From eef68ba1926871d06644f7284e81665a9cb032a7 Mon Sep 17 00:00:00 2001 From: Jason Valdron Date: Wed, 16 Apr 2025 10:35:18 -0300 Subject: [PATCH] Add support for Gateway API within Cilium Squashed commit of the following: Update documentation and CRDs Update pkg/model/components/cilium.go Remove gateway API managed addon Update CRDs Fix RBAC and update docs Fix up files that shouldn't of been touched Remove namespace from cluster RBAC resources --- docs/networking/cilium.md | 26 ++++ k8s/crds/kops.k8s.io_clusters.yaml | 14 ++ pkg/apis/kops/networking.go | 13 ++ pkg/apis/kops/v1alpha2/networking.go | 13 ++ .../kops/v1alpha2/zz_generated.conversion.go | 50 +++++++ .../kops/v1alpha2/zz_generated.deepcopy.go | 31 ++++ pkg/apis/kops/v1alpha3/networking.go | 13 ++ .../kops/v1alpha3/zz_generated.conversion.go | 50 +++++++ .../kops/v1alpha3/zz_generated.deepcopy.go | 31 ++++ pkg/apis/kops/validation/validation_test.go | 13 +- pkg/apis/kops/zz_generated.deepcopy.go | 31 ++++ pkg/model/components/cilium.go | 11 ++ ...s_s3_object_cluster-completed.spec_content | 2 + ...s_s3_object_cluster-completed.spec_content | 2 + ...s_s3_object_cluster-completed.spec_content | 2 + ...s_s3_object_cluster-completed.spec_content | 2 + ...s_s3_object_cluster-completed.spec_content | 2 + ...s_s3_object_cluster-completed.spec_content | 2 + ...s_s3_object_cluster-completed.spec_content | 2 + .../k8s-1.16-v1.15.yaml.template | 137 ++++++++++++++++++ 20 files changed, 444 insertions(+), 3 deletions(-) diff --git a/docs/networking/cilium.md b/docs/networking/cilium.md index ff249ab58b..284a22c139 100644 --- a/docs/networking/cilium.md +++ b/docs/networking/cilium.md 
@@ -249,6 +249,32 @@ EOF Note that you can create an ingress resource for Hubble UI by configuring the `hubble.ui.ingress` stanza. See [Cilium Helm chart documentation](https://artifacthub.io/packages/helm/cilium/cilium/1.11.1) for more information. +## Gateway API Support + +{{ kops_feature_table(kops_added_default='1.32') }} + +Cilium supports the Kubernetes Gateway API, which provides a more expressive and extensible way to configure ingress traffic. To enable Gateway API support in Cilium, you need to: + +1. Enable the cluster-wide Gateway API feature in your cluster spec +2. Enable Cilium's Gateway API support + +Here's how to configure it: + +```yaml +spec: + networking: + cilium: + gatewayAPI: + enabled: true +``` + +Note that enabling Cilium's Gateway API support requires having the Gateway API custom resources definitions (CRDs) deployed manually or through a custom addon first. The current version of Cilium requires the experimental channel. To install it manually, simply run: +```bash +kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml +``` + +For more information about using the Gateway API with Cilium, see the [Cilium Gateway API documentation](https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/). + ## Getting help For problems with deploying Cilium please post an issue to Github: diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index 4c3528a243..d90ce0220c 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml 
@@ -5495,6 +5495,20 @@ spec: The cluster is operated by cilium-etcd-operator. Default: false type: boolean + gatewayAPI: + description: GatewayAPI specifies the configuration for Cilium + Gateway API settings. + properties: + enableSecretsSync: + description: |- + EnableSecretsSync specifies whether synchronization of secrets is enabled. + Default: true + type: boolean + enabled: + description: Enabled specifies whether Cilium Gateway + API is enabled. + type: boolean + type: object hubble: description: Hubble configures the Hubble service on the Cilium agent. diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index ab3c26fe7e..1cdc3fb28b 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go @@ -525,6 +525,9 @@ type CiliumNetworkingSpec struct { // Ingress specifies the configuration for Cilium Ingress settings. Ingress *CiliumIngressSpec `json:"ingress,omitempty"` + + // GatewayAPI specifies the configuration for Cilium Gateway API settings. + GatewayAPI *CiliumGatewayAPISpec `json:"gatewayAPI,omitempty"` } // CiliumIngressSpec configures Cilium Ingress settings. @@ -554,6 +557,16 @@ type CiliumIngressSpec struct { SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"` } +// CiliumGatewayAPISpec configures Cilium Gateway API settings. +type CiliumGatewayAPISpec struct { + // Enabled specifies whether Cilium Gateway API is enabled. + Enabled *bool `json:"enabled,omitempty"` + + // EnableSecretsSync specifies whether synchronization of secrets is enabled. + // Default: true + EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` +} + // HubbleSpec configures the Hubble service on the Cilium agent. type HubbleSpec struct { // Enabled decides if Hubble is enabled on the agent or not diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go index caf42fb57c..205529392e 100644 --- a/pkg/apis/kops/v1alpha2/networking.go +++ b/pkg/apis/kops/v1alpha2/networking.go 
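Review bot: The doc comments on `CiliumGatewayAPISpec` do not say what the fields control or how they default: `Enabled` is turned to true whenever the `gatewayAPI` stanza is present (see the `BuildOptions` hunk in pkg/model/components/cilium.go later in this patch), and `EnableSecretsSync` says "Default: true" without naming what is synchronized or where. I would document them as `// Enabled specifies whether Cilium Gateway API is enabled. Default: true when the gatewayAPI stanza is present, false otherwise.` and `// EnableSecretsSync specifies whether cilium-operator copies the TLS secrets referenced by Gateway listeners into the gateway secrets namespace (kube-system). Default: true (Cilium's own default; kops does not set it).` — the second presumably describes Cilium's secrets-sync behaviour, so confirm it against the Cilium docs before committing to it. The same comments should be mirrored into the v1alpha2 and v1alpha3 copies of the type so the generated CRD descriptions agree.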
@@ -642,6 +642,9 @@ type CiliumNetworkingSpec struct { // Ingress specifies the configuration for Cilium Ingress settings. Ingress *CiliumIngressSpec `json:"ingress,omitempty"` + + // GatewayAPI specifies the configuration for Cilium Gateway API settings. + GatewayAPI *CiliumGatewayAPISpec `json:"gatewayAPI,omitempty"` } // CiliumIngressSpec configures Cilium Ingress settings. @@ -671,6 +674,16 @@ type CiliumIngressSpec struct { SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"` } +// CiliumGatewayAPISpec configures Cilium Gateway API settings. +type CiliumGatewayAPISpec struct { + // Enabled specifies whether Cilium Gateway API is enabled. + Enabled *bool `json:"enabled,omitempty"` + + // EnableSecretsSync specifies whether synchronization of secrets is enabled. + // Default: true + EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` +} + // HubbleSpec configures the Hubble service on the Cilium agent. type HubbleSpec struct { // Enabled decides if Hubble is enabled on the agent or not diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 2bc89b6d8b..5428af1ca2 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go 
@@ -214,6 +214,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*CiliumGatewayAPISpec)(nil), (*kops.CiliumGatewayAPISpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(a.(*CiliumGatewayAPISpec), b.(*kops.CiliumGatewayAPISpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*kops.CiliumGatewayAPISpec)(nil), (*CiliumGatewayAPISpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(a.(*kops.CiliumGatewayAPISpec), b.(*CiliumGatewayAPISpec), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*CiliumIngressSpec)(nil), (*kops.CiliumIngressSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(a.(*CiliumIngressSpec), b.(*kops.CiliumIngressSpec), scope) }); err != nil { 
@@ -1953,6 +1963,28 @@ func Convert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in *kops.CertM return autoConvert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in, out, s) } +func autoConvert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in *CiliumGatewayAPISpec, out *kops.CiliumGatewayAPISpec, s conversion.Scope) error { + out.Enabled = in.Enabled + out.EnableSecretsSync = in.EnableSecretsSync + return nil +} + +// Convert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec is an autogenerated conversion function. +func Convert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in *CiliumGatewayAPISpec, out *kops.CiliumGatewayAPISpec, s conversion.Scope) error { + return autoConvert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in, out, s) +} + +func autoConvert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(in *kops.CiliumGatewayAPISpec, out *CiliumGatewayAPISpec, s conversion.Scope) error { + out.Enabled = in.Enabled + out.EnableSecretsSync = in.EnableSecretsSync + return nil +} + +// Convert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec is an autogenerated conversion function. +func Convert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(in *kops.CiliumGatewayAPISpec, out *CiliumGatewayAPISpec, s conversion.Scope) error { + return autoConvert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(in, out, s) +} + func autoConvert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *CiliumIngressSpec, out *kops.CiliumIngressSpec, s conversion.Scope) error { out.Enabled = in.Enabled out.EnforceHttps = in.EnforceHttps 
@@ -2105,6 +2137,15 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * } else { out.Ingress = nil } + if in.GatewayAPI != nil { + in, out := &in.GatewayAPI, &out.GatewayAPI + *out = new(kops.CiliumGatewayAPISpec) + if err := Convert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(*in, *out, s); err != nil { + return err + } + } else { + out.GatewayAPI = nil + } return nil } @@ -2178,6 +2219,15 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in * } else { out.Ingress = nil } + if in.GatewayAPI != nil { + in, out := &in.GatewayAPI, &out.GatewayAPI + *out = new(CiliumGatewayAPISpec) + if err := Convert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(*in, *out, s); err != nil { + return err + } + } else { + out.GatewayAPI = nil + } return nil } diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go index d7b847c6d4..63ec34abfa 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go 
@@ -527,6 +527,32 @@ func (in *CertManagerConfig) DeepCopy() *CertManagerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumGatewayAPISpec) DeepCopyInto(out *CiliumGatewayAPISpec) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.EnableSecretsSync != nil { + in, out := &in.EnableSecretsSync, &out.EnableSecretsSync + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayAPISpec. +func (in *CiliumGatewayAPISpec) DeepCopy() *CiliumGatewayAPISpec { + if in == nil { + return nil + } + out := new(CiliumGatewayAPISpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) { *out = *in @@ -689,6 +715,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = new(CiliumIngressSpec) (*in).DeepCopyInto(*out) } + if in.GatewayAPI != nil { + in, out := &in.GatewayAPI, &out.GatewayAPI + *out = new(CiliumGatewayAPISpec) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/apis/kops/v1alpha3/networking.go b/pkg/apis/kops/v1alpha3/networking.go index 9c9e0151d2..458f5f5e78 100644 --- a/pkg/apis/kops/v1alpha3/networking.go +++ b/pkg/apis/kops/v1alpha3/networking.go @@ -473,6 +473,9 @@ type CiliumNetworkingSpec struct { // Ingress specifies the configuration for Cilium Ingress settings. Ingress *CiliumIngressSpec `json:"ingress,omitempty"` + + // GatewayAPI specifies the configuration for Cilium Gateway API settings. + GatewayAPI *CiliumGatewayAPISpec `json:"gatewayAPI,omitempty"` } // CiliumIngressSpec configures Cilium Ingress settings. 
@@ -502,6 +505,16 @@ type CiliumIngressSpec struct { SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"` } +// CiliumGatewayAPISpec configures Cilium Gateway API settings. +type CiliumGatewayAPISpec struct { + // Enabled specifies whether Cilium Gateway API is enabled. + Enabled *bool `json:"enabled,omitempty"` + + // EnableSecretsSync specifies whether synchronization of secrets is enabled. + // Default: true + EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"` +} + // HubbleSpec configures the Hubble service on the Cilium agent. type HubbleSpec struct { // Enabled decides if Hubble is enabled on the agent or not diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go index 4db32f01a5..65aecd8991 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go 
@@ -234,6 +234,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*CiliumGatewayAPISpec)(nil), (*kops.CiliumGatewayAPISpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(a.(*CiliumGatewayAPISpec), b.(*kops.CiliumGatewayAPISpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*kops.CiliumGatewayAPISpec)(nil), (*CiliumGatewayAPISpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(a.(*kops.CiliumGatewayAPISpec), b.(*CiliumGatewayAPISpec), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*CiliumIngressSpec)(nil), (*kops.CiliumIngressSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(a.(*CiliumIngressSpec), b.(*kops.CiliumIngressSpec), scope) }); err != nil { 
@@ -2135,6 +2145,28 @@ func Convert_kops_CertManagerConfig_To_v1alpha3_CertManagerConfig(in *kops.CertM return autoConvert_kops_CertManagerConfig_To_v1alpha3_CertManagerConfig(in, out, s) } +func autoConvert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in *CiliumGatewayAPISpec, out *kops.CiliumGatewayAPISpec, s conversion.Scope) error { + out.Enabled = in.Enabled + out.EnableSecretsSync = in.EnableSecretsSync + return nil +} + +// Convert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec is an autogenerated conversion function. +func Convert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in *CiliumGatewayAPISpec, out *kops.CiliumGatewayAPISpec, s conversion.Scope) error { + return autoConvert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in, out, s) +} + +func autoConvert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(in *kops.CiliumGatewayAPISpec, out *CiliumGatewayAPISpec, s conversion.Scope) error { + out.Enabled = in.Enabled + out.EnableSecretsSync = in.EnableSecretsSync + return nil +} + +// Convert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec is an autogenerated conversion function. +func Convert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(in *kops.CiliumGatewayAPISpec, out *CiliumGatewayAPISpec, s conversion.Scope) error { + return autoConvert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(in, out, s) +} + func autoConvert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *CiliumIngressSpec, out *kops.CiliumIngressSpec, s conversion.Scope) error { out.Enabled = in.Enabled out.EnforceHttps = in.EnforceHttps 
@@ -2235,6 +2267,15 @@ func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * } else { out.Ingress = nil } + if in.GatewayAPI != nil { + in, out := &in.GatewayAPI, &out.GatewayAPI + *out = new(kops.CiliumGatewayAPISpec) + if err := Convert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(*in, *out, s); err != nil { + return err + } + } else { + out.GatewayAPI = nil + } return nil } @@ -2313,6 +2354,15 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha3_CiliumNetworkingSpec(in * } else { out.Ingress = nil } + if in.GatewayAPI != nil { + in, out := &in.GatewayAPI, &out.GatewayAPI + *out = new(CiliumGatewayAPISpec) + if err := Convert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(*in, *out, s); err != nil { + return err + } + } else { + out.GatewayAPI = nil + } return nil } diff --git a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go index 2325808a6f..b3c024f466 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go 
@@ -588,6 +588,32 @@ func (in *CertManagerConfig) DeepCopy() *CertManagerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumGatewayAPISpec) DeepCopyInto(out *CiliumGatewayAPISpec) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.EnableSecretsSync != nil { + in, out := &in.EnableSecretsSync, &out.EnableSecretsSync + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayAPISpec. +func (in *CiliumGatewayAPISpec) DeepCopy() *CiliumGatewayAPISpec { + if in == nil { + return nil + } + out := new(CiliumGatewayAPISpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) { *out = *in @@ -711,6 +737,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = new(CiliumIngressSpec) (*in).DeepCopyInto(*out) } + if in.GatewayAPI != nil { + in, out := &in.GatewayAPI, &out.GatewayAPI + *out = new(CiliumGatewayAPISpec) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go index 1c6b072f2b..8082c3e9ba 100644 --- a/pkg/apis/kops/validation/validation_test.go +++ b/pkg/apis/kops/validation/validation_test.go @@ -1221,6 +1221,15 @@ func Test_Validate_Cilium(t *testing.T) { }, }, }, + { + Cilium: kops.CiliumNetworkingSpec{ + Version: "v1.16.0", + GatewayAPI: &kops.CiliumGatewayAPISpec{ + Enabled: fi.PtrTo(true), + EnableSecretsSync: fi.PtrTo(true), + }, + }, + }, { Cilium: kops.CiliumNetworkingSpec{ Version: "v1.16.0", 
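Review bot: The new grid entry only checks that a fully specified `GatewayAPI` block is accepted, and the diffstat shows no change to the validation code itself, so nothing rejects a configuration Cilium cannot honour — for example Gateway API on a Cilium version that predates the feature (I believe 1.13 is the first release with it; confirm), or `enableSecretsSync: true` combined with `enabled: false`. Consider adding a minimum-version check next to the existing Cilium version validation and a negative grid entry for a too-old version, e.g. `Version: "v1.12.0"` with `GatewayAPI: &kops.CiliumGatewayAPISpec{Enabled: fi.PtrTo(true)}` and the expected error; I cannot see the grid's error-expectation field from this hunk, so adapt to it. Test_Validate_Cilium starts before this hunk.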
@@ -1236,9 +1245,7 @@ func Test_Validate_Cilium(t *testing.T) { }, } for _, g := range grid { - g.Spec.Networking = kops.NetworkingSpec{ - Cilium: &g.Cilium, - } + g.Spec.Networking.Cilium = &g.Cilium if g.Spec.KubernetesVersion == "" { g.Spec.KubernetesVersion = "1.17.0" } diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index 5e492dd34e..9ca9ca1ae8 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go @@ -669,6 +669,32 @@ func (in *ChannelSpec) DeepCopy() *ChannelSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumGatewayAPISpec) DeepCopyInto(out *CiliumGatewayAPISpec) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.EnableSecretsSync != nil { + in, out := &in.EnableSecretsSync, &out.EnableSecretsSync + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayAPISpec. +func (in *CiliumGatewayAPISpec) DeepCopy() *CiliumGatewayAPISpec { + if in == nil { + return nil + } + out := new(CiliumGatewayAPISpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) { *out = *in @@ -792,6 +818,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = new(CiliumIngressSpec) (*in).DeepCopyInto(*out) } + if in.GatewayAPI != nil { + in, out := &in.GatewayAPI, &out.GatewayAPI + *out = new(CiliumGatewayAPISpec) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go index 446cd05967..79d0790c62 100644 --- a/pkg/model/components/cilium.go +++ b/pkg/model/components/cilium.go 
@@ -187,5 +187,16 @@ func (b *CiliumOptionsBuilder) BuildOptions(o *kops.Cluster) error { } } + gatewayAPI := c.GatewayAPI + if gatewayAPI != nil { + if gatewayAPI.Enabled == nil { + gatewayAPI.Enabled = fi.PtrTo(true) + } + } else { + c.GatewayAPI = &kops.CiliumGatewayAPISpec{ + Enabled: fi.PtrTo(false), + } + } + return nil } diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content index 73865e7bd7..85c7e3db5e 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content @@ -201,6 +201,8 @@ spec: enableLocalRedirectPolicy: false enableRemoteNodeIdentity: true enableUnreachableRoutes: false + gatewayAPI: + enabled: false hubble: enabled: false identityAllocationMode: crd diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content index 096feeb19e..5d410403eb 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content @@ -193,6 +193,8 @@ spec: enableLocalRedirectPolicy: false enableRemoteNodeIdentity: true enableUnreachableRoutes: false + gatewayAPI: + enabled: false hubble: enabled: false identityAllocationMode: crd diff --git a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content index 99572eb80f..9b3c37f093 100644 
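Review bot: An empty `gatewayAPI: {}` stanza turns the feature on, because `Enabled == nil` is defaulted to true on the non-nil branch, while the same function leaves `EnableSecretsSync` nil even though the API comment documents its default as true; the completed-spec fixtures further down this line show kops materializes the defaulted `enabled` value, and the same should happen for the sync flag when the feature is on so the rendered spec records the effective value and the template does not have to reason about a nil pointer. Inside the non-nil branch, after `Enabled` has been defaulted, add `if *gatewayAPI.Enabled && gatewayAPI.EnableSecretsSync == nil {` / `gatewayAPI.EnableSecretsSync = fi.PtrTo(true)` / `}`. The opt-in-by-presence default should also be stated on the `Enabled` field's doc comment, since nothing in the spec otherwise tells the user that an empty stanza enables Gateway API. BuildOptions begins before this hunk.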
--- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content @@ -189,6 +189,8 @@ spec: enableNodePort: true enableRemoteNodeIdentity: true enableUnreachableRoutes: false + gatewayAPI: + enabled: false hubble: enabled: false identityAllocationMode: crd diff --git a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content index adc0fa350f..8b7c2769e8 100644 --- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content @@ -195,6 +195,8 @@ spec: enableLocalRedirectPolicy: false enableRemoteNodeIdentity: true enableUnreachableRoutes: false + gatewayAPI: + enabled: false hubble: enabled: false identityAllocationMode: crd diff --git a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content index 3a44ef1bd3..2b1751bc92 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content @@ -199,6 +199,8 @@ spec: enableLocalRedirectPolicy: false enableRemoteNodeIdentity: true enableUnreachableRoutes: false + gatewayAPI: + enabled: false hubble: enabled: false identityAllocationMode: crd diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content index 8a8bb21639..e18f8379b7 100644 
--- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content @@ -208,6 +208,8 @@ spec: enableLocalRedirectPolicy: false enableRemoteNodeIdentity: true enableUnreachableRoutes: false + gatewayAPI: + enabled: false hubble: enabled: true metrics: diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content index 6a1e40f560..a4a4aa5411 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content @@ -207,6 +207,8 @@ spec: enableRemoteNodeIdentity: true enableUnreachableRoutes: false etcdManaged: true + gatewayAPI: + enabled: false hubble: enabled: false identityAllocationMode: crd diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template index 32b67c9e0e..147b575e6c 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template @@ -317,6 +317,15 @@ data: {{ end }} {{ end }} + {{ if WithDefaultBool .GatewayAPI.Enabled false }} + enable-gateway-api: "true" + gateway-api-secrets-namespace: kube-system + + {{ if .GatewayAPI.EnableSecretsSync }} + enable-gateway-api-secrets-sync: "{{ .GatewayAPI.EnableSecretsSync }}" + {{ end }} + {{ end }} + # Tell the agent to generate and write a CNI configuration file write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist cni-exclusive: "{{ .CniExclusive }}" 
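Review bot: `{{ if .GatewayAPI.EnableSecretsSync }}` tests whether the `*bool` is non-nil, not whether it is true, so `enableSecretsSync: false` still renders (correctly, as `"false"`) — the result is right, but the guard reads like a value test and differs from the `WithDefaultBool` form used for `.GatewayAPI.Enabled` two lines earlier. I would drop the inner `if` and render the effective value unconditionally, `enable-gateway-api-secrets-sync: "{{ WithDefaultBool .GatewayAPI.EnableSecretsSync true }}"`, which also makes the documented default visible in the ConfigMap. `gateway-api-secrets-namespace: kube-system` deserves a comment, since it means every TLS Secret referenced by a Gateway listener is copied into kube-system and the agent is given read access there by the Role added later in this file; something like `# Synced Gateway TLS secrets land in kube-system; the cilium SA is granted read on that namespace's Secrets below`.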
@@ -735,6 +744,54 @@ rules: verbs: - update {{ end }} +{{ if WithDefaultBool .GatewayAPI.Enabled false }} +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - tlsroutes + - httproutes + - grpcroutes + - referencegrants + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - patch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - grpcroutes/status + - tlsroutes/status + verbs: + - update + - patch +- apiGroups: + - cilium.io + resources: + - ciliumgatewayclassconfigs + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumgatewayclassconfigs/status + verbs: + - update + - patch +{{ end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
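Review bot: `referencepolicies` on the read rule names a resource that no longer exists in the Gateway API release the docs hunk tells users to install (ReferencePolicy was renamed to ReferenceGrant and the old kind removed well before v1.0, as far as I recall); RBAC does not validate resource names, so the entry is inert, but it implies a compatibility range the addon does not support and should be dropped or annotated `# ReferencePolicy: removed upstream; kept only for pre-v0.6 Gateway API CRDs`. The `rules:` list these entries extend belongs to a ClusterRole whose name is outside the hunk, so I cannot tell from here whether it is the agent's or the operator's role; the `update`/`patch` verbs on the `*/status` subresources are only needed by the component that programs the Gateway, so confirm they are not also handed to the agent.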
@@ -913,6 +970,86 @@ subsets: - port: 9999 {{ end }} {{ end }} +{{ if WithDefaultBool .GatewayAPI.Enabled false }} +--- +# Source: cilium/templates/cilium-agent/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cilium-gateway-secrets + namespace: kube-system + labels: + app.kubernetes.io/part-of: cilium +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +# Source: cilium/templates/cilium-operator/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cilium-gateway-secrets + namespace: kube-system + labels: + app.kubernetes.io/part-of: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-gateway-secrets +subjects: + - kind: ServiceAccount + name: "cilium" + namespace: kube-system +--- +# Source: cilium/templates/cilium-operator/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium-operator-gateway-secrets + labels: + app.kubernetes.io/part-of: cilium +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch +--- +# Source: cilium/templates/cilium-operator/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium-operator-gateway-secrets + labels: + app.kubernetes.io/part-of: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-operator-gateway-secrets +subjects: + - kind: ServiceAccount + name: "cilium-operator" + namespace: kube-system +--- +# Source: cilium/templates/cilium-gateway-api-class.yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: cilium +spec: + controllerName: io.cilium/gateway-controller + description: The default Cilium GatewayClass +{{ end }} {{ if WithDefaultBool .Hubble.Enabled false }} {{ if .Hubble.Metrics }} ---
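Review bot: `cilium-operator-gateway-secrets` grants `create`/`delete`/`update`/`patch` on Secrets as a ClusterRole bound through a ClusterRoleBinding, i.e. cilium-operator may write or delete any Secret in any namespace, whereas the secrets sync only ever writes into the namespace the ConfigMap hunk pins as `gateway-api-secrets-namespace: kube-system`. The squash message says the namespace was removed from the cluster-scoped resources; the least-privilege fix goes the other way — keep the namespace and make the kind namespaced, as is already done for the agent's `cilium-gateway-secrets` Role directly above. Cluster-wide `get`/`list`/`watch` is all the operator needs outside that namespace to read the source TLS secrets, and since this hunk does not add it, that is presumably already in its existing ClusterRole — confirm. Separately, the agent Role reads every Secret in kube-system, not just the synced copies; a dedicated secrets namespace would narrow that, but it is a larger change that also touches the ConfigMap.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cilium-operator-gateway-secrets
  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
rules:
# … unchanged: secrets create/delete/update/patch rule …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cilium-operator-gateway-secrets
  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cilium-operator-gateway-secrets
# … unchanged: subjects (cilium-operator ServiceAccount in kube-system) …
```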