diff --git a/Makefile b/Makefile index 18b45ca1e32..398ba1a285e 100644 --- a/Makefile +++ b/Makefile @@ -74,6 +74,17 @@ $(call module,ambassador,$(OSS_HOME)) include $(OSS_HOME)/build-aux/generate.mk include $(OSS_HOME)/build-aux/lint.mk +FORCE: +.PHONY: FORCE +.SECONDARY: + +$(OSS_HOME)/charts/emissary-ingress/charts: FORCE + if test -f ../go.mod && test "$$(cd .. && go list -m)" == github.com/emissary-ingress/emissary/v3; then \ + $(MAKE) -C .. $@; \ + else \ + cd $(@D) && helm dependency build && helm dependency update; \ + fi + .git/hooks/prepare-commit-msg: ln -s $(OSS_HOME)/tools/hooks/prepare-commit-msg $(OSS_HOME)/.git/hooks/prepare-commit-msg @@ -93,6 +104,7 @@ deploy: push preflight-cluster deploy-only: preflight-dev-kubeconfig $(tools/kubectl) build-output/yaml-$(patsubst v%,%,$(VERSION)) $(boguschart_dir) mkdir -p $(OSS_HOME)/build/helm/ && \ ($(tools/kubectl) --kubeconfig $(DEV_KUBECONFIG) create ns ambassador || true) && \ + helm dependency build && \ helm template ambassador --output-dir $(OSS_HOME)/build/helm -n ambassador $(boguschart_dir) \ --set createNamespace=true \ --set service.selector.service=ambassador \ diff --git a/build-aux/generate.mk b/build-aux/generate.mk index b2cce89dfba..2287790a3b2 100644 --- a/build-aux/generate.mk +++ b/build-aux/generate.mk @@ -216,7 +216,7 @@ helm.namespace.emissary-defaultns-migration = default $(OSS_HOME)/k8s-config/%/helm-expanded.yaml: \ $(OSS_HOME)/k8s-config/%/values.yaml \ $(boguschart_dir) - helm template --namespace=$(helm.namespace.$*) --values=$(@D)/values.yaml $(or $(helm.name.$*),$*) $(boguschart_dir) >$@ + helm dependency update && helm template --namespace=$(helm.namespace.$*) --values=$(@D)/values.yaml $(or $(helm.name.$*),$*) $(boguschart_dir) >$@ $(OSS_HOME)/k8s-config/%/output.yaml: \ $(OSS_HOME)/k8s-config/%/helm-expanded.yaml \ $(OSS_HOME)/k8s-config/%/require.yaml \ diff --git a/build-aux/lint.mk b/build-aux/lint.mk index 28c409dafb3..20b25e80cce 100644 --- a/build-aux/lint.mk 
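Review bot: In the new `$(OSS_HOME)/charts/emissary-ingress/charts` recipe, `helm dependency build && helm dependency update` rebuilds `charts/` from Chart.lock and then immediately re-resolves Chart.yaml and rewrites the lock, so the committed Chart.lock no longer decides what is vendored. Keeping only the first command, `cd $(@D) && helm dependency build; \`, leaves the lock authoritative. The `helm dependency update` added to the helm-expanded.yaml recipe in build-aux/generate.mk has the same effect on every template run. Separately, `test "$$(cd .. && go list -m)" == ...` relies on `==`, which POSIX `test` does not define; `=` works under any `/bin/sh`.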
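Review bot: The `helm dependency build && \` added to the deploy-only recipe names no chart, so it acts on the current directory rather than on `$(boguschart_dir)`, which is the chart the following `helm template` renders. Assuming that variable is an unpacked chart directory, `helm dependency build $(boguschart_dir) && \` would fetch the subchart where it is used. The helm-expanded.yaml recipe in build-aux/generate.mk calls `helm dependency update` without a chart path in the same way. The recipe continues past the end of this hunk.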
+++ b/build-aux/lint.mk @@ -54,11 +54,15 @@ format/isort: $(OSS_HOME)/venv # # Helm +HELM_TEST_IMAGE = quay.io/helmpack/chart-testing:v3.0.0-rc.1 +CHART_DIR := $(OSS_HOME)/build-output/chart-$(patsubst v%,%,$(VERSION))_$(patsubst v%,%,$(CHART_VERSION)).d +CT_EXEC = docker run --rm -v $(KIND_KUBECONFIG):/root/.kube/config -v $(CHART_DIR):/charts --network host $(HELM_TEST_IMAGE) /charts/emissary-ingress/ci.in/ct.sh lint-deps += $(tools/ct) $(chart_dir) lint-goals += lint/chart lint/chart: $(tools/ct) $(chart_dir) - cd $(chart_dir) && $(abspath $(tools/ct)) lint --config=./ct.yaml + $(CT_EXEC) install --config /charts/ct.yaml +# cd $(chart_dir) && $(abspath $(tools/ct)) lint --config=./ct.yaml .PHONY: lint/chart # diff --git a/charts/emissary-ingress/Chart.lock b/charts/emissary-ingress/Chart.lock new file mode 100644 index 00000000000..39430612071 --- /dev/null +++ b/charts/emissary-ingress/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: ambassador-agent + repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 1.0.15 +digest: sha256:5b3ed48fcf6b0ee0e9638f7261dcd2a264ee72f0a5eede7d123ff2d4b3c7e958 +generated: "2023-09-28T14:30:39.695933-04:00" diff --git a/charts/emissary-ingress/Chart.yaml.in b/charts/emissary-ingress/Chart.yaml.in index b974e51986a..f94cf03bf56 100644 --- a/charts/emissary-ingress/Chart.yaml.in +++ b/charts/emissary-ingress/Chart.yaml.in 
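Review bot: `CT_EXEC` hands the cluster kubeconfig to a container on the host network, and the image it runs is named only by the mutable pre-release tag `v3.0.0-rc.1`. Pinning it by digest, `HELM_TEST_IMAGE = quay.io/helmpack/chart-testing:v3.0.0-rc.1@sha256:<digest-placeholder>`, and mounting the credentials read-only with `-v $(KIND_KUBECONFIG):/root/.kube/config:ro` narrows what a replaced image could do. `lint/chart` now runs `ct install`, which deploys the chart into that cluster, so a lint goal gains a cluster dependency and side effects; a separate goal name would keep `make lint` offline. The commented-out old recipe line is dead code and can be dropped.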
@@ -16,12 +16,19 @@ keywords: - emissary - emissary ingress maintainers: -- name: flydiverny - email: markus@maga.se -- name: kflynn - email: flynn@datawire.io -- name: nbkrause - email: nkrause@datawire.io -- name: lukeshu - email: lukeshu@datawire.io + - name: Alice Wasko + email: alicewasko@datawire.io + - name: Hamzah Qudsi + email: hqudsi@datawire.io + - name: Lance Austin + email: laustin@datawire.io + - name: Rick Lane + email: rlane@datawire.io + - name: Tenshin Higashi + email: thigashi@datawire.io engine: gotpl +dependencies: + - name: ambassador-agent + version: 1.0.15 + repository: https://s3.amazonaws.com/datawire-static-files/charts + condition: agent.enabled diff --git a/charts/emissary-ingress/ci.in/ct.sh b/charts/emissary-ingress/ci.in/ct.sh new file mode 100644 index 00000000000..1b256e4dc2f --- /dev/null +++ b/charts/emissary-ingress/ci.in/ct.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +set -ex + +helm repo add ambassador-agent https://s3.amazonaws.com/datawire-static-files/charts || helm repo update + +ct "$@" diff --git a/charts/emissary-ingress/templates/ambassador-agent.yaml b/charts/emissary-ingress/templates/ambassador-agent.yaml deleted file mode 100644 index 1eb4dc96c8d..00000000000 --- a/charts/emissary-ingress/templates/ambassador-agent.yaml +++ /dev/null 
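Review bot: The new `dependencies:` entry moves the agent's Deployment and RBAC out of this repository into a chart fetched from an S3-hosted repository, and nothing in this change verifies that archive. The exact `version: 1.0.15` pin is good, but the `digest` in Chart.lock is computed over the dependency list rather than the archive contents, so it does not detect a replaced package. If the ambassador-agent chart is published with a provenance file, fetching it with `helm dependency build --verify` would close that gap. Otherwise a short comment above the entry, e.g. `# RBAC and Deployment for the agent come from this chart; review its templates when bumping the version`, tells maintainers where to look.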
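Review bot: In the new ct.sh, `helm repo add ... || helm repo update` treats every failure of `helm repo add` (DNS, TLS, a wrong URL) as if the repository were already configured, and a successful `helm repo update` then hides the error from `set -e`. The script is started through `docker run --rm` in build-aux/lint.mk, so the container starts without a previously added repository and the fallback is not needed; `helm repo add ambassador-agent https://s3.amazonaws.com/datawire-static-files/charts` on its own fails loudly when the repository cannot be reached. A one-line header comment saying the script runs inside the chart-testing container with the cluster kubeconfig mounted would also help readers of `ct "$@"`.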
@@ -1,284 +0,0 @@ -{{- if .Values.agent.enabled }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "ambassador.fullname" . }}-agent - namespace: {{ include "ambassador.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -{{- if .Values.docker.useImagePullSecret }} -imagePullSecrets: -- name: {{ .Values.docker.imagePullSecretName }} -{{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "ambassador.fullname" . }}-agent-config - namespace: {{ include "ambassador.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "ambassador.fullname" . }}-agent-config -subjects: -- kind: ServiceAccount - name: {{ include "ambassador.fullname" . }}-agent - namespace: {{ include "ambassador.namespace" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "ambassador.fullname" . }}-agent-config - namespace: {{ include "ambassador.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -rules: -- apiGroups: [""] - resources: [ "configmaps" ] - verbs: [ "get", "list", "watch" ] -- apiGroups: [""] - resources: [ "secrets"] - verbs: [ "get", "list", "watch", "create", "delete", "patch" ] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "ambassador.fullname" . }}-agent - labels: - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "ambassador.fullname" . 
}}-agent -subjects: -- kind: ServiceAccount - name: {{ include "ambassador.fullname" . }}-agent - namespace: {{ include "ambassador.namespace" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ambassador.fullname" . }}-agent - labels: - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.getambassador.io/role-group: {{ include "ambassador.rbacName" . }}-agent -rules: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ambassador.fullname" . }}-agent-pods - labels: - rbac.getambassador.io/role-group: {{ include "ambassador.rbacName" . }}-agent - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -rules: -- apiGroups: [""] - resources: [ "pods"] - verbs: [ "get", "list", "watch" ] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ambassador.fullname" . }}-agent-deployments - labels: - rbac.getambassador.io/role-group: {{ include "ambassador.rbacName" . }}-agent - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -rules: -- apiGroups: ["apps", "extensions"] - resources: [ "deployments" ] - verbs: [ "get", "list", "watch" ] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ambassador.fullname" . }}-agent-endpoints - labels: - rbac.getambassador.io/role-group: {{ include "ambassador.rbacName" . }}-agent - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . 
| nindent 4 }} - product: aes -rules: -- apiGroups: [""] - resources: [ "endpoints" ] - verbs: [ "get", "list", "watch" ] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ambassador.fullname" . }}-agent-configmaps - labels: - rbac.getambassador.io/role-group: {{ include "ambassador.rbacName" . }}-agent - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -rules: -- apiGroups: [""] - resources: [ "configmaps" ] - verbs: [ "get", "list", "watch" ] ---- -{{- if .Values.agent.createArgoRBAC }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ambassador.fullname" . }}-agent-rollouts - labels: - rbac.getambassador.io/role-group: {{ include "ambassador.rbacName" . }}-agent - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -rules: -- apiGroups: ["argoproj.io"] - resources: [ "rollouts", "rollouts/status" ] - verbs: [ "get", "list", "watch", "patch" ] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ambassador.fullname" . }}-agent-applications - labels: - rbac.getambassador.io/role-group: {{ include "ambassador.rbacName" . }}-agent - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -rules: -- apiGroups: ["argoproj.io"] - resources: [ "applications" ] - verbs: [ "get", "list", "watch" ] -{{- end }} -{{ if ne .Values.agent.cloudConnectToken "" }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "ambassador.fullname" . }}-agent-cloud-token - namespace: {{ include "ambassador.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent-cloud-token - {{- include "ambassador.labels" . 
| nindent 4 }} - product: aes -data: - CLOUD_CONNECT_TOKEN: {{ .Values.agent.cloudConnectToken }} -{{ end }} - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "ambassador.fullname" . }}-agent - namespace: {{ include "ambassador.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-agent - {{- include "ambassador.labels" . | nindent 4 }} - product: aes -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-agent - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-agent - {{- include "ambassador.labels" . | nindent 8 }} - product: aes - spec: - {{- with .Values.agent.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "ambassador.fullname" . }}-agent - containers: - - name: agent - image: "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag }}" - imagePullPolicy: {{ .Values.agent.image.pullPolicy }} - ports: - - containerPort: 8080 - name: http - {{- with .Values.agent.containerSecurityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - env: - - name: AGENT_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: AGENT_CONFIG_RESOURCE_NAME - value: {{ include "ambassador.fullname" . }}-agent-cloud-token - - name: RPC_CONNECTION_ADDRESS - value: {{ .Values.agent.rpcAddress }} - - name: AES_SNAPSHOT_URL - value: "http://{{ include "ambassador.fullname" . }}-admin.{{ include "ambassador.namespace" . }}:{{ .Values.adminService.snapshotPort }}/snapshot-external" - - name: AES_REPORT_DIAGNOSTICS_TO_CLOUD - value: {{ .Values.agent.reportDiagnostics | quote }} - - name: AES_DIAGNOSTICS_URL - value: "http://{{ include "ambassador.fullname" . }}-admin.{{ include "ambassador.namespace" . 
}}:{{ .Values.adminService.port }}/ambassador/v0/diag/?json=true" - - {{- with .Values.agent.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.agent.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.agent.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - - {{ if .Values.progressDeadlines }} - {{ if hasKey .Values.progressDeadlines "agent" }} - progressDeadlineSeconds: {{ .Values.progressDeadlines.agent }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "ambassador.fullname" . }}-agent - namespace: {{ include "ambassador.namespace" . }} - labels: - {{- if ne .Values.deploymentTool "getambassador.io" }} - app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent - app.kubernetes.io/part-of: {{ .Release.Name }} - helm.sh/chart: {{ include "ambassador.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- if .Values.deploymentTool }} - app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} - {{- else }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- end }} - {{- end }} - product: aes -spec: - ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-agent - app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} diff --git a/charts/emissary-ingress/values.yaml.in b/charts/emissary-ingress/values.yaml.in index abe1dcaa240..4f5f7c2ba9d 100644 --- a/charts/emissary-ingress/values.yaml.in +++ b/charts/emissary-ingress/values.yaml.in 
@@ -406,37 +406,91 @@ prometheusExporter: # +doc-gen:break # runAsUser: 8888 -# Configure the ambassador agent -agent: - # If `true`, installs the ambassador-agent Deployment, ServiceAccount and ClusterRole in the ambassador namespace, enabling the Ambassador Cloud connectivity. - enabled: true - # API token for reporting snapshots to [Ambassador Cloud](https://app.getambassador.io/cloud/); - # If empty, agent will not report snapshots - cloudConnectToken: '' - # Address of the Ambassador Cloud rpc server. - rpcAddress: https://app.getambassador.io/ - - # If `true`, Ambassador Agent will report diagnostics to Ambassador Cloud - reportDiagnostics: true - - createArgoRBAC: true +ambassador-agent: image: - # Leave blank to use image.repository and image.tag - tag: 1.0.14 - repository: docker.io/ambassador/ambassador-agent pullPolicy: IfNotPresent + # tag: - podSecurityContext: {} - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core - # runAsUser: 8888 + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" - containerSecurityContext: {} - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core - # allowPrivilegeEscalation: false + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: {} + + podSecurityContext: + {} + # fsGroup: 2000 + + securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + + resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. 
This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + edgestack: + # agent: + # name: + # namespace: + # snapshotPort: + + rpcAddress: "" + + progressDeadline: 0 + + cloudConnectToken: "" + + logLevel: "info" + docker: + useImagePullSecret: false + imagePullSecretName: "" + + rbac: + nameOverride: "" + namespaces: [] + argo: true + + createNamespace: false - nodeSelector: {} tolerations: [] - affinity: {} + +agent: + # If `true`, installs the ambassador-agent Deployment enabling the Ambassador Cloud connectivity. + enabled: true deploymentTool: '' diff --git a/k8s-config/emissary-defaultns/require.yaml b/k8s-config/emissary-defaultns/require.yaml index 445425d58e2..44960a6d1e5 100644 --- a/k8s-config/emissary-defaultns/require.yaml +++ b/k8s-config/emissary-defaultns/require.yaml @@ -3,7 +3,6 @@ _anchors: resources: - { kind: Service, name: emissary-ingress-admin, namespace: *namespace } - { kind: Service, name: emissary-ingress, namespace: *namespace } - - { kind: Service, name: emissary-ingress-agent, namespace: *namespace } - { kind: ClusterRole, name: emissary-ingress } - { kind: ServiceAccount, name: emissary-ingress, namespace: *namespace } - { kind: ClusterRoleBinding, name: emissary-ingress } 
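Review bot: In values.yaml.in the agent settings move from `agent.*` to `ambassador-agent.*` under different names (`containerSecurityContext` becomes `securityContext`, `createArgoRBAC` becomes `rbac.argo`), and the remaining `agent:` block keeps only `enabled`. An existing values file that sets `agent.podSecurityContext`, `agent.containerSecurityContext` or `agent.cloudConnectToken` would therefore presumably be ignored after an upgrade without any error. A comment above the new block, e.g. `# Values passed to the ambassador-agent subchart; replaces the former agent.* settings except agent.enabled`, plus an upgrade note, makes that visible. The default `rpcAddress` also changes from `https://app.getambassador.io/` to `""`, which shows up as `RPC_CONNECTION_ADDRESS` with `value: null` in the regenerated manifest later in this diff.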
@@ -11,17 +10,35 @@ resources: - { kind: ClusterRole, name: emissary-ingress-watch } - { kind: Deployment, name: emissary-ingress, namespace: *namespace } - { kind: Module, name: ambassador, namespace: *namespace } - - { kind: ServiceAccount, name: emissary-ingress-agent, namespace: *namespace } - - { kind: ClusterRoleBinding, name: emissary-ingress-agent } - - { kind: ClusterRole, name: emissary-ingress-agent } - - { kind: ClusterRole, name: emissary-ingress-agent-pods } - - { kind: ClusterRole, name: emissary-ingress-agent-rollouts } - - { kind: ClusterRole, name: emissary-ingress-agent-applications } - - { kind: ClusterRole, name: emissary-ingress-agent-deployments } - - { kind: ClusterRole, name: emissary-ingress-agent-endpoints } - - { kind: ClusterRole, name: emissary-ingress-agent-configmaps } - - { kind: Role, name: emissary-ingress-agent-config, namespace: *namespace } - - { kind: RoleBinding, name: emissary-ingress-agent-config, namespace: *namespace } - - { kind: Role, name: emissary-ingress-apiext, namespace: emissary-system} - - { kind: RoleBinding, name: emissary-ingress-apiext, namespace: emissary-system} - - { kind: Deployment, name: emissary-ingress-agent, namespace: *namespace } + - { kind: Role, name: emissary-ingress-apiext, namespace: emissary-system } + - { kind: RoleBinding, name: emissary-ingress-apiext, namespace: emissary-system } + # - { kind: Service, name: emissary-ingress-agent, namespace: *namespace } + # - { kind: ServiceAccount, name: emissary-ingress-agent, namespace: *namespace } + # - { kind: ClusterRoleBinding, name: emissary-ingress-agent } + # - { kind: ClusterRole, name: emissary-ingress-agent } + # - { kind: ClusterRole, name: emissary-ingress-agent-pods } + # - { kind: ClusterRole, name: emissary-ingress-agent-rollouts } + # - { kind: ClusterRole, name: emissary-ingress-agent-applications } + # - { kind: ClusterRole, name: emissary-ingress-agent-deployments } + # - { kind: ClusterRole, name: emissary-ingress-agent-endpoints 
} + # - { kind: ClusterRole, name: emissary-ingress-agent-configmaps } + # - { kind: Role, name: emissary-ingress-agent-config, namespace: *namespace } + # - { kind: RoleBinding, name: emissary-ingress-agent-config, namespace: *namespace } + # - { kind: Deployment, name: emissary-ingress-agent, namespace: *namespace } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-applications } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-default-ns } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-deployments } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-endpoints } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-ingresses } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-pods } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-rollouts } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent } + - { kind: ClusterRoleBinding, name: emissary-ingress-ambassador-agent } + - { kind: Deployment, name: emissary-ingress-ambassador-agent, namespace: *namespace } + - { kind: Pod, name: emissary-ingress-ambassador-agent-test-connection } + - { kind: Role, name: emissary-ingress-ambassador-agent-config, namespace: *namespace } + - { kind: Role, name: emissary-ingress-ambassador-agent-leaderelection, namespace: *namespace } + - { kind: RoleBinding, name: emissary-ingress-ambassador-agent-config, namespace: *namespace } + - { kind: RoleBinding, name: emissary-ingress-ambassador-agent-leaderelection, namespace: *namespace } + - { kind: Service, name: emissary-ingress-ambassador-agent, namespace: *namespace } + - { kind: ServiceAccount, name: emissary-ingress-ambassador-agent, namespace: *namespace } diff --git a/k8s-config/emissary-emissaryns/require.yaml b/k8s-config/emissary-emissaryns/require.yaml index 42146be22d3..51a70b1924a 100644 --- a/k8s-config/emissary-emissaryns/require.yaml +++ b/k8s-config/emissary-emissaryns/require.yaml 
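Review bot: The new entry `{ kind: Pod, name: emissary-ingress-ambassador-agent-test-connection }` makes the subchart's test hook a required resource; in the regenerated manifest later in this diff that Pod carries `helm.sh/hook: test` and runs `wget` from an untagged `busybox` image. If require.yaml decides what is kept in the shipped manifest, a plain `kubectl apply` would create a test Pod from a floating image on every install, so leaving the entry out looks safer. The thirteen commented-out `emissary-ingress-agent` entries are dead lines that can be deleted rather than kept as comments. Both points apply equally to the matching hunk in k8s-config/emissary-emissaryns/require.yaml.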
@@ -3,7 +3,6 @@ _anchors: resources: - { kind: Service, name: emissary-ingress-admin, namespace: *namespace } - { kind: Service, name: emissary-ingress, namespace: *namespace } - - { kind: Service, name: emissary-ingress-agent, namespace: *namespace } - { kind: ClusterRole, name: emissary-ingress } - { kind: ServiceAccount, name: emissary-ingress, namespace: *namespace } - { kind: ClusterRoleBinding, name: emissary-ingress } 
@@ -11,17 +10,36 @@ resources: - { kind: ClusterRole, name: emissary-ingress-watch } - { kind: Deployment, name: emissary-ingress, namespace: *namespace } - { kind: Module, name: ambassador, namespace: *namespace } - - { kind: ServiceAccount, name: emissary-ingress-agent, namespace: *namespace } - - { kind: ClusterRoleBinding, name: emissary-ingress-agent } - - { kind: ClusterRole, name: emissary-ingress-agent } - - { kind: ClusterRole, name: emissary-ingress-agent-pods } - - { kind: ClusterRole, name: emissary-ingress-agent-rollouts } - - { kind: ClusterRole, name: emissary-ingress-agent-applications } - - { kind: ClusterRole, name: emissary-ingress-agent-deployments } - - { kind: ClusterRole, name: emissary-ingress-agent-endpoints } - - { kind: ClusterRole, name: emissary-ingress-agent-configmaps } - - { kind: Role, name: emissary-ingress-agent-config, namespace: *namespace } - - { kind: RoleBinding, name: emissary-ingress-agent-config, namespace: *namespace } - { kind: Role, name: emissary-ingress-apiext, namespace: emissary-system} - { kind: RoleBinding, name: emissary-ingress-apiext, namespace: emissary-system} - - { kind: Deployment, name: emissary-ingress-agent, namespace: *namespace } + # - { kind: Service, name: emissary-ingress-agent, namespace: *namespace } + # - { kind: ServiceAccount, name: emissary-ingress-agent, namespace: *namespace } + # - { kind: ClusterRoleBinding, name: emissary-ingress-agent } + # - { kind: ClusterRole, name: emissary-ingress-agent } + # - { kind: ClusterRole, name: emissary-ingress-agent-pods } + # - { kind: ClusterRole, name: emissary-ingress-agent-rollouts } + # - { kind: ClusterRole, name: emissary-ingress-agent-applications } + # - { kind: ClusterRole, name: emissary-ingress-agent-deployments } + # - { kind: ClusterRole, name: emissary-ingress-agent-endpoints } + # - { kind: ClusterRole, name: emissary-ingress-agent-configmaps } + # - { kind: Role, name: emissary-ingress-agent-config, namespace: *namespace } + # - { kind: 
RoleBinding, name: emissary-ingress-agent-config, namespace: *namespace } + # - { kind: Deployment, name: emissary-ingress-agent, namespace: *namespace } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-applications } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-default-ns } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-deployments } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-endpoints } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-ingresses } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-pods } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent-rollouts } + - { kind: ClusterRole, name: emissary-ingress-ambassador-agent } + - { kind: ClusterRoleBinding, name: emissary-ingress-ambassador-agent } + - { kind: Deployment, name: emissary-ingress-ambassador-agent, namespace: *namespace } + - { kind: Pod, name: emissary-ingress-ambassador-agent-test-connection } + - { kind: Role, name: emissary-ingress-ambassador-agent-config, namespace: *namespace } + - { kind: Role, name: emissary-ingress-ambassador-agent-leaderelection, namespace: *namespace } + - { kind: RoleBinding, name: emissary-ingress-ambassador-agent-config, namespace: *namespace } + - { kind: RoleBinding, name: emissary-ingress-ambassador-agent-leaderelection, namespace: *namespace } + - { kind: Service, name: emissary-ingress-ambassador-agent, namespace: *namespace } + - { kind: ServiceAccount, name: emissary-ingress-ambassador-agent, namespace: *namespace } + diff --git a/manifests/emissary/emissary-defaultns.yaml.in b/manifests/emissary/emissary-defaultns.yaml.in index cd7e87ac4b9..a1da18a2619 100644 --- a/manifests/emissary/emissary-defaultns.yaml.in +++ b/manifests/emissary/emissary-defaultns.yaml.in 
@@ -74,23 +74,6 @@ spec: profile: main type: LoadBalancer --- -apiVersion: v1 -kind: Service -metadata: - labels: - product: aes - name: emissary-ingress-agent - namespace: default -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/name: emissary-ingress-agent ---- aggregationRule: clusterRoleSelectors: - matchLabels: 
@@ -407,113 +390,129 @@ spec: allow_non_local: true enabled: false --- -apiVersion: v1 -kind: ServiceAccount +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: labels: app.kubernetes.io/instance: emissary-ingress app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent + app.kubernetes.io/name: emissary-ingress app.kubernetes.io/part-of: emissary-ingress product: aes - name: emissary-ingress-agent - namespace: default + rbac.getambassador.io/role-group: emissary-ingress + name: emissary-ingress-apiext + namespace: emissary-system +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: labels: app.kubernetes.io/instance: emissary-ingress app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent + app.kubernetes.io/name: emissary-ingress app.kubernetes.io/part-of: emissary-ingress product: aes - name: emissary-ingress-agent + name: emissary-ingress-apiext + namespace: emissary-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: emissary-ingress-agent + kind: Role + name: emissary-ingress-apiext subjects: - kind: ServiceAccount - name: emissary-ingress-agent + name: emissary-ingress namespace: default --- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.getambassador.io/role-group: emissary-ingress-agent apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-agent -rules: [] + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + 
rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-applications +rules: +- apiGroups: + - argoproj.io + resources: + - applications + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-pods + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-default-ns rules: - apiGroups: - "" + resourceNames: + - default resources: - - pods + - namespaces verbs: - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-rollouts + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-deployments rules: - apiGroups: - - argoproj.io + - apps + - extensions resources: - - rollouts - - rollouts/status + - deployments verbs: - get - list - watch - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: 
getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-applications + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-endpoints rules: - apiGroups: - - argoproj.io + - "" resources: - - applications + - endpoints + - services verbs: - get - list @@ -524,18 +523,18 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-deployments + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-ingresses rules: - apiGroups: - - apps + - networking.k8s.io - extensions resources: - - deployments + - ingresses verbs: - get - list 
@@ -546,17 +545,17 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-endpoints + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-pods rules: - apiGroups: - "" resources: - - endpoints + - pods verbs: - get - list 
@@ -567,32 +566,137 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-configmaps + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-rollouts rules: - apiGroups: - - "" + - argoproj.io resources: - - configmaps + - rollouts + - rollouts/status verbs: - get - list - watch + - patch +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: emissary-ingress-ambassador-agent +subjects: +- kind: ServiceAccount + name: emissary-ingress-ambassador-agent + namespace: default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + 
app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/name: ambassador-agent + template: + metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/name: ambassador-agent + spec: + containers: + - env: + - name: LOG_LEVEL + value: info + - name: AGENT_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: AGENT_CONFIG_RESOURCE_NAME + value: emissary-ingress-ambassador-agent-cloud-token + - name: RPC_CONNECTION_ADDRESS + value: null + image: docker.io/ambassador/ambassador-agent:1.0.15 + imagePullPolicy: IfNotPresent + name: ambassador-agent + ports: + - containerPort: 8080 + name: http + resources: {} + securityContext: {} + securityContext: {} + serviceAccountName: emissary-ingress-ambassador-agent +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + helm.sh/hook: test + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-test-connection +spec: + containers: + - args: + - 'emissary-ingress-ambassador-agent:' + command: + - wget + image: busybox + name: wget + restartPolicy: Never --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-agent-config + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-config namespace: default 
rules: - apiGroups: 
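Review bot: The `emissary-ingress-ambassador-agent-test-connection` Pod added near the end of this hunk carries `helm.sh/hook: test`, which only Helm interprets; if this manifest is applied with kubectl, the Pod is created alongside the real workload and pulls `image: busybox` with no tag or digest. An untagged image resolves to whatever `latest` points at when the Pod is scheduled, so this file does not fix what actually runs. Either leave hook resources out of the rendered manifest or pin the image, e.g. `image: busybox:<tag>@sha256:<digest>` (placeholder values). The wget argument `'emissary-ingress-ambassador-agent:'` also ends in a bare colon, which suggests the port value did not render. The same Pod appears in the matching hunk of emissary-emissaryns.yaml.in.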
@@ -610,120 +714,99 @@ rules: verbs: - get - list - - watch - create - delete - patch + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-leaderelection + namespace: default +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-agent-config + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-config namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: emissary-ingress-agent-config + name: emissary-ingress-ambassador-agent-config subjects: - kind: ServiceAccount - name: emissary-ingress-agent + name: emissary-ingress-ambassador-agent namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress - name: emissary-ingress-apiext - namespace: emissary-system -rules: -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/instance: emissary-ingress - 
app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-apiext - namespace: emissary-system + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-leaderelection + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: emissary-ingress-apiext + name: emissary-ingress-ambassador-agent-leaderelection subjects: - kind: ServiceAccount - name: emissary-ingress + name: emissary-ingress-ambassador-agent namespace: default --- -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Service metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-agent + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent namespace: default spec: - progressDeadlineSeconds: 600 - replicas: 1 + ports: + - name: http + port: 80 + targetPort: http selector: - matchLabels: - app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/name: emissary-ingress-agent - template: - metadata: - labels: - app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - spec: - containers: - - env: - - name: AGENT_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: AGENT_CONFIG_RESOURCE_NAME - value: emissary-ingress-agent-cloud-token - - name: RPC_CONNECTION_ADDRESS - value: https://app.getambassador.io/ - - name: 
AES_SNAPSHOT_URL - value: http://emissary-ingress-admin.default:8005/snapshot-external - - name: AES_REPORT_DIAGNOSTICS_TO_CLOUD - value: "true" - - name: AES_DIAGNOSTICS_URL - value: http://emissary-ingress-admin.default:8877/ambassador/v0/diag/?json=true - image: docker.io/ambassador/ambassador-agent:1.0.14 - imagePullPolicy: IfNotPresent - name: agent - ports: - - containerPort: 8080 - name: http - serviceAccountName: emissary-ingress-agent + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/name: ambassador-agent + type: ClusterIP +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent + namespace: default diff --git a/manifests/emissary/emissary-emissaryns.yaml.in b/manifests/emissary/emissary-emissaryns.yaml.in index f4159f11d10..1a069111e09 100644 --- a/manifests/emissary/emissary-emissaryns.yaml.in +++ b/manifests/emissary/emissary-emissaryns.yaml.in @@ -74,23 +74,6 @@ spec: profile: main type: LoadBalancer --- -apiVersion: v1 -kind: Service -metadata: - labels: - product: aes - name: emissary-ingress-agent - namespace: emissary -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/name: emissary-ingress-agent ---- aggregationRule: clusterRoleSelectors: - matchLabels: 
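Review bot: The `emissary-ingress-ambassador-agent-leaderelection` Role added in the emissary-defaultns.yaml.in hunk grants `verbs: ['*']` on `leases` in `coordination.k8s.io`, which includes `delete` and `deletecollection` on every lease in the namespace, not only the agent's own. Leader election normally needs much less; an explicit list such as `verbs: [get, create, update]` would keep this ServiceAccount from removing or rewriting other controllers' leases. The verb set the agent's election code actually uses is not visible here, so confirm it before tightening. The same Role is added in the matching hunk of emissary-emissaryns.yaml.in, and if these manifests are rendered from the ambassador-agent chart, the change belongs in that chart's template.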
@@ -407,113 +390,129 @@ spec: allow_non_local: true enabled: false --- -apiVersion: v1 -kind: ServiceAccount +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: labels: app.kubernetes.io/instance: emissary-ingress app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent + app.kubernetes.io/name: emissary-ingress app.kubernetes.io/part-of: emissary-ingress product: aes - name: emissary-ingress-agent - namespace: emissary + rbac.getambassador.io/role-group: emissary-ingress + name: emissary-ingress-apiext + namespace: emissary-system +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: labels: app.kubernetes.io/instance: emissary-ingress app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent + app.kubernetes.io/name: emissary-ingress app.kubernetes.io/part-of: emissary-ingress product: aes - name: emissary-ingress-agent + name: emissary-ingress-apiext + namespace: emissary-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: emissary-ingress-agent + kind: Role + name: emissary-ingress-apiext subjects: - kind: ServiceAccount - name: emissary-ingress-agent + name: emissary-ingress namespace: emissary --- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.getambassador.io/role-group: emissary-ingress-agent apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-agent -rules: [] + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + 
rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-applications +rules: +- apiGroups: + - argoproj.io + resources: + - applications + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-pods + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-default-ns rules: - apiGroups: - "" + resourceNames: + - default resources: - - pods + - namespaces verbs: - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-rollouts + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-deployments rules: - apiGroups: - - argoproj.io + - apps + - extensions resources: - - rollouts - - rollouts/status + - deployments verbs: - get - list - watch - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: 
getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-applications + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-endpoints rules: - apiGroups: - - argoproj.io + - "" resources: - - applications + - endpoints + - services verbs: - get - list @@ -524,18 +523,18 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-deployments + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-ingresses rules: - apiGroups: - - apps + - networking.k8s.io - extensions resources: - - deployments + - ingresses verbs: - get - list 
@@ -546,17 +545,17 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-endpoints + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-pods rules: - apiGroups: - "" resources: - - endpoints + - pods verbs: - get - list 
@@ -567,32 +566,137 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress-agent - name: emissary-ingress-agent-configmaps + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent + name: emissary-ingress-ambassador-agent-rollouts rules: - apiGroups: - - "" + - argoproj.io resources: - - configmaps + - rollouts + - rollouts/status verbs: - get - list - watch + - patch +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.getambassador.io/role-group: emissary-ingress-ambassador-agent +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: emissary-ingress-ambassador-agent +subjects: +- kind: ServiceAccount + name: emissary-ingress-ambassador-agent + namespace: emissary +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + 
app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent + namespace: emissary +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/name: ambassador-agent + template: + metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/name: ambassador-agent + spec: + containers: + - env: + - name: LOG_LEVEL + value: info + - name: AGENT_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: AGENT_CONFIG_RESOURCE_NAME + value: emissary-ingress-ambassador-agent-cloud-token + - name: RPC_CONNECTION_ADDRESS + value: null + image: docker.io/ambassador/ambassador-agent:1.0.15 + imagePullPolicy: IfNotPresent + name: ambassador-agent + ports: + - containerPort: 8080 + name: http + resources: {} + securityContext: {} + securityContext: {} + serviceAccountName: emissary-ingress-ambassador-agent +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + helm.sh/hook: test + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-test-connection +spec: + containers: + - args: + - 'emissary-ingress-ambassador-agent:' + command: + - wget + image: busybox + name: wget + restartPolicy: Never --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-agent-config + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-config namespace: 
emissary rules: - apiGroups: 
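Review bot: The new `emissary-ingress-ambassador-agent` Deployment in this hunk renders `securityContext: {}` at both container and pod level, so the agent runs with the runtime's defaults while holding a cluster-wide ClusterRoleBinding. Hardening the container context as sketched below would limit what a compromised agent process can do on the node. Confirm that the `ambassador-agent:1.0.15` image runs as a non-root user before enabling `runAsNonRoot`. The manifest appears to be rendered from the ambassador-agent chart, so these fields would be set through that chart's values, not edited here. The Deployment in the matching hunk of emissary-defaultns.yaml.in has the same empty contexts.

```yaml
        # … unchanged: env, image, imagePullPolicy, name, ports …
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
      # … unchanged: pod-level securityContext, serviceAccountName …
```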
@@ -610,120 +714,99 @@ rules: verbs: - get - list - - watch - create - delete - patch + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-leaderelection + namespace: emissary +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-agent-config + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-config namespace: emissary roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: emissary-ingress-agent-config + name: emissary-ingress-ambassador-agent-config subjects: - kind: ServiceAccount - name: emissary-ingress-agent + name: emissary-ingress-ambassador-agent namespace: emissary --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress - app.kubernetes.io/part-of: emissary-ingress - product: aes - rbac.getambassador.io/role-group: emissary-ingress - name: emissary-ingress-apiext - namespace: emissary-system -rules: -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/instance: emissary-ingress - 
app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-apiext - namespace: emissary-system + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent-leaderelection + namespace: emissary roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: emissary-ingress-apiext + name: emissary-ingress-ambassador-agent-leaderelection subjects: - kind: ServiceAccount - name: emissary-ingress + name: emissary-ingress-ambassador-agent namespace: emissary --- -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Service metadata: labels: app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - name: emissary-ingress-agent + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent namespace: emissary spec: - progressDeadlineSeconds: 600 - replicas: 1 + ports: + - name: http + port: 80 + targetPort: http selector: - matchLabels: - app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/name: emissary-ingress-agent - template: - metadata: - labels: - app.kubernetes.io/instance: emissary-ingress - app.kubernetes.io/managed-by: getambassador.io - app.kubernetes.io/name: emissary-ingress-agent - app.kubernetes.io/part-of: emissary-ingress - product: aes - spec: - containers: - - env: - - name: AGENT_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: AGENT_CONFIG_RESOURCE_NAME - value: emissary-ingress-agent-cloud-token - - name: RPC_CONNECTION_ADDRESS - value: https://app.getambassador.io/ - - 
name: AES_SNAPSHOT_URL - value: http://emissary-ingress-admin.emissary:8005/snapshot-external - - name: AES_REPORT_DIAGNOSTICS_TO_CLOUD - value: "true" - - name: AES_DIAGNOSTICS_URL - value: http://emissary-ingress-admin.emissary:8877/ambassador/v0/diag/?json=true - image: docker.io/ambassador/ambassador-agent:1.0.14 - imagePullPolicy: IfNotPresent - name: agent - ports: - - containerPort: 8080 - name: http - serviceAccountName: emissary-ingress-agent + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/name: ambassador-agent + type: ClusterIP +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: emissary-ingress + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ambassador-agent + app.kubernetes.io/version: 1.0.15 + helm.sh/chart: ambassador-agent-1.0.15 + name: emissary-ingress-ambassador-agent + namespace: emissary