Release v0.17.3 (#768)

* Add BackendConfig crd to provider cluster wide and namespace wide configs (#734)

* Add MeshConfig crd

* Reconcile objects automatically when MeshConfig is updated

* Add testcases

* Fix charts

* Use Watches

* Add rbac

* Fix ci

* Fix CVE

* Rename MeshConfig to BackendConfig

* fix ci

* Fix env test

* Fix ci

* Fix ci

* Add liveness in backend config (#767)

* Add liveness config in backendconfig

* Add ci

* Add pod field

* release v0.17.3

.ci/clusters/global_backend_config.yaml

@@ -0,0 +1,12 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: BackendConfig
+metadata:
+ name: global-backend-config
+spec:
+ env:
+ global1: globalvalue1
+ shared1: fromglobal
+ pod:
+ liveness:
+ initialDelaySeconds: 10
+ periodSeconds: 30

.ci/helm.sh

@@ -596,3 +596,26 @@ function ci::verify_log_topic_with_auth() {
  fi
  return 1
 }
+
+function ci::verify_env() {
+ pod="$1-function-0"
+ key=$2
+ expect=$3
+ result=$(kubectl exec -n ${NAMESPACE} ${pod} -- env | grep "${key}")
+ echo "$result"
+ echo "$expect"
+ if [[ "$result" = "$expect" ]]; then
+ return 0
+ fi
+ return 1
+}
+
+function ci::verify_liveness_probe() {
+ pod=$1
+ expected=$2
+ result=$(kubectl get pod $pod -o jsonpath='{.spec.containers[*].livenessProbe}')
+ echo "liveness probe is $result"
+ if [[ "$result" != "$expected" ]]; then
+ return 1
+ fi
+}

.ci/olm-tests/catalog.yml

@@ -5,4 +5,4 @@ metadata:
  namespace: olm
 spec:
  sourceType: grpc
- image: kind-registry:5000/streamnativeio/function-mesh-catalog:v0.17.2
+ image: kind-registry:5000/streamnativeio/function-mesh-catalog:v0.17.3

.ci/olm-tests/subs.yml

@@ -6,6 +6,6 @@ metadata:
 spec:
  channel: alpha
  name: function-mesh
- startingCSV: function-mesh.v0.17.2
+ startingCSV: function-mesh.v0.17.3
  source: my-test-catalog
  sourceNamespace: olm

.ci/tests/integration/cases/crypto-function/manifests.yaml

@@ -9,7 +9,6 @@ spec:
  forwardSourceMessageProperty: true
  maxPendingAsyncRequests: 1000
  replicas: 1
- maxReplicas: 5
  logTopic: persistent://public/default/logging-function-logs
  input:
  topics:

.ci/tests/integration/cases/global-and-namespaced-config/manifests.yaml

@@ -0,0 +1,77 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: Function
+metadata:
+ name: function-sample-env
+ namespace: default
+spec:
+ image: streamnative/pulsar-functions-java-sample:2.9.2.23
+ className: org.apache.pulsar.functions.api.examples.ExclamationFunction
+ forwardSourceMessageProperty: true
+ maxPendingAsyncRequests: 1000
+ replicas: 1
+ maxReplicas: 5
+ logTopic: persistent://public/default/logging-function-logs
+ input:
+ topics:
+ - persistent://public/default/input-java-topic
+ typeClassName: java.lang.String
+ output:
+ topic: persistent://public/default/output-java-topic
+ typeClassName: java.lang.String
+ resources:
+ requests:
+ cpu: 50m
+ memory: 1G
+ limits:
+ memory: 1.1G
+ # each secret will be loaded ad an env variable from the `path` secret with the `key` in that secret in the name of `name`
+ secretsMap:
+ "name":
+ path: "test-secret"
+ key: "username"
+ "pwd":
+ path: "test-secret"
+ key: "password"
+ pulsar:
+ pulsarConfig: "test-pulsar"
+ tlsConfig:
+ enabled: false
+ allowInsecure: false
+ hostnameVerification: true
+ certSecretName: sn-platform-tls-broker
+ certSecretKey: ""
+ #authConfig: "test-auth"
+ java:
+ jar: /pulsar/examples/api-examples.jar
+ # to be delete & use admission hook
+ clusterName: test
+ autoAck: true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-pulsar
+data:
+ webServiceURL: http://sn-platform-pulsar-broker.default.svc.cluster.local:8080
+ brokerServiceURL: pulsar://sn-platform-pulsar-broker.default.svc.cluster.local:6650
+#---
+#apiVersion: v1
+#kind: ConfigMap
+#metadata:
+# name: test-auth
+#data:
+# clientAuthenticationPlugin: "abc"
+# clientAuthenticationParameters: "xyz"
+# tlsTrustCertsFilePath: "uvw"
+# useTls: "true"
+# tlsAllowInsecureConnection: "false"
+# tlsHostnameVerificationEnable: "true"
+---
+apiVersion: v1
+data:
+ username: YWRtaW4=
+ password: MWYyZDFlMmU2N2Rm
+kind: Secret
+metadata:
+ name: test-secret
+type: Opaque

.ci/tests/integration/cases/global-and-namespaced-config/mesh-config-kube-system.yaml

@@ -0,0 +1,13 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: BackendConfig
+metadata:
+ name: backend-config
+ namespace: kube-system
+spec:
+ env:
+ namespaced1: namespacedvalue1
+ shared1: fromnamespace
+ pod:
+ liveness:
+ initialDelaySeconds: 50
+ periodSeconds: 60

.ci/tests/integration/cases/global-and-namespaced-config/mesh-config.yaml

@@ -0,0 +1,13 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: BackendConfig
+metadata:
+ name: backend-config
+ namespace: default
+spec:
+ env:
+ namespaced1: namespacedvalue1
+ shared1: fromnamespace
+ pod:
+ liveness:
+ initialDelaySeconds: 30
+ periodSeconds: 10

.ci/tests/integration/cases/global-and-namespaced-config/verify.sh

@@ -0,0 +1,179 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -e
+
+E2E_DIR=$(dirname "$0")
+BASE_DIR=$(cd "${E2E_DIR}"/../../../../..;pwd)
+PULSAR_NAMESPACE=${PULSAR_NAMESPACE:-"default"}
+PULSAR_RELEASE_NAME=${PULSAR_RELEASE_NAME:-"sn-platform"}
+E2E_KUBECONFIG=${E2E_KUBECONFIG:-"/tmp/e2e-k8s.config"}
+
+source "${BASE_DIR}"/.ci/helm.sh
+
+if [ ! "$KUBECONFIG" ]; then
+ export KUBECONFIG=${E2E_KUBECONFIG}
+fi
+
+manifests_file="${BASE_DIR}"/.ci/tests/integration/cases/global-and-namespaced-config/manifests.yaml
+mesh_config_file="${BASE_DIR}"/.ci/tests/integration/cases/global-and-namespaced-config/mesh-config.yaml
+mesh_config_file_in_kube_system="${BASE_DIR}"/.ci/tests/integration/cases/global-and-namespaced-config/mesh-config-kube-system.yaml
+global_mesh_config_file="${BASE_DIR}"/.ci/clusters/global_backend_config.yaml
+
+
+kubectl apply -f "${mesh_config_file}" > /dev/null 2>&1
+kubectl apply -f "${manifests_file}" > /dev/null 2>&1
+
+verify_fm_result=$(ci::verify_function_mesh function-sample-env 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_fm_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" global1 global1=globalvalue1 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_env_result"
+ kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" namespaced1 namespaced1=namespacedvalue1 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_env_result"
+ kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+# if global and namespaced config has same key, the value from namespace should be used
+verify_env_result=$(ci::verify_env "function-sample-env" shared1 shared1=fromnamespace 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_env_result"
+ kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+# verify liveness config
+verify_liveness_result=$(ci::verify_liveness_probe function-sample-env-function-0 '{"failureThreshold":3,"httpGet":{"path":"/","port":9094,"scheme":"HTTP"},"initialDelaySeconds":30,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10}' 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_liveness_result"
+ kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+# delete the namespaced config, the function should be reconciled without namespaced env injected
+kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+sleep 30
+
+verify_fm_result=$(ci::verify_function_mesh function-sample-env 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_fm_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" global1 global1=globalvalue1 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_env_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" shared1 shared1=fromglobal 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_env_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" namespaced1 "" 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_env_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+# it should use liveness config from global config
+verify_liveness_result=$(ci::verify_liveness_probe function-sample-env-function-0 '{"failureThreshold":3,"httpGet":{"path":"/","port":9094,"scheme":"HTTP"},"initialDelaySeconds":10,"periodSeconds":30,"successThreshold":1,"timeoutSeconds":30}' 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_liveness_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+# delete the global config, the function should be reconciled without global env injected
+kubectl delete -f "${global_mesh_config_file}" -n $FUNCTION_MESH_NAMESPACE > /dev/null 2>&1 || true
+sleep 30
+
+verify_fm_result=$(ci::verify_function_mesh function-sample-env 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_fm_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" global1 "" 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_env_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+# it should has no liveness config
+verify_liveness_result=$(ci::verify_liveness_probe function-sample-env-function-0 "" 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_liveness_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+# config created in an another namespace should not affect functions in other namespaces
+kubectl apply -f "${mesh_config_file_in_kube_system}" > /dev/null 2>&1
+sleep 30
+
+verify_fm_result=$(ci::verify_function_mesh function-sample-env 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_fm_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+# it should has no liveness config
+verify_liveness_result=$(ci::verify_liveness_probe function-sample-env-function-0 "" 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$verify_liveness_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" namespaced1 "" 2>&1)
+if [ $? -eq 0 ]; then
+ echo "e2e-test: ok" | yq eval -
+else
+ echo "$verify_env_result"
+ kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+ exit 1
+fi
+
+kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true

.ci/tests/integration/e2e_with_tls.yaml

@@ -87,12 +87,17 @@ setup:
  image="function-mesh-operator:latest"
  IMG=${image} make docker-build-skip-test
  kind load docker-image ${image}
- helm install ${FUNCTION_MESH_RELEASE_NAME} -n ${FUNCTION_MESH_NAMESPACE} --set operatorImage=${image} --create-namespace charts/function-mesh-operator
+ helm install ${FUNCTION_MESH_RELEASE_NAME} -n ${FUNCTION_MESH_NAMESPACE} --set operatorImage=${image} --set controllerManager.globalBackendConfig=global-backend-config --set controllerManager.globalBackendConfigNamespace=${FUNCTION_MESH_NAMESPACE} --set controllerManager.namespacedBackendConfig=backend-config --create-namespace charts/function-mesh-operator
  wait:
  - namespace: function-mesh
  resource: pod
  label-selector: app.kubernetes.io/name=function-mesh-operator
  for: condition=Ready
+
+ - name: apply global env config map
+ command: |
+ kubectl create -n ${FUNCTION_MESH_NAMESPACE} -f .ci/clusters/global_backend_config.yaml
+
  timeout: 60m
 
 cleanup:
@@ -124,3 +129,5 @@ verify:
  expected: expected.data.yaml
  - query: bash .ci/tests/integration/cases/crypto-function/verify.sh
  expected: expected.data.yaml
+ - query: timeout 5m bash .ci/tests/integration/cases/global-and-namespaced-config/verify.sh
+ expected: expected.data.yaml

.github/workflows/olm-verify.yml

@@ -27,7 +27,7 @@ jobs:
  - name: checkout
  uses: actions/checkout@v2
 
- - name: Set up GO 1.20.4
+ - name: Set up GO 1.22.4
  uses: actions/setup-go@v1
  with:
  go-version: 1.22.4

.github/workflows/trivy.yml

@@ -23,7 +23,7 @@ jobs:
  repository: ${{github.event.pull_request.head.repo.full_name}}
  ref: ${{ github.event.pull_request.head.sha }}
 
- - name: Set up GO 1.20.4
+ - name: Set up GO 1.22.4
  uses: actions/setup-go@v1
  with:
  go-version: 1.22.4