Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow gatewayProvisioner to create contour that only watch limited na… #6073

Merged
merged 12 commits into from
Jan 30, 2024
Merged

Allow gatewayProvisioner to create contour that only watch limited na… #6073

merged 12 commits into from
Jan 30, 2024

Conversation

lubronzhan
Copy link
Contributor

@lubronzhan lubronzhan commented Jan 12, 2024
edited
Loading

…mespaces of resources

Fix #5256

Based on change of @padlar here

Previous PR didn't take care of the case of GatewayProvisioner. Since gatewayProvisioner has its own manager, and gatewayClass is a clusterscope variable

Now, if customer set spec.contour.watchNamespaces in ContourDeployment, the contour instance created by gatewayProvisioner will only watch namespaces under spec.contour.watchNamespaces and the resources under the namespace where the contour instance is located.

I have one concern is, if customer doesn't include ContourDeployment's namespace in watchNamespace, do we automatically add it to the Contour's watchNamespace, or we put condition inside Gateway to show that this is an issue, that they should include the namespace in the watchNamespace. Open to ideas about whether to choose 1st or 2nd option

@lubronzhan lubronzhan requested a review from a team as a code owner January 12, 2024 00:17
@lubronzhan lubronzhan requested review from skriss and sunjayBhatia and removed request for a team January 12, 2024 00:17
@sunjayBhatia sunjayBhatia requested review from a team and clayton-gonsalves and removed request for a team January 12, 2024 00:17
@lubronzhan lubronzhan force-pushed the topic/lubron/fix-5256 branch 2 times, most recently from a237ddf to 45b732e Compare January 12, 2024 00:20
@lubronzhan
Copy link
Contributor Author

How do I set the label of release-note?

@lubronzhan lubronzhan changed the title Allow gatewayProvisioner to create contour that only watch limited na… [WIP]Allow gatewayProvisioner to create contour that only watch limited na… Jan 12, 2024
@codecov Codecov
Copy link

codecov bot commented Jan 12, 2024
edited
Loading

Codecov Report

Attention: 71 lines in your changes are missing coverage. Please review.

Comparison is base (9eb2838) 78.82% compared to head (0746ba4) 78.52%.
Report is 10 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #6073      +/-   ##
==========================================
- Coverage   78.82%   78.52%   -0.31%     
==========================================
  Files         138      140       +2     
  Lines       19766    19911     +145     
==========================================
+ Hits        15581    15635      +54     
- Misses       3878     3967      +89     
- Partials      307      309       +2
Files Coverage Δ
internal/provisioner/controller/gateway.go 62.27% <100.00%> (+0.22%) ⬆️
internal/provisioner/model/model.go 100.00% <100.00%> (ø)
internal/provisioner/model/names.go 100.00% <100.00%> (ø)
...ernal/provisioner/objects/deployment/deployment.go 89.25% <100.00%> (+0.27%) ⬆️
...ovisioner/objects/rbac/clusterrole/cluster_role.go 64.70% <100.00%> (-15.63%) ⬇️
internal/provisioner/objects/rbac/util/util.go 100.00% <100.00%> (ø)
...ovisioner/objects/rbac/rolebinding/role_binding.go 56.36% <40.00%> (-15.07%) ⬇️
internal/provisioner/objects/rbac/role/role.go 62.31% <41.93%> (-7.45%) ⬇️
internal/provisioner/objects/rbac/rbac.go 12.00% <6.81%> (-1.64%) ⬇️

... and 3 files with indirect coverage changes

@lubronzhan lubronzhan force-pushed the topic/lubron/fix-5256 branch 2 times, most recently from d205e85 to a52c282 Compare January 12, 2024 06:05
@skriss skriss requested a review from izturn January 12, 2024 16:40
@skriss
Copy link
Member

skriss commented Jan 12, 2024

@lubronzhan the other thing we want to do here is generate per-namespace Roles/RoleBindings for Contour, instead of the default ClusterRole/ClusterRoleBinding, since the user typically wants/should want least privileges when restricting to 1+ specific namespace(s). Effectively doing the same as what's in https://github.com/projectcontour/contour/blob/main/examples/namespaced/kustomization.yaml. The code for the provisioner generating RBAC resources is in https://github.com/projectcontour/contour/tree/main/internal/provisioner/objects/rbac

skriss
skriss requested changes Jan 12, 2024
View reviewed changes
Copy link
Member

@skriss skriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll definitely want an E2E test on this, to ensure we got all the RBAC right. See https://github.com/projectcontour/contour/blob/main/test/e2e/provisioner/provisioner_test.go for existing provisioner tests that instantiate a Contour and test traffic routing.

apis/projectcontour/v1alpha1/contourdeployment.go Outdated Show resolved Hide resolved
internal/provisioner/model/model.go Outdated Show resolved Hide resolved
@lubronzhan
Copy link
Contributor Author

Effectively doing the same as what's in main/examples/namespaced/kustomization.yaml. The code for the provisioner generating RBAC resources is in main/internal/provisioner/objects/rbac

Ohk, I thought just doing the kustomization is enough, for example I added an example here. https://github.com/lubronzhan/contour/blob/topic/lubron/fix-5256/examples/namespaced-gatewayapi/kustomization.yaml
ohk let me change that https://github.com/projectcontour/contour/tree/main/internal/provisioner/objects/rbac?rgh-link-date=2024-01-12T16%3A54%3A04Z

Do we have e2e test for the kustomization as well? or we just manually test it

@izturn izturn added the area/gateway-provisioner Issues or PRs related to the Gateway provisioner label Jan 15, 2024
@izturn izturn added the release-note/small A small change that needs one line of explanation in the release notes. label Jan 15, 2024
This was referenced Jan 17, 2024
Closed
Merged
@lubronzhan lubronzhan force-pushed the topic/lubron/fix-5256 branch 2 times, most recently from 34281ac to 189131c Compare January 17, 2024 05:48
@lubronzhan
Copy link
Contributor Author

lubronzhan commented Jan 17, 2024
edited
Loading

Ok the code-gene difference is

-                    description: WatchNamespaces is an array of namespaces. Setting
-                      it will instruct the contour instance to only watch these set
-                      of namespaces
+                    description: |-
+                      WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance
+                      to only watch these set of namespaces

Turns out I need to rebase

@lubronzhan
Initial code of e2e test
80c6735 
Signed-off-by: lubronzhan <lubronzhan@gmail.com>
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
@lubronzhan
Validate e2e tests locally
e729fca 
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
@lubronzhan
Resolve comments
3fb1e9c 
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
@lubronzhan lubronzhan mentioned this pull request Jan 24, 2024
Open
@lubronzhan
Basic validation
4455855 
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
@lubronzhan lubronzhan force-pushed the topic/lubron/fix-5256 branch 2 times, most recently from 5746d35 to d7a63b1 Compare January 26, 2024 01:02
@lubronzhan
Add namespace alias for string for validation purpose
c8666ad 
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
sunjayBhatia
sunjayBhatia reviewed Jan 26, 2024
View reviewed changes
Copy link
Member

@sunjayBhatia sunjayBhatia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is pretty much good to go minus some small things, one thing I would maybe change too is to put the new API Namespace type in the v1 package so we can use it in that package later as well, better to have a type there and use it in v1alpha than the other way round I think (and not have to define it twice)

apis/projectcontour/v1alpha1/contourdeployment_helpers_test.go Outdated Show resolved Hide resolved
test/e2e/provisioner/provisioner_test.go Outdated Show resolved Hide resolved
test/e2e/framework.go Outdated Show resolved Hide resolved
internal/provisioner/objects/deployment/deployment_test.go Outdated Show resolved Hide resolved
@lubronzhan
Resolve comments
7fc8fed 
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
@lubronzhan
Remove kustimization
ca7c2cd 
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
@lubronzhan
Make generate
c179a3c 
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
skriss
skriss requested changes Jan 29, 2024
View reviewed changes
Copy link
Member

@skriss skriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple more tiny spelling nits, otherwise I think this is about good to go as well

internal/provisioner/model/names.go Outdated Show resolved Hide resolved
internal/provisioner/model/names.go Outdated Show resolved Hide resolved
test/e2e/gatewayapi_predicates.go Outdated Show resolved Hide resolved
@lubronzhan
More comments
c2d5d1d 
Signed-off-by: Lubron Zhan <lubronzhan@gmail.com>
@lubronzhan
Copy link
Contributor Author

Thanks!

@lubronzhan
Resolve comments
0746ba4 
Signed-off-by: lubronzhan <lubronzhan@gmail.com>
@izturn
Copy link
Member

izturn commented Jan 30, 2024

@lubronzhan LGTM thx

@skriss skriss merged commit 29201bb into projectcontour:main Jan 30, 2024
25 of 26 checks passed
@lubronzhan lubronzhan deleted the topic/lubron/fix-5256 branch January 30, 2024 23:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@izturn izturn izturn left review comments

@sunjayBhatia sunjayBhatia sunjayBhatia approved these changes

@skriss skriss skriss approved these changes

@clayton-gonsalves clayton-gonsalves Awaiting requested review from clayton-gonsalves clayton-gonsalves was automatically assigned from projectcontour/contour-reviewers

Assignees

@lubronzhan lubronzhan

Labels
area/gateway-provisioner Issues or PRs related to the Gateway provisioner release-note/small A small change that needs one line of explanation in the release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support namespace-scoped Contour instances via Gateway provisioner
4 participants
@lubronzhan @skriss @izturn @sunjayBhatia