Update serving and kourier to reference 0.19 images (#751)

* Update to 0.19 image This patch changes to: - Update serving 0.19.0 & kourier 0.19.1 in `olm-catalog/serverless-operator/project.yaml`. - Remove `001-liveness.patch`. - Add webhook pdb patch to `003-serving-pdb.patch`. - Add domainmapping resource yaml. * IMAGE_ variable for domainmapping * Fix validation error * Update maistra to 2.0.0 * Scale up nodes before running upgrade test * Fix rebase mistake * Finish prober test
openshift-knative · Dec 15, 2020 · 2b2020c · 2b2020c
1 parent 86b91f0
commit 2b2020c
Show file tree

Hide file tree

Showing 17 changed files with 1,148 additions and 431 deletions.
diff --git a/hack/generate/csv.sh b/hack/generate/csv.sh
@@ -41,6 +41,8 @@ image "autoscaler"     "${serving}-autoscaler"
 image "autoscaler-hpa" "${serving}-autoscaler-hpa"
 image "controller"     "${serving}-controller"
 image "webhook"        "${serving}-webhook"
+image "domain-mapping" "${serving}-domain-mapping"
+image "domainmapping-webhook" "${serving}-domain-mapping-webhook"
 image "storage-version-migration-serving-serving-$(metadata.get dependencies.serving)__migrate" "${serving}-storage-version-migration"
 
 image "3scale-kourier-gateway" "docker.io/maistra/proxyv2-ubi8:$(metadata.get dependencies.maistra)"

diff --git a/knative-operator/deploy/resources/kourier/kourier-latest.yaml b/knative-operator/deploy/resources/kourier/kourier-latest.yaml
@@ -1,31 +1,183 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: Namespace
 metadata:
   name: kourier-system
   labels:
     networking.knative.dev/ingress-provider: kourier
+
+---
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: 3scale-kourier
+  namespace: knative-serving
+  labels:
+    networking.knative.dev/ingress-provider: kourier
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: 3scale-kourier
+  namespace: knative-serving
+  labels:
+    networking.knative.dev/ingress-provider: kourier
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["pods", "endpoints", "services", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["networking.internal.knative.dev"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["networking.internal.knative.dev"]
+    resources: ["ingresses/status"]
+    verbs: ["update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: 3scale-kourier
+  labels:
+    networking.knative.dev/ingress-provider: kourier
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 3scale-kourier
+subjects:
+  - kind: ServiceAccount
+    name: 3scale-kourier
+    namespace: knative-serving
+
+---
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: 3scale-kourier-control
+  namespace: knative-serving
+  labels:
+    networking.knative.dev/ingress-provider: kourier
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: 3scale-kourier-control
+  template:
+    metadata:
+      labels:
+        app: 3scale-kourier-control
+    spec:
+      containers:
+        - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:072e2bb12eae88d5fde8b2fa77d20542ce0f4708d9e09a59c3b65c499462a8fc
+          name: kourier-control
+          env:
+            - name: CERTS_SECRET_NAMESPACE
+              value: ""
+            - name: CERTS_SECRET_NAME
+              value: ""
+            - name: SYSTEM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: METRICS_DOMAIN
+              value: "knative.dev/samples"
+            - name: KOURIER_GATEWAY_NAMESPACE
+              value: "kourier-system"
+          ports:
+            - name: http2-xds
+              containerPort: 18000
+              protocol: TCP
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - all
+      restartPolicy: Always
+      serviceAccountName: 3scale-kourier
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: kourier
-  namespace: kourier-system
+  name: kourier-control
+  namespace: knative-serving
   labels:
     networking.knative.dev/ingress-provider: kourier
 spec:
   ports:
-    - name: http2
-      port: 80
-      protocol: TCP
-      targetPort: 8080
-    - name: https
-      port: 443
+    - name: grpc-xds
+      port: 18000
       protocol: TCP
-      targetPort: 8443
+      targetPort: 18000
   selector:
-    app: 3scale-kourier-gateway
-  type: LoadBalancer
+    app: 3scale-kourier-control
+  type: ClusterIP
+
 ---
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -49,8 +201,7 @@ spec:
             - --log-level info
           command:
             - /usr/local/bin/envoy
-          image: docker.io/maistra/proxyv2-ubi8:1.1.5
-          imagePullPolicy: Always
+          image: docker.io/maistra/proxyv2-ubi8:2.0.0
           name: kourier-gateway
           ports:
             - name: http2-external
@@ -62,6 +213,13 @@ spec:
             - name: https-external
               containerPort: 8443
               protocol: TCP
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsNonRoot: false
+            capabilities:
+              drop:
+                - all
           volumeMounts:
             - name: config-volume
               mountPath: /tmp/config
@@ -85,102 +243,10 @@ spec:
             name: kourier-bootstrap
       restartPolicy: Always
 ---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: 3scale-kourier-control
-  namespace: knative-serving
-  labels:
-    networking.knative.dev/ingress-provider: kourier
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: 3scale-kourier-control
-  template:
-    metadata:
-      labels:
-        app: 3scale-kourier-control
-    spec:
-      containers:
-        - image: gcr.io/knative-releases/knative.dev/net-kourier/cmd/kourier@sha256:24bd7446e1ce05a09c839deb4e40dbe9c41887d8021dff022ae646ac240e320b
-          imagePullPolicy: Always
-          name: kourier-control
-          env:
-            - name: CERTS_SECRET_NAMESPACE
-              value: ""
-            - name: CERTS_SECRET_NAME
-              value: ""
-            - name: SYSTEM_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: KOURIER_GATEWAY_NAMESPACE
-              value: "kourier-system"
-          ports:
-            - name: http2-xds
-              containerPort: 18000
-              protocol: TCP
-      restartPolicy: Always
-      serviceAccountName: 3scale-kourier
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: 3scale-kourier
-  namespace: knative-serving
-  labels:
-    networking.knative.dev/ingress-provider: kourier
-rules:
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["pods", "endpoints", "namespaces", "services", "secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "list", "watch", "update", "create"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-  - apiGroups: ["networking.internal.knative.dev"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch", "patch"]
-  - apiGroups: ["networking.internal.knative.dev"]
-    resources: ["ingresses/status"]
-    verbs: ["update"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch"]
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: 3scale-kourier
-  namespace: knative-serving
-  labels:
-    networking.knative.dev/ingress-provider: kourier
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: 3scale-kourier
-  labels:
-    networking.knative.dev/ingress-provider: kourier
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 3scale-kourier
-subjects:
-  - kind: ServiceAccount
-    name: 3scale-kourier
-    namespace: knative-serving
----
 apiVersion: v1
 kind: Service
 metadata:
-  name: kourier-internal
+  name: kourier
   namespace: kourier-system
   labels:
     networking.knative.dev/ingress-provider: kourier
@@ -189,26 +255,30 @@ spec:
     - name: http2
       port: 80
       protocol: TCP
-      targetPort: 8081
+      targetPort: 8080
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
   selector:
     app: 3scale-kourier-gateway
-  type: ClusterIP
+  type: LoadBalancer
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: kourier-control
-  namespace: knative-serving
+  name: kourier-internal
+  namespace: kourier-system
   labels:
     networking.knative.dev/ingress-provider: kourier
 spec:
   ports:
-    - name: grpc-xds
-      port: 18000
+    - name: http2
+      port: 80
       protocol: TCP
-      targetPort: 18000
+      targetPort: 8081
   selector:
-    app: 3scale-kourier-control
+    app: 3scale-kourier-gateway
   type: ClusterIP
 ---
 apiVersion: v1
@@ -252,7 +322,9 @@ data:
                             - "*"
                           routes:
                             - match:
-                                regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?'
+                                safe_regex:
+                                  google_re2: {}
+                                  regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?'
                                 headers:
                                   - name: ':method'
                                     exact_match: GET