diff --git a/Makefile.core.mk b/Makefile.core.mk
index b805b6f42a..ff11410af7 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -4,6 +4,8 @@ export BASE_VERSION ?= 2022-10-27T19-02-22
 export HUB ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
+export CHARTS ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/charts
+
 GO ?= go
 GOARCH_LOCAL := $(TARGET_ARCH)
@@ -94,11 +96,11 @@ build-gateway: prebuild external/package/envoy.tar.gz
 cd external/istio; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
 helm-push:
- cd helm; tar -zcf higress.tgz higress; helm push higress.tgz "oci://$(HUB)/charts"
+ cd helm; tar -zcf higress.tgz higress; helm push higress.tgz "oci://$(CHARTS)"
 helm-push-istio:
 cd helm/istio; helm dependency update
- cd helm; tar -zcf istio.tgz istio; helm push istio.tgz "oci://$(HUB)/charts"
+ cd helm; tar -zcf istio.tgz istio; helm push istio.tgz "oci://$(CHARTS)"
 DIRS_TO_CLEAN := $(OUT)
diff --git a/helm/higress/templates/clusterrole.yaml b/helm/higress/templates/clusterrole.yaml
new file mode 100644
index 0000000000..cacec50bbc
--- /dev/null
+++ b/helm/higress/templates/clusterrole.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.gateway.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
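Review bot: The ClusterRole grants the gateway service account `get`/`watch`/`list` on every Secret in the cluster, so a compromise of the internet-facing proxy exposes all cluster secrets rather than only the TLS material it serves. If the gateway only needs Ingress TLS secrets from known namespaces, a namespaced Role/RoleBinding per namespace is tighter; if cluster-wide read is genuinely required (Ingress resources may sit in any namespace), state that next to `rules:`, e.g. `# cluster-wide Secret read: the gateway serves Ingress TLS secrets from any namespace`. The template is gated on `.Values.gateway.rbac.enabled`, which has no default visible in this diff — confirm values.yaml declares it, otherwise the binding is silently skipped or rendering fails on the missing intermediate key.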
diff --git a/istio/1.12/patches/istio/20221107-mcp-skip-validate.patch b/istio/1.12/patches/istio/20221107-mcp-skip-validate.patch
new file mode 100644
index 0000000000..a0ab0aae16
--- /dev/null
+++ b/istio/1.12/patches/istio/20221107-mcp-skip-validate.patch
@@ -0,0 +1,12 @@
+diff -Naur istio/pilot/pkg/bootstrap/configcontroller.go new/pilot/pkg/bootstrap/configcontroller.go
+--- istio/pilot/pkg/bootstrap/configcontroller.go 2022-11-07 21:47:11.000000000 +0800
++++ new/pilot/pkg/bootstrap/configcontroller.go 2022-11-07 21:50:31.000000000 +0800
+@@ -250,7 +250,7 @@
+ if err != nil {
+ return fmt.Errorf("failed to dial XDS %s %v", configSource.Address, err)
+ }
+- store := memory.Make(collections.Pilot)
++ store := memory.MakeSkipValidation(collections.Pilot)
+ configController := memory.NewController(store)
+ configController.RegisterHasSyncedHandler(xdsMCP.HasSynced)
+ xdsMCP.Store = model.MakeIstioStore(configController)
diff --git a/istio/1.12/patches/istio/20221107-support-ingress-secret.patch b/istio/1.12/patches/istio/20221107-support-ingress-secret.patch
new file mode 100644
index 0000000000..ced7961190
--- /dev/null
+++ b/istio/1.12/patches/istio/20221107-support-ingress-secret.patch
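Review bot: Switching to `memory.MakeSkipValidation` drops pilot's schema validation for every config object received over the MCP xDS source, so whatever that server sends is stored unchecked, and the patch carries no comment saying why. That turns the MCP server into a fully trusted input, which is only defensible if the xDS dial on the preceding lines is authenticated (mTLS) and the server validates on its side; record that assumption at the call site, e.g. `// Skip schema validation: config from the MCP source is stored as-is; the source must validate and the xDS connection must be authenticated`. The enclosing function begins and ends outside the hunk, so the dial's credentials are not visible here — presumably the reason for skipping is config the upstream schema rejects, which is worth stating explicitly.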
@@ -0,0 +1,37 @@
+diff -Naur istio/pilot/pkg/model/credentials/ali_resource.go new/pilot/pkg/model/credentials/ali_resource.go
+--- istio/pilot/pkg/model/credentials/ali_resource.go 2022-11-07 21:40:10.000000000 +0800
++++ new/pilot/pkg/model/credentials/ali_resource.go 2022-11-07 19:03:22.000000000 +0800
+@@ -4,6 +4,7 @@
+ "fmt"
+ "strings"
+
++ "istio.io/istio/pilot/pkg/features"
+ "istio.io/istio/pkg/cluster"
+ )
+
+@@ -13,6 +14,9 @@
+ )
+
+ func ToKubernetesIngressResource(clusterId, namespace, name string) string {
++ if clusterId == "" {
++ clusterId = features.ClusterName
++ }
+ return fmt.Sprintf("%s://%s/%s/%s", KubernetesIngressSecretType, clusterId, namespace, name)
+ }
+
+diff -Naur istio/pilot/pkg/xds/sds.go new/pilot/pkg/xds/sds.go
+--- istio/pilot/pkg/xds/sds.go 2022-11-07 21:40:10.000000000 +0800
++++ new/pilot/pkg/xds/sds.go 2022-11-07 21:44:28.000000000 +0800
+@@ -229,6 +229,12 @@
+ } else {
+ deniedResources = append(deniedResources, r.Name)
+ }
++ case credentials.KubernetesIngressSecretType:
++ if isAuthorized() {
++ allowedResources = append(allowedResources, r)
++ } else {
++ deniedResources = append(deniedResources, r.Name)
++ }
+ default:
+ // Should never happen
+ log.Warnf("unknown credential type %q", r.Type)
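Review bot: The new `KubernetesIngressSecretType` case in sds.go admits the resource on `isAuthorized()` alone; no namespace or verified-reference condition appears in the hunk, so an authorized proxy is served an Ingress secret regardless of which namespace it lives in. If that is intended for a shared gateway, put it on the case, e.g. `// Ingress TLS secrets may live in any namespace; only the proxy's authorization is checked here`; if not, gate it on the same namespace/verified condition the sibling cases presumably use. `isAuthorized()` and the preceding cases are defined above the hunk, and the resource name built by `ToKubernetesIngressResource` carries a cluster-id segment ahead of the namespace — confirm the parser that feeds authorization extracts the namespace from the right segment. The enclosing function begins and ends outside both nested hunks.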