diff --git a/charts/controlplane/Chart.yaml b/charts/controlplane/Chart.yaml index f15ca0ee..a9ad277c 100644 --- a/charts/controlplane/Chart.yaml +++ b/charts/controlplane/Chart.yaml @@ -28,3 +28,8 @@ dependencies: version: 80.8.0 alias: monitoring condition: monitoring.enabled +- name: gateway-helm + alias: envoy-gateway + repository: oci://docker.io/envoyproxy + version: v1.6.4 + condition: envoy-gateway.enabled diff --git a/charts/controlplane/README.md b/charts/controlplane/README.md index da3ed2ca..3d70c317 100644 --- a/charts/controlplane/README.md +++ b/charts/controlplane/README.md @@ -20,6 +20,9 @@ helm repo add flyte https://helm.flyte.org # Add Ingress NGINX Helm repository (if using ingress-nginx) helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +# Add Envoy Gateway Helm repository (if using Envoy Gateway) +helm repo add envoy-gateway oci://docker.io/envoyproxy + # Add ScyllaDB Helm repository (if using ScyllaDB) helm repo add scylla https://scylla-operator-charts.storage.googleapis.com/stable @@ -52,6 +55,7 @@ Kubernetes: `>= 1.28.0-0` |------------|------|---------|----------|-------| | https://helm.flyte.org | flyte-core(flyte) | v1.16.0-b2 | No | Required | | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.12.3 | Yes | Only if `ingress-nginx.enabled: true` | +| oci://docker.io/envoyproxy | gateway-helm(envoy-gateway) | v1.6.4 | Yes | Only if `envoy-gateway.enabled: true`; for selfmanaged deployments install via ArgoCD ApplicationSet instead | | https://scylla-operator-charts.storage.googleapis.com/stable | scylla-operator | v1.18.1 | Yes | Only if `scylla.enabled: true` | | https://scylla-operator-charts.storage.googleapis.com/stable | scylla | v1.18.1 | Yes | Only if `scylla.enabled: true` | | https://prometheus-community.github.io/helm-charts | monitoring(kube-prometheus-stack) | 80.8.0 | Yes | Only if `monitoring.enabled: true` | 
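Review bot: The new `gateway-helm` dependency is pinned to `v1.6.4` but pulled from `oci://docker.io/envoyproxy`, and no Chart.lock hunk appears in this chunk; unless the lock file is regenerated and committed (`helm dependency update charts/controlplane`), the resolved chart digest is not recorded and a later `helm dependency build` on the same tag cannot be checked against what was reviewed. The README hunk on this same line documents `helm repo add envoy-gateway oci://docker.io/envoyproxy`, which Helm rejects because an OCI registry is not a chart repository; the instruction should be `helm dependency update charts/controlplane` (or `helm pull oci://docker.io/envoyproxy/gateway-helm --version v1.6.4`) instead. The `alias: envoy-gateway` / `condition: envoy-gateway.enabled` pair matches the values keys introduced later in the diff.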
@@ -261,17 +265,41 @@ helm upgrade --install union-controlplane unionai/controlplane \ --values values.yaml ``` -### Installation with Ingress NGINX +### Ingress Controller + +The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`: + +| Value | Behavior | +|-------|----------| +| `nginx` | Only nginx Ingress objects rendered (default) | +| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) | +| `both` | Both sets rendered simultaneously — use during migration | -If you need ingress support: +#### Installation with Ingress NGINX ```yaml +global: + INGRESS_PROVIDER: nginx + ingress-nginx: enabled: true +``` + +#### Installation with Envoy Gateway + +Envoy Gateway can be installed as a sub-chart (managed deployments) or as a separate Helm release via ArgoCD (selfmanaged deployments — see [Self-Hosted Guides](#alternative-deployment-models)). + +For sub-chart installation: + +```yaml +global: + INGRESS_PROVIDER: envoy + +envoy-gateway: + enabled: true # installs gateway-helm as a sub-chart -ingress: - className: "controlplane" - secretService: true +envoyGateway: + gatewayClassName: envoy # must match the GatewayClass created by the EG install ``` ## Verification 
@@ -302,7 +330,7 @@ helm show values unionai/controlplane - **Postgres Configuration** (Required): Set `dbHost`, `dbName`, `dbUser`, and `dbPass` for the primary database used by all control plane services except the queue service - **ScyllaDB Configuration** (Required): Configure `scylla` section for the queue service database. Set `scylla.enabled: true` for embedded cluster or provide `scylla.externalHost` for external ScyllaDB - **Object Storage**: Configure `bucketName`, `artifactsBucketName`, and `region` for S3-compatible storage -- **Ingress**: Enable and configure ingress under `ingress-nginx` section +- **Ingress**: Set `global.INGRESS_PROVIDER` to `nginx`, `envoy`, or `both`. Enable the relevant controller (`ingress-nginx.enabled` or `envoy-gateway.enabled`) and configure `envoyGateway.gatewayClassName` when using Envoy Gateway --- diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md index 2a3ed017..3d75590a 100644 --- a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md +++ b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md 
@@ -275,13 +275,23 @@ global: # override is configured. ``` -### TLS Requirements +### Ingress Controller -gRPC requires TLS for HTTP/2 with NGINX. Refer to [values.aws.selfhosted-intracluster.yaml](./values.aws.selfhosted-intracluster.yaml) for example configuration. +The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`: + +| Value | Behavior | +|-------|----------| +| `nginx` | Only nginx Ingress objects rendered (default) | +| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) | +| `both` | Both sets rendered simultaneously — use during migration | + +#### NGINX (default) + +TLS is required for gRPC over HTTP/2. Refer to [values.aws.selfhosted-intracluster.yaml](./values.aws.selfhosted-intracluster.yaml) for example configuration. ```yaml global: - # Configure namespace and name of the Kubernetes TLS secret. + INGRESS_PROVIDER: nginx TLS_SECRET_NAMESPACE: "" TLS_SECRET_NAME: "" 
@@ -292,12 +302,35 @@ ingress-nginx: default-ssl-certificate: "/" ``` +#### Envoy Gateway + +Envoy Gateway is installed as a **separate Helm release** via an ArgoCD ApplicationSet — it is not a sub-chart of the controlplane chart. To enable it: + +1. Deploy the Envoy Gateway controller into the cluster (see `cloud/infra/argocd/deploy/manifests/appset-selfmanaged-envoy-gateway.yaml`). +2. Set the ingress provider and gateway class in your overrides: + +```yaml +global: + INGRESS_PROVIDER: envoy # or "both" during parallel rollout + +envoyGateway: + gatewayClassName: controlplane-envoy # must match the GatewayClass created by the EG install +``` + +The `envoy-gateway.enabled` key controls whether the chart's bundled sub-chart dependency is installed. For selfmanaged deployments this stays `false` because EG is managed separately: + +```yaml +envoy-gateway: + enabled: false # EG is installed via its own ArgoCD ApplicationSet, not as a sub-chart +``` + ### Service Discovery Control plane services discover each other via Kubernetes DNS: - **Flyteadmin**: `flyteadmin.union-cp.svc.cluster.local:81` - **NGINX Ingress**: `controlplane-nginx-controller.union-cp.svc.cluster.local` +- **Envoy Gateway**: `controlplane-envoy-gateway.union-cp.svc.cluster.local` (when using EG) - **Dataplane** (for dataproxy): `dataplane-nginx-controller.union.svc.cluster.local` ## Authentication (OIDC/OAuth2) @@ -403,7 +436,7 @@ flyte: useAuth: true ``` -This enables nginx auth-subrequest validation on protected ingress routes. +This enables auth validation on protected ingress routes (nginx auth-subrequest for the nginx path; the Envoy Gateway path uses an equivalent Go auth filter via EnvoyPatchPolicy). ### Verifying Authentication diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md index 6de7fe03..d2a846c5 100644 --- a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md +++ b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md 
@@ -287,13 +287,23 @@ global: # override is configured. ``` -### TLS Requirements +### Ingress Controller -gRPC requires TLS for HTTP/2 with NGINX. Refer to [values.gcp.selfhosted-intracluster.yaml](./values.gcp.selfhosted-intracluster.yaml) for example configuration. +The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`: + +| Value | Behavior | +|-------|----------| +| `nginx` | Only nginx Ingress objects rendered (default) | +| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) | +| `both` | Both sets rendered simultaneously — use during migration | + +#### NGINX (default) + +TLS is required for gRPC over HTTP/2. Refer to [values.gcp.selfhosted-intracluster.yaml](./values.gcp.selfhosted-intracluster.yaml) for example configuration. ```yaml global: - # Configure namespace and name of the Kubernetes TLS secret. + INGRESS_PROVIDER: nginx TLS_SECRET_NAMESPACE: "" TLS_SECRET_NAME: "" 
@@ -304,12 +314,35 @@ ingress-nginx: default-ssl-certificate: "/" ``` +#### Envoy Gateway + +Envoy Gateway is installed as a **separate Helm release** via an ArgoCD ApplicationSet — it is not a sub-chart of the controlplane chart. To enable it: + +1. Deploy the Envoy Gateway controller into the cluster (see `cloud/infra/argocd/deploy/manifests/appset-selfmanaged-envoy-gateway.yaml`). +2. Set the ingress provider and gateway class in your overrides: + +```yaml +global: + INGRESS_PROVIDER: envoy # or "both" during parallel rollout + +envoyGateway: + gatewayClassName: controlplane-envoy # must match the GatewayClass created by the EG install +``` + +The `envoy-gateway.enabled` key controls whether the chart's bundled sub-chart dependency is installed. For selfmanaged deployments this stays `false` because EG is managed separately: + +```yaml +envoy-gateway: + enabled: false # EG is installed via its own ArgoCD ApplicationSet, not as a sub-chart +``` + ### Service Discovery Control plane services discover each other via Kubernetes DNS: - **Flyteadmin**: `flyteadmin.union-cp.svc.cluster.local:81` - **NGINX Ingress**: `controlplane-nginx-controller.union-cp.svc.cluster.local` +- **Envoy Gateway**: `controlplane-envoy-gateway.union-cp.svc.cluster.local` (when using EG) - **Dataplane** (for dataproxy): `dataplane-nginx-controller.union.svc.cluster.local` ## Authentication (OIDC/OAuth2) @@ -415,7 +448,7 @@ flyte: useAuth: true ``` -This enables nginx auth-subrequest validation on protected ingress routes. +This enables auth validation on protected ingress routes (nginx auth-subrequest for the nginx path; the Envoy Gateway path uses an equivalent Go auth filter via EnvoyPatchPolicy). ### Verifying Authentication diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml new file mode 100644 index 00000000..27ca2a0f --- /dev/null 
+++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml 
@@ -0,0 +1,108 @@ +{{- define "control-plane-library.backendtrafficpolicy" }} +# BackendTrafficPolicy — configures Envoy→gRPC backend connection settings. +# Replaces nginx grpc_connect_timeout, grpc_read_timeout, grpc_send_timeout. +# Two policies (one per GRPCRoute) so h2c and timeouts are scoped to gRPC traffic only. +# +# requestTimeout applies to unary calls; maxStreamDuration applies to streaming calls. +# "0s" for maxStreamDuration means no limit (equivalent to grpc_read_timeout 604800s on streaming routes). +# Both protected and unprotected GRPCRoutes contain streaming methods so both get the same config. +# +# Rate limit is also included here (when enabled) because route-level BTPs override gateway-level ones, +# so the gateway-level rate-limit BTP below would be suppressed for these two GRPCRoutes without it. +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: {{ template "flyte.name" . }}-grpc-protected-h2c + namespace: {{ template "flyte.namespace" . }} +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: GRPCRoute + name: {{ template "flyte.name" . }}-grpc-protected + timeout: + tcp: + connectTimeout: "1200s" # grpc_connect_timeout 1200s + http: + requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) + maxStreamDuration: "0s" # no limit for streaming (grpc_read_timeout 604800s on streaming routes) + tcpKeepalive: + probes: 9 + idleTime: "15s" + interval: "15s" + http2: {} +{{- if .Values.envoyGateway.rateLimit.enabled }} + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - sourceCIDR: + type: Distinct + value: "0.0.0.0/0" + limit: + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} +{{- end }} +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: {{ template "flyte.name" . 
}}-grpc-unprotected-h2c + namespace: {{ template "flyte.namespace" . }} +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: GRPCRoute + name: {{ template "flyte.name" . }}-grpc-unprotected + timeout: + tcp: + connectTimeout: "1200s" # grpc_connect_timeout 1200s + http: + requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) + maxStreamDuration: "0s" # no limit for WatchExecutionStatusUpdates streaming + tcpKeepalive: + probes: 9 + idleTime: "15s" + interval: "15s" + http2: {} +{{- if .Values.envoyGateway.rateLimit.enabled }} + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - sourceCIDR: + type: Distinct + value: "0.0.0.0/0" + limit: + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} +{{- end }} +{{- if .Values.envoyGateway.rateLimit.enabled }} +--- +# Global per-source-IP rate limit — replaces nginx.ingress.kubernetes.io/limit-rps annotation. +# Requires EG rateLimit backend (envoyproxy/ratelimit + Redis) to be running. +# Enable via envoyGateway.rateLimit.enabled: true once the backend is confirmed healthy. +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: {{ template "flyte.name" . }}-global-rate-limit + namespace: {{ template "flyte.namespace" . }} +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: {{ template "flyte.name" . }} + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - sourceCIDR: + type: Distinct + value: "0.0.0.0/0" + limit: + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} +{{- end }} +{{- end }} diff --git a/charts/controlplane/templates/common/_clienttrafficpolicy.yaml b/charts/controlplane/templates/common/_clienttrafficpolicy.yaml new file mode 100644 index 00000000..6d2d2785 --- /dev/null 
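Review bot: `.Values.envoyGateway.rateLimit.enabled` is dereferenced three times in this template, but the `envoyGateway` block added to the selfhosted values files later in this diff defines only `gatewayClassName`; unless the chart's default values.yaml (not visible here) declares `envoyGateway.rateLimit`, rendering fails with a nil-pointer error on `.rateLimit.enabled`. The nil-safe form this change already uses elsewhere, `{{- if (((.Values.envoyGateway).rateLimit).enabled) }}`, avoids that. Separately, the limit keys on `sourceCIDR` with `type: Distinct`, so behind a load balancer that does not preserve the client address every caller shares one bucket of `requestsPerUnit`; the companion ClientTrafficPolicy sets no `clientIPDetection`, so how the client IP reaches Envoy should be confirmed before this is enabled. The three identical `rateLimit:` stanzas could be a single `define` (for example `control-plane-library.envoy-ratelimit-rules`) pulled in with `nindent`, so the rule lives in one place.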
+++ b/charts/controlplane/templates/common/_clienttrafficpolicy.yaml
@@ -0,0 +1,23 @@
+{{- define "control-plane-library.clienttrafficpolicy" }}
+# ClientTrafficPolicy — configures inbound client connection settings on the Gateway.
+# Replaces nginx server-snippet: client_header_timeout, client_body_timeout,
+# client_header_buffer_size, and large_client_header_buffers.
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+ name: {{ template "flyte.name" . }}-client-policy
+ namespace: {{ template "flyte.namespace" . }}
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: {{ template "flyte.name" . }}
+ timeout:
+ http:
+ requestReceivedTimeout: "0s" # client_header_timeout 604800
+ streamIdleTimeout: "0s" # client_body_timeout 604800
+ connection:
+ # large_client_header_buffers 64 32k = 2Mi total; mitigates 400 errors from large cookies
+ # at the /me auth endpoint (see PE-1101).
+ bufferLimit: "2Mi"
+{{- end }}
diff --git a/charts/controlplane/templates/common/_gateway.yaml b/charts/controlplane/templates/common/_gateway.yaml
new file mode 100644
index 00000000..cb9f9bda
--- /dev/null
+++ b/charts/controlplane/templates/common/_gateway.yaml
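Review bot: `requestReceivedTimeout: "0s"` and `streamIdleTimeout: "0s"` appear to switch the header-receive and stream-idle timers off entirely, which is broader than the nginx values they replace (`604800` seconds is a finite bound); with no bound a client can hold a partially sent request, and its per-connection `2Mi` `bufferLimit`, open indefinitely. If "unlimited" is the intent the comment should say so; otherwise carrying the nginx value over, `requestReceivedTimeout: "604800s"` and `streamIdleTimeout: "604800s"`, keeps parity without removing the bound. This policy is also where `clientIPDetection` (X-Forwarded-For trusted hops or a custom header) belongs if the gateway sits behind a load balancer, because the source-IP rate limit in `_backendtrafficpolicy.yaml` otherwise keys on the balancer's address.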
@@ -0,0 +1,44 @@ +{{- define "control-plane-library.gateway" }} +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} +spec: + gatewayClassName: {{ .Values.envoyGateway.gatewayClassName }} + listeners: + - name: https + protocol: HTTPS + port: 443 + hostname: {{ .Values.global.UNION_HOST | quote }} + tls: + mode: Terminate + certificateRefs: + - kind: Secret + namespace: {{ .Values.global.TLS_SECRET_NAMESPACE }} + name: {{ .Values.global.TLS_SECRET_NAME }} + {{- if .Values.flyte.common.ingress.isServerless }} + - name: https-serverless + protocol: HTTPS + port: 443 + hostname: {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} + tls: + mode: Terminate + certificateRefs: + - kind: Secret + namespace: {{ .Values.global.TLS_SECRET_NAMESPACE }} + name: {{ .Values.global.TLS_SECRET_NAME }} + {{- end }} + {{- $intraHost := .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }} + {{- if and $intraHost (ne $intraHost .Values.global.UNION_HOST) }} + - name: https-intracluster + protocol: HTTPS + port: 443 + hostname: {{ $intraHost | quote }} + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: controlplane-intracluster-tls-secret + {{- end }} +{{- end }} diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml new file mode 100644 index 00000000..2dab2ab8 --- /dev/null +++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml 
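Review bot: The `certificateRefs` entries render `namespace: {{ .Values.global.TLS_SECRET_NAMESPACE }}` and `name: {{ .Values.global.TLS_SECRET_NAME }}` unquoted and without a presence check, while the selfhosted values in this diff default both to `""`; an operator who sets `INGRESS_PROVIDER: envoy` without filling them gets a Gateway with null `namespace`/`name` fields instead of a render-time error. Wrapping them as `name: {{ required "global.TLS_SECRET_NAME is required for the Envoy Gateway listener" .Values.global.TLS_SECRET_NAME | quote }}` (and the same for the namespace, in both the `https` and `https-serverless` listeners) fails fast. When `TLS_SECRET_NAMESPACE` differs from the Gateway's namespace, Gateway API also requires a `ReferenceGrant` in the secret's namespace for cross-namespace `certificateRefs`, and none is rendered here, so the listener would be rejected with `RefNotPermitted`; either render the grant or document the requirement. The `https-intracluster` listener references `controlplane-intracluster-tls-secret` in the Gateway's own namespace and is unaffected.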
@@ -0,0 +1,195 @@ +{{- define "control-plane-library.grpcroute-protected" }} +# Consolidates nginx protected-grpc, protected-grpc-streaming, apps-protected, +# and protected-grpc-high-tput ingresses. GRPCRoute service-level matches +# cover all methods; specific-method matches are used where routes vary by method. +apiVersion: gateway.networking.k8s.io/v1 +kind: GRPCRoute +metadata: + name: {{ template "flyte.name" . }}-grpc-protected + namespace: {{ template "flyte.namespace" . }} +spec: + parentRefs: + - name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} + hostnames: + - {{ .Values.global.UNION_HOST | quote }} + {{- with .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }} + {{- if ne . $.Values.global.UNION_HOST }} + - {{ . | quote }} + {{- end }} + {{- end }} + rules: + # flyteadmin — protected gRPC (AdminService, ProjectService, IdentityService, etc.) + - matches: + - method: {service: "flyteidl.service.AdminService"} + - method: {service: "flyteidl2.project.ProjectService"} + - method: {service: "flyteidl2.auth.IdentityService"} + - method: {service: "flyteidl.service.WatchService"} + - method: {service: "cloudidl.cloudadmin.CloudAdminService"} + - method: {service: "flyteidl.service.IdentityService"} + - method: {service: "flyteidl.service.SignalService"} + backendRefs: + - name: flyteadmin + port: 81 + # executions + - matches: + - method: {service: "cloudidl.execution.ExecutionService"} + - method: {service: "cloudidl.echo.EchoService"} + - method: {service: "cloudidl.app.AppService"} + - method: {service: "cloudidl.workflow.RunLogsService"} + - method: {service: "cloudidl.workflow.TranslatorService"} + - method: {service: "flyteidl2.app.AppService"} + - method: {service: "flyteidl2.workflow.RunLogsService"} + backendRefs: + - name: executions + port: 80 + # cluster + - matches: + - method: {service: "cloudidl.cluster.ClusterService"} + - method: {service: "cloudidl.cluster.ClusterNodepoolService"} + - method: {service: 
"cloudidl.cloudaccounts.CloudAccountsService"} + - method: {service: "cloudidl.cluster.ManagedClusterService"} + - method: {service: "cloudidl.clusterpool.ClusterPoolService"} + - method: {service: "cloudidl.clusterconfig.ClusterConfigService"} + backendRefs: + - name: cluster + port: 80 + # identity + - matches: + - method: {service: "cloudidl.apikey.APIKeyService"} + - method: {service: "cloudidl.identity.AppsService"} + - method: {service: "cloudidl.identity.UserService"} + - method: {service: "cloudidl.identity.MemberService"} + - method: {service: "cloudidl.identity.RoleService"} + - method: {service: "cloudidl.identity.PolicyService"} + - method: {service: "cloudidl.identity.IdentityService"} + backendRefs: + - name: identity + port: 83 + - matches: + - method: {service: "cloudidl.identity.SelfServe"} + backendRefs: + - name: identity + port: 80 + # organizations + - matches: + - method: {service: "cloudidl.org.OrgService"} + backendRefs: + - name: organizations + port: 83 + # usage + - matches: + - method: {service: "cloudidl.usage.UsageService"} + backendRefs: + - name: usage + port: 80 + # authorizer + - matches: + - method: {service: "cloudidl.authorizer.AuthorizerService"} + backendRefs: + - name: authorizer + port: 83 + # datacatalog + - matches: + - method: {service: "datacatalog.DataCatalog"} + backendRefs: + - name: datacatalog + port: 89 + # cacheservice + - matches: + - method: {service: "flyteidl.cacheservice.CacheService"} + - method: {service: "flyteidl.cacheservice.v2.CacheService"} + backendRefs: + - name: cacheservice + port: 89 + # dataproxy (gRPC) + - matches: + - method: {service: "cloudidl.actor.ActorEnvironmentService"} + - method: {service: "cloudidl.agent.AgentService"} + - method: {service: "cloudidl.support.SupportService"} + - method: {service: "cloudidl.clouddataproxy.CloudDataProxyService"} + - method: {service: "flyteidl.service.DataProxyService"} + - method: {service: "flyteidl2.dataproxy.DataProxyService"} + - method: {service: 
"cloudidl.logs.LogsService"} + - method: {service: "cloudidl.app.AppLogsService"} + - method: {service: "cloudidl.app.ReplicaService"} + - method: {service: "flyteidl2.app.AppLogsService"} + - method: {service: "flyteidl2.app.ReplicaService"} + backendRefs: + - name: dataproxy + port: 80 + # queue + - matches: + - method: {service: "cloudidl.workflow.QueueService"} + - method: {service: "cloudidl.workflow.StateService"} + - method: {service: "cloudidl.workflow.LeaseService"} + - method: {service: "flyteidl2.workflow.QueueService"} + - method: {service: "flyteidl2.workflow.StateService"} + backendRefs: + - name: queue + port: 80 + # image builder (dataproxy) + - matches: + - method: {service: "cloudidl.imagebuilder.ImageService"} + - method: {service: "flyteidl2.imagebuilder.ImageService"} + backendRefs: + - name: dataproxy + port: 80 + {{- if .Values.flyte.common.ingress.secretService }} + - matches: + - method: {service: "cloudidl.secret.SecretService"} + - method: {service: "flyteidl2.secret.SecretService"} + backendRefs: + - name: dataproxy + port: 80 + {{- end }} + {{- if ((.Values.artifacts).enabled) }} + - matches: + - method: {service: "flyteidl.artifact.ArtifactRegistry"} + backendRefs: + - name: artifacts + port: 80 + {{- end }} + {{- if (((.Values.objectstore).controlPlane).enabled) }} + - matches: + - method: {service: "cloudidl.objectstore.v1.ObjectStoreService"} + backendRefs: + - name: dataproxy + port: 80 + {{- end }} + {{- if ((.Values.hooksService).enabled) }} + - matches: + - method: {service: "cloudidl.hooks.HooksService"} + backendRefs: + - name: hooks-service + port: 80 + {{- end }} + {{- if ((.Values.workspaceService).enabled) }} + - matches: + - method: {service: "cloudidl.workspace.WorkspaceRegistryService"} + - method: {service: "cloudidl.workspace.WorkspaceInstanceService"} + backendRefs: + - name: executions + port: 80 + {{- end }} + # Union v2 workflow services (executions) + - matches: + - method: {service: 
"cloudidl.workflow.RunService"} + - method: {service: "cloudidl.workflow.InternalRunService"} + - method: {service: "cloudidl.workflow.TaskService"} + - method: {service: "cloudidl.workflow.TriggerService"} + - method: {service: "flyteidl2.workflow.RunService"} + - method: {service: "flyteidl2.workflow.TranslatorService"} + - method: {service: "flyteidl2.task.TaskService"} + - method: {service: "flyteidl2.trigger.TriggerService"} + backendRefs: + - name: executions + port: 80 + {{- if ((.Values.assistant).enabled) }} + - matches: + - method: {service: "cloudidl.workflow.AssistantService"} + backendRefs: + - name: executions + port: 80 + {{- end }} +{{- end }} diff --git a/charts/controlplane/templates/common/_grpcroute-unprotected.yaml b/charts/controlplane/templates/common/_grpcroute-unprotected.yaml new file mode 100644 index 00000000..ec3bc0cc --- /dev/null +++ b/charts/controlplane/templates/common/_grpcroute-unprotected.yaml 
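Review bot: When `INGRESS_PROVIDER` is `envoy`, every service in this GRPCRoute (`AdminService`, `IdentityService`, `SecretService`, `APIKeyService` and the rest) is reachable through the Gateway with no edge authentication, because no SecurityPolicy or ext-authz resource is rendered anywhere in this diff; the docs hunks mention an `EnvoyPatchPolicy` auth filter, but it is not part of this change as far as I can see. `_httproute-protected.yaml` carries a header comment acknowledging this, and this file should carry the same one, e.g. `# NOTE: no edge auth yet (SecurityPolicy/ExtAuthz lands in M2); under INGRESS_PROVIDER=envoy these services are unauthenticated at the gateway.`. Given the blast radius, keeping the `envoy`-only branch in `flyte-core-app.yaml` behind an explicit opt-in until that policy exists would be safer than a comment alone. The `hostnames` here include `CONTROLPLANE_INTRA_CLUSTER_HOST` while the protected HTTPRoute lists only `UNION_HOST`; if that asymmetry is intended, a line saying so would help.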
@@ -0,0 +1,37 @@
+{{- define "control-plane-library.grpcroute-unprotected" }}
+# Unauthenticated gRPC routes — health checks and auth metadata used by clients
+# before they have a token. Mirrors the gRPC rules in the nginx unprotected ingress.
+apiVersion: gateway.networking.k8s.io/v1
+kind: GRPCRoute
+metadata:
+ name: {{ template "flyte.name" . }}-grpc-unprotected
+ namespace: {{ template "flyte.namespace" . }}
+spec:
+ parentRefs:
+ - name: {{ template "flyte.name" . }}
+ namespace: {{ template "flyte.namespace" . }}
+ hostnames:
+ - {{ .Values.global.UNION_HOST | quote }}
+ {{- if .Values.flyte.common.ingress.isServerless }}
+ - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }}
+ {{- end }}
+ {{- with .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}
+ {{- if ne . $.Values.global.UNION_HOST }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ rules:
+ - matches:
+ - method:
+ service: "flyteidl.service.HealthService"
+ - method:
+ service: "flyteidl.service.AuthMetadataService"
+ - method:
+ service: "flyteidl2.auth.AuthMetadataService"
+ - method:
+ service: "flyteidl.service.WatchService"
+ method: "WatchExecutionStatusUpdates"
+ backendRefs:
+ - name: flyteadmin
+ port: 81
+{{- end }}
diff --git a/charts/controlplane/templates/common/_httproute-protected.yaml b/charts/controlplane/templates/common/_httproute-protected.yaml
new file mode 100644
index 00000000..4eb263f6
--- /dev/null
+++ b/charts/controlplane/templates/common/_httproute-protected.yaml
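Review bot: The `WatchService`/`WatchExecutionStatusUpdates` match relies on Gateway API precedence, where a service+method match outranks the service-level `flyteidl.service.WatchService` match in `_grpcroute-protected.yaml`, to carve one method out of the protected route, but nothing says so; a comment on that match, `# method-level match outranks the service-level WatchService match in the protected route`, stops someone "fixing" the apparent duplicate. The matches here use block style (`- method:` / `service:`) while the protected file uses flow style (`{service: "..."}`); one form across both templates makes them easier to compare. The serverless vanity host is added to `hostnames` here but not in the protected GRPCRoute, which looks deliberate but deserves a line of explanation.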
@@ -0,0 +1,108 @@ +{{- define "control-plane-library.httproute-protected" }} +# NOTE: Auth enforcement (SecurityPolicy/ExtAuthz) is added in M2. +# These routes currently allow unauthenticated access — they match the +# nginx protected-ingress paths but without the auth-url annotation. +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ template "flyte.name" . }}-protected + namespace: {{ template "flyte.namespace" . }} +spec: + parentRefs: + - name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} + hostnames: + - {{ .Values.global.UNION_HOST | quote }} + rules: + # Flyte REST API + - matches: + - path: {type: PathPrefix, value: "/api"} + - path: {type: PathPrefix, value: "/v1"} + - path: {type: PathPrefix, value: "/cloudadmin"} + backendRefs: + - name: flyteadmin + port: 80 + # Dataproxy HTTP + - matches: + - path: {type: PathPrefix, value: "/actor"} + - path: {type: PathPrefix, value: "/agent"} + - path: {type: PathPrefix, value: "/dataplane"} + - path: {type: PathPrefix, value: "/spark-history-server"} + - path: {type: PathPrefix, value: "/api/v1/dataproxy"} + - path: {type: PathPrefix, value: "/cloudidl.support.SupportService"} + backendRefs: + - name: dataproxy + port: 81 + # Executions HTTP + - matches: + - path: {type: PathPrefix, value: "/app"} + - path: {type: PathPrefix, value: "/apps"} + - path: {type: PathPrefix, value: "/echo"} + - path: {type: PathPrefix, value: "/execution"} + backendRefs: + - name: executions + port: 81 + # Cluster HTTP + - matches: + - path: {type: PathPrefix, value: "/cluster"} + - path: {type: PathPrefix, value: "/clusterpool"} + - path: {type: PathPrefix, value: "/clusterconfig"} + - path: {type: PathPrefix, value: "/managed_cluster"} + backendRefs: + - name: cluster + port: 81 + # Authorizer HTTP + - matches: + - path: {type: PathPrefix, value: "/authorizer"} + backendRefs: + - name: authorizer + port: 81 + # Usage HTTP + - matches: + - path: {type: PathPrefix, value: 
"/usage"} + backendRefs: + - name: usage + port: 81 + {{- if ((.Values.artifacts).enabled) }} + # Artifacts HTTP + - matches: + - path: {type: PathPrefix, value: "/artifacts"} + backendRefs: + - name: artifacts + port: 81 + {{- end }} + {{- if ((.Values.workspaceService).enabled) }} + # Workspace HTTP + - matches: + - path: {type: PathPrefix, value: "/workspace_registry"} + - path: {type: PathPrefix, value: "/workspace_instance"} + backendRefs: + - name: executions + port: 81 + {{- end }} + {{- if (((.Values.dataproxy).prometheus).enabled) }} + # Prometheus (via dataproxy) + - matches: + - path: {type: PathPrefix, value: "/prometheus"} + backendRefs: + - name: dataproxy + port: 81 + {{- end }} + # Console (React SPA) — /console, /dashboard, /resources, /cost, /loading, and root catch-all + - matches: + - path: {type: PathPrefix, value: "/console"} + - path: {type: PathPrefix, value: "/dashboard"} + - path: {type: PathPrefix, value: "/resources"} + - path: {type: PathPrefix, value: "/cost"} + - path: {type: PathPrefix, value: "/loading"} + - path: {type: PathPrefix, value: "/"} + backendRefs: + - name: flyteconsole + port: 80 + # Union v2 console + - matches: + - path: {type: PathPrefix, value: "/v2"} + backendRefs: + - name: unionconsole + port: 80 +{{- end }} diff --git a/charts/controlplane/templates/common/_httproute-unprotected.yaml b/charts/controlplane/templates/common/_httproute-unprotected.yaml new file mode 100644 index 00000000..6094f157 --- /dev/null +++ b/charts/controlplane/templates/common/_httproute-unprotected.yaml 
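Review bot: Gateway API `PathPrefix` matches on `/`-separated segments, so `/app` does not match `/apps` and `/api` does not swallow `/api/v1/dataproxy`; that is why both `/app` and `/apps` are listed and why the longer dataproxy prefix wins, but it differs from the nginx `location` prefix semantics these rules replace, and a comment above `rules:` such as `# PathPrefix is segment-based: /app does not match /apps; the longest matching prefix wins` would prevent regressions when another nginx location is ported. The `hostnames` list only `UNION_HOST`, whereas `_grpcroute-protected.yaml` also adds `CONTROLPLANE_INTRA_CLUSTER_HOST`; if intra-cluster callers need the REST paths this route will not serve them, so either add the host or note why HTTP is external-only. The root `/` catch-all to `flyteconsole` means any unlisted path lands on the console rather than a 404, which is presumably the nginx behaviour too but is worth stating in the console comment.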
@@ -0,0 +1,95 @@ +{{- define "control-plane-library.httproute-unprotected" }} +# WARNING: any route here is accessible without authentication. +# Flyteadmin acts as an auth server and is therefore publicly accessible. +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ template "flyte.name" . }}-unprotected + namespace: {{ template "flyte.namespace" . }} +spec: + parentRefs: + - name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} + hostnames: + - {{ .Values.global.UNION_HOST | quote }} + {{- if .Values.flyte.common.ingress.isServerless }} + - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} + {{- end }} + rules: + # Auth / identity endpoints — publicly required for OIDC flows + - matches: + - path: {type: PathPrefix, value: "/.well-known"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/login"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/logout"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/callback"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/config"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/oauth2"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/auth"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: Exact, value: "/me"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: Exact, value: "/healthcheck"} + backendRefs: + - name: flyteadmin + port: 80 + # OpenAPI / redoc — port 87 in flyteadmin + - matches: + - path: {type: PathPrefix, value: "/openapi"} + backendRefs: + - name: flyteadmin + port: 87 + # Console healthcheck + - matches: + - path: {type: Exact, value: "/healthz"} + backendRefs: + - name: flyteconsole + port: 80 
+ # Webhook endpoints + - matches: + - path: {type: PathPrefix, value: "/enqueue_metronome_request/v1"} + backendRefs: + - name: usage + port: 81 + - matches: + - path: {type: PathPrefix, value: "/enqueue_stripe_request/v1"} + backendRefs: + - name: usage + port: 81 + {{- if ((.Values.hooksService).enabled) }} + - matches: + - path: {type: PathPrefix, value: "/okta_event_webhook/v1"} + backendRefs: + - name: hooks-service + port: 81 + {{- end }} +{{- end }} diff --git a/charts/controlplane/templates/flyte-core-app.yaml b/charts/controlplane/templates/flyte-core-app.yaml index 8914bb5a..ede74cda 100644 --- a/charts/controlplane/templates/flyte-core-app.yaml +++ b/charts/controlplane/templates/flyte-core-app.yaml @@ -1,5 +1,7 @@ {{- include "control-plane-library.flyteadmin" . }} --- +{{- /* ingress-nginx Ingress objects — active when INGRESS_PROVIDER is "nginx" (default) or "both" (parallel-run migration phase) */}} +{{- if or (eq (default "nginx" .Values.global.INGRESS_PROVIDER) "nginx") (eq .Values.global.INGRESS_PROVIDER "both") }} {{- include "control-plane-library.dataproxy-ingress" . }} --- {{- include "control-plane-library.usage-ingress" . }} @@ -10,3 +12,21 @@ --- {{- include "control-plane-library.console-protected-ingress" . }} --- +{{- end }} +{{- /* Envoy Gateway API resources — active when INGRESS_PROVIDER is "envoy" or "both" */}} +{{- if or (eq .Values.global.INGRESS_PROVIDER "envoy") (eq .Values.global.INGRESS_PROVIDER "both") }} +{{- include "control-plane-library.gateway" . }} +--- +{{- include "control-plane-library.httproute-unprotected" . }} +--- +{{- include "control-plane-library.httproute-protected" . }} +--- +{{- include "control-plane-library.grpcroute-unprotected" . }} +--- +{{- include "control-plane-library.grpcroute-protected" . }} +--- +{{- include "control-plane-library.backendtrafficpolicy" . }} +--- +{{- include "control-plane-library.clienttrafficpolicy" . }} +--- +{{- end }} 
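Review bot: Nine rules that each carry a single match and the same `flyteadmin` port `80` backend (`/.well-known` through `/healthcheck`) could be one rule with nine matches, the form `_httproute-protected.yaml` already uses; this is purely style, but it shortens the file and makes the set of unauthenticated flyteadmin paths readable at a glance. The header warning names only flyteadmin, while `/enqueue_metronome_request/v1`, `/enqueue_stripe_request/v1` and `/okta_event_webhook/v1` are also unauthenticated at the edge; I would extend it to say those endpoints are expected to verify their own webhook signatures, assuming they do (not confirmable from this diff).
```yaml
 rules:
 # Auth / identity endpoints — publicly required for OIDC flows
 - matches:
   - path: {type: PathPrefix, value: "/.well-known"}
   - path: {type: PathPrefix, value: "/login"}
   - path: {type: PathPrefix, value: "/logout"}
   - path: {type: PathPrefix, value: "/callback"}
   - path: {type: PathPrefix, value: "/config"}
   - path: {type: PathPrefix, value: "/oauth2"}
   - path: {type: PathPrefix, value: "/auth"}
   - path: {type: Exact, value: "/me"}
   - path: {type: Exact, value: "/healthcheck"}
   backendRefs:
   - name: flyteadmin
     port: 80
 # … unchanged: /openapi, /healthz and webhook rules …
```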
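Review bot: `global.INGRESS_PROVIDER` is compared against three literals but never validated, so a misspelled value (say `envoy-gateway`) renders neither the nginx Ingress objects nor the Gateway resources and the release applies cleanly with no ingress at all; the nginx condition also applies `default "nginx"` while the envoy condition reads the raw value, so the two `if` blocks are not evaluated against the same string. Resolving the provider once at the top of the file and failing on anything unexpected keeps both branches consistent and turns the typo into a render error. Both hunks of this file are affected; the variable belongs before the first include so the second hunk can reuse it.
```yaml
{{- $ingressProvider := default "nginx" .Values.global.INGRESS_PROVIDER }}
{{- if not (has $ingressProvider (list "nginx" "envoy" "both")) }}
{{- fail (printf "global.INGRESS_PROVIDER must be one of nginx, envoy, both; got %q" $ingressProvider) }}
{{- end }}
{{- include "control-plane-library.flyteadmin" . }}
---
{{- /* ingress-nginx Ingress objects — active when INGRESS_PROVIDER is "nginx" (default) or "both" (parallel-run migration phase) */}}
{{- if or (eq $ingressProvider "nginx") (eq $ingressProvider "both") }}
# … unchanged: nginx ingress includes …
{{- end }}
{{- /* Envoy Gateway API resources — active when INGRESS_PROVIDER is "envoy" or "both" */}}
{{- if or (eq $ingressProvider "envoy") (eq $ingressProvider "both") }}
# … unchanged: gateway, route and policy includes …
{{- end }}
```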
diff --git a/charts/controlplane/values.aws.selfhosted-intracluster.yaml b/charts/controlplane/values.aws.selfhosted-intracluster.yaml index 2f9f3058..cdf885ca 100644 --- a/charts/controlplane/values.aws.selfhosted-intracluster.yaml +++ b/charts/controlplane/values.aws.selfhosted-intracluster.yaml @@ -34,6 +34,14 @@ global: + # Controls which ingress controller is active for this deployment. + # nginx - ingress-nginx Ingress objects only (default) + # envoy - Envoy Gateway API resources only + # both - both sets rendered simultaneously (parallel-run migration phase) + # Automatically set to "both" by Terraform when envoy-gateway/revisions.yaml + # exists in the environment directory. + INGRESS_PROVIDER: nginx + # AWS region for all resources # Example: "us-west-2", "us-east-1", "eu-west-1" AWS_REGION: "" 
@@ -431,7 +439,32 @@ ingress-nginx:
 name: controlplane
 # ----------------------------------------------------------------------------
-# SECTION 9: Service-Specific Configuration
+# SECTION 9: Envoy Gateway Configuration
+# ----------------------------------------------------------------------------
+# Envoy Gateway is installed as a separate Helm release (via the envoy-gateway
+# ArgoCD ApplicationSet) and is NOT a sub-chart of the controlplane chart.
+# This section configures how the controlplane chart interacts with Envoy Gateway
+# when it is present in the cluster.
+#
+# Automatically enabled by Terraform when envoy-gateway/revisions.yaml exists
+# in the environment directory. Manual override possible by setting enabled: true.
+
+# Envoy Gateway controller installed through external chart.
+envoy-gateway:
+ # Set to true when Envoy Gateway is installed alongside this controlplane.
+ # Automatically set by Terraform when envoy-gateway/revisions.yaml exists.
+ enabled: false
+
+# Configuration for the controlplane chart to use Envoy Gateway.
+envoyGateway:
+ # GatewayClass name created by the Envoy Gateway installation.
+ # Must match the gatewayClassName in the Gateway resource rendered by the
+ # controlplane chart when global.ingressProvider is "envoy" or "both".
+ # Uses a distinct name from the dataplane's gateway class to avoid conflicts.
+ gatewayClassName: controlplane-envoy
+
+# ----------------------------------------------------------------------------
+# SECTION 10: Service-Specific Configuration
 # ----------------------------------------------------------------------------
 services:
diff --git a/charts/controlplane/values.gcp.selfhosted-intracluster.yaml b/charts/controlplane/values.gcp.selfhosted-intracluster.yaml
index 417a2e82..eb93fbf0 100644
--- a/charts/controlplane/values.gcp.selfhosted-intracluster.yaml
+++ b/charts/controlplane/values.gcp.selfhosted-intracluster.yaml
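Review bot: The comment above `gatewayClassName` refers to `global.ingressProvider`, but the key this chart actually reads is `global.INGRESS_PROVIDER` (set earlier in this same file and in values.yaml); the GCP values hunk further down carries the identical wording. The default `controlplane-envoy` here also differs from the `envoy` default the new envoy-gateway-config chart uses when it creates the GatewayClass, so unless an operator overrides both releases together the rendered Gateway appears to reference a GatewayClass that does not exist and will never be programmed. Suggest replacing the two comment lines with `# Must match envoyGateway.gatewayClassName in the envoy-gateway-config release (its default is "envoy");` / `# used when global.INGRESS_PROVIDER is "envoy" or "both".` in both files.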
@@ -34,6 +34,14 @@ global:
+ # Controls which ingress controller is active for this deployment.
+ # nginx - ingress-nginx Ingress objects only (default)
+ # envoy - Envoy Gateway API resources only
+ # both - both sets rendered simultaneously (parallel-run migration phase)
+ # Automatically set to "both" by Terraform when envoy-gateway/revisions.yaml
+ # exists in the environment directory.
+ INGRESS_PROVIDER: nginx
+
 # Region for all resources
 # Example for GCP: "us-central1", "us-east1", "europe-west1"
 GCP_REGION: "us-central1"
@@ -390,7 +398,32 @@ ingress:
 # Override here only if you need to customize auth behavior for this deployment mode.
 # ----------------------------------------------------------------------------
-# SECTION 7: NGINX Ingress Controller
+# SECTION 7: Envoy Gateway Configuration
+# ----------------------------------------------------------------------------
+# Envoy Gateway is installed as a separate Helm release (via the envoy-gateway
+# ArgoCD ApplicationSet) and is NOT a sub-chart of the controlplane chart.
+# This section configures how the controlplane chart interacts with Envoy Gateway
+# when it is present in the cluster.
+#
+# Automatically enabled by Terraform when envoy-gateway/revisions.yaml exists
+# in the environment directory. Manual override possible by setting enabled: true.
+
+# Envoy Gateway controller installed through external chart.
+envoy-gateway:
+ # Set to true when Envoy Gateway is installed alongside this controlplane.
+ # Automatically set by Terraform when envoy-gateway/revisions.yaml exists.
+ enabled: false
+
+# Configuration for the controlplane chart to use Envoy Gateway.
+envoyGateway:
+ # GatewayClass name created by the Envoy Gateway installation.
+ # Must match the gatewayClassName in the Gateway resource rendered by the
+ # controlplane chart when global.ingressProvider is "envoy" or "both".
+ # Uses a distinct name from the dataplane's gateway class to avoid conflicts.
+ gatewayClassName: controlplane-envoy
+
+# ----------------------------------------------------------------------------
+# SECTION 8: NGINX Ingress Controller
 # ----------------------------------------------------------------------------
 ingress-nginx:
diff --git a/charts/controlplane/values.yaml b/charts/controlplane/values.yaml
index f814a9c5..d52e03b0 100644
--- a/charts/controlplane/values.yaml
+++ b/charts/controlplane/values.yaml
@@ -51,6 +51,9 @@ global:
 # Contact Union for controlplane access and distribution.
 IMAGE_REPOSITORY_PREFIX: "643379628101.dkr.ecr.us-east-1.amazonaws.com/union-cp"
+ # Ingress controller provider. Options: "nginx", "envoy", "both"
+ INGRESS_PROVIDER: nginx
+
 # OAuth2 client ID for service-to-service authentication (client_credentials flow).
 # Services use this to acquire tokens for internal calls through nginx.
 # Example: "0oa3xyz4abc5def6g7h8"
@@ -246,6 +249,14 @@ ingress:
 nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-User-Subject,X-User-Claim-Identitytype,X-User-Claim-Preferred-Username,X-User-Token"
 nginx.ingress.kubernetes.io/auth-cache-key: "$http_authorization$http_flyte_authorization$http_cookie"
+envoyGateway:
+ # GatewayClass name for Envoy Gateway. Used when INGRESS_PROVIDER is "envoy" or "both".
+ gatewayClassName: envoy
+ rateLimit:
+ enabled: false
+ requestsPerUnit: 100
+ unit: Second
+
 # -- Central logging configuration. All controlplane services pull their log level from here.
 # Go services use level 1–6 (1=least verbose, 6=most verbose; 4=INFO, 6=DEBUG).
 # Log format options: json, text, gcp
diff --git a/charts/envoy-gateway-config/Chart.yaml b/charts/envoy-gateway-config/Chart.yaml
new file mode 100644
index 00000000..fdf88dda
--- /dev/null
+++ b/charts/envoy-gateway-config/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: envoy-gateway-config
+description: Cluster-operator resources for Envoy Gateway — GatewayClass, EnvoyProxy, BackendTrafficPolicy, and EnvoyPatchPolicy.
+type: application
+version: 0.1.0
+kubeVersion: '>= 1.28.0-0'
diff --git a/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml
new file mode 100644
index 00000000..fe84026b
--- /dev/null
+++ b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml
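Review bot: The new `envoyGateway.rateLimit` block in the second values.yaml hunk is undocumented: `enabled`, `requestsPerUnit` and `unit` say nothing about what is being limited (per client, per route, or globally for the Gateway), which rendered resource consumes them (presumably the backendtrafficpolicy template included from flyte-core-app.yaml, which is outside this view), or which `unit` values are accepted. A comment above `rateLimit:` along the lines of `# Request rate limit applied via the BackendTrafficPolicy rendered for the Gateway when enabled; unit is one of Second, Minute, Hour, Day` — adjusted to what the template actually renders — would make the knob usable without reading the template. The comment on `INGRESS_PROVIDER` in the first hunk should also state that an unlisted value renders no ingress at all, since the templates do not reject it.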
@@ -0,0 +1,36 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyPatchPolicy
+metadata:
+ name: control-plane-auth
+ namespace: {{ .Values.envoyGateway.controlplaneNamespace }}
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: controlplane
+ type: JSONPatch
+ jsonPatches:
+ {{- range $idx, $pluginName := .Values.envoyGateway.httpFilters }}
+ - type: type.googleapis.com/envoy.config.listener.v3.Listener
+ name: {{ $.Values.envoyGateway.controlplaneNamespace }}/controlplane/https
+ operation:
+ op: add
+ path: /filter_chains/0/filters/0/typed_config/http_filters/{{ $idx }}
+ value:
+ name: envoy.filters.http.golang
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
+ library_id: control-plane-auth
+ library_path: /lib/control-plane-auth.so
+ plugin_name: {{ $pluginName }}
+ {{- if eq $pluginName "identity-auth" }}
+ plugin_config:
+ "@type": type.googleapis.com/xds.type.v3.TypedStruct
+ value:
+ loginURL: {{ $.Values.envoyGateway.identityAuth.loginURL | quote }}
+ bypassPaths:
+ {{- range $.Values.envoyGateway.identityAuth.bypassPaths }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
diff --git a/charts/envoy-gateway-config/templates/envoyproxy.yaml b/charts/envoy-gateway-config/templates/envoyproxy.yaml
new file mode 100644
index 00000000..5cf75569
--- /dev/null
+++ b/charts/envoy-gateway-config/templates/envoyproxy.yaml
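Review bot: The patch that installs the identity-auth filter addresses the listener by the fixed name `<namespace>/controlplane/https` and the filter chain by index `/filter_chains/0/filters/0`, and nothing in the chart verifies that it was applied: if the Gateway's listener is named differently, `extensionApis.enableEnvoyPatchPolicy` is off, or `envoyDeployment.pluginImage` is left at its empty default so `/lib/control-plane-auth.so` is not in the image, the filter is simply absent (or the listener update is rejected and the previous, unpatched config stays) and the protected routes keep serving without credential validation — the failure mode is fail-open rather than a visibly broken gateway. Suggest a header comment: `# Injects the control-plane-auth Go filters ahead of the router on the "https" listener of the controlplane Gateway. The listener name and filter index must match the Gateway rendered by the controlplane chart; after install confirm this policy reports Accepted/Programmed — if the patch is rejected, no auth filter runs on the listener.` Consider also wrapping the template in `{{- if .Values.envoyGateway.envoyDeployment.pluginImage }}` so the policy is only rendered when an image that can load the library is configured, and emitting `plugin_name: {{ $pluginName | quote }}` so a value starting with a YAML indicator cannot break the document.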
@@ -0,0 +1,37 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+ name: envoy-proxy-config
+ namespace: envoy-gateway-system
+spec:
+ provider:
+ type: Kubernetes
+ kubernetes:
+ envoyService:
+ type: LoadBalancer
+ {{- if .Values.envoyGateway.proxyServiceName }}
+ name: {{ .Values.envoyGateway.proxyServiceName }}
+ {{- end }}
+ {{- if .Values.envoyGateway.loadBalancerClass }}
+ loadBalancerClass: {{ .Values.envoyGateway.loadBalancerClass }}
+ {{- end }}
+ {{- if .Values.envoyGateway.serviceAnnotations }}
+ annotations:
+ {{- toYaml .Values.envoyGateway.serviceAnnotations | nindent 10 }}
+ {{- end }}
+ envoyDeployment:
+ pod:
+ annotations:
+ # Disable Linkerd sidecar injection — Envoy is itself a proxy;
+ # double-proxying causes routing conflicts.
+ linkerd.io/inject: disabled
+ {{- if or .Values.envoyGateway.envoyDeployment.pluginImage .Values.envoyGateway.envoyDeployment.container.env }}
+ container:
+ {{- if .Values.envoyGateway.envoyDeployment.pluginImage }}
+ image: {{ .Values.envoyGateway.envoyDeployment.pluginImage }}
+ {{- end }}
+ {{- if .Values.envoyGateway.envoyDeployment.container.env }}
+ env:
+ {{- toYaml .Values.envoyGateway.envoyDeployment.container.env | nindent 12 }}
+ {{- end }}
+ {{- end }}
diff --git a/charts/envoy-gateway-config/templates/gatewayclass.yaml b/charts/envoy-gateway-config/templates/gatewayclass.yaml
new file mode 100644
index 00000000..5ba4ea3e
--- /dev/null
+++ b/charts/envoy-gateway-config/templates/gatewayclass.yaml
@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: {{ .Values.envoyGateway.gatewayClassName }}
+spec:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parametersRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyProxy
+ name: envoy-proxy-config
+ namespace: envoy-gateway-system
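Review bot: The `{{- if or ... }}` line guarding the `container:` block dereferences `.Values.envoyGateway.envoyDeployment.container.env` unconditionally, so a values override that replaces `envoyDeployment` with only `pluginImage` (dropping the `container` key) fails the render with a nil-pointer error instead of falling back; the inner `if` and the `toYaml` line have the same exposure. Null-safe lookups fix it in place: `{{- $dep := .Values.envoyGateway.envoyDeployment }}` before the block, then `{{- if or ($dep).pluginImage (($dep).container).env }}` and `{{- if (($dep).container).env }}` for the two conditions. The emitted `image:` and `loadBalancerClass:` scalars are also unquoted; `| quote` on both keeps the chart's behaviour independent of how the values file spells them.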
diff --git a/charts/envoy-gateway-config/templates/redis.yaml b/charts/envoy-gateway-config/templates/redis.yaml
new file mode 100644
index 00000000..1ba2b96d
--- /dev/null
+++ b/charts/envoy-gateway-config/templates/redis.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.config.envoyGateway.rateLimit.backend.redis.url }}
+# Minimal Redis deployment for envoyproxy/ratelimit.
+# When config.envoyGateway.rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit
+# in this namespace and expects a Redis instance at the configured URL.
+# Service name: redis-ratelimit → URL: redis-ratelimit.envoy-gateway-system.svc.cluster.local:6379
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis-ratelimit
+ namespace: envoy-gateway-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: redis-ratelimit
+ template:
+ metadata:
+ labels:
+ app: redis-ratelimit
+ annotations:
+ # Redis is only accessed within the cluster by envoyproxy/ratelimit — no Linkerd proxy needed.
+ linkerd.io/inject: disabled
+ spec:
+ containers:
+ - name: redis
+ image: {{ .Values.redis.image }}
+ ports:
+ - containerPort: 6379
+ resources:
+ {{- toYaml .Values.redis.resources | nindent 12 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis-ratelimit
+ namespace: envoy-gateway-system
+spec:
+ selector:
+ app: redis-ratelimit
+ ports:
+ - port: 6379
+ targetPort: 6379
+{{- end }}
diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml
new file mode 100644
index 00000000..b9fbe4b1
--- /dev/null
+++ b/charts/envoy-gateway-config/values.yaml
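Review bot: The guard `{{- if .Values.config.envoyGateway.rateLimit.backend.redis.url }}` walks `rateLimit` → `backend` → `redis` without null checks, and the chart's own values.yaml defines `config.envoyGateway` with only `extensionApis`, so with default values the render should fail with a nil-pointer error rather than skipping the Deployment (unless every deployment supplies the key from gitops values — worth confirming). The Redis Pod is also deployed with no `securityContext`, no authentication and no NetworkPolicy, whereas the envoy-gateway Deployment elsewhere in this change runs non-root with all capabilities dropped; any workload in the cluster can reach the rate-limit counters on 6379 and reset or inflate them, which quietly disables the limit. A null-safe guard plus a hardened container, and a NetworkPolicy admitting only the ratelimit pods, would close both; the `redis:7-alpine` tag should additionally be pinned by digest if the rest of the repo does so.

```yaml
{{- if (((((.Values.config).envoyGateway).rateLimit).backend).redis).url }}
# … unchanged: header comments, Deployment metadata and spec down to containers …
      containers:
        - name: redis
          image: {{ .Values.redis.image | quote }}
          securityContext:
            # constructed values — 999 is the redis user in the official image; verify against the image in use
            runAsNonRoot: true
            runAsUser: 999
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
# … unchanged: ports, resources, Service …
```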
@@ -0,0 +1,92 @@
+# Redis deployment for envoyproxy/ratelimit (deployed in envoy-gateway-system).
+# Deployed automatically when config.envoyGateway.rateLimit.backend.redis.url is set.
+redis:
+ image: redis:7-alpine
+ resources:
+ requests:
+ cpu: "50m"
+ memory: "64Mi"
+ limits:
+ memory: "128Mi"
+
+# Passed through to the gateway-helm EnvoyGateway CR via the config.envoyGateway values key.
+# When rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit in envoy-gateway-system.
+config:
+ envoyGateway:
+ extensionApis:
+ enableEnvoyPatchPolicy: true
+
+envoyGateway:
+ # GatewayClass name — must match what controlplane Helm templates reference via global.GATEWAY_CLASS_NAME.
+ gatewayClassName: envoy
+
+ # Namespace where controlplane resources (EnvoyPatchPolicy) live.
+ controlplaneNamespace: union-cp
+
+ # Annotations applied to the Envoy fleet LoadBalancer Service (provider-specific NLB config).
+ serviceAnnotations: {}
+
+ # proxyServiceName overrides the EG-generated Service name (which includes an unpredictable hash
+ # suffix in EG v1.2+). Setting a stable name allows CONTROLPLANE_INTRA_CLUSTER_HOST to be
+ # derived deterministically: .envoy-gateway-system.svc.cluster.local
+ proxyServiceName: envoy-controlplane
+
+ # loadBalancerClass sets spec.loadBalancerClass on the envoy fleet Service (e.g. eks.amazonaws.com/nlb).
+ # Omitted when null.
+ loadBalancerClass: null
+
+ # envoyDeployment configures the Envoy proxy fleet managed by EG.
+ # pluginImage: custom Envoy proxy image built from Dockerfile.envoy-plugins-ingress
+ # (contrib Envoy + control-plane-auth.so baked in). Set by the internal selfmanaged
+ # pipeline in the gitops values file at:
+ # selfmanaged-internal/envoy-gateway/{env}/{org}/values.yaml
+ # Must be a contrib-variant image — the standard distroless image does not include
+ # the envoy.filters.http.golang extension required by the EnvoyPatchPolicy.
+ # Leave empty to use the EG-managed default image (no Go filter support).
+ # container.env: extra env vars injected into the proxy container.
+ # CONTROL_PLANE_AUTHZ_AUTHURL is required when pluginImage is set.
+ envoyDeployment:
+ pluginImage: ""
+ container:
+ env: []
+
+ # httpFilters lists the plugin_name values to inject into the Envoy HCM filter chain, in order.
+ # All plugins must be registered in /lib/control-plane-auth.so.
+ httpFilters:
+ - identity-auth # strips spoofable X-User-* headers, enforces credential validation
+ - auth-proxy-cache # caches OAuth2 token responses for the auth-proxy token endpoint
+
+ # identityAuth configures the identity-auth HCM filter.
+ identityAuth:
+ # loginURL is the path unauthenticated browser GET requests are redirected to.
+ # Mirrors nginx's auth-signin annotation: redirects to ?redirect_url=.
+ # Leave empty to return 401 for all unauthenticated requests (no redirect).
+ loginURL: "/login"
+
+ # bypassPaths lists path prefixes that skip credential validation.
+ # Identity headers (X-User-*) are still stripped on these paths to prevent spoofing.
+ # Mirrors the paths in the unprotected HTTPRoute and GRPCRoute templates.
+ bypassPaths:
+ # OIDC / auth flows (flyteadmin:80)
+ - "/.well-known"
+ - "/login"
+ - "/logout"
+ - "/callback"
+ - "/config"
+ - "/oauth2"
+ - "/auth"
+ - "/me"
+ - "/healthcheck"
+ # OpenAPI docs (flyteadmin:87)
+ - "/openapi"
+ # Console healthcheck
+ - "/healthz"
+ # Webhooks (usage-service, hooks-service)
+ - "/enqueue_metronome_request/"
+ - "/enqueue_stripe_request/"
+ - "/okta_event_webhook/"
+ # Unprotected gRPC services (path format: /./)
+ - "/flyteidl.service.HealthService/"
+ - "/flyteidl.service.AuthMetadataService/"
+ - "/flyteidl2.auth.AuthMetadataService/"
+ - "/flyteidl.service.WatchService/WatchExecutionStatusUpdates"
diff --git a/tests/generated/controlplane.aws.billing-enable.yaml b/tests/generated/controlplane.aws.billing-enable.yaml
index 6ceee05f..15175b8a 100644
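Review bot: The comment on `gatewayClassName` says the value must match `global.GATEWAY_CLASS_NAME` in the controlplane templates, but the controlplane values in this same change read it from `envoyGateway.gatewayClassName` (with `global.INGRESS_PROVIDER` selecting the provider), and the selfhosted values files default it to `controlplane-envoy` while this chart defaults to `envoy`, so the two releases disagree out of the box. Suggest `# GatewayClass name — must equal envoyGateway.gatewayClassName in the controlplane release (the selfhosted values there default to "controlplane-envoy").`. The `bypassPaths` entries are documented as prefixes; if the plugin does plain string-prefix matching, short entries such as `/auth`, `/me` and `/config` also exempt any longer path that merely starts with those characters, so the comment should state whether matching is path-segment aware, and entries should carry a trailing `/` wherever the unprotected routes allow it. The comment `(path format: /./)` appears to have lost angle-bracketed placeholders and presumably meant `/<package>.<Service>/`.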
--- a/tests/generated/controlplane.aws.billing-enable.yaml +++ b/tests/generated/controlplane.aws.billing-enable.yaml @@ -170,6 +170,19 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: v1 kind: ServiceAccount @@ -345,6 +358,46 @@ type: Opaque stringData: client_secret: foobar --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + extensionApis: {} + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:3fb70258 + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway:v1.6.4 + type: Kubernetes +--- # Source: controlplane/charts/flyte/templates/admin/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -4803,6 +4856,138 @@ parameters: reclaimPolicy: Delete allowVolumeExpansion: true --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: release-name-envoy-gateway-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - 
udproutes/status + - backendtlspolicies/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5468,6 +5653,20 @@ rules: - list - watch --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-envoy-gateway-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-envoy-gateway-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -5501,6 +5700,110 @@ subjects: name: scylla-operator namespace: scylla-operator --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - list + - get + - watch +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-leader-election-role + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 
kind: Role @@ -5532,6 +5835,48 @@ rules: verbs: - '*' --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-leader-election-rolebinding + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -5552,6 +5897,42 @@ subjects: name: flyteadmin namespace: union --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 +--- # Source: controlplane/charts/flyte/templates/admin/service.yaml apiVersion: v1 kind: Service 
@@ -5944,6 +6325,110 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + - name: webhook + containerPort: 9443 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- # Source: controlplane/charts/flyte/templates/admin/deployment.yaml apiVersion: apps/v1 kind: Deployment 
@@ -9810,3 +10295,217 @@ spec: storage: capacity: 100Gi storageClassName: scylladb +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - 'envoy-gateway-topology-injector.union' + verbs: + - update + - patch +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'release-name-envoy-gateway-certgen:union' +subjects: + - kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-certgen' +subjects: +- kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: 
RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: release-name-envoy-gateway-certgen + ttlSecondsAfterFinished: 30 +--- +# Source: controlplane/charts/envoy-gateway/templates/envoy-proxy-topology-injector-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: 'envoy-gateway-topology-injector.union' + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" + labels: + app.kubernetes.io/component: topology-injector + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +webhooks: + - name: topology.webhook.gateway.envoyproxy.io + admissionReviewVersions: ["v1"] + sideEffects: None + clientConfig: + service: + name: envoy-gateway + namespace: 'union' + path: "/inject-pod-topology" + port: 9443 + failurePolicy: Ignore + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods/binding"] + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - union diff --git a/tests/generated/controlplane.aws.yaml b/tests/generated/controlplane.aws.yaml index cebe2ed3..48caa9b0 100644 --- a/tests/generated/controlplane.aws.yaml +++ b/tests/generated/controlplane.aws.yaml 
@@ -170,6 +170,19 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: v1 kind: ServiceAccount @@ -345,6 +358,46 @@ type: Opaque stringData: client_secret: foobar --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + extensionApis: {} + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:3fb70258 + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway:v1.6.4 + type: Kubernetes +--- # Source: controlplane/charts/flyte/templates/admin/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -4803,6 +4856,138 @@ parameters: reclaimPolicy: Delete allowVolumeExpansion: true --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: release-name-envoy-gateway-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - 
udproutes/status + - backendtlspolicies/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5468,6 +5653,20 @@ rules: - list - watch --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-envoy-gateway-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-envoy-gateway-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -5501,6 +5700,110 @@ subjects: name: scylla-operator namespace: scylla-operator --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - list + - get + - watch +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-leader-election-role + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 
kind: Role @@ -5532,6 +5835,48 @@ rules: verbs: - '*' --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-leader-election-rolebinding + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -5552,6 +5897,42 @@ subjects: name: flyteadmin namespace: union --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 +--- # Source: controlplane/charts/flyte/templates/admin/service.yaml apiVersion: v1 kind: Service 
@@ -5944,6 +6325,110 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + - name: webhook + containerPort: 9443 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- # Source: controlplane/charts/flyte/templates/admin/deployment.yaml apiVersion: apps/v1 kind: Deployment 
@@ -9849,3 +10334,217 @@ spec: storage: capacity: 100Gi storageClassName: scylladb +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - 'envoy-gateway-topology-injector.union' + verbs: + - update + - patch +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'release-name-envoy-gateway-certgen:union' +subjects: + - kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-certgen' +subjects: +- kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: 
RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: release-name-envoy-gateway-certgen + ttlSecondsAfterFinished: 30 +--- +# Source: controlplane/charts/envoy-gateway/templates/envoy-proxy-topology-injector-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: 'envoy-gateway-topology-injector.union' + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" + labels: + app.kubernetes.io/component: topology-injector + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +webhooks: + - name: topology.webhook.gateway.envoyproxy.io + admissionReviewVersions: ["v1"] + sideEffects: None + clientConfig: + service: + name: envoy-gateway + namespace: 'union' + path: "/inject-pod-topology" + port: 9443 + failurePolicy: Ignore + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods/binding"] + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - union diff --git a/tests/generated/controlplane.external-authz.yaml b/tests/generated/controlplane.external-authz.yaml index 89c4ad62..34f18ba4 100644 --- a/tests/generated/controlplane.external-authz.yaml +++ b/tests/generated/controlplane.external-authz.yaml 
@@ -170,6 +170,19 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: v1 kind: ServiceAccount @@ -343,6 +356,46 @@ type: Opaque stringData: client_secret: foobar --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + extensionApis: {} + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:3fb70258 + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway:v1.6.4 + type: Kubernetes +--- # Source: controlplane/charts/flyte/templates/admin/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -4808,6 +4861,138 @@ parameters: reclaimPolicy: Delete allowVolumeExpansion: true --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: release-name-envoy-gateway-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - 
udproutes/status + - backendtlspolicies/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5473,6 +5658,20 @@ rules: - list - watch --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-envoy-gateway-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-envoy-gateway-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -5506,6 +5705,110 @@ subjects: name: scylla-operator namespace: scylla-operator --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - list + - get + - watch +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-leader-election-role + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 
kind: Role @@ -5537,6 +5840,48 @@ rules: verbs: - '*' --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-leader-election-rolebinding + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -5557,6 +5902,42 @@ subjects: name: flyteadmin namespace: union --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 +--- # Source: controlplane/charts/flyte/templates/admin/service.yaml apiVersion: v1 kind: Service 
@@ -5949,6 +6330,110 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + - name: webhook + containerPort: 9443 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- # Source: controlplane/charts/flyte/templates/admin/deployment.yaml apiVersion: apps/v1 kind: Deployment 
@@ -9851,3 +10336,217 @@ spec: storage: capacity: 100Gi storageClassName: scylladb +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - 'envoy-gateway-topology-injector.union' + verbs: + - update + - patch +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'release-name-envoy-gateway-certgen:union' +subjects: + - kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-certgen' +subjects: +- kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: 
RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: release-name-envoy-gateway-certgen + ttlSecondsAfterFinished: 30 +--- +# Source: controlplane/charts/envoy-gateway/templates/envoy-proxy-topology-injector-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: 'envoy-gateway-topology-injector.union' + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" + labels: + app.kubernetes.io/component: topology-injector + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +webhooks: + - name: topology.webhook.gateway.envoyproxy.io + admissionReviewVersions: ["v1"] + sideEffects: None + clientConfig: + service: + name: envoy-gateway + namespace: 'union' + path: "/inject-pod-topology" + port: 9443 + failurePolicy: Ignore + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods/binding"] + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - union diff --git a/tests/generated/controlplane.userclouds.yaml b/tests/generated/controlplane.userclouds.yaml index 205a3236..053a4c15 100644 --- a/tests/generated/controlplane.userclouds.yaml +++ b/tests/generated/controlplane.userclouds.yaml 
@@ -170,6 +170,19 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: v1 kind: ServiceAccount @@ -345,6 +358,46 @@ type: Opaque stringData: client_secret: foobar --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + extensionApis: {} + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:3fb70258 + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway:v1.6.4 + type: Kubernetes +--- # Source: controlplane/charts/flyte/templates/admin/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -4803,6 +4856,138 @@ parameters: reclaimPolicy: Delete allowVolumeExpansion: true --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: release-name-envoy-gateway-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - 
udproutes/status + - backendtlspolicies/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5468,6 +5653,20 @@ rules: - list - watch --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-envoy-gateway-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-envoy-gateway-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -5501,6 +5700,110 @@ subjects: name: scylla-operator namespace: scylla-operator --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - list + - get + - watch +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-leader-election-role + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 
kind: Role @@ -5532,6 +5835,48 @@ rules: verbs: - '*' --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-leader-election-rolebinding + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -5552,6 +5897,42 @@ subjects: name: flyteadmin namespace: union --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 +--- # Source: controlplane/charts/flyte/templates/admin/service.yaml apiVersion: v1 kind: Service 
@@ -5944,6 +6325,110 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + - name: webhook + containerPort: 9443 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- # Source: controlplane/charts/flyte/templates/admin/deployment.yaml apiVersion: apps/v1 kind: Deployment 
@@ -9840,3 +10325,217 @@ spec: storage: capacity: 100Gi storageClassName: scylladb +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - 'envoy-gateway-topology-injector.union' + verbs: + - update + - patch +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'release-name-envoy-gateway-certgen:union' +subjects: + - kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-certgen' +subjects: +- kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: 
RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: release-name-envoy-gateway-certgen + ttlSecondsAfterFinished: 30 +--- +# Source: controlplane/charts/envoy-gateway/templates/envoy-proxy-topology-injector-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: 'envoy-gateway-topology-injector.union' + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" + labels: + app.kubernetes.io/component: topology-injector + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +webhooks: + - name: topology.webhook.gateway.envoyproxy.io + admissionReviewVersions: ["v1"] + sideEffects: None + clientConfig: + service: + name: envoy-gateway + namespace: 'union' + path: "/inject-pod-topology" + port: 9443 + failurePolicy: Ignore + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods/binding"] + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - union