From b2565d6cd0f982043c977a0234145931ac173001 Mon Sep 17 00:00:00 2001 From: Travis Raines <571832+rainest@users.noreply.github.com> Date: Thu, 24 Feb 2022 11:11:17 -0800 Subject: [PATCH 1/2] feat(controllers) add IngressClass v1 Add an IngressClass controller. Add IngressClass functions to the stores. Add IngressClass permissions and a default IngressClass resource to the manifests. --- CHANGELOG.md | 6 ++ config/base/ingressclass.yaml | 6 ++ config/base/kustomization.yaml | 1 + config/rbac/role.yaml | 16 +++++ .../all-in-one-dbless-k4k8s-enterprise.yaml | 23 +++++++ deploy/single/all-in-one-dbless.yaml | 23 +++++++ .../all-in-one-postgres-enterprise.yaml | 23 +++++++ deploy/single/all-in-one-postgres.yaml | 23 +++++++ .../generators/controllers/networking/main.go | 12 ++++ .../configuration/zz_generated_controllers.go | 61 +++++++++++++++++++ internal/manager/config.go | 2 + internal/manager/controllerdef.go | 10 +++ internal/store/fake_store.go | 9 +++ internal/store/fake_store_test.go | 35 +++++++++++ internal/store/store.go | 37 ++++++++++- 15 files changed, 285 insertions(+), 2 deletions(-) create mode 100644 config/base/ingressclass.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 0075563443..0248db64c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -48,6 +48,12 @@ > Release date: TBD +#### Added + +- Deployment manifests now include an IngressClass resource and permissions to + read IngressClass resources. + [#2292](https://github.com/Kong/kubernetes-ingress-controller/pull/2292) + #### Fixed - Unconfigured fields now use their default value according to the Kong proxy diff --git a/config/base/ingressclass.yaml b/config/base/ingressclass.yaml new file mode 100644 index 0000000000..fdf99576f8 --- /dev/null +++ b/config/base/ingressclass.yaml @@ -0,0 +1,6 @@ +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: kong +spec: + controller: ingress-controllers.konghq.com/kong 
diff --git a/config/base/kustomization.yaml b/config/base/kustomization.yaml index 9dca2e3b22..818ae5ee4f 100644 --- a/config/base/kustomization.yaml +++ b/config/base/kustomization.yaml @@ -3,6 +3,7 @@ resources: - namespace.yaml - ../crd - ../rbac +- ingressclass.yaml - service.yaml - serviceaccount.yaml - validation-service.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 4d275df76d..a0f27847c2 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -248,6 +248,22 @@ rules: - get - patch - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses/status + verbs: + - get + - patch + - update - apiGroups: - networking.k8s.io resources: diff --git a/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml b/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml index b28d3bfa34..a4e43e6873 100644 --- a/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml +++ b/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml @@ -1198,6 +1198,22 @@ rules: - get - patch - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses/status + verbs: + - get + - patch + - update - apiGroups: - networking.k8s.io resources: @@ -1414,3 +1430,10 @@ spec: imagePullSecrets: - name: kong-enterprise-edition-docker serviceAccountName: kong-serviceaccount +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: kong +spec: + controller: ingress-controllers.konghq.com/kong diff --git a/deploy/single/all-in-one-dbless.yaml b/deploy/single/all-in-one-dbless.yaml index 11b6fff4ce..c69687fdf1 100644 --- a/deploy/single/all-in-one-dbless.yaml +++ b/deploy/single/all-in-one-dbless.yaml 
@@ -1198,6 +1198,22 @@ rules: - get - patch - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses/status + verbs: + - get + - patch + - update - apiGroups: - networking.k8s.io resources: @@ -1407,3 +1423,10 @@ spec: successThreshold: 1 timeoutSeconds: 1 serviceAccountName: kong-serviceaccount +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: kong +spec: + controller: ingress-controllers.konghq.com/kong diff --git a/deploy/single/all-in-one-postgres-enterprise.yaml b/deploy/single/all-in-one-postgres-enterprise.yaml index 2c68b6ed1a..6b89424468 100644 --- a/deploy/single/all-in-one-postgres-enterprise.yaml +++ b/deploy/single/all-in-one-postgres-enterprise.yaml @@ -1198,6 +1198,22 @@ rules: - get - patch - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses/status + verbs: + - get + - patch + - update - apiGroups: - networking.k8s.io resources: @@ -1597,3 +1613,10 @@ spec: image: busybox name: wait-for-postgres restartPolicy: OnFailure +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: kong +spec: + controller: ingress-controllers.konghq.com/kong diff --git a/deploy/single/all-in-one-postgres.yaml b/deploy/single/all-in-one-postgres.yaml index be59874729..48de96a449 100644 --- a/deploy/single/all-in-one-postgres.yaml +++ b/deploy/single/all-in-one-postgres.yaml @@ -1198,6 +1198,22 @@ rules: - get - patch - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses/status + verbs: + - get + - patch + - update - apiGroups: - networking.k8s.io resources: 
@@ -1522,3 +1538,10 @@ spec: image: busybox name: wait-for-postgres restartPolicy: OnFailure +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: kong +spec: + controller: ingress-controllers.konghq.com/kong diff --git a/hack/generators/controllers/networking/main.go b/hack/generators/controllers/networking/main.go index f071527340..37ce0be6b6 100644 --- a/hack/generators/controllers/networking/main.go +++ b/hack/generators/controllers/networking/main.go @@ -79,6 +79,18 @@ var inputControllersNeeded = &typesNeeded{ AcceptsIngressClassNameSpec: true, RBACVerbs: []string{"get", "list", "watch"}, }, + typeNeeded{ + PackageImportAlias: "netv1", + PackageAlias: "NetV1", + Package: netv1, + Type: "IngressClass", + Plural: "ingressclasses", + URL: "networking.k8s.io", + CacheType: "IngressV1", + AcceptsIngressClassNameAnnotation: false, + AcceptsIngressClassNameSpec: false, + RBACVerbs: []string{"get", "list", "watch"}, + }, typeNeeded{ PackageImportAlias: "netv1beta1", PackageAlias: "NetV1Beta1", diff --git a/internal/controllers/configuration/zz_generated_controllers.go b/internal/controllers/configuration/zz_generated_controllers.go index b6571cd19c..c43572b8d8 100644 --- a/internal/controllers/configuration/zz_generated_controllers.go +++ b/internal/controllers/configuration/zz_generated_controllers.go 
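Review bot: `CacheType: "IngressV1"` in the new IngressClass entry looks copied from the Ingress entry above it, while the store this series adds for the type is named `IngressClassV1` (see the `CacheStores` change in internal/store/store.go). If the generator template uses `CacheType` to select a store, the generated reconciler would point at the Ingress store; if the field is unused, the value is still misleading. I would change it to `CacheType: "IngressClassV1",`. The template code that consumes this field is outside the hunk, so the runtime effect is not confirmed from here.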
@@ -297,6 +297,67 @@ func (r *NetV1IngressReconciler) Reconcile(ctx context.Context, req ctrl.Request return ctrl.Result{}, nil } +// ----------------------------------------------------------------------------- +// NetV1 IngressClass +// ----------------------------------------------------------------------------- + +// NetV1IngressClass reconciles IngressClass resources +type NetV1IngressClassReconciler struct { + client.Client + + Log logr.Logger + Scheme *runtime.Scheme + Proxy proxy.Proxy +} + +// SetupWithManager sets up the controller with the Manager. +func (r *NetV1IngressClassReconciler) SetupWithManager(mgr ctrl.Manager) error { + return ctrl.NewControllerManagedBy(mgr).For(&netv1.IngressClass{}).Complete(r) +} + +//+kubebuilder:rbac:groups=networking.k8s.io,resources=ingressclasses,verbs=get;list;watch +//+kubebuilder:rbac:groups=networking.k8s.io,resources=ingressclasses/status,verbs=get;update;patch + +// Reconcile processes the watched objects +func (r *NetV1IngressClassReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + log := r.Log.WithValues("NetV1IngressClass", req.NamespacedName) + + // get the relevant object + obj := new(netv1.IngressClass) + if err := r.Get(ctx, req.NamespacedName, obj); err != nil { + if errors.IsNotFound(err) { + obj.Namespace = req.Namespace + obj.Name = req.Name + return ctrlutils.EnsureProxyDeleteObject(r.Proxy, obj) + } + return ctrl.Result{}, err + } + log.V(util.DebugLevel).Info("reconciling resource", "namespace", req.Namespace, "name", req.Name) + + // clean the object up if it's being deleted + if !obj.DeletionTimestamp.IsZero() && time.Now().After(obj.DeletionTimestamp.Time) { + log.V(util.DebugLevel).Info("resource is being deleted, its configuration will be removed", "type", "IngressClass", "namespace", req.Namespace, "name", req.Name) + objectExistsInCache, err := r.Proxy.ObjectExists(obj) + if err != nil { + return ctrl.Result{}, err + } + if objectExistsInCache { + if err := 
r.Proxy.DeleteObject(obj); err != nil { + return ctrl.Result{}, err + } + return ctrl.Result{Requeue: true}, nil // wait until the object is no longer present in the cache + } + return ctrl.Result{}, nil + } + + // update the kong Admin API with the changes + if err := r.Proxy.UpdateObject(obj); err != nil { + return ctrl.Result{}, err + } + + return ctrl.Result{}, nil +} + // ----------------------------------------------------------------------------- // NetV1Beta1 Ingress // ----------------------------------------------------------------------------- diff --git a/internal/manager/config.go b/internal/manager/config.go index 9b8ce18b82..b75495d235 100644 --- a/internal/manager/config.go +++ b/internal/manager/config.go @@ -69,6 +69,7 @@ type Config struct { IngressExtV1beta1Enabled bool IngressNetV1beta1Enabled bool IngressNetV1Enabled bool + IngressClassNetV1Enabled bool UDPIngressEnabled bool TCPIngressEnabled bool KongIngressEnabled bool @@ -155,6 +156,7 @@ func (c *Config) FlagSet() *pflag.FlagSet { // Kubernetes API toggling flagSet.BoolVar(&c.IngressNetV1Enabled, "enable-controller-ingress-networkingv1", true, "Enable the networking.k8s.io/v1 Ingress controller.") + flagSet.BoolVar(&c.IngressClassNetV1Enabled, "enable-controller-ingress-class-networkingv1", true, "Enable the networking.k8s.io/v1 IngressClass controller.") flagSet.BoolVar(&c.IngressNetV1beta1Enabled, "enable-controller-ingress-networkingv1beta1", true, "Enable the networking.k8s.io/v1beta1 Ingress controller.") flagSet.BoolVar(&c.IngressExtV1beta1Enabled, "enable-controller-ingress-extensionsv1beta1", true, "Enable the extensions/v1beta1 Ingress controller.") flagSet.BoolVar(&c.UDPIngressEnabled, "enable-controller-udpingress", true, "Enable the UDPIngress controller.") diff --git a/internal/manager/controllerdef.go b/internal/manager/controllerdef.go index f4760e461a..1eb2c63f6d 100644 --- a/internal/manager/controllerdef.go +++ b/internal/manager/controllerdef.go 
@@ -83,6 +83,16 @@ func setupControllers(mgr manager.Manager, proxy proxy.Proxy, c *Config, feature IngressClassName: c.IngressClassName, }, }, + { + Enabled: c.IngressClassNetV1Enabled, + AutoHandler: ingressPicker.IsNetV1, + Controller: &configuration.NetV1IngressClassReconciler{ + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controllers").WithName("IngressClass").WithName("netv1"), + Scheme: mgr.GetScheme(), + Proxy: proxy, + }, + }, { Enabled: c.IngressNetV1beta1Enabled, AutoHandler: ingressPicker.IsNetV1beta1, diff --git a/internal/store/fake_store.go b/internal/store/fake_store.go index f37b1bc3ce..04d2ab4dfe 100644 --- a/internal/store/fake_store.go +++ b/internal/store/fake_store.go @@ -31,6 +31,7 @@ func clusterResourceKeyFunc(obj interface{}) (string, error) { type FakeObjects struct { IngressesV1beta1 []*networkingv1beta1.Ingress IngressesV1 []*networkingv1.Ingress + IngressClassesV1 []*networkingv1.IngressClass HTTPRoute []*gatewayv1alpha2.HTTPRoute TCPIngresses []*configurationv1beta1.TCPIngress UDPIngresses []*configurationv1beta1.UDPIngress @@ -64,6 +65,13 @@ func NewFakeStore( return nil, err } } + ingressClassV1Store := cache.NewStore(keyFunc) + for _, ingress := range objects.IngressClassesV1 { + err := ingressClassV1Store.Add(ingress) + if err != nil { + return nil, err + } + } httprouteStore := cache.NewStore(keyFunc) for _, httproute := range objects.HTTPRoute { if err := httprouteStore.Add(httproute); err != nil { @@ -144,6 +152,7 @@ func NewFakeStore( stores: CacheStores{ IngressV1beta1: ingressV1beta1Store, IngressV1: ingressV1Store, + IngressClassV1: ingressClassV1Store, HTTPRoute: httprouteStore, TCPIngress: tcpIngressStore, UDPIngress: udpIngressStore, diff --git a/internal/store/fake_store_test.go b/internal/store/fake_store_test.go index 036f60256b..fe4e523482 100644 --- a/internal/store/fake_store_test.go +++ b/internal/store/fake_store_test.go 
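Review bot: The new IngressClass controller entry is gated only on `c.IngressClassNetV1Enabled`, which defaults to true in config.go, and on `ingressPicker.IsNetV1`, so it also starts on installations whose ClusterRole predates the `ingressclasses` get/list/watch rule added in config/rbac/role.yaml. Nothing in this hunk checks that the permission is present, and a denied list/watch on this resource is likely to show up as repeated errors or a failed cache sync rather than a clean skip; which of the two is not confirmed from here. I would state the RBAC requirement as an upgrade step in the CHANGELOG entry and add a comment above the entry such as `// requires get/list/watch on networking.k8s.io ingressclasses (cluster-scoped)`. setupControllers starts and ends outside the hunk.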
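Review bot: `ingressClassV1Store := cache.NewStore(keyFunc)` keys a cluster-scoped resource with the namespaced key function, although this file also defines `clusterResourceKeyFunc` (visible in the first hunk's header); `c.IngressClassV1 = cache.NewStore(keyFunc)` in NewCacheStores in internal/store/store.go makes the same choice. Neither function body is in the diff, so whether the keys differ in practice is not confirmed, but if the other cluster-scoped stores use `clusterResourceKeyFunc` this one should match them in both places. As a style point, the loop variable is named `ingress` for a class and the error check is split over two statements; `for _, class := range objects.IngressClassesV1 {` with `if err := ingressClassV1Store.Add(class); err != nil {` would match the HTTPRoute loop that follows. NewFakeStore starts and ends outside these hunks.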
@@ -263,6 +263,41 @@ func TestFakeStoreIngressV1(t *testing.T) { assert.Len(store.ListIngressesV1beta1(), 0) } +func TestFakeStoreIngressClassV1(t *testing.T) { + assert := assert.New(t) + + classes := []*networkingv1.IngressClass{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + Spec: networkingv1.IngressClassSpec{ + Controller: ingressClassKongController, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + }, + Spec: networkingv1.IngressClassSpec{ + Controller: ingressClassKongController, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{ + Name: "baz", + }, + Spec: networkingv1.IngressClassSpec{ + Controller: "some-other-controller.example.com/controller", + }, + }, + } + store, err := NewFakeStore(FakeObjects{IngressClassesV1: classes}) + assert.Nil(err) + assert.NotNil(store) + assert.Len(store.ListIngressClassesV1(), 2) +} + func TestFakeStoreListTCPIngress(t *testing.T) { assert := assert.New(t) diff --git a/internal/store/store.go b/internal/store/store.go index 9b00acd535..82c6af07e9 100644 --- a/internal/store/store.go +++ b/internal/store/store.go @@ -48,8 +48,9 @@ import ( ) const ( - knativeIngressClassKey = "networking.knative.dev/ingress.class" - caCertKey = "konghq.com/ca-cert" + knativeIngressClassKey = "networking.knative.dev/ingress.class" + caCertKey = "konghq.com/ca-cert" + ingressClassKongController = "ingress-controllers.konghq.com/kong" ) // ErrNotFound error is returned when a lookup results in no resource. @@ -78,6 +79,7 @@ type Storer interface { ListIngressesV1beta1() []*networkingv1beta1.Ingress ListIngressesV1() []*networkingv1.Ingress + ListIngressClassesV1() []*networkingv1.IngressClass ListHTTPRoutes() ([]*gatewayv1alpha2.HTTPRoute, error) ListTCPIngresses() ([]*kongv1beta1.TCPIngress, error) ListUDPIngresses() ([]*kongv1beta1.UDPIngress, error) 
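Review bot: `assert.Len(store.ListIngressClassesV1(), 2)` checks only the count, so the test would still pass if the controller filter let `baz` through and dropped one of the Kong classes, and it does not cover the name ordering that ListIngressClassesV1 applies. I would assert the returned names instead, for example by collecting `c.Name` from the result and comparing with `[]string{"bar", "foo"}`. Because this filter decides which classes the controller treats as its own, the rejection of a foreign `spec.controller` value deserves an explicit assertion.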
@@ -113,6 +115,7 @@ type CacheStores struct { // Core Kubernetes Stores IngressV1beta1 cache.Store IngressV1 cache.Store + IngressClassV1 cache.Store Service cache.Store Secret cache.Store Endpoint cache.Store @@ -140,6 +143,7 @@ func NewCacheStores() (c CacheStores) { c.Consumer = cache.NewStore(keyFunc) c.Endpoint = cache.NewStore(keyFunc) c.IngressV1 = cache.NewStore(keyFunc) + c.IngressClassV1 = cache.NewStore(keyFunc) c.IngressV1beta1 = cache.NewStore(keyFunc) c.HTTPRoute = cache.NewStore(keyFunc) c.KnativeIngress = cache.NewStore(keyFunc) @@ -210,6 +214,8 @@ func (c CacheStores) Get(obj runtime.Object) (item interface{}, exists bool, err return c.IngressV1beta1.Get(obj) case *networkingv1.Ingress: return c.IngressV1.Get(obj) + case *networkingv1.IngressClass: + return c.IngressClassV1.Get(obj) case *corev1.Service: return c.Service.Get(obj) case *corev1.Secret: @@ -261,6 +267,8 @@ func (c CacheStores) Add(obj runtime.Object) error { return c.IngressV1beta1.Add(obj) case *networkingv1.Ingress: return c.IngressV1.Add(obj) + case *networkingv1.IngressClass: + return c.IngressClassV1.Add(obj) case *corev1.Service: return c.Service.Add(obj) case *corev1.Secret: @@ -313,6 +321,8 @@ func (c CacheStores) Delete(obj runtime.Object) error { return c.IngressV1beta1.Delete(obj) case *networkingv1.Ingress: return c.IngressV1.Delete(obj) + case *networkingv1.IngressClass: + return c.IngressClassV1.Delete(obj) case *corev1.Service: return c.Service.Delete(obj) case *corev1.Secret: 
@@ -438,6 +448,29 @@ func (s Store) ListIngressesV1() []*networkingv1.Ingress { return ingresses } +// ListIngressClassesV1 returns the list of Ingresses in the Ingress v1 store. +func (s Store) ListIngressClassesV1() []*networkingv1.IngressClass { + // filter ingress rules + var classes []*networkingv1.IngressClass + for _, item := range s.stores.IngressClassV1.List() { + class, ok := item.(*networkingv1.IngressClass) + if !ok { + s.logger.Warnf("listIngressClassesV1: dropping object of unexpected type: %#v", item) + continue + } + if class.Spec.Controller != ingressClassKongController { + continue + } + classes = append(classes, class) + } + + sort.SliceStable(classes, func(i, j int) bool { + return strings.Compare(classes[i].Name, classes[j].Name) < 0 + }) + + return classes +} + // ListIngressesV1beta1 returns the list of Ingresses in the Ingress v1beta1 store. func (s Store) ListIngressesV1beta1() []*networkingv1beta1.Ingress { // filter ingress rules From f4e6738d09e0b9c92dd844c43269fdf32bb654c8 Mon Sep 17 00:00:00 2001 From: Travis Raines <571832+rainest@users.noreply.github.com> Date: Tue, 1 Mar 2022 11:33:43 -0800 Subject: [PATCH 2/2] chore(rbac) remove IngressClass status permissions Add a new NeedsStatusPermissions field to the controller generator configuration. When true, the controller will include status permission annotations. Set NeedsStatusPermissions to false for IngressClass. --- config/rbac/role.yaml | 8 -------- .../all-in-one-dbless-k4k8s-enterprise.yaml | 8 -------- deploy/single/all-in-one-dbless.yaml | 8 -------- .../all-in-one-postgres-enterprise.yaml | 8 -------- deploy/single/all-in-one-postgres.yaml | 8 -------- .../generators/controllers/networking/main.go | 20 +++++++++++++++++++ .../configuration/zz_generated_controllers.go | 1 - 7 files changed, 20 insertions(+), 41 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index a0f27847c2..9ae73afb42 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
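Review bot: ListIngressClassesV1 keeps every class whose `Spec.Controller` equals the hard-coded `ingressClassKongController`, with no reference to the class name this instance is configured with (`c.IngressClassName` is what controllerdef.go passes to the Ingress reconciler). Where several controller instances share a cluster, each one would list the others' classes as well; whether that matters depends on callers that are not in this diff. The doc comment is also copied from the Ingress lister, and I would replace it with `// ListIngressClassesV1 returns the IngressClasses in the IngressClass v1 store whose spec.controller is the Kong controller, sorted by name.`. The `%#v` in the warning writes the whole unexpected object to the log; `%T` is enough to diagnose a type mismatch.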
@@ -256,14 +256,6 @@ rules: - get - list - watch -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses/status - verbs: - - get - - patch - - update - apiGroups: - networking.k8s.io resources: diff --git a/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml b/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml index a4e43e6873..4a0d038c46 100644 --- a/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml +++ b/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml @@ -1206,14 +1206,6 @@ rules: - get - list - watch -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses/status - verbs: - - get - - patch - - update - apiGroups: - networking.k8s.io resources: diff --git a/deploy/single/all-in-one-dbless.yaml b/deploy/single/all-in-one-dbless.yaml index c69687fdf1..40fe5bc301 100644 --- a/deploy/single/all-in-one-dbless.yaml +++ b/deploy/single/all-in-one-dbless.yaml @@ -1206,14 +1206,6 @@ rules: - get - list - watch -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses/status - verbs: - - get - - patch - - update - apiGroups: - networking.k8s.io resources: diff --git a/deploy/single/all-in-one-postgres-enterprise.yaml b/deploy/single/all-in-one-postgres-enterprise.yaml index 6b89424468..4936fdd180 100644 --- a/deploy/single/all-in-one-postgres-enterprise.yaml +++ b/deploy/single/all-in-one-postgres-enterprise.yaml @@ -1206,14 +1206,6 @@ rules: - get - list - watch -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses/status - verbs: - - get - - patch - - update - apiGroups: - networking.k8s.io resources: diff --git a/deploy/single/all-in-one-postgres.yaml b/deploy/single/all-in-one-postgres.yaml index 48de96a449..15665e56ba 100644 --- a/deploy/single/all-in-one-postgres.yaml +++ b/deploy/single/all-in-one-postgres.yaml 
@@ -1206,14 +1206,6 @@ rules: - get - list - watch -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses/status - verbs: - - get - - patch - - update - apiGroups: - networking.k8s.io resources: diff --git a/hack/generators/controllers/networking/main.go b/hack/generators/controllers/networking/main.go index 37ce0be6b6..9d083a04a0 100644 --- a/hack/generators/controllers/networking/main.go +++ b/hack/generators/controllers/networking/main.go @@ -39,6 +39,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "services", URL: "\"\"", CacheType: "Service", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: false, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, @@ -51,6 +52,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "endpoints", URL: "\"\"", CacheType: "Endpoint", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: false, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"list", "watch"}, @@ -63,6 +65,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "secrets", URL: "\"\"", CacheType: "Secret", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: false, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"list", "watch"}, @@ -75,6 +78,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "ingresses", URL: "networking.k8s.io", CacheType: "IngressV1", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: true, AcceptsIngressClassNameSpec: true, RBACVerbs: []string{"get", "list", "watch"}, @@ -87,6 +91,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "ingressclasses", URL: "networking.k8s.io", CacheType: "IngressV1", + NeedsStatusPermissions: false, AcceptsIngressClassNameAnnotation: false, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, 
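Review bot: `NeedsStatusPermissions: true` on the Endpoints and Secret entries (hunks `@@ -51,6 +52,7 @@` and `@@ -63,6 +65,7 @@`) keeps the generated `endpoints/status` and `secrets/status` get/update/patch markers, even though these entries request only `list` and `watch` on the resources themselves. Now that the field exists, I would set it to `false` for every type whose status the controller does not write, so the ClusterRole carries no unused write verbs; the same question applies to the KongPlugin, KongClusterPlugin and KongConsumer entries in the later hunks. Which reconcilers actually update status is not visible in this diff, so each change needs checking against the generated code. The zero value `false` is the safer default for entries added later, which is worth stating in the field's doc comment.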
@@ -99,6 +104,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "ingresses", URL: "networking.k8s.io", CacheType: "IngressV1beta1", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: true, AcceptsIngressClassNameSpec: true, RBACVerbs: []string{"get", "list", "watch"}, @@ -111,6 +117,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "ingresses", URL: "extensions", CacheType: "IngressV1beta1", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: true, AcceptsIngressClassNameSpec: true, RBACVerbs: []string{"get", "list", "watch"}, @@ -123,6 +130,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "kongingresses", URL: "configuration.konghq.com", CacheType: "KongIngress", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: false, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, @@ -135,6 +143,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "kongplugins", URL: "configuration.konghq.com", CacheType: "Plugin", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: false, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, @@ -147,6 +156,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "kongclusterplugins", URL: "configuration.konghq.com", CacheType: "ClusterPlugin", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: true, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, @@ -159,6 +169,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "kongconsumers", URL: "configuration.konghq.com", CacheType: "Consumer", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: true, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, 
@@ -171,6 +182,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "tcpingresses", URL: "configuration.konghq.com", CacheType: "TCPIngress", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: true, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, @@ -183,6 +195,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "udpingresses", URL: "configuration.konghq.com", CacheType: "UDPIngress", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: true, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, @@ -195,6 +208,7 @@ var inputControllersNeeded = &typesNeeded{ Plural: "ingresses", URL: "networking.internal.knative.dev", CacheType: "KnativeIngress", + NeedsStatusPermissions: true, AcceptsIngressClassNameAnnotation: true, AcceptsIngressClassNameSpec: false, RBACVerbs: []string{"get", "list", "watch"}, @@ -311,6 +325,10 @@ type typeNeeded struct { // AcceptsIngressClassNameSpec indicates the the object indicates the ingress.class that should support it via // an attribute in its specification named .IngressClassName AcceptsIngressClassNameSpec bool + + // NeedsStatusPermissions indicates whether permissions for the object should also include permissions to update + // its status + NeedsStatusPermissions bool } func (t *typeNeeded) generate(contents *bytes.Buffer) error { @@ -406,7 +424,9 @@ func (r *{{.PackageAlias}}{{.Type}}Reconciler) SetupWithManager(mgr ctrl.Manager } //+kubebuilder:rbac:groups={{.URL}},resources={{.Plural}},verbs={{ .RBACVerbs | join ";" }} +{{- if .NeedsStatusPermissions}} //+kubebuilder:rbac:groups={{.URL}},resources={{.Plural}}/status,verbs=get;update;patch +{{- end}} // Reconcile processes the watched objects func (r *{{.PackageAlias}}{{.Type}}Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { 
diff --git a/internal/controllers/configuration/zz_generated_controllers.go b/internal/controllers/configuration/zz_generated_controllers.go index c43572b8d8..ebf31c976b 100644 --- a/internal/controllers/configuration/zz_generated_controllers.go +++ b/internal/controllers/configuration/zz_generated_controllers.go @@ -316,7 +316,6 @@ func (r *NetV1IngressClassReconciler) SetupWithManager(mgr ctrl.Manager) error { } //+kubebuilder:rbac:groups=networking.k8s.io,resources=ingressclasses,verbs=get;list;watch -//+kubebuilder:rbac:groups=networking.k8s.io,resources=ingressclasses/status,verbs=get;update;patch // Reconcile processes the watched objects func (r *NetV1IngressClassReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {