update 1.2.1 (#27)

* Update patches with changes for upgrade Signed-off-by: Matias Charriere <[email protected]> * Upgrade envoy-gateway to 1.2.1 Signed-off-by: Matias Charriere <[email protected]> * run sync Signed-off-by: Puja Abbassi <[email protected]> * set readOnlyRootFilesystem: true * revert * security context fix * security-context patch * security-context patch fix * security-context patch remove * doc updates * typo fix * fix image registry patch Signed-off-by: Puja Abbassi <[email protected]> * add repo to image registry patch Signed-off-by: Puja Abbassi <[email protected]> * CiliumNetworkPolicies & CiliumNetworkPolicies * netpol directory fix * labels fix * helm pre-hook annotations * more more access to api-server from certgen * Add change to namespace value * revert broken chart * Fix script for sync * Fix namespace sync --------- Signed-off-by: Matias Charriere <[email protected]> Signed-off-by: Puja Abbassi <[email protected]> Co-authored-by: Puja <[email protected]> Co-authored-by: Spyros Synodinos <[email protected]> Co-authored-by: pipo02mix <[email protected]>
giantswarm · Dec 19, 2024 · 977bd1b · 977bd1b
1 parent a1784e7
commit 977bd1b
Show file tree

Hide file tree

Showing 49 changed files with 29,110 additions and 11,213 deletions.
diff --git a/diffs/helm__envoy-gateway__templates___helpers.tpl.patch b/diffs/helm__envoy-gateway__templates___helpers.tpl.patch
@@ -1,5 +1,5 @@
 diff --git a/vendor/gateway-helm/templates/_helpers.tpl b/helm/envoy-gateway/templates/_helpers.tpl
-index 24e5cbd..105a0cc 100644
+index d9aefc2..2645585 100644
 --- a/vendor/gateway-helm/templates/_helpers.tpl
 +++ b/helm/envoy-gateway/templates/_helpers.tpl
 @@ -40,6 +40,7 @@ helm.sh/chart: {{ include "eg.chart" . }}
@@ -10,3 +10,14 @@ index 24e5cbd..105a0cc 100644
  {{- end }}
 
  {{/*
+@@ -65,8 +66,8 @@ Create the name of the service account to use
+ The name of the Envoy Gateway image.
+ */}}
+ {{- define "eg.image" -}}
+-{{- if .Values.deployment.envoyGateway.image.repository }}
+-{{- .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Values.global.images.envoyGateway.tag | default .Chart.AppVersion }}
++{{- if .Values.image.registry }}
++{{- .Values.image.registry }}/{{- .Values.image.repository }}/{{- .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
+ {{- else if .Values.global.images.envoyGateway.image }}
+ {{- .Values.global.images.envoyGateway.image }}
+ {{- else }}
diff --git a/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch
@@ -0,0 +1,49 @@
+diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
+new file mode 100644
+index 0000000..2af4f5c
+--- /dev/null
++++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
+@@ -0,0 +1,43 @@
++---
++apiVersion: "cilium.io/v2"
++kind: CiliumNetworkPolicy
++metadata:
++  name: {{ include "eg.fullname" . }}-certgen
++  namespace: {{ .Release.Namespace }}
++  annotations:
++    "helm.sh/hook": "pre-install,pre-upgrade"
++    "helm.sh/hook-weight": "-10"
++    "helm.sh/hook-delete-policy": "before-hook-creation"
++  labels:
++    app.kubernetes.io/component: "certgen"
++    {{- include "eg.labels" . | nindent 4 }}
++spec:
++  endpointSelector:
++    matchLabels:
++      app.kubernetes.io/component: "certgen"
++      {{- include "eg.selectorLabels" . | nindent 6 }}
++  egress:
++    - toEntities:
++        - kube-apiserver
++    - toEndpoints:
++        - matchLabels:
++            k8s:io.kubernetes.pod.namespace: default
++            k8s:k8s-app: kubernetes
++      toPorts:
++        - ports:
++            - port: "443"
++              protocol: TCP
++    - toEndpoints:
++        - matchLabels:
++            k8s:component: kube-apiserver
++            k8s:tier: control-plane
++    - toEndpoints:
++        - matchLabels:
++            k8s:io.kubernetes.pod.namespace: kube-system
++            k8s:k8s-app: kube-dns
++      toPorts:
++        - ports:
++            - port: "53"
++              protocol: UDP
++            - port: "53"
++              protocol: TCP
diff --git a/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch
@@ -0,0 +1,50 @@
+diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
+new file mode 100644
+index 0000000..0e9f09a
+--- /dev/null
++++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
+@@ -0,0 +1,44 @@
++---
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++  name: {{ include "eg.fullname" . }}-certgen
++  namespace: {{ .Release.Namespace }}
++  annotations:
++    "helm.sh/hook": "pre-install,pre-upgrade"
++    "helm.sh/hook-weight": "-10"
++    "helm.sh/hook-delete-policy": "before-hook-creation"
++  labels:
++    app.kubernetes.io/component: "certgen"
++    {{- include "eg.labels" . | nindent 4 }}
++spec:
++  podSelector:
++    matchLabels:
++      app.kubernetes.io/component: "certgen"
++      {{- include "eg.selectorLabels" . | nindent 6 }}
++  policyTypes:
++    - Ingress
++    - Egress
++  egress:
++    - to:
++        - namespaceSelector: {}
++          podSelector:
++            matchLabels:
++              component: kube-apiserver
++              tier: control-plane
++    - to:
++        - ipBlock:
++            cidr: 172.31.0.1/32
++      ports:
++        - port: 443
++          protocol: TCP
++    - ports:
++        - port: 53
++          protocol: UDP
++        - port: 53
++          protocol: TCP
++      to:
++        - namespaceSelector: {}
++          podSelector:
++            matchLabels:
++              k8s-app: kube-dns
diff --git a/diffs/helm__envoy-gateway__templates__certgen.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen.yaml.patch
diff --git a/diffs/helm__envoy-gateway__templates__envoy-gateway-cnp.yaml.patch b/diffs/helm__envoy-gateway__templates__envoy-gateway-cnp.yaml.patch
@@ -0,0 +1,47 @@
+diff --git a/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
+new file mode 100644
+index 0000000..a44b6ee
+--- /dev/null
++++ b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
+@@ -0,0 +1,41 @@
++---
++apiVersion: "cilium.io/v2"
++kind: CiliumNetworkPolicy
++metadata:
++  name: {{ include "eg.fullname" . }}
++  namespace: {{ .Release.Namespace }}
++  annotations:
++    "helm.sh/hook": "pre-install,pre-upgrade"
++    "helm.sh/hook-weight": "-10"
++    "helm.sh/hook-delete-policy": "before-hook-creation"
++  labels:
++    control-plane: envoy-gateway
++    {{- include "eg.labels" . | nindent 4 }}
++spec:
++  endpointSelector:
++    matchLabels:
++      control-plane: envoy-gateway
++      {{- include "eg.selectorLabels" . | nindent 6 }}
++  egress:
++    - toEntities:
++        - kube-apiserver
++        - cluster
++    - toEndpoints:
++        - matchLabels:
++            k8s:io.kubernetes.pod.namespace: kube-system
++            k8s-app: kube-dns
++      toPorts:
++        - ports:
++            - port: "53"
++              protocol: UDP
++            - port: "53"
++              protocol: TCP
++  ingress:
++    - fromEntities:
++        - cluster
++      toPorts:
++        - ports:
++            {{- range .Values.deployment.envoyGateway.ports }}
++            - port: {{ printf "\"%d\"" .port }}
++              protocol: TCP
++            {{- end }}
diff --git a/diffs/helm__envoy-gateway__templates__envoy-gateway-deployment.yaml.patch b/diffs/helm__envoy-gateway__templates__envoy-gateway-deployment.yaml.patch
diff --git a/diffs/helm__envoy-gateway__templates__envoy-gateway-netpol.yaml.patch b/diffs/helm__envoy-gateway__templates__envoy-gateway-netpol.yaml.patch
@@ -0,0 +1,51 @@
+diff --git a/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
+new file mode 100644
+index 0000000..9d9049d
+--- /dev/null
++++ b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
+@@ -0,0 +1,45 @@
++---
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++  name: {{ include "eg.fullname" . }}
++  namespace: {{ .Release.Namespace }}
++  annotations:
++    "helm.sh/hook": "pre-install,pre-upgrade"
++    "helm.sh/hook-weight": "-10"
++    "helm.sh/hook-delete-policy": "before-hook-creation"
++  labels:
++    control-plane: envoy-gateway
++    {{- include "eg.labels" . | nindent 4 }}
++spec:
++  podSelector:
++    matchLabels:
++      control-plane: envoy-gateway
++      {{- include "eg.selectorLabels" . | nindent 6 }}
++  policyTypes:
++    - Ingress
++    - Egress
++  egress:
++    - to:
++        - namespaceSelector: {}
++          podSelector:
++            matchLabels:
++              k8s-app: kube-apiserver
++    - to:
++        - namespaceSelector: {}
++          podSelector:
++            matchLabels:
++              k8s-app: kube-dns
++      ports:
++        - port: 53
++          protocol: UDP
++        - port: 53
++          protocol: TCP
++  ingress:
++    - ports:
++        {{- range .Values.deployment.envoyGateway.ports }}
++        - port: {{ .port }}
++          protocol: TCP
++        {{- end }}
++      from:
++        - namespaceSelector: {}
diff --git a/diffs/helm__envoy-gateway__templates__namespace.yaml.patch b/diffs/helm__envoy-gateway__templates__namespace.yaml.patch
@@ -0,0 +1,12 @@
+diff --git a/helm/envoy-gateway/templates/namespace.yaml b/helm/envoy-gateway/templates/namespace.yaml
+new file mode 100644
+index 0000000..c68c79a
+--- /dev/null
++++ b/helm/envoy-gateway/templates/namespace.yaml
+@@ -0,0 +1,6 @@
++{{ if .Values.createNamespace }}
++apiVersion: v1
++kind: Namespace
++metadata:
++  name: '{{ .Values.namespace }}'
++{{ end }}