Merge branch 'main' into feat/admission-log

Kong · Jun 7, 2024 · 391c2c1 · 391c2c1
2 parents 7893b49 + 89782de
commit 391c2c1
Show file tree

Hide file tree

Showing 213 changed files with 8,619 additions and 1,963 deletions.
diff --git a/.github/test_dependencies.yaml b/.github/test_dependencies.yaml
@@ -12,7 +12,7 @@ e2e:
     - 'v1.25.16'
   gke:
     # renovate: datasource=custom.gke-rapid depName=gke versioning=semver
-    - '1.30.0'
+    - '1.30.1'
 
   # For Istio, we define combinations of Kind and Istio versions that will be
   # used directly in the test matrix `include` section.
@@ -44,13 +44,13 @@ integration:
   # renovate: datasource=docker depName=kindest/node versioning=docker
   kind: 'v1.30.0'
   # renovate: datasource=docker depName=kong versioning=docker
-  kong-oss: '3.6.1'
+  kong-oss: '3.7.0'
   # renovate: datasource=docker depName=kong/kong-gateway versioning=docker
-  kong-ee: '3.6.1.4'
+  kong-ee: '3.7.0.0'
 
 kongintegration:
   # renovate: datasource=docker depName=kong versioning=docker
-  kong-oss: '3.6.1'
+  kong-oss: '3.7.0'
 
 envtests:
   # Because of a bug that was introduced in Kong EE 3.5 (https://konghq.atlassian.net/browse/KAG-3699),

diff --git a/.github/workflows/regenerate_on_deps_bump.yaml b/.github/workflows/regenerate_on_deps_bump.yaml
@@ -22,16 +22,25 @@ jobs:
         with:
           go-version-file: go.mod
 
+      - uses: jdx/mise-action@v2
+        with:
+          install: false
+
       - name: regenerate
         run: make manifests
 
+      - name: Set github url and credentials
+        run: |
+          /usr/bin/git config --global --add url."https://${{ secrets.K8S_TEAM_BOT_GH_PAT }}:x-oauth-basic@github".insteadOf ssh://git@github
+          /usr/bin/git config --global --add url."https://${{ secrets.K8S_TEAM_BOT_GH_PAT }}:x-oauth-basic@github".insteadOf https://github
+          /usr/bin/git config --global --add url."https://${{ secrets.K8S_TEAM_BOT_GH_PAT }}:x-oauth-basic@github".insteadOf git@github
+
       - name: commit and push (if changes detected)
-        env:
-          GITHUB_TOKEN: ${{ secrets.K8S_TEAM_BOT_GH_PAT }}
         run: |
           git config --global user.name "github-actions"
           git config --global user.email "[email protected]"
           git add ./test/e2e/manifests
+          git status
           git diff-index --quiet HEAD || \
           git commit -m "chore: regenerate manifests" && \
           git push origin ${{ github.event.pull_request.head.ref }}
diff --git a/.tools_versions.yaml b/.tools_versions.yaml
@@ -5,18 +5,18 @@ controller-tools: "0.15.0"
 # renovate: datasource=github-releases depName=kubernetes-sigs/kustomize
 kustomize: "5.3.0"
 # renovate: datasource=github-releases depName=golangci/golangci-lint
-golangci-lint: "1.58.2"
+golangci-lint: "1.59.0"
 # renovate: datasource=github-releases depName=GoogleContainerTools/skaffold
 skaffold: "2.12.0"
 # renovate: datasource=github-releases depName=kubernetes-sigs/controller-runtime
-setup-envtest: "0.18.2"
+setup-envtest: "0.18.4"
 # renovate: datasource=github-releases depName=elastic/crd-ref-docs
 crd-ref-docs: "0.0.12"
 # renovate: datasource=github-releases depName=mikefarah/yq
 yq: "4.44.1"
 # renovate: datasource=github-releases depName=jstemmer/go-junit-report
 gojunit-report: "2.1.0"
 # renovate: datasource=github-releases depName=gotestyourself/gotestsum
-gotestsum: "1.11.0"
+gotestsum: "1.12.0"
 # renovate: datasource=github-releases depName=dominikh/go-tools
 staticcheck: "0.4.7"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -102,6 +102,16 @@ Adding a new version? You'll need three changes:
   performance benefits, however, so labeling plugin configuration Secrets and
   enabling the filter is recommended as soon as is convenient.
   [#5856](https://github.com/Kong/kubernetes-ingress-controller/pull/5856)
+- Dynamically set the proxy protocol of GRPCRoute to `grpc` or `grpcs` based on the port listened by Gateway.
+  If you don't set the protocol for Service via `konghq.com/protocol` annotation, Kong will use `grpc` instead of `grpcs`.
+  [#5776](https://github.com/Kong/kubernetes-ingress-controller/pull/5776)
+- The `/debug/config/failed` and `/debug/config/successful` diagnostic
+  endpoints now nest configuration dumps under a `config` key. These endpoints
+  previously returned the configuration dump at the root. They now return
+  additional metadata along with the configuration. This change should not
+  impact normal usage, but if you scrape these endpoints, be aware that their
+  output format has changed.
+  [#6101](https://github.com/Kong/kubernetes-ingress-controller/pull/6101)
 
 ### Added
 
@@ -133,9 +143,19 @@ Adding a new version? You'll need three changes:
   is more robust - leading and trailing whitespace characters are discarded.
   [#5977](https://github.com/Kong/kubernetes-ingress-controller/pull/5977)
 - Added the CRD `KongCustomEntity` to support custom Kong entities that are not
-  defined in KIC yet.
+  defined in KIC yet. The current version only supports translating custom
+  entities into declarative configuration in DBless mode, and cannot apply
+  custom entities to DB backed Kong gateways.
+  Feature gate `KongCustomEntity` is required to set to `true` to enabled the
+  `KongCustomEntity` controller.
+  **Note**: The IDs of Kong services, routes and consumers referred by custom
+  entities via `foreign` type fields of custom entities are filled by the `FillID`
+  method of the corresponding type because the IDs of these entities are required
+  to fill the `foreign` fields of custom entities. So the `FillIDs` feature gate
+  is also required when `KongCustomEntity` is enabled.
   [#5982](https://github.com/Kong/kubernetes-ingress-controller/pull/5982)
   [#6006](https://github.com/Kong/kubernetes-ingress-controller/pull/6006)
+  [#6055](https://github.com/Kong/kubernetes-ingress-controller/pull/6055)
 - Added `FallbackConfiguration` feature gate to enable the controller to generate a fallback configuration
   for Kong when it fails to apply the original one. The feature gate is disabled by default.
   [#5993](https://github.com/Kong/kubernetes-ingress-controller/pull/5993)
@@ -144,7 +164,23 @@ Adding a new version? You'll need three changes:
   [#6071](https://github.com/Kong/kubernetes-ingress-controller/pull/6071)
 - Add `INFO` log when admission result is not allowed
   [#6084](https://github.com/Kong/kubernetes-ingress-controller/issues/6084)
-
+- Added `--use-last-valid-config-for-fallback` CLI flag to enable using the last valid configuration cache
+  to backfill excluded broken objects when the `FallbackConfiguration` feature gate is enabled.
+  [#6098](https://github.com/Kong/kubernetes-ingress-controller/pull/6098)
+- Added `FallbackKongConfigurationSucceeded`, `FallbackKongConfigurationTranslationFailed` and
+  `FallbackKongConfigurationApplyFailed` Kubernetes Events to report the status of the fallback configuration.
+  [#6099](https://github.com/Kong/kubernetes-ingress-controller/pull/6099)
+- Added Prometheus metrics covering `FallbackConfiguration` feature: 
+  - `ingress_controller_fallback_translation_count`
+  - `ingress_controller_fallback_translation_broken_resource_count`
+  - `ingress_controller_fallback_configuration_push_count`
+  - `ingress_controller_fallback_configuration_push_last`
+  - `ingress_controller_fallback_configuration_push_duration_milliseconds`
+  - `ingress_controller_fallback_configuration_push_broken_resource_count`
+  - `ingress_controller_fallback_cache_generating_duration_milliseconds`
+  - `ingress_controller_processed_config_snapshot_cache_hit`
+  - `ingress_controller_processed_config_snapshot_cache_miss`
+  [#6105](https://github.com/Kong/kubernetes-ingress-controller/pull/6105)
 - Add support for Kubernetes Gateway API v1.1:
   - add a flag `--enable-controller-gwapi-grpcroute` to control whether enable or disable GRPCRoute controller.
   - add support for `GRPCRoute` v1, which requires users to upgrade the Gateway API's CRD to v1.1.
@@ -161,6 +197,8 @@ Adding a new version? You'll need three changes:
   [#5965](https://github.com/Kong/kubernetes-ingress-controller/pull/5965)
 - Fallback configuration no longer omits licenses and vaults.
   [#6048](https://github.com/Kong/kubernetes-ingress-controller/pull/6048)
+- Add support for Gateway API GRPCRoute and pass related Gateway API conformance test.
+  [#5776](https://github.com/Kong/kubernetes-ingress-controller/pull/5776)
 
 ### Fixed
 
@@ -180,7 +218,22 @@ Adding a new version? You'll need three changes:
   is seen as a parent other than the controller and ignored in parentRef check.
   [#5919](https://github.com/Kong/kubernetes-ingress-controller/pull/5919)
 - Redacted values no longer cause collisions in configuration reported to Konnect.
-  [5964](https://github.com/Kong/kubernetes-ingress-controller/pull/5964)
+  [#5964](https://github.com/Kong/kubernetes-ingress-controller/pull/5964)
+- The `--dump-sensitive-config` flag is no longer backwards.
+  [#6073](https://github.com/Kong/kubernetes-ingress-controller/pull/6073)
+- Fixed KIC clearing Gateway API *Route status of routes that it shouldn't reconcilce, e.g.
+  those attached to Gateways that do not belong to GatewayClass that KIC reconciles.
+  [#6079](https://github.com/Kong/kubernetes-ingress-controller/pull/6079)
+- Fixed KIC non leaders correctly getting up to date Admin API addresses by not
+  requiring leader election for the related controller.
+  [#6126](https://github.com/Kong/kubernetes-ingress-controller/pull/6126)
+- Plugins attached to both a KongConsumerGroup and a route-like resource or
+  Service now properly generate a plugin attached to both a Kong consumer group
+  and route or service. Previously, these incorrectly generated plugins
+  attached to the route or service only.
+  [#6132](https://github.com/Kong/kubernetes-ingress-controller/pull/6132)
+- KongPlugin's `config` field is no longer incorrectly sanitized.
+  [#6138](https://github.com/Kong/kubernetes-ingress-controller/pull/6138)
 
 ### Changed
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 ### Standard binary
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.22.3 as builder
+FROM --platform=$BUILDPLATFORM golang:1.22.4 as builder
 
 ARG GOPATH
 ARG GOCACHE

diff --git a/Dockerfile.debug b/Dockerfile.debug
@@ -1,5 +1,5 @@
 # Build a manager binary with debug symbols and download Delve
-FROM --platform=$BUILDPLATFORM golang:1.22.3 as builder
+FROM --platform=$BUILDPLATFORM golang:1.22.4 as builder
 
 ARG GOPATH
 ARG GOCACHE
@@ -46,7 +46,7 @@ RUN --mount=type=cache,target=$GOPATH/pkg/mod \
 
 ### Debug
 # Create an image that runs a debug build with Delve installed
-FROM golang:1.22.3 AS debug
+FROM golang:1.22.4 AS debug
 RUN go install github.com/go-delve/delve/cmd/dlv@latest
 # We want all source so Delve file location operations work
 COPY --from=builder /workspace/bin/manager-debug /

diff --git a/FEATURE_GATES.md b/FEATURE_GATES.md
@@ -70,6 +70,8 @@ Features that reach GA and over time become stable will be removed from this tab
 | RewriteURIs                | `false` | Alpha | 2.12.0 | TBD   |
 | KongServiceFacade          | `false` | Alpha | 3.1.0  | TBD   |
 | SanitizeKonnectConfigDumps | `true`  | Beta  | 3.1.0  | TBD   |
+| FallbackConfiguration      | `false` | Alpha | 3.2.0  | TBD   |
+| KongCustomEntity           | `false` | Alpha | 3.2.0  | TBD   |
 
 **NOTE**: The `Gateway` feature gate refers to [Gateway
  API](https://github.com/kubernetes-sigs/gateway-api) APIs which are in

diff --git a/Makefile b/Makefile
@@ -423,14 +423,14 @@ test.unit.pretty:
 
 .PHONY: test.golden.update
 test.golden.update:
-	@go test -v -run TestTranslator_GoldenTests ./internal/dataplane/translator -update
+	@go test -v -run TestKongClient_GoldenTests ./internal/dataplane -update
 
 
 .PHONY: use-setup-envtest
 use-setup-envtest:
 	$(SETUP_ENVTEST) use
 
-ENVTEST_TIMEOUT ?= 5m
+ENVTEST_TIMEOUT ?= 8m
 
 .PHONY: _test.envtest
 .ONESHELL: _test.envtest

diff --git a/config/base/kong-ingress-dbless.yaml b/config/base/kong-ingress-dbless.yaml
@@ -134,6 +134,9 @@ spec:
         - name: cmetrics
           containerPort: 10255
           protocol: TCP
+        - name: diagnostics
+          containerPort: 10256
+          protocol: TCP
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/config/components/konnect/manager.yaml b/config/components/konnect/manager.yaml
@@ -27,18 +27,3 @@ spec:
               secretKeyRef:
                 name: konnect-client-tls
                 key: tls.key
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: proxy-kong
-  namespace: kong
-spec:
-  template:
-    spec:
-      containers:
-        - name: proxy
-          env:
-            - name: KONG_ROUTER_FLAVOR
-              value: traditional_compatible
-
diff --git a/config/components/manager_dev_patch/kustomization.yaml b/config/components/manager_dev_patch/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- path: manager.yaml
diff --git a/config/variants/multi-gw/dev/manager.yaml → ...components/manager_dev_patch/manager.yaml b/config/variants/multi-gw/dev/manager.yaml → ...components/manager_dev_patch/manager.yaml
@@ -16,10 +16,13 @@ spec:
     spec:
       containers:
       - name: ingress-controller
-        args:
-          - --feature-gates=GatewayAlpha=true,KongServiceFacade=true
-          - --anonymous-reports=false
         env:
+        - name: CONTROLLER_DUMP_CONFIG
+          value: "true"
         - name: CONTROLLER_LOG_LEVEL
           value: debug
+        - name: CONTROLLER_FEATURE_GATES
+          value: GatewayAlpha=true,KongServiceFacade=true,FallbackConfiguration=true
+        - name: CONTROLLER_ANONYMOUS_REPORTS
+          value: "false"
         image: kic-placeholder:placeholder