Backport of NET-3908: allow configuration of SecurityContextConstraints when running on OpenShift into release/1.2.x #2738

hc-github-team-consul-core

Backport

This PR is auto-generated from #2184 to be assessed for backporting due to the inclusion of the label backport/1.2.x.

🚨 Warning: automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@missylbytes
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Changes proposed in this PR:
When deploying api-gateway into OpenShift, a SecurityContextConstraints (SCC) must exist, and the Role must have the ability to use that SCC.

Rather than deploy a duplicative SCC for each api-gateway, the Helm chart will default to using an SCC that already exists, restricted-v2, and use it for each gateway made with the managed gateway class. The user can replace this value in the ManagedGatewayClass stanza of the Helm chart.
The user can also use their own SCC if they desire by creating one and adding it to the gatewayClass that they create (or the managedGatewayClass in our chart).

# API Gateway ManagedGatewayClass stanza in the helm chart
apiGateway:
  # Configuration settings for the GatewayClass installed by Consul on Kubernetes.
  managedGatewayClass:
    # -------------
    # The name of the Openshift SecurityContextConstraint to use for Gateways
    # @type: string
    openshiftSccName: "restricted-v2"

How I've tested this PR:

How I expect reviewers to test this PR:

  • Possibly repeat the steps above.
  • Check out those tests!

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)
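The description says the Role must be able to "use" the chosen SCC. The manifest below is an added example, not code from this PR or from the consul-k8s Helm chart, showing what that grant looks like in OpenShift RBAC: a namespaced Role whose only rule is `use` on `securitycontextconstraints`, restricted by `resourceNames` to `restricted-v2`, bound to the gateway's ServiceAccount. The namespace (`consul`), Role name (`example-gateway-scc`) and ServiceAccount name (`example-gateway`) are placeholders, not names the chart generates.

```yaml
# Added example (not from the PR or the consul-k8s Helm chart): the RBAC a
# gateway's ServiceAccount needs in order to run under an existing OpenShift
# SCC. Namespace, Role and ServiceAccount names below are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-gateway-scc        # placeholder
  namespace: consul                # placeholder
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    # resourceNames scopes the grant to this one SCC. Omitting it would let
    # the ServiceAccount run under every SCC in the cluster, including
    # privileged ones, which defeats the point of picking restricted-v2.
    resourceNames: ["restricted-v2"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-gateway-scc        # placeholder
  namespace: consul                # placeholder
subjects:
  - kind: ServiceAccount
    name: example-gateway          # placeholder
    namespace: consul              # placeholder
roleRef:
  kind: Role
  name: example-gateway-scc
  apiGroup: rbac.authorization.k8s.io
```

After applying it, the grant can be checked from the ServiceAccount's point of view with `oc auth can-i use securitycontextconstraints/restricted-v2 -n consul --as=system:serviceaccount:consul:example-gateway`, and the reverse question (who holds that grant) with `oc adm policy who-can use securitycontextconstraints restricted-v2`. If a user substitutes their own SCC via openshiftSccName, the same two checks apply with that SCC's name, and the `resourceNames` entry is what keeps the Role from silently widening to other SCCs.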


Overview of commits

curtbushko and others added 30 commits June 7, 2023 19:51
* Add FIPS builds for linux amd64

* add version check

* fix CI labels and add local dev commands

* fix ci version tagging

* switch to ubuntu 20.04

* add CLI version tag

* add gcompat for alpine glibc cgo compatibility

* remove FIPS version check from connect-init

* address comments
- making this trigger nightly until after 1.2.0 GA
- leaving 0.49.x active until after 1.2.0 GA
* first run through, needs help

* still need to make secure pass

* left something uncommented

* it works and also cleanup

* fix acceptance tests
* [API Gateway] Add acceptance test for cluster peering

* Fix linter

* Fix random unrelated linter errors to get CI to run: revert later?

* one more linter fix to later probably revert

* more linter fixes

* Revert "more linter fixes"

This reverts commit 6210dff.

* Revert "one more linter fix to later probably revert"

This reverts commit 030c563.

* Revert "Fix random unrelated linter errors to get CI to run: revert later?"

This reverts commit fdeccab.
…ersion of kind and k8s 1.27 (#2304)

* update cloud tests to use 1.24, 1.25 and 1.26 version of kubernetes for more coverage

* updated readme for supported kubernetes versions

* added changelog
* [API Gateway] WAN Federation test and fixes

* Fix unit tests
* Fix when gateways are deleted before we get services populated into cache

* a bit of cleanup
…assConfig are obeyed (#2272)

* Add unit tests verifying that scaling parameters on GatewayClassConfig are obeyed

* Add test case for scaling w/ no min or max configured
* Rename GatewayClassController to prevent name collision

* Use gateway instead of gatewayclass in name

* Use the constant in ownership checks

* Change GatewayClass name to "consul"

* Change GatewayClass name in cases

* Change ApiGatewayClass back
* Fix SupportedKinds array to be what Conformance test expects

* Fix cert validation status condition for listeners

* Add programmed condition for listeners

* Fix unit test

---------

Co-authored-by: Nathan Coleman <[email protected]>
* first pass at halting: got httproute and api-gateway done

* clean up test

* Handle all set for infinite reconcile check

* Add table tests for minimal setup

* Added some odd field names to test normalization is handled correctly

* Use funky casing http routes
* Added helm inputs for managing audit logs
* Remove unwanted changes from values
* fix: use correct flag when translating namespaces

* Use non-normalized namespace when deregistering services

* Guard against namespace queries when namespaces not enabled in cache
* added imagePullPolicy for images in values.yaml

* fix: renamed pullPolicy key according to image

* fixed default always in tmpl

* changed structure of image in yaml

* revert changes

* added global imagePullPolicy

* fixed typo

* added changelog file
This brings consul-k8s in line with consul.
Most importantly, the backport assistant was updated to automatically assign created PRs to the author of the PR that is being backported.
* update changelog based on changes made to 1.2.x

* fixed test cases
- enterprise cases were in the OSS test cases
* trigger conformance tests nightly, squash

* remove extra line

* Update nightly-api-gateway-conformance.yml
making scripts more robust and removing changing helm chart
* Fix cache and service deletion issue

* Add comments

* add in acceptance test

* Fix indentation

* Fix unit test for deleting gateway w/ consul services

* Remove redundant service deregistration code

* Exit loop early once registration is found for service

* Fix import blocking

* Set status on pods added to test

* Apply suggestions from code review

* Reduce count of test gateways to 10 from 100

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Sarah Alsmiller <[email protected]>
* Adding support for weighted k8s service

* Adding changelog

* if per-app weight is 0 then pull the weight to 1

* Addressing review comments

* Addressing review comments

* Addressing review comments

* Comment update

* Comment update

* Parameterized table test

* Parameterized table test

* fixing linting issue

* fixing linting issue

---------

Co-authored-by: srahul3 <[email protected]>
* Bumping go-discover to the latest version
@nathancoleman

Closing in favor of #2737. Backport bot seems to be behaving oddly

@nathancoleman nathancoleman deleted the backport/NET-3908-openshift/broadly-hardy-dove branch August 8, 2023 04:35