rollout v0.5.0 changelog (#190)

* rollout v0.5.0 changelog Signed-off-by: liheng.zms <liheng.zms@alibaba-inc.com> * modify rollout types description Signed-off-by: liheng.zms <liheng.zms@alibaba-inc.com> * limit secret & configmaps namespace rbac Signed-off-by: liheng.zms <liheng.zms@alibaba-inc.com> * modify rollout v0.5.0 changelog Signed-off-by: liheng.zms <liheng.zms@alibaba-inc.com> --------- Signed-off-by: liheng.zms <liheng.zms@alibaba-inc.com>
2023-12-21 15:23:02 +08:00 · 2023-12-21 15:23:02 +08:00 · 83eedb354e
parent 862040870d
commit 83eedb354e
8 changed files with 98 additions and 23 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,41 @@
 # Change Log

+## v0.5.0
+### Resources Graduating to BETA
+
+After more than a year of development, we have now decided to upgrade the following resources to v1beta1, as follows:
+- Rollout
+- BatchRelease
+
+Please refer to the [community documentation](https://openkruise.io/rollouts/user-manuals/api-specifications) for detailed api definitions.
+
+**Note:** The v1alpha1 api is still available, and you can still use the v1alpha1 api in v0.5.0.
+But we still recommend that you migrate to v1beta1 gradually, as some of the new features will only be available in v1beta1,
+e.g., [Extensible Traffic Routing Based on Lua Script](https://openkruise.io/rollouts/developer-manuals/custom-network-provider/).
+
+### Bump To V1beta1 Gateway API
+Support for GatewayAPI from v1alpha2 to v1beta1, you can use v1beta1 gateway API.
+
+### Extensible Traffic Routing Based on Lua Script
+
+The Gateway API is a standard gateway resource given by the K8S community, but there are still a large number of users in the community who are still using some customized gateway resources, such as VirtualService, Apisix, and so on.
+In order to adapt to this behavior and meet the diverse demands of the community for gateway resources, we support a traffic routing scheme based on Lua scripts.
+
+Kruise Rollout utilizes a Lua-script-based customization approach for API Gateway resources (Istio VirtualService, Apisix ApisixRoute, Kuma TrafficRoute and etc.).
+Kruise Rollout involves invoking Lua scripts to retrieve and update the desired configurations of resources based on release strategies and the original configurations of API Gateway resources (including spec, labels, and annotations).
+It enables users to easily adapt and integrate various types of API Gateway resources without modifying existing code and configurations.
+
+By using Kruise Rollout, users can:
+- Customize Lua scripts for handling API Gateway resources, allowing for flexible implementation of resource processing and providing support for a wider range of resources.
+- Utilize a common Rollout configuration template to configure different resources, reducing configuration complexity and facilitating user configuration.
+
+### Traffic Routing with Istio
+Based on the lua script approach, now we add built-in support for Istio resources VirtualService,
+you can directly use Kruise Rollout to achieve Istio scenarios Canary, A/B Testing release.
+
+### Others
+- Bug fix: wait grace period seconds after pod creation/upgrade. ([#185](https://github.com/openkruise/rollouts/pull/185), [@veophi](https://github.com/veophi))
+
 ## v0.4.0
 ### Kruise-Rollout-Controller
 - Rollout Support Kruise Advanced DaemonSet. ([#134](https://github.com/openkruise/rollouts/pull/134), [@Yadan-Wei](https://github.com/Yadan-Wei))
--- a/21
+++ b/21
@ -1,7 +1,7 @@
 # Build the manager binary
 ARG BASE_IMAGE=alpine
 ARG BASE_IMAGE_VERION=3.17
-FROM --platform=$BUILDPLATFORM golang:1.18-alpine3.17 as builder
+FROM --platform=$BUILDPLATFORM golang:1.19-alpine3.17 as builder

 WORKDIR /workspace

@ -23,12 +23,25 @@ ARG BASE_IMAGE
 ARG BASE_IMAGE_VERION
 FROM ${BASE_IMAGE}:${BASE_IMAGE_VERION}

-RUN apk add --no-cache ca-certificates=~20220614-r4 bash=~5.2.15-r0 expat=~2.5.0-r0 \
-    && rm -rf /var/cache/apk/*
+RUN set -eux; \
+    apk --no-cache --update upgrade && \
+    apk --no-cache add ca-certificates && \
+    apk --no-cache add tzdata && \
+    rm -rf /var/cache/apk/* && \
+    update-ca-certificates && \
+    echo "only include root and nobody user" && \
+    echo -e "root:x:0:0:root:/root:/bin/ash\nnobody:x:65534:65534:nobody:/:/sbin/nologin" | tee /etc/passwd && \
+    echo -e "root:x:0:root\nnobody:x:65534:" | tee /etc/group && \
+    rm -rf /usr/local/sbin/* && \
+    rm -rf /usr/local/bin/* && \
+    rm -rf /usr/sbin/* && \
+    rm -rf /usr/bin/* && \
+    rm -rf /sbin/* && \
+    rm -rf /bin/*

 WORKDIR /
 COPY --from=builder /workspace/manager .
 COPY lua_configuration /lua_configuration
-USER 1000
+USER 65534

 ENTRYPOINT ["/manager"]
--- a/api/v1beta1/rollout_types.go
+++ b/api/v1beta1/rollout_types.go
@ -82,7 +82,7 @@ type CanaryStrategy struct {
 	// Steps define the order of phases to execute release in batches(20%, 40%, 60%, 80%, 100%)
 	// +optional
 	Steps []CanaryStep `json:"steps,omitempty"`
-	// TrafficRoutings hosts all the supported service meshes supported to enable more fine-grained traffic routing
+	// TrafficRoutings support ingress, gateway api and custom network resource(e.g. istio, apisix) to enable more fine-grained traffic routing
 	// and current only support one TrafficRouting
 	TrafficRoutings []TrafficRoutingRef `json:"trafficRoutings,omitempty"`
 	// FailureThreshold indicates how many failed pods can be tolerated in all upgraded pods.
@ -123,6 +123,7 @@ type CanaryStep struct {

 type TrafficRoutingStrategy struct {
 	// Traffic indicate how many percentage of traffic the canary pods should receive
+	// Value is of string type and is a percentage, e.g. 5%.
 	// +optional
 	Traffic *string `json:"traffic,omitempty"`
 	// Set overwrites the request with the given header (name, value)
--- a/config/crd/bases/rollouts.kruise.io_rollouts.yaml
+++ b/config/crd/bases/rollouts.kruise.io_rollouts.yaml
@ -808,7 +808,8 @@ spec:
                              type: object
                            traffic:
                              description: Traffic indicate how many percentage of
-                                traffic the canary pods should receive
+                                traffic the canary pods should receive Value is of
+                                string type and is a percentage, e.g. 5%.
                              type: string
                          type: object
                        type: array
@ -816,9 +817,10 @@ spec:
                        description: TrafficRoutingRef is TrafficRouting's Name
                        type: string
                      trafficRoutings:
-                        description: TrafficRoutings hosts all the supported service
-                          meshes supported to enable more fine-grained traffic routing
-                          and current only support one TrafficRouting
+                        description: TrafficRoutings support ingress, gateway api
+                          and custom network resource(e.g. istio, apisix) to enable
+                          more fine-grained traffic routing and current only support
+                          one TrafficRouting
                        items:
                          description: TrafficRoutingRef hosts all the different configuration
                            for supported service meshes to enable more fine-grained
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@ -196,18 +196,6 @@ rules:
  - get
  - patch
  - update
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
  - ""
  resources:
@ -376,3 +364,24 @@ rules:
  - get
  - patch
  - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: manager-role
+  namespace: system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@ -10,3 +10,17 @@ subjects:
 - kind: ServiceAccount
  name: controller-manager
  namespace: system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manager-rolebinding
+  namespace: system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/openkruise/rollouts

-go 1.18
+go 1.19

 require (
 	github.com/davecgh/go-spew v1.1.1
--- a/pkg/webhook/server.go
+++ b/pkg/webhook/server.go
@ -101,7 +101,7 @@ func SetupWithManager(mgr manager.Manager) error {
 	return nil
 }

-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete,namespace=system
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;update;patch