From 195aa000753704942ae4efcc29830d692bd11393 Mon Sep 17 00:00:00 2001 From: Ignas Baranauskas Date: Mon, 16 Oct 2023 12:23:49 +0100 Subject: [PATCH] Separated kuadrant policies --- config/examples/dashboards/kustomization.yaml | 4 + config/examples/enterprise/README.md | 4 + config/examples/enterprise/all.yaml | 90 ---- config/examples/kube-prometheus/bundle.yaml | 411 +++++++++++++++++- .../grafana_deployment_patch.yaml | 8 +- .../ksm_clusterrole_patch.yaml | 11 - .../kube-state-metrics/cluster-role.yaml | 8 - .../kuadrant.io_ratelimitpolicies.yaml | 397 ----------------- .../crd/standard/kuadrant.io_tlspolicies.yaml | 313 ------------- config/kuadrant/README.md | 43 ++ config/kuadrant/clusterrole-patch.yaml | 21 + .../crd/kuadrant.io_ratelimitpolicies.yaml | 245 +++++++++++ .../kuadrant/crd/kuadrant.io_tlspolicies.yaml | 216 +++++++++ config/kuadrant/kuadrant.yaml | 89 ++++ hack/local_dev.sh | 6 + 15 files changed, 1031 insertions(+), 835 deletions(-) delete mode 100644 config/gateway-api/crd/standard/kuadrant.io_ratelimitpolicies.yaml delete mode 100644 config/gateway-api/crd/standard/kuadrant.io_tlspolicies.yaml create mode 100644 config/kuadrant/README.md create mode 100644 config/kuadrant/clusterrole-patch.yaml create mode 100644 config/kuadrant/crd/kuadrant.io_ratelimitpolicies.yaml create mode 100644 config/kuadrant/crd/kuadrant.io_tlspolicies.yaml create mode 100644 config/kuadrant/kuadrant.yaml diff --git a/config/examples/dashboards/kustomization.yaml b/config/examples/dashboards/kustomization.yaml index 1d3a222..7c8b8c1 100644 --- a/config/examples/dashboards/kustomization.yaml +++ b/config/examples/dashboards/kustomization.yaml @@ -31,3 +31,7 @@ configMapGenerator: namespace: monitoring files: - ./udproutes.json +- name: grafana-policies + namespace: monitoring + files: + - ./policies.json diff --git a/config/examples/enterprise/README.md b/config/examples/enterprise/README.md index 7efaad9..c6da202 100644 --- a/config/examples/enterprise/README.md +++ b/config/examples/enterprise/README.md @@ -72,10 +72,14 @@ There are 3 Gateways with various services attached. ```bash kind create cluster kubectl create -f ../../gateway-api/crd/standard/ +kubectl apply -f ../../kuadrant/crd/ kubectl create -f ./all.yaml kubectl replace --subresource=status -f ./all.yaml +kubectl apply -f ../../kuadrant/kuadrant.yaml +kubectl replace --subresource=status -f ../../kuadrant/kuadrant.yaml kubectl apply --server-side -f ../kube-prometheus/bundle_crd.yaml kubectl apply -f ../kube-prometheus/bundle.yaml +kubectl patch clusterrole kube-state-metrics --type=json -p "$(cat ../../kuadrant/clusterrole-patch.yaml)" kubectl -n monitoring wait --timeout=5m deployment/grafana --for=condition=Available kubectl -n monitoring port-forward service/grafana 3000:3000 > /dev/null & kubectl -n monitoring rollout status --watch --timeout=5m statefulset/prometheus-k8s diff --git a/config/examples/enterprise/all.yaml b/config/examples/enterprise/all.yaml index 045f1ca..887b831 100644 --- a/config/examples/enterprise/all.yaml +++ b/config/examples/enterprise/all.yaml @@ -625,96 +625,6 @@ status: - group: gateway.networking.k8s.io kind: GRPCRoute --- -apiVersion: kuadrant.io/v1alpha1 -kind: TLSPolicy -metadata: - name: external - namespace: istio-system -spec: - targetRef: - name: external - group: gateway.networking.k8s.io - kind: Gateway - issuerRef: - group: cert-manager.io - kind: ClusterIssuer - name: selfsigned-cluster-issuer -status: - conditions: - - lastTransitionTime: "2023-08-21T22:53:08Z" - message: Gateway is TLS Enabled - reason: GatewayTLSEnabled - status: "True" - type: Ready ---- -apiVersion: kuadrant.io/v1alpha1 -kind: TLSPolicy -metadata: - name: internal - namespace: istio-system -spec: - targetRef: - name: internal - group: gateway.networking.k8s.io - kind: Gateway - issuerRef: - group: cert-manager.io - kind: ClusterIssuer - name: selfsigned-cluster-issuer -status: - conditions: - - lastTransitionTime: "2023-08-21T22:53:08Z" - message: Gateway is TLS Enabled - reason: GatewayTLSEnabled - status: "True" - type: Ready ---- -apiVersion: kuadrant.io/v1beta2 -kind: RateLimitPolicy -metadata: - name: rlp-www -spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: www - limits: - "global": - rates: - - limit: 5 - duration: 10 - unit: second -status: - conditions: - - lastTransitionTime: "2023-08-21T22:53:08Z" - message: HTTPRoute is ratelimited - reason: HTTPRouteProtected - status: "True" - type: Available ---- -apiVersion: kuadrant.io/v1beta2 -kind: RateLimitPolicy -metadata: - name: rlp-cdn -spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: cdn - limits: - "global": - rates: - - limit: 5 - duration: 10 - unit: second -status: - conditions: - - lastTransitionTime: "2023-08-21T22:53:08Z" - message: HTTPRoute is ratelimited - reason: HTTPRouteProtected - status: "True" - type: Available ---- apiVersion: gateway.networking.k8s.io/v1alpha2 kind: BackendTLSPolicy metadata: diff --git a/config/examples/kube-prometheus/bundle.yaml b/config/examples/kube-prometheus/bundle.yaml index 01aa0b4..de5e935 100644 --- a/config/examples/kube-prometheus/bundle.yaml +++ b/config/examples/kube-prometheus/bundle.yaml @@ -494,14 +494,6 @@ rules: verbs: - list - watch -- apiGroups: - - kuadrant.io - resources: - - tlspolicies - - ratelimitpolicies - verbs: - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 @@ -41202,6 +41194,401 @@ metadata: name: grafana-httproutes-mhg79c4bbk namespace: monitoring +--- +apiVersion: v1 +data: + policies.json: | + { + "editable": false, + "links": [ + { + "asDropdown": false, + "includeVars": true, + "keepTime": true, + "tags": [ + "gateway-api-state" + ], + "targetBlank": false, + "title": "Gateway Dashboards", + "type": "dashboards" + } + ], + "panels": [ + { + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 1, + "title": "TLSPolicy", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "description": "Total number of TLSPolicy across all clusters", + "gridPos": { + "h": 3, + "w": 2, + "x": 0, + "y": 1 + }, + "id": 2, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "count(gatewayapi_tlspolicy_status)", + "instant": true + } + ], + "title": "Total", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "description": "Total TLSPolicy with an Ready state", + "gridPos": { + "h": 3, + "w": 2, + "x": 2, + "y": 1 + }, + "id": 3, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "count(gatewayapi_tlspolicy_status{type=\"Ready\"})", + "instant": true + } + ], + "title": "Ready", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "gridPos": { + "h": 6, + "w": 10, + "x": 4, + "y": 1 + }, + "id": 4, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "gatewayapi_tlspolicy_target_info", + "format": "table", + "instant": true, + "range": false + } + ], + "title": "TLSPolicy", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "name", + "target_kind", + "target_name" + ] + } + } + }, + { + "id": "organize", + "options": { + "renameByName": { + "name": "Name", + "target_kind": "Target Kind", + "target_name": "Target Name" + } + } + } + ], + "type": "table" + }, + { + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 2 + }, + "id": 5, + "title": "RateLimitPolicy", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "description": "Total number of RateLimitPolicy across all clusters", + "gridPos": { + "h": 3, + "w": 2, + "x": 0, + "y": 3 + }, + "id": 6, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "count(gatewayapi_ratelimitpolicy_status)", + "instant": true + } + ], + "title": "Total", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "description": "Total RateLimitPolicy with an Available state", + "gridPos": { + "h": 3, + "w": 2, + "x": 2, + "y": 3 + }, + "id": 7, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "count(gatewayapi_ratelimitpolicy_status{type=\"Available\"})", + "instant": true + } + ], + "title": "Available", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "gridPos": { + "h": 6, + "w": 10, + "x": 4, + "y": 7 + }, + "id": 8, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "gatewayapi_ratelimitpolicy_target_info", + "format": "table", + "instant": true, + "range": false + } + ], + "title": "RateLimitPolicy", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "name", + "target_kind", + "target_name" + ] + } + } + }, + { + "id": "organize", + "options": { + "renameByName": { + "name": "Name", + "target_kind": "Target Kind", + "target_name": "Target Name" + } + } + } + ], + "type": "table" + }, + { + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 8 + }, + "id": 9, + "title": "BackendTLSPolicy", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "gridPos": { + "h": 6, + "w": 10, + "x": 4, + "y": 9 + }, + "id": 10, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "gatewayapi_backendtlspolicy_target_info", + "format": "table", + "instant": true, + "range": false + } + ], + "title": "BackendTLSPolicy", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "name", + "target_kind", + "target_name" + ] + } + } + }, + { + "id": "organize", + "options": { + "renameByName": { + "name": "Name", + "target_kind": "Target Kind", + "target_name": "Target Name" + } + } + } + ], + "type": "table" + } + ], + "schemaVersion": 36, + "style": "dark", + "tags": [ + "gateway-api", + "gateway-api-state" + ], + "templating": { + "list": [ + { + "label": "Data Source", + "name": "datasource", + "query": "prometheus", + "type": "datasource" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "includeAll": true, + "label": "TLSPolicy", + "multi": true, + "name": "tlspolicy", + "query": { + "query": "label_values(gatewayapi_tlspolicy_created, name)", + "refId": "StandardVariableQuery" + }, + "regex": "/(.*)/", + "type": "query" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "includeAll": true, + "label": "RateLimitPolicy", + "multi": true, + "name": "ratelimitpolicy", + "query": { + "query": "label_values(gatewayapi_ratelimitpolicy_created, name)", + "refId": "StandardVariableQuery" + }, + "regex": "/(.*)/", + "type": "query" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "includeAll": true, + "label": "BackendTLSPolicy", + "multi": true, + "name": "backendtlspolicy", + "query": { + "query": "label_values(gatewayapi_backendtlspolicy_created, name)", + "refId": "StandardVariableQuery" + }, + "regex": "/(.*)/", + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timezone": "utc", + "title": "Gateway API State / Policies", + "uid": "gatewayapipolicies" + } +kind: ConfigMap +metadata: + name: grafana-policies-bggb44htkm + namespace: monitoring + --- apiVersion: v1 data: @@ -43836,8 +44223,8 @@ spec: name: grafana-tcproutes - mountPath: /grafana-dashboard-definitions/0/grafana-udproutes name: grafana-udproutes - - mountPath: /grafana-dashboard-definitions/0/grafana-tlspolicy - name: grafana-tlspolicy + - mountPath: /grafana-dashboard-definitions/0/grafana-policies + name: grafana-policies nodeSelector: kubernetes.io/os: linux securityContext: @@ -43954,8 +44341,8 @@ spec: name: grafana-tlsroutes - configMap: defaultMode: 420 - name: grafana-tlspolicy - name: grafana-tlspolicy + name: grafana-policies-bggb44htkm + name: grafana-policies - configMap: defaultMode: 420 name: grafana-tcproutes-d7tt7t272g diff --git a/config/examples/kube-prometheus/grafana_deployment_patch.yaml b/config/examples/kube-prometheus/grafana_deployment_patch.yaml index f773ae2..07550b7 100644 --- a/config/examples/kube-prometheus/grafana_deployment_patch.yaml +++ b/config/examples/kube-prometheus/grafana_deployment_patch.yaml @@ -36,10 +36,10 @@ - op: add path: /spec/template/spec/volumes/- value: - name: grafana-tlspolicy + name: grafana-policies configMap: defaultMode: 420 - name: grafana-tlspolicy + name: grafana-policies - op: add path: /spec/template/spec/volumes/- value: @@ -92,5 +92,5 @@ - op: add path: /spec/template/spec/containers/0/volumeMounts/- value: - name: grafana-tlspolicy - mountPath: /grafana-dashboard-definitions/0/grafana-tlspolicy + name: grafana-policies + mountPath: /grafana-dashboard-definitions/0/grafana-policies diff --git a/config/examples/kube-prometheus/ksm_clusterrole_patch.yaml b/config/examples/kube-prometheus/ksm_clusterrole_patch.yaml index 0f7a09b..d27de11 100644 --- a/config/examples/kube-prometheus/ksm_clusterrole_patch.yaml +++ b/config/examples/kube-prometheus/ksm_clusterrole_patch.yaml @@ -25,14 +25,3 @@ verbs: - list - watch -- op: add - path: /rules/- - value: - apiGroups: - - "kuadrant.io" - resources: - - tlspolicies - - ratelimitpolicies - verbs: - - list - - watch diff --git a/config/examples/kube-state-metrics/cluster-role.yaml b/config/examples/kube-state-metrics/cluster-role.yaml index 9be9447..dfc6514 100644 --- a/config/examples/kube-state-metrics/cluster-role.yaml +++ b/config/examples/kube-state-metrics/cluster-role.yaml @@ -147,11 +147,3 @@ rules: verbs: - list - watch -- apiGroups: - - "kuadrant.io" - resources: - - tlspolicies - - ratelimitpolicies - verbs: - - list - - watch diff --git a/config/gateway-api/crd/standard/kuadrant.io_ratelimitpolicies.yaml b/config/gateway-api/crd/standard/kuadrant.io_ratelimitpolicies.yaml deleted file mode 100644 index a5c6b16..0000000 --- a/config/gateway-api/crd/standard/kuadrant.io_ratelimitpolicies.yaml +++ /dev/null @@ -1,397 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: ratelimitpolicies.kuadrant.io -spec: - group: kuadrant.io - names: - kind: RateLimitPolicy - listKind: RateLimitPolicyList - plural: ratelimitpolicies - singular: ratelimitpolicy - scope: Namespaced - versions: - - name: v1beta2 - schema: - openAPIV3Schema: - description: RateLimitPolicy is the Schema for the ratelimitpolicies API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RateLimitPolicySpec defines the desired state of RateLimitPolicy - properties: - limits: - additionalProperties: - description: Limit represents a complete rate limit configuration - properties: - counters: - description: Counters defines additional rate limit counters - based on context qualifiers and well known selectors TODO - Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors - items: - description: 'ContextSelector defines one item from the well - known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes - Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors - They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL' - maxLength: 253 - minLength: 1 - type: string - type: array - rates: - description: Rates holds the list of limit rates - items: - description: Rate defines the actual rate limit that will - be used when there is a match - properties: - duration: - description: Duration defines the time period for which - the Limit specified above applies. - type: integer - limit: - description: Limit defines the max value allowed for a - given period of time - type: integer - unit: - description: 'Duration defines the time uni Possible values - are: "second", "minute", "hour", "day"' - enum: - - second - - minute - - hour - - day - type: string - required: - - duration - - limit - - unit - type: object - type: array - routeSelectors: - description: RouteSelectors defines semantics for matching an - HTTP request based on conditions - items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec - properties: - hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec - items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be prefixed - with a wildcard label (`*.`). The wildcard label must - appear by itself as the first label. \n Hostname can - be \"precise\" which is a domain name without the - terminating dot of a network host (e.g. \"foo.example.com\") - or \"wildcard\", which is a domain name prefixed with - a single wildcard label (e.g. `*.example.com`). \n - Note that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters or '-', - and must start and end with an alphanumeric character. - No other punctuation is allowed." - type: string - type: array - matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec - items: - description: "HTTPRouteMatch defines the predicate used - to match requests to a given action. Multiple match - types are ANDed together, i.e. the match will evaluate - to true only if all conditions are satisfied. \n For - example, the match below will match a HTTP request - only if its path starts with `/foo` AND it contains - the `version: v1` header: \n ``` match: \n path: value: - \"/foo\" headers: - name: \"version\" value \"v1\" - \n ```" - properties: - headers: - description: Headers specifies HTTP request header - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified - headers to select the route. - items: - description: HTTPHeaderMatch describes how to - select a HTTP route by matching HTTP request - headers. - properties: - name: - description: "Name is the name of the HTTP - Header to be matched. Name matching MUST - be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered for - a match. Subsequent entries with an equivalent - header name MUST be ignored. Due to the - case-insensitivity of header names, \"foo\" - and \"Foo\" are considered equivalent. \n - When a header is repeated in an HTTP request, - it is implementation-specific behavior as - to how this is represented. Generally, proxies - should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." - type: string - type: - description: "Type specifies how to match - against the value of the header. \n Support: - Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of regular - expressions. Please read the implementation's - documentation to determine the supported - dialect." - type: string - value: - description: Value is the value of HTTP Header - to be matched. - type: string - required: - - name - - value - type: object - type: array - method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched only - if the request has the specified method. \n Support: - Extended" - type: string - path: - description: Path specifies a HTTP request path - matcher. If this field is not specified, a default - prefix match on the "/" path is provided. - properties: - type: - description: "Type specifies how to match against - the path Value. \n Support: Core (Exact, PathPrefix) - \n Support: Implementation-specific (RegularExpression)" - type: string - value: - description: Value of the HTTP path to match - against. - type: string - type: object - queryParams: - description: "QueryParams specifies HTTP query parameter - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified - query parameters to select the route. \n Support: - Extended" - items: - description: HTTPQueryParamMatch describes how - to select a HTTP route by matching HTTP query - parameters. - properties: - name: - description: "Name is the name of the HTTP - query param to be matched. This must be - an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with an - equivalent query param name MUST be ignored. - \n If a query param is repeated in an HTTP - request, the behavior is purposely left - undefined, since different data planes have - different capabilities. However, it is *recommended* - that implementations should match against - the first value of the param if the data - plane supports it, as this behavior is expected - in other load balancing contexts outside - of the Gateway API. \n Users SHOULD NOT - route traffic based on repeated query params - to guard themselves against potential differences - in the implementations." - type: string - type: - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." - type: string - value: - description: Value is the value of HTTP query - param to be matched. - type: string - required: - - name - - value - type: object - type: array - type: object - type: array - type: object - type: array - when: - description: When holds the list of conditions for the policy - to be enforced. Called also "soft" conditions as route selectors - must also match - items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec - properties: - operator: - description: 'The binary operator to be applied to the - content fetched from the selector Possible values are: - "eq" (equal to), "neq" (not equal to)' - enum: - - eq - - neq - - startswith - - endswith - - incl - - excl - - matches - type: string - selector: - description: Selector defines one item from the well known - selectors TODO Document properly "Well-known selector" - https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors - maxLength: 253 - minLength: 1 - type: string - value: - description: The value of reference for the comparison. - type: string - required: - - operator - - selector - - value - type: object - type: array - type: object - description: Limits holds the struct of limits indexed by a unique - name - type: object - targetRef: - description: TargetRef identifies an API object to apply policy to. - properties: - group: - description: Group is the group of the target resource. - type: string - kind: - description: Kind is kind of the target resource. - type: string - name: - description: Name is the name of the target resource. - type: string - namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it MUST only apply - to traffic originating from the same namespace as the policy. - type: string - required: - - group - - kind - - name - type: object - required: - - targetRef - type: object - status: - description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy - properties: - conditions: - description: 'Represents the observations of a foo''s current state. - Known .status.conditions.type are: "Available"' - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - type: string - status: - description: status of the condition, one of True, False, Unknown. - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - observedGeneration: - description: ObservedGeneration reflects the generation of the most - recently observed spec. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} \ No newline at end of file diff --git a/config/gateway-api/crd/standard/kuadrant.io_tlspolicies.yaml b/config/gateway-api/crd/standard/kuadrant.io_tlspolicies.yaml deleted file mode 100644 index 0b55aa1..0000000 --- a/config/gateway-api/crd/standard/kuadrant.io_tlspolicies.yaml +++ /dev/null @@ -1,313 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - gateway.networking.k8s.io/policy: direct - creationTimestamp: null - name: tlspolicies.kuadrant.io -spec: - group: kuadrant.io - names: - kind: TLSPolicy - listKind: TLSPolicyList - plural: tlspolicies - singular: tlspolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: TLSPolicy ready. - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: TLSPolicy is the Schema for the tlspolicies API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TLSPolicySpec defines the desired state of TLSPolicy - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If unset - this defaults to 90 days. Certificate will be renewed either 2/3 - through its duration or `renewBefore` period before its expiry, - whichever is later. Minimum accepted duration is 1 hour. Value must - be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. - If the `kind` field is not set, or set to `Issuer`, an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer - with the provided name will be used. The `name` field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - privateKey: - description: Options to control private keys used for the Certificate. - properties: - algorithm: - description: Algorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values - are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified - and `size` is not provided, key size of 256 will be used for - `ECDSA` key algorithm and key size of 2048 will be used for - `RSA` key algorithm. key size is ignored when using the `Ed25519` - key algorithm. - enum: - - RSA - - ECDSA - - Ed25519 - type: string - encoding: - description: The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. If provided, - allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and - PKCS#8, respectively. Defaults to `PKCS1` if not specified. - enum: - - PKCS1 - - PKCS8 - type: string - rotationPolicy: - description: RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - size: - description: Size is the key bit size of the corresponding private - key for this certificate. If `algorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `algorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not - specified. If `algorithm` is set to `Ed25519`, Size is ignored. - No other values are allowed. - type: integer - type: object - renewBefore: - description: How long before the currently issued certificate's expiry - cert-manager should renew the certificate. The default is 2/3 of - the issued certificate's duration. Minimum accepted value is 5 minutes. - Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - revisionHistoryLimit: - description: RevisionHistoryLimit is the maximum number of CertificateRequest - revisions that are maintained in the Certificate's history. Each - revision represents a single `CertificateRequest` created by this - Certificate, either when it was created, renewed, or Spec was changed. - Revisions will be removed by oldest first if the number of revisions - exceeds this number. If set, revisionHistoryLimit must be a value - of `1` or greater. If unset (`nil`), revisions will not be garbage - collected. Default value is `nil`. - format: int32 - type: integer - targetRef: - description: PolicyTargetReference identifies an API object to apply - policy to. This should be used as part of Policy resources that - can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer - to the policy attachment documentation for Gateway API. - properties: - group: - description: Group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it MUST only apply - to traffic originating from the same namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - targetRef - type: object - status: - description: TLSPolicyStatus defines the observed state of TLSPolicy - properties: - conditions: - description: "conditions are any conditions associated with the policy - \n If configuring the policy fails, the \"Failed\" condition will - be set with a reason and message describing the cause of the failure." - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: observedGeneration is the most recently observed generation - of the TLSPolicy. When the TLSPolicy is updated, the controller - updates the corresponding configuration. If an update fails, that - failure is recorded in the status condition - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/config/kuadrant/README.md b/config/kuadrant/README.md new file mode 100644 index 0000000..92b561e --- /dev/null +++ b/config/kuadrant/README.md @@ -0,0 +1,43 @@ +```bash +kubectl apply -f ./config/kuadrant/crd/ +kubectl patch clusterrole kube-state-metrics --type=json -p "$(cat ./config/kuadrant/clusterrole-patch.yaml)" +kubectl apply -f ./config/kuadrant/kuadrant.yaml +kubectl replace --subresource=status -f ./config/kuadrant/kuadrant.yaml +kubectl delete pods -n monitoring -l app.kubernetes.io/name=kube-state-metrics +``` + + +## 1. Apply the Kuadrant Resource Definitions (CRD) + +Apply the custom resource definitions (CRDs) required for Kuadrant + +```bash +kubectl apply -f ./config/kuadrant/crd/ +``` + +## 2. Patch the ClusterRole + +Patching an existing ClusterRole allows you to add specific permissions to it +```bash +kubectl patch clusterrole kube-state-metrics --type=json -p "$(cat ./config/kuadrant/clusterrole-patch.yaml)" +``` + +## 3. Deploy Kuadrant Components + +Deploy Kuadrant components to your cluster +```bash +kubectl apply -f ./config/kuadrant/kuadrant.yaml +``` +## 4. Update Kuadrant Resources + +Update the Kuadrant resources to reflect the desired status +```bash +kubectl replace --subresource=status -f ./config/kuadrant/kuadrant.yaml +``` + +## 5. Restart Pods + +Restart pods in the "monitoring" namespace matching the specified label selector +```bash +kubectl delete pods -n monitoring -l app.kubernetes.io/name=kube-state-metrics +``` \ No newline at end of file diff --git a/config/kuadrant/clusterrole-patch.yaml b/config/kuadrant/clusterrole-patch.yaml new file mode 100644 index 0000000..684cf2e --- /dev/null +++ b/config/kuadrant/clusterrole-patch.yaml @@ -0,0 +1,21 @@ +- op: add + path: /rules/- + value: + apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - list + - watch +- op: add + path: /rules/- + value: + apiGroups: + - "kuadrant.io" + resources: + - tlspolicies + - ratelimitpolicies + verbs: + - list + - watch diff --git a/config/kuadrant/crd/kuadrant.io_ratelimitpolicies.yaml b/config/kuadrant/crd/kuadrant.io_ratelimitpolicies.yaml new file mode 100644 index 0000000..48e7bf4 --- /dev/null +++ b/config/kuadrant/crd/kuadrant.io_ratelimitpolicies.yaml @@ -0,0 +1,245 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: ratelimitpolicies.kuadrant.io +spec: + group: kuadrant.io + names: + kind: RateLimitPolicy + listKind: RateLimitPolicyList + plural: ratelimitpolicies + singular: ratelimitpolicy + scope: Namespaced + versions: + - name: v1beta2 + schema: + openAPIV3Schema: + description: RateLimitPolicy is the Schema for the ratelimitpolicies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RateLimitPolicySpec defines the desired state of RateLimitPolicy + properties: + limits: + additionalProperties: + description: Limit represents a complete rate limit configuration + properties: + counters: + description: Counters defines additional rate limit counters based on context qualifiers and well known selectors TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + items: + description: 'ContextSelector defines one item from the well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) Example: "request.path" -> The path portion of the URL' + maxLength: 253 + minLength: 1 + type: string + type: array + rates: + description: Rates holds the list of limit rates + items: + description: Rate defines the actual rate limit that will be used when there is a match + properties: + duration: + description: Duration defines the time period for which the Limit specified above applies. + type: integer + limit: + description: Limit defines the max value allowed for a given period of time + type: integer + unit: + description: 'Duration defines the time uni Possible values are: "second", "minute", "hour", "day"' + enum: + - second + - minute + - hour + - day + type: string + required: + - duration + - limit + - unit + type: object + type: array + routeSelectors: + description: RouteSelectors defines semantics for matching an HTTP request based on conditions + items: + description: RouteSelector defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec + properties: + hostnames: + description: Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + type: string + type: array + matches: + description: Matches define conditions used for matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n path: value: \"/foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + type: string + type: + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + type: string + value: + description: Value is the value of HTTP Header to be matched. + type: string + required: + - name + - value + type: object + type: array + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + type: string + path: + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + type: string + type: + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + type: string + value: + description: Value is the value of HTTP query param to be matched. + type: string + required: + - name + - value + type: object + type: array + type: object + type: array + type: object + type: array + when: + description: When holds the list of conditions for the policy to be enforced. Called also "soft" conditions as route selectors must also match + items: + description: RouteSelector defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec + properties: + operator: + description: 'The binary operator to be applied to the content fetched from the selector Possible values are: "eq" (equal to), "neq" (not equal to)' + enum: + - eq + - neq + - startswith + - endswith + - incl + - excl + - matches + type: string + selector: + description: Selector defines one item from the well known selectors TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + maxLength: 253 + minLength: 1 + type: string + value: + description: The value of reference for the comparison. + type: string + required: + - operator + - selector + - value + type: object + type: array + type: object + description: Limits holds the struct of limits indexed by a unique name + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + type: string + kind: + description: Kind is kind of the target resource. + type: string + name: + description: Name is the name of the target resource. + type: string + namespace: + description: Namespace is the namespace of the referent. When unspecified, the local namespace is inferred. Even when policy targets a resource in a different namespace, it MUST only apply to traffic originating from the same namespace as the policy. + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy + properties: + conditions: + description: 'Represents the observations of a foo''s current state. Known .status.conditions.type are: "Available"' + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: ObservedGeneration reflects the generation of the most recently observed spec. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/kuadrant/crd/kuadrant.io_tlspolicies.yaml b/config/kuadrant/crd/kuadrant.io_tlspolicies.yaml new file mode 100644 index 0000000..05d8830 --- /dev/null +++ b/config/kuadrant/crd/kuadrant.io_tlspolicies.yaml @@ -0,0 +1,216 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + gateway.networking.k8s.io/policy: direct + creationTimestamp: null + name: tlspolicies.kuadrant.io +spec: + group: kuadrant.io + names: + kind: TLSPolicy + listKind: TLSPolicyList + plural: tlspolicies + singular: tlspolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: TLSPolicy ready. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: TLSPolicy is the Schema for the tlspolicies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSPolicySpec defines the desired state of TLSPolicy + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. + enum: + - RSA + - ECDSA + - Ed25519 + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. + enum: + - PKCS1 + - PKCS8 + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. + type: string + size: + description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + revisionHistoryLimit: + description: RevisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. + format: int32 + type: integer + targetRef: + description: PolicyTargetReference identifies an API object to apply policy to. This should be used as part of Policy resources that can target Gateway API resources. For more information on how this policy attachment model works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When unspecified, the local namespace is inferred. Even when policy targets a resource in a different namespace, it MUST only apply to traffic originating from the same namespace as the policy. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + usages: + description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + - targetRef + type: object + status: + description: TLSPolicyStatus defines the observed state of TLSPolicy + properties: + conditions: + description: "conditions are any conditions associated with the policy \n If configuring the policy fails, the \"Failed\" condition will be set with a reason and message describing the cause of the failure." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: observedGeneration is the most recently observed generation of the TLSPolicy. When the TLSPolicy is updated, the controller updates the corresponding configuration. If an update fails, that failure is recorded in the status condition + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/config/kuadrant/kuadrant.yaml b/config/kuadrant/kuadrant.yaml new file mode 100644 index 0000000..932f881 --- /dev/null +++ b/config/kuadrant/kuadrant.yaml @@ -0,0 +1,89 @@ +apiVersion: kuadrant.io/v1alpha1 +kind: TLSPolicy +metadata: + name: external + namespace: istio-system +spec: + targetRef: + name: external + group: gateway.networking.k8s.io + kind: Gateway + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-cluster-issuer +status: + conditions: + - lastTransitionTime: "2023-08-21T22:53:08Z" + message: Gateway is TLS Enabled + reason: GatewayTLSEnabled + status: "True" + type: Ready +--- +apiVersion: kuadrant.io/v1alpha1 +kind: TLSPolicy +metadata: + name: internal + namespace: istio-system +spec: + targetRef: + name: internal + group: gateway.networking.k8s.io + kind: Gateway + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-cluster-issuer +status: + conditions: + - lastTransitionTime: "2023-08-21T22:53:08Z" + message: Gateway is TLS Enabled + reason: GatewayTLSEnabled + status: "True" + type: Ready +--- +apiVersion: kuadrant.io/v1beta2 +kind: RateLimitPolicy +metadata: + name: rlp-www +spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: www + limits: + "global": + rates: + - limit: 5 + duration: 10 + unit: second +status: + conditions: + - lastTransitionTime: "2023-08-21T22:53:08Z" + message: HTTPRoute is ratelimited + reason: HTTPRouteProtected + status: "True" + type: Available +--- +apiVersion: kuadrant.io/v1beta2 +kind: RateLimitPolicy +metadata: + name: rlp-cdn +spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: cdn + limits: + "global": + rates: + - limit: 5 + duration: 10 + unit: second +status: + conditions: + - lastTransitionTime: "2023-08-21T22:53:08Z" + message: HTTPRoute is ratelimited + reason: HTTPRouteProtected + status: "True" + type: Available diff --git a/hack/local_dev.sh b/hack/local_dev.sh index ebecb40..e2b2f0d 100755 --- a/hack/local_dev.sh +++ b/hack/local_dev.sh @@ -12,6 +12,12 @@ kubectl replace --subresource=status -f ./config/examples/enterprise/all.yaml kubectl apply --server-side -f ./config/examples/kube-prometheus/bundle_crd.yaml kubectl apply -f ./config/examples/kube-prometheus/bundle.yaml +echo "Setting up kuadrant" +kubectl apply -f ./config/kuadrant/crd/ +kubectl patch clusterrole kube-state-metrics --type=json -p "$(cat ./config/kuadrant/clusterrole-patch.yaml)" +kubectl apply -f ./config/kuadrant/kuadrant.yaml +kubectl replace --subresource=status -f ./config/kuadrant/kuadrant.yaml + echo "Installing grafana-operator" helm upgrade -i grafana-operator oci://ghcr.io/grafana-operator/helm-charts/grafana-operator --version v5.4.1