diff --git a/changelog/v1.16.0-beta25/disable-extauth-sidecar.yaml b/changelog/v1.16.0-beta25/disable-extauth-sidecar.yaml
new file mode 100644
index 00000000000..9caac15ea6d
--- /dev/null
+++ b/changelog/v1.16.0-beta25/disable-extauth-sidecar.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: HELM
+ issueLink: https://github.com/solo-io/gloo/issues/8430
+ resolvesIssue: false
+ description: Adds the new helm value `gatewayproxy.proxyName.disableExtauthSidecar` to disable the extauth sidecar on a given gateway proxy when `global.extensions.extAuth.envoySidecar` is set. Defaults to false. This is used with enterprise extauth deployments.
+
diff --git a/docs/content/reference/values.txt b/docs/content/reference/values.txt
index 8cc0cd319b3..d06b6223c83 100644
--- a/docs/content/reference/values.txt
+++ b/docs/content/reference/values.txt
@@ -707,6 +707,7 @@
 |gatewayProxies.NAME.xdsServicePort|uint32||The k8s service port for the xds server. Defaults to the value from .Values.gloo.deployment.xdsPort, but can be overridden to use, for example, xds-relay.|
 |gatewayProxies.NAME.tcpKeepaliveTimeSeconds|uint32||The amount of time in seconds for connections to be idle before sending keep-alive probes. Defaults to 60. See here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive|
 |gatewayProxies.NAME.disableCoreDumps|bool||If set to true, Envoy will not generate core dumps in the event of a crash. Defaults to false|
+|gatewayProxies.NAME.disableExtauthSidecar|bool||If set to true, this gateway proxy will not come up with an extauth sidecar container when global.extAuth.envoySidecar is enabled. This setting has no effect otherwise. Defaults to false|
 |gatewayProxies.NAME.kubeResourceOverride.NAME|interface||override fields in the generated resource by specifying the yaml structure to override under the top-level key.|
 |gatewayProxies.gatewayProxy.kind.deployment.replicas|int|1|number of instances to deploy|
 |gatewayProxies.gatewayProxy.kind.deployment.customEnv[].name|string|||
@@ -956,6 +957,7 @@
 |gatewayProxies.gatewayProxy.xdsServicePort|uint32||The k8s service port for the xds server. Defaults to the value from .Values.gloo.deployment.xdsPort, but can be overridden to use, for example, xds-relay.|
 |gatewayProxies.gatewayProxy.tcpKeepaliveTimeSeconds|uint32|60|The amount of time in seconds for connections to be idle before sending keep-alive probes. Defaults to 60. See here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive|
 |gatewayProxies.gatewayProxy.disableCoreDumps|bool|false|If set to true, Envoy will not generate core dumps in the event of a crash. Defaults to false|
+|gatewayProxies.gatewayProxy.disableExtauthSidecar|bool|false|If set to true, this gateway proxy will not come up with an extauth sidecar container when global.extAuth.envoySidecar is enabled. This setting has no effect otherwise. Defaults to false|
 |gatewayProxies.gatewayProxy.kubeResourceOverride.NAME|interface||override fields in the generated resource by specifying the yaml structure to override under the top-level key.|
 |ingress.enabled|bool|false||
 |ingress.deployment.image.tag|string||The image tag for the container.|
diff --git a/install/helm/gloo/generate/values.go b/install/helm/gloo/generate/values.go
index 5e83c4555ee..2cf856f5c93 100644
--- a/install/helm/gloo/generate/values.go
+++ b/install/helm/gloo/generate/values.go
@@ -505,6 +505,7 @@ type GatewayProxy struct {
 XdsServicePort *uint32 `json:"xdsServicePort,omitempty" desc:"The k8s service port for the xds server. Defaults to the value from .Values.gloo.deployment.xdsPort, but can be overridden to use, for example, xds-relay."`
 TcpKeepaliveTimeSeconds *uint32 `json:"tcpKeepaliveTimeSeconds,omitempty" desc:"The amount of time in seconds for connections to be idle before sending keep-alive probes. Defaults to 60. See here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive"`
 DisableCoreDumps *bool `json:"disableCoreDumps,omitempty" desc:"If set to true, Envoy will not generate core dumps in the event of a crash. Defaults to false"`
+ DisableExtauthSidecar *bool `json:"disableExtauthSidecar,omitempty" desc:"If set to true, this gateway proxy will not come up with an extauth sidecar container when global.extAuth.envoySidecar is enabled. This setting has no effect otherwise. Defaults to false"`
 *KubeResourceOverride
 }
diff --git a/install/helm/gloo/templates/7-gateway-proxy-deployment.yaml b/install/helm/gloo/templates/7-gateway-proxy-deployment.yaml
index 89d9cd5b4df..a95f0bf0688 100644
--- a/install/helm/gloo/templates/7-gateway-proxy-deployment.yaml
+++ b/install/helm/gloo/templates/7-gateway-proxy-deployment.yaml
@@ -9,7 +9,7 @@
 {{- $settings := .Values.settings }}
 {{- $isUpgrade := .Values.gateway.upgrade }}
 {{- $gatewayProxy := .Values.gatewayProxies.gatewayProxy -}}
-{{- $spec := deepCopy $gatewaySpec | mergeOverwrite (deepCopy $gatewayProxy) -}}
+{{- $spec := include "gloo.util.mergeOverwriteWithOmit" (list $gatewaySpec $gatewayProxy) | fromJson }}
 {{- $ports := list }}
 {{- if not (empty $spec.podTemplate) }}
 {{- $ports = (list $spec.podTemplate.httpPort $spec.podTemplate.httpsPort $spec.podTemplate.extraPorts) }}
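Review bot: The `desc` tag on the new `DisableExtauthSidecar` field names the controlling value as `global.extAuth.envoySidecar`, while the changelog entry in this same commit calls it `global.extensions.extAuth.envoySidecar`, so the two disagree and `docs/content/reference/values.txt`, which is generated from this tag, inherits the mismatch. Only one of these paths can exist in the chart (I believe the enterprise ext-auth values sit under `global.extensions`, but confirm against the values template) and both the tag and the changelog should use it. The `GatewayProxy` struct starts and ends outside the hunk.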
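Review bot: Routing `$spec` through `toJson` and back with `fromJson` turns every numeric value in the merged map into a float64 (JSON carries no integer type), so any later `eq`/`gt` of a field such as `$spec.podTemplate.httpPort` or `kind.deployment.replicas` against an int literal will fail with an incompatible-types error in Go templates, and very large integers render in exponent form; worth checking that no template in this chart compares these fields numerically. `fromJson` also returns an empty value rather than failing when the helper's output is not valid JSON, which would surface far away as a nil-pointer error on `$spec.podTemplate`; `{{- $spec := include "gloo.util.mergeOverwriteWithOmit" (list $gatewaySpec $gatewayProxy) | mustFromJson }}` fails at the source instead. The same line is changed identically in the 8-gateway-proxy-horizontal-pod-autoscaler, 8-gateway-proxy-pod-disruption-budget, 9-gateway-proxy-configmap and _8-default-gateways hunks.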
diff --git a/install/helm/gloo/templates/8-gateway-proxy-horizontal-pod-autoscaler.yaml b/install/helm/gloo/templates/8-gateway-proxy-horizontal-pod-autoscaler.yaml
index aa3e70ff1c1..7b88052cc8b 100644
--- a/install/helm/gloo/templates/8-gateway-proxy-horizontal-pod-autoscaler.yaml
+++ b/install/helm/gloo/templates/8-gateway-proxy-horizontal-pod-autoscaler.yaml
@@ -3,7 +3,7 @@
 {{- $gatewaySpec := (index . 2) }}
 {{- with (first .) }}
 {{- $gatewayProxy := .Values.gatewayProxies.gatewayProxy -}}
-{{- $spec := deepCopy $gatewaySpec | mergeOverwrite (deepCopy $gatewayProxy) -}}
+{{- $spec := include "gloo.util.mergeOverwriteWithOmit" (list $gatewaySpec $gatewayProxy) | fromJson }}
 {{- if $spec.kind.deployment }}
 {{- if $spec.horizontalPodAutoscaler }}
 apiVersion: {{ $spec.horizontalPodAutoscaler.apiVersion }}
diff --git a/install/helm/gloo/templates/8-gateway-proxy-pod-disruption-budget.yaml b/install/helm/gloo/templates/8-gateway-proxy-pod-disruption-budget.yaml
index d582e66688f..a580b65e7f1 100644
--- a/install/helm/gloo/templates/8-gateway-proxy-pod-disruption-budget.yaml
+++ b/install/helm/gloo/templates/8-gateway-proxy-pod-disruption-budget.yaml
@@ -3,7 +3,7 @@
 {{- $gatewaySpec := (index . 2) }}
 {{- with (first .) }}
 {{- $gatewayProxy := .Values.gatewayProxies.gatewayProxy -}}
-{{- $spec := deepCopy $gatewaySpec | mergeOverwrite (deepCopy $gatewayProxy) -}}
+{{- $spec := include "gloo.util.mergeOverwriteWithOmit" (list $gatewaySpec $gatewayProxy) | fromJson }}
 {{- if $spec.kind.deployment}}
 {{- if $spec.podDisruptionBudget }}
 apiVersion: policy/v1
diff --git a/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml b/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml
index fa8fbd86bdc..45422af3745 100644
--- a/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml
+++ b/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml
@@ -7,7 +7,7 @@
 {{- with (first .) }}
 {{- $global := .Values.global }}
 {{- $gatewayProxy := .Values.gatewayProxies.gatewayProxy -}}
-{{- $spec := deepCopy $gatewaySpec | mergeOverwrite (deepCopy $gatewayProxy) -}}
+{{- $spec := include "gloo.util.mergeOverwriteWithOmit" (list $gatewaySpec $gatewayProxy) | fromJson }}
 {{- if not $spec.disabled }}
 {{- $statsConfig := coalesce $spec.stats $global.glooStats }}
 # config_map
diff --git a/install/helm/gloo/templates/_8-default-gateways.tpl b/install/helm/gloo/templates/_8-default-gateways.tpl
index 39a94ba24af..6e6e532644a 100644
--- a/install/helm/gloo/templates/_8-default-gateways.tpl
+++ b/install/helm/gloo/templates/_8-default-gateways.tpl
@@ -147,7 +147,7 @@ spec:
 {{- define "gloo.customResources.defaultGateways" -}}
 {{- $gatewayProxy := .Values.gatewayProxies.gatewayProxy }}
 {{- range $name, $gatewaySpec := .Values.gatewayProxies }}
-{{- $spec := deepCopy $gatewaySpec | mergeOverwrite (deepCopy $gatewayProxy) }}
+{{- $spec := include "gloo.util.mergeOverwriteWithOmit" (list $gatewaySpec $gatewayProxy) | fromJson }}
 {{- $gatewaySettings := $spec.gatewaySettings }}
 {{- if and $spec.gatewaySettings (not $gatewaySpec.disabled) }}
 {{- $ctx := (list $ $name $spec) }}
diff --git a/install/helm/gloo/templates/_helpers.tpl b/install/helm/gloo/templates/_helpers.tpl
index e324e13d98a..bf27a595921 100644
--- a/install/helm/gloo/templates/_helpers.tpl
+++ b/install/helm/gloo/templates/_helpers.tpl
@@ -1,5 +1,14 @@
 {{/* vim: set filetype=mustache: */}}
+{{- /*
+There can be cases when we do not want to overwrite an empty value on a resource when merged.
+Eg. To generate a proxy config, we mergeOverwrite it with the default gateway-proxy config.
+If we want to preserve the empty value of the gateway and not have them overwritten, we set it to `gloo.omitOverwrite`
+and call `gloo.util.mergeOverwriteWithOmit` when merging. This sets all fields with values equal to this back to empty after the overwrite
+*/ -}}
+{{- define "gloo.omitOverwrite" }}
+{{ printf "\n" }}{{/* This template is set to a new line. There may be scenarios where a field is initailly set to this value and the same field is appended to later on. Since this is just a new line, it won't cause rendering issues */}}
+{{ end -}}
 {{- define "gloo.roleKind" -}}
 {{- if .Values.global.glooRbac.namespaced -}}
 Role
@@ -112,7 +121,7 @@ ttlSecondsAfterFinished: {{ . }}
 {{- end -}}
 {{- end -}}
-{{- /*
+{{- /*
 This template is used to generate the gloo pod or container security context.
 It takes 2 values:
 .values - the securityContext passed from the user in values.yaml
@@ -209,7 +218,7 @@ Returns the unique Gateway namespaces as defined by the helm values.
 {{- end -}}
-{{/*
+{{/*
 Generated the "operations" array for a resource for the ValidatingWebhookConfiguration
 Arguments are a resource name, and a list of resources for which to skip webhook validation for DELETEs
 This list is expected to come from `gateway.validation.webhook.skipDeleteValidationResources`
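Review bot: The new `gloo.omitOverwrite` define renders to newline characters, but `gloo.util.mergeOverwriteWithOmit` later in this file matches field values against the literal string `"gloo.omitOverwrite"`, so a caller that follows the header comment and uses `include "gloo.omitOverwrite"` as the value would never have the field dropped; the comment should say explicitly that the field is set to the plain string `gloo.omitOverwrite` (the template name), or the define should emit that string, unless the define is intended for a different consumer. The comment also says the helper sets matching fields "back to empty", whereas the helper `unset`s the key, so the field is absent from `$spec` rather than present and empty, which matters for templates that test it with `hasKey` or `empty`. Minor: `initailly` in the define's trailing comment.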
@@ -225,3 +234,15 @@ Otherwise it will generate ["Create", "Update", "Delete"]
 {{- end -}}
 {{ toJson $operations -}}
 {{- end -}}
+
+{{- define "gloo.util.mergeOverwriteWithOmit" -}}
+{{- $resource := first . -}}
+{{- $overwrite := index . 1 -}}
+{{- $result := deepCopy $resource | mergeOverwrite (deepCopy $overwrite) -}}
+{{- range $key, $value := $result }}
+ {{- if eq (toString $value) "gloo.omitOverwrite" -}}
+ {{- $_ := unset $result $key }}
+ {{- end -}}
+{{- end -}}
+{{ toJson $result }}
+{{- end -}}
diff --git a/install/helm/gloo/values-template.yaml b/install/helm/gloo/values-template.yaml
index 01817c377bb..f66399b62c1 100644
--- a/install/helm/gloo/values-template.yaml
+++ b/install/helm/gloo/values-template.yaml
@@ -167,6 +167,7 @@ gatewayProxies:
 healthyPanicThreshold: 50
 tcpKeepaliveTimeSeconds: 60
 disableCoreDumps: false
+ disableExtauthSidecar: false
 # intentionally unset, so we default to the gloo service address. if set, this overrides the derived gloo service address
 # xdsServiceAddress: xds-relay.default.svc.cluster.local
 # intentionally unset, so we default to the gloo service port. if set, this overrides .Values.gloo.deployment.xdsPort
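Review bot: `gloo.util.mergeOverwriteWithOmit` inspects only the top-level keys of the merged map, so a `gloo.omitOverwrite` sentinel placed under a nested key (for example inside `podTemplate`) survives `mergeOverwrite` and is emitted into the manifest as the literal string, which would produce an invalid resource; either document that the sentinel is honored at the top level only or recurse into nested maps. The argument names invert their roles — `$overwrite` (`index . 1`, the default gateway-proxy) is the map that gets overwritten by `$resource` (`first .`) — and a short header comment such as `{{- /* args: (list spec defaults); top-level keys of spec equal to "gloo.omitOverwrite" are removed from the merged result, which is returned as JSON */ -}}` would prevent callers passing them in the wrong order. Since every caller now parses this output with `fromJson`, the helper must emit exactly one JSON document and nothing else; the `{{ toJson $result }}` line relies on the preceding `{{- end -}}` to trim surrounding whitespace, so `{{- toJson $result -}}` would make that guarantee explicit.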