From 5f32e159e548125cb2a75476b58e561a26506d02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=BE=84=E6=BD=AD?=
Date: Mon, 3 Apr 2023 16:14:42 +0800
Subject: [PATCH] Jwt policy compat (#266)
---
 Makefile.core.mk | 4 ++--
 VERSION | 2 +-
 helm/core/Chart.yaml | 4 ++--
 helm/core/templates/_helpers.tpl | 10 +++++++++-
 helm/core/templates/configmap.yaml | 1 +
 helm/core/templates/controller-deployment.yaml | 8 ++++----
 helm/core/templates/deployment.yaml | 6 +++---
 helm/core/values.yaml | 2 +-
 helm/higress/Chart.lock | 8 ++++----
 helm/higress/Chart.yaml | 8 ++++----
 10 files changed, 31 insertions(+), 22 deletions(-)
diff --git a/Makefile.core.mk b/Makefile.core.mk
index 38a58da2c..3d31497cd 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -193,7 +193,7 @@ kube-load-image: $(tools/kind) ## Install the EG image to a kind cluster using t
 run-ingress-e2e-test:
 @echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
 @echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
- kubectl wait --timeout=5m -n higress-system deployment/higress-controller --for=condition=Available
+ kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 @echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
- kubectl wait --timeout=5m -n higress-system deployment/higress-gateway --for=condition=Available
+ kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
 go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true
diff --git a/VERSION b/VERSION
index 8b20e4852..63f2359f6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v0.7.0
+v0.7.1
diff --git a/helm/core/Chart.yaml b/helm/core/Chart.yaml
index 8bbf970da..d12920797 100644
--- a/helm/core/Chart.yaml
+++ b/helm/core/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.7.0
+appVersion: 0.7.1
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 keywords:
@@ -9,4 +9,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 0.7.0
+version: 0.7.1
diff --git a/helm/core/templates/_helpers.tpl b/helm/core/templates/_helpers.tpl
index 8a10b6c6d..ceb713dad 100644
--- a/helm/core/templates/_helpers.tpl
+++ b/helm/core/templates/_helpers.tpl
@@ -86,4 +86,12 @@ higress: {{ include "controller.name" . }}
 {{- else }}
 {{- .Values.controller.serviceAccount.name | default "default" }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+
+{{- define "controller.jwtPolicy" -}}
+{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion }}
+{{- .Values.global.jwtPolicy | default "third-party-jwt" }}
+{{- else }}
+{{- print "first-party-jwt" }}
+{{- end }}
+{{- end }}
diff --git a/helm/core/templates/configmap.yaml b/helm/core/templates/configmap.yaml
index 8c1696f5b..8afa0361c 100644
--- a/helm/core/templates/configmap.yaml
+++ b/helm/core/templates/configmap.yaml
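Review bot: In the new `controller.jwtPolicy` helper (helm/core/templates/_helpers.tpl), the `else` branch returns `first-party-jwt` for every cluster reported below 1.21 even when `.Values.global.jwtPolicy` is explicitly set, so an operator's choice of `third-party-jwt` is silently replaced by the weaker policy; first-party tokens are the default service-account tokens, which are not audience-scoped and on those Kubernetes versions do not expire. `.Capabilities.KubeVersion` is filled from a Helm built-in default when a chart is rendered without a cluster (`helm template`), so offline-rendered manifests may take the downgrade branch depending on the Helm client, which is worth confirming before relying on the output. I would add a template comment above the define, e.g. `{{- /* Clusters below 1.21 are forced to first-party-jwt (legacy SA token, no audience or expiry); global.jwtPolicy is ignored there. */ -}}`, and state the same next to `jwtPolicy` in values.yaml. `.Capabilities.KubeVersion.Version` is the non-deprecated spelling of `GitVersion` in Helm 3.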
@@ -4,6 +4,7 @@ trustDomain: "cluster.local" accessLogEncoding: TEXT accessLogFile: "/dev/stdout" + ingressControllerMode: "OFF" accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"} ' diff --git a/helm/core/templates/controller-deployment.yaml b/helm/core/templates/controller-deployment.yaml index 9c1827d39..78d6704a2 100644 --- a/helm/core/templates/controller-deployment.yaml +++ b/helm/core/templates/controller-deployment.yaml @@ -80,7 +80,7 @@ spec: - name: REVISION value: "{{ .Values.revision | default `default` }}" - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} + value: {{ include "controller.jwtPolicy" . }} - name: PILOT_CERT_PROVIDER value: "istiod" - name: POD_NAME @@ -147,7 +147,7 @@ spec: volumeMounts: - name: config mountPath: /etc/istio/config - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }} - name: istio-token mountPath: /var/run/secrets/tokens readOnly: true 
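Review bot: In the `@@ -80,7` hunk of helm/core/templates/controller-deployment.yaml, `value: {{ include "controller.jwtPolicy" . }}` writes the helper result unquoted, and on clusters at 1.21 or later that result is the user-supplied `global.jwtPolicy`, so a value that YAML does not read as a plain string would produce an invalid env entry; `value: {{ include "controller.jwtPolicy" . | quote }}` keeps it a string. The same unquoted line is added in the `JWT_POLICY` hunk of helm/core/templates/deployment.yaml. The helper is also re-evaluated for every `if eq (include "controller.jwtPolicy" .) "third-party-jwt"` guard; binding it once with `{{- $jwtPolicy := include "controller.jwtPolicy" . }}` near the top of each template would keep the env value and the `istio-token` volume guards from drifting apart. The container and volume specs these lines belong to start and end outside the hunks.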
@@ -241,7 +241,7 @@ spec: - emptyDir: medium: Memory name: local-certs - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }} - name: istio-token projected: sources: @@ -249,6 +249,7 @@ spec: audience: {{ .Values.global.sds.token.aud }} expirationSeconds: 43200 path: istio-token + {{- end }} # Optional: user-generated root - name: cacerts secret: @@ -264,4 +265,3 @@ spec: name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- end }} {{- end }} - {{- end }} diff --git a/helm/core/templates/deployment.yaml b/helm/core/templates/deployment.yaml index 933bc7ce0..b79acd887 100644 --- a/helm/core/templates/deployment.yaml +++ b/helm/core/templates/deployment.yaml @@ -129,7 +129,7 @@ spec: - name: ENABLE_INGRESS_GATEWAY_SDS value: "false" - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} + value: {{ include "controller.jwtPolicy" . }} - name: ISTIO_META_HTTP10 value: "1" - name: ISTIO_META_CLUSTER_ID @@ -177,7 +177,7 @@ spec: {{- toYaml .Values.gateway.resources | nindent 12 }} {{- end }} volumeMounts: - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }} - name: istio-token mountPath: /var/run/secrets/tokens readOnly: true @@ -213,7 +213,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }} - name: istio-token projected: sources: diff --git a/helm/core/values.yaml b/helm/core/values.yaml index 6c4490019..7f03625f5 100644 --- a/helm/core/values.yaml +++ b/helm/core/values.yaml @@ -455,7 +455,7 @@ controller: name: "higress-controller" replicas: 1 image: higress - tag: "0.7.0" + tag: "0.7.1" env: {} labels: {} diff --git a/helm/higress/Chart.lock b/helm/higress/Chart.lock index 33a2b5322..7f66af73d 100644 --- a/helm/higress/Chart.lock 
+++ b/helm/higress/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
 repository: file://../core
- version: 0.7.0
+ version: 0.7.1
 - name: higress-console
 repository: https://higress.io/helm-charts/
- version: 0.1.0
-digest: sha256:3fd6cfb0fd10178927569d57e0cbff5250870dd677cbf30995c49ced83e38f7c
-generated: "2023-03-15T15:09:02.878072+08:00"
+ version: 0.1.1
+digest: sha256:051fbd7b2916d1d0c26839d0e27653f6e42d20e9294bd9eed9628f24c5a7b228
+generated: "2023-04-03T13:42:23.705379+08:00"
diff --git a/helm/higress/Chart.yaml b/helm/higress/Chart.yaml
index 09cbf24a0..798d204c6 100644
--- a/helm/higress/Chart.yaml
+++ b/helm/higress/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.7.0
+appVersion: 0.7.1
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 keywords:
@@ -11,9 +11,9 @@ sources:
 dependencies:
 - name: higress-core
 repository: "file://../core"
- version: 0.7.0
+ version: 0.7.1
 - name: higress-console
 repository: "https://higress.io/helm-charts/"
- version: 0.1.0
+ version: 0.1.1
 type: application
-version: 0.7.0
+version: 0.7.1