testserver.Install( 
@@ -243,8 +193,6 @@ spec: testserver.WithMesh(meshName), testserver.WithEchoArgs("echo", "--instance", "other-zone-not-accessible"), )). - Install(YamlK8s(kubeServiceYAML)). - Install(YamlK8s(kubeServiceNotAccessibleYAML)). Setup(multizone.KubeZone2) Expect(err).ToNot(HaveOccurred()) }) diff --git a/test/e2e_env/universal/universal_suite_test.go b/test/e2e_env/universal/universal_suite_test.go index d27bd4d7bf09..bc5f21e690a7 100644 --- a/test/e2e_env/universal/universal_suite_test.go +++ b/test/e2e_env/universal/universal_suite_test.go @@ -91,8 +91,7 @@ var ( _ = Describe("Reachable Services", reachableservices.ReachableServices, Ordered) _ = Describe("Apis", api.Api, Ordered) _ = Describe("Traffic Permission", trafficpermission.TrafficPermission, Ordered) - // FlakeAttempts to cover https://github.com/kumahq/kuma/issues/11546 - _ = Describe("Traffic Route", trafficroute.TrafficRoute, Ordered, FlakeAttempts(3)) + _ = Describe("Traffic Route", trafficroute.TrafficRoute, Ordered) _ = Describe("Zone Egress", zoneegress.ExternalServices, Ordered) _ = Describe("Virtual Outbound", virtualoutbound.VirtualOutbound, Ordered) _ = Describe("Transparent Proxy", transparentproxy.TransparentProxy, Ordered) diff --git a/test/framework/deployments/democlient/kubernetes.go b/test/framework/deployments/democlient/kubernetes.go index 8d4bce381da2..d148a82fb7e5 100644 --- a/test/framework/deployments/democlient/kubernetes.go +++ b/test/framework/deployments/democlient/kubernetes.go @@ -43,7 +43,7 @@ func (k *k8SDeployment) deployment() *appsv1.Deployment { func (k *k8SDeployment) podSpec() corev1.PodTemplateSpec { return corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{"app": k.Name()}, + Labels: map[string]string{"app": k.Name(), "kuma.io/mesh": k.opts.Mesh}, Annotations: k.getAnnotations(), }, Spec: corev1.PodSpec{ 
@@ -97,7 +97,6 @@ func (k *k8SDeployment) service() *corev1.Service { func (k *k8SDeployment) getAnnotations() map[string]string { annotations := make(map[string]string) - annotations["kuma.io/mesh"] = k.opts.Mesh for key, value := range k.opts.PodAnnotations { annotations[key] = value } diff --git a/test/framework/deployments/testserver/kubernetes.go b/test/framework/deployments/testserver/kubernetes.go index dca30f1bfa5a..ae514b14f03c 100644 --- a/test/framework/deployments/testserver/kubernetes.go +++ b/test/framework/deployments/testserver/kubernetes.go @@ -258,7 +258,6 @@ func (k *k8SDeployment) podSpec() corev1.PodTemplateSpec { func (k *k8SDeployment) getAnnotations() map[string]string { annotations := make(map[string]string) - annotations["kuma.io/mesh"] = k.opts.Mesh for key, value := range k.opts.PodAnnotations { annotations[key] = value } @@ -268,6 +267,7 @@ func (k *k8SDeployment) getAnnotations() map[string]string { func (k *k8SDeployment) getLabels() map[string]string { labels := make(map[string]string) labels["app"] = k.Name() + labels["kuma.io/mesh"] = k.opts.Mesh for key, value := range k.opts.PodLabels { labels[key] = value } diff --git a/test/framework/k8s.go b/test/framework/k8s.go index dffd1d22bab2..88c9caabd5cf 100644 --- a/test/framework/k8s.go +++ b/test/framework/k8s.go @@ -70,7 +70,7 @@ func GatewayAPICRDs(cluster Cluster) error { return k8s.RunKubectlE( cluster.GetTesting(), cluster.GetKubectlOptions(), - "apply", "-f", "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml") + "apply", "-f", "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml") } func UpdateKubeObject( diff --git a/test/framework/setup.go b/test/framework/setup.go index 4ed3b2702a71..ba76613af43c 100644 --- a/test/framework/setup.go +++ b/test/framework/setup.go 
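Review bot: `GatewayAPICRDs` in k8s.go applies cluster-scoped CRDs straight from a release URL, and the bump to `v1.2.0/standard-install.yaml` leaves that download unverified: the tag pins a name rather than content, so the test cluster installs whatever the asset holds at run time. Consider vendoring the manifest in the repository, or checking a recorded digest before `kubectl apply` and noting it next to the URL, e.g. `// sha256: <digest-of-standard-install.yaml>`. The switch from `experimental-install.yaml` to `standard-install.yaml` also drops the experimental-channel CRDs; if any e2e test still creates one of those kinds, this will only show up as a run-time failure. The function starts outside the hunk.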
@@ -506,6 +506,24 @@ func YamlUniversal(yaml string) InstallFunc { } } +type builder interface { + KubeYaml() string + UniYaml() string +} + +func Yaml(b builder) InstallFunc { + return func(cluster Cluster) error { + switch c := cluster.(type) { + case *K8sCluster: + return YamlK8s(b.KubeYaml())(c) + case *UniversalCluster: + return YamlUniversal(b.UniYaml())(c) + default: + return errors.New("unknown cluster type") + } + } +} + func ResourceUniversal(resource model.Resource) InstallFunc { return func(cluster Cluster) error { _, err := retry.DoWithRetryE(cluster.GetTesting(), "install resource", DefaultRetries, DefaultTimeout, @@ -712,8 +730,8 @@ func DemoClientJobK8s(namespace, mesh, destination string) InstallFunc { Spec: batchv1.JobSpec{ Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{"kuma.io/mesh": mesh}, - Labels: map[string]string{"app": name}, + Annotations: map[string]string{}, + Labels: map[string]string{"app": name, "kuma.io/mesh": mesh}, }, Spec: corev1.PodSpec{ Containers: []corev1.Container{ diff --git a/test/framework/universal_app.go b/test/framework/universal_app.go index 2cc3ff40875f..b2d651f731dc 100644 --- a/test/framework/universal_app.go +++ b/test/framework/universal_app.go @@ -487,8 +487,6 @@ func (s *UniversalApp) CreateDP( func (s *UniversalApp) setupTransparent(builtindns bool) { args := []string{ "/usr/bin/kumactl", "install", "transparent-proxy", - "--kuma-dp-user", "kuma-dp", - "--skip-dns-conntrack-zone-split", "--exclude-inbound-ports", "22", } diff --git a/test/framework/universal_cluster.go b/test/framework/universal_cluster.go index d388e29cf35c..1d6a2e837f9d 100644 --- a/test/framework/universal_cluster.go +++ b/test/framework/universal_cluster.go 
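Review bot: The `default` branch of the new `Yaml` helper in setup.go returns `errors.New("unknown cluster type")`, which hides the concrete type that failed to match; a wrapper that implements `Cluster` without being `*K8sCluster` or `*UniversalCluster` would end up here with no hint. Prefer `return fmt.Errorf("unsupported cluster type %T", cluster)`, assuming `fmt` is already imported in this file, which the hunk does not show. `Yaml` and the `builder` interface also have no doc comments; a line such as `// Yaml installs the resource built by b, rendered as Kubernetes or Universal YAML depending on the cluster type.` would tell callers when to use it over `YamlK8s` and `YamlUniversal`.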
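Review bot: In universal_app.go, `setupTransparent` drops `--kuma-dp-user kuma-dp` and `--skip-dns-conntrack-zone-split` with no comment on what replaces them, so the dataplane user and the DNS conntrack behaviour now depend on kumactl's defaults. If the installed kumactl resolves a different user than the one kuma-dp runs as in the test container, the proxy's own traffic would presumably no longer be treated as the dataplane's, and the tests would fail in ways that are hard to trace back to this line. A short comment above `args` stating the assumption would make the dependency visible, e.g. `// relies on kumactl defaults for the dataplane user; the app image must run kuma-dp as that user`. The function body continues outside the hunk.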
@@ -16,6 +16,7 @@ import ( "github.com/kumahq/kuma/pkg/config/core" core_mesh "github.com/kumahq/kuma/pkg/core/resources/apis/mesh" core_model "github.com/kumahq/kuma/pkg/core/resources/model" + "github.com/kumahq/kuma/pkg/util/pointer" "github.com/kumahq/kuma/pkg/util/template" "github.com/kumahq/kuma/test/framework/envoy_admin" "github.com/kumahq/kuma/test/framework/envoy_admin/tunnel" @@ -292,14 +293,14 @@ func (c *UniversalCluster) DeployApp(opt ...AppDeploymentOption) error { opts.apply(opt...) appname := opts.appname token := opts.token - transparent := opts.transparent != nil && *opts.transparent // default false + transparent := pointer.Deref(opts.transparent) args := opts.appArgs if opts.verbose == nil { opts.verbose = &c.verbose } - caps := []string{} + var caps []string if transparent { caps = append(caps, "NET_ADMIN", "NET_RAW") } @@ -342,7 +343,7 @@ func (c *UniversalCluster) DeployApp(opt ...AppDeploymentOption) error { } } - builtindns := opts.builtindns == nil || *opts.builtindns + builtindns := pointer.DerefOr(opts.builtindns, true) if transparent { app.setupTransparent(builtindns) } diff --git a/versions.yml b/versions.yml index 5ad7f224a22f..c1d1df50cd9d 100644 --- a/versions.yml +++ b/versions.yml @@ -71,26 +71,26 @@ endOfLifeDate: "2024-08-29" branch: release-2.4 - edition: kuma - version: 2.5.10 + version: 2.5.11 release: 2.5.x releaseDate: "2023-11-15" endOfLifeDate: "2024-11-15" branch: release-2.5 - edition: kuma - version: 2.6.11 + version: 2.6.12 release: 2.6.x releaseDate: "2024-02-01" endOfLifeDate: "2025-02-01" branch: release-2.6 - edition: kuma - version: 2.7.7 + version: 2.7.8 release: 2.7.x releaseDate: "2024-04-19" endOfLifeDate: "2026-04-19" branch: release-2.7 lts: true - edition: kuma - version: 2.8.3 + version: 2.8.4 release: 2.8.x latest: true releaseDate: "2024-06-24"