Merge branch 'main' into kube-linter

Kong · Feb 16, 2023 · 72a82bd · 72a82bd
2 parents 72d20d4 + 2f73810
commit 72a82bd
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 6 deletions.
diff --git a/.github/workflows/main-pr.yaml b/.github/workflows/main-pr.yaml
@@ -36,7 +36,7 @@ jobs:
       - name: Run linters
         run: make lint
 
-  lint-test-with-ct:
+  lint-test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
@@ -2,19 +2,32 @@
 
 ## Unreleased
 
+### Improvements
+
+* Added support for controller's admin API service discovery.
+  With `ingressController.serviceDiscovery.enabled` set to `true` Kong Ingress Controller
+  will enable service discovery for admin API service.
+  For more information on this please see
+  [the corresponding README.md section][kic_service_discovery_readme]
+  [#747](https://github.com/Kong/charts/pull/747)
+
 ### Under the hood 
 
 * Add kube-linter to the CI pipeline to ensure produced manifests comply
   with community best practices.
   [#751](https://github.com/Kong/charts/pull/751)
 
+[kic_service_discovery_readme]: ./README.md#the-servicediscovery-section
+
 ## 2.16.5
 
+### Fixed
+
 * Fix autoscaling version detection.
-  [#744](https://github.com/Kong/charts/pull/744)
+  [#752](https://github.com/Kong/charts/pull/752)
 * Don't include a clear-stale-pid initContainer when kong gateway is not
   enabled in the deployment.
-  [#744](https://github.com/Kong/charts/pull/744)
+  [#749](https://github.com/Kong/charts/pull/749)
 
 ## 2.16.4
 
@@ -32,14 +45,14 @@
 
 ## 2.16.2
 
-### Fixed 
+### Fixed
 
 * The admission webhook is disabled when the ingress controller is disabled, as
   the admission webhook requires a service provided by the ingress controller.
 
 ## 2.16.1
 
-### Fixed 
+### Fixed
 
 * serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20.
   [#735](https://github.com/Kong/charts/pull/735)

diff --git a/charts/kong/README.md b/charts/kong/README.md
@@ -725,6 +725,11 @@ section of `values.yaml` file:
 | userDefinedVolumes                      | Create volumes. Please go to Kubernetes doc for the spec of the volumes                                                                                  |                                    |
 | userDefinedVolumeMounts                 | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts                                                                        |                                    |
 | terminationGracePeriodSeconds           | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30                                 |
+| serviceDiscovery.enabled                | Enables Kong instance service discovery (for more details see [serviceDiscovery section][sd_section])                                                    |  false                             |
+| serviceDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [serviceDiscovery section][sd_section])                                             |  `.Release.Namespace`              |
+| serviceDiscovery.adminApiService.name   | The name of the Kong admin API service (for more details see [serviceDiscovery section][sd_section])                                                     |  ""                                |
+
+[sd_section]: #the-servicediscovery-section
 
 #### The `env` section
 For a complete list of all configuration values you can set in the
@@ -746,6 +751,33 @@ kong:
       TZ: "Europe/Berlin"
 ```
 
+#### The `serviceDiscovery` section
+
+Kong Ingress Controller v2.9 has introduced service discovery which allows
+the controller to discover Gateway instances that it should configure.
+
+You'll be able to configure this feature through configuration section under
+`ingressController.serviceDiscovery`.
+
+For admin API service discovery:
+
+- If `ingressController.serviceDiscovery.enable` is set to `false`: the ingress controller
+  will control a pre-determined set of Gateway instances based on Admin API URLs
+  (provided under the hood via `CONTROLLER_KONG_ADMIN_URL` environment variable).
+
+- If `ingressController.serviceDiscovery.enable` is set to `true`: the ingress controller
+  will dynamically locate Gateway instances by watching the specified Kubernetes
+  service.
+  (provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable).
+
+  The following admin API Service flags have to be provided in order for service
+  discovery to work:
+
+  - `ingressController.serviceDiscovery.adminApiServie.name`
+  - `ingressController.serviceDiscovery.adminApiServie.namespace`
+
+For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
+
 ### General Parameters
 
 | Parameter                          | Description                                                                           | Default             |

diff --git a/charts/kong/example-values/README.md b/charts/kong/example-values/README.md
@@ -52,5 +52,15 @@ common Kong deployment scenarios on Kubernetes.
   restarts them, so starting control planes second, but around the same time
   will usually work), but is the smoothest option.
 
+* [minimal-kong-sd-controller.yaml](minimal-kong-sd-controller.yaml) and
+  [minimal-kong-sd-gateway.yaml](minimal-kong-sd-gateway.yaml) install a
+  single controller and cluster of gateway instances. The controller release
+  configuration must specify the names of the gateway proxy and and admin
+  Services. The examples use `gw` as the gateway release name. If you wish to
+  use another name, set the controller configuration to match. For example, if
+  you use `hydrogen` as your gateway release name, set
+  `proxy.nameOverride=hydrogen-kong-proxy` and
+  `ingressController.adminApiService.name=hydrogen-kong-admin`.
+
 All Enterprise examples require some level of additional user configuration to
 install properly. Read the comments at the top of each file for instructions.
diff --git a/charts/kong/example-values/minimal-kong-sd-controller.yaml b/charts/kong/example-values/minimal-kong-sd-controller.yaml
@@ -0,0 +1,23 @@
+deployment:
+  kong:
+    enabled: false
+
+proxy:
+  ## This must match the gateway release's proxy Service name.
+  ## The Service name uses the pattern "<release name>-kong-proxy".
+  ## In this example, the companion gateway release is named "gw"
+  nameOverride: gw-kong-proxy
+
+ingressController:
+  enabled: true
+  ## This example creates a static 2-Pod Kong Igress Controller deployment
+  ## With service discovery enabled leader election will be enabled and only one
+  ## instance will ever talk to the accompanying Gateways.
+  replicaCount: 2
+  serviceDiscovery:
+    enabled: true
+    adminApiService:
+      ## This must match the gateway release's admin Service name.
+      ## The Service name uses the pattern "<release name>-kong-admin".
+      ## In this example, the companion gateway release is named "gw"
+      name: gw-kong-admin
diff --git a/charts/kong/example-values/minimal-kong-sd-gateway.yaml b/charts/kong/example-values/minimal-kong-sd-gateway.yaml
@@ -0,0 +1,14 @@
+admin:
+  enabled: true
+  type: ClusterIP
+  clusterIP: None
+
+ingressController:
+  enabled: false
+
+replicaCount: 3
+## This example creates a static 3-Pod Kong gateway Deployment.
+## To use autoscaling instead, comment the above replicaCount and uncomment
+## the autoscaling section below.
+# autoscaling:
+#   enabled: true
diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl
@@ -316,6 +316,18 @@ Create a single listen (IP+port+parameter combo)
   {{- $listen | join " " -}}
 {{- end -}}
 
+{{/*
+Return the admin API service name for service discovery
+*/}}
+{{- define "kong.adminSvc" -}}
+{{- $_namespace := .Values.ingressController.serviceDiscovery.adminApiService.namespace | default ( include "kong.namespace" . ) -}}
+{{- $_name := .Values.ingressController.serviceDiscovery.adminApiService.name -}}
+{{- if and (not $_name) (.Values.ingressController.serviceDiscovery.enabled) -}}
+{{- fail ".ingressController.serviceDiscovery.adminApiService.name has to be provided when .Values.ingressController.serviceDiscovery.enabled is set to true" -}}
+{{- end -}}
+{{- printf "%s/%s" $_namespace $_name -}}
+{{- end -}}
+
 {{/*
 Return the local admin API URL, preferring HTTPS if available
 */}}
@@ -371,10 +383,14 @@ The name of the service used for the ingress controller's validation webhook
 
 {{- $autoEnv := dict -}}
 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
-{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s-proxy" ( include "kong.namespace" . ) (include "kong.fullname" .)) -}}
+{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . )))) -}}
 {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
 {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
+{{- if .Values.ingressController.serviceDiscovery.enabled -}}
+{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}}
+{{- else -}}
 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
+{{- end -}}
 {{- if .Values.ingressController.admissionWebhook.enabled }}
   {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}}
 {{- end }}
@@ -1336,6 +1352,14 @@ resource roles into their separate templates.
   - get
   - patch
   - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 {{- end -}}
 
 {{/*

diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
@@ -258,6 +258,8 @@ proxy:
   # Enable creating a Kubernetes service for the proxy
   enabled: true
   type: LoadBalancer
+  # Override proxy Service name
+  nameOverride: ""
   # To specify annotations or labels for the proxy service, add them to the respective
   # "annotations" or "labels" dictionaries below.
   annotations: {}
@@ -479,6 +481,12 @@ ingressController:
     effectiveSemver:
   args: []
 
+  serviceDiscovery:
+    enabled: false
+    adminApiService:
+      namespace: ""
+      name: ""
+
   # Specify individual namespaces to watch for ingress configuration. By default,
   # when no namespaces are set, the controller watches all namespaces and uses a
   # ClusterRole to grant access to Kubernetes resources. When you list specific