From a7f089b64c130a7215f87af99a5ee7713bb68043 Mon Sep 17 00:00:00 2001
From: Adam Talbot
Date: Thu, 25 Apr 2024 16:52:14 +0100
Subject: [PATCH] feat: graduate gateway-api to beta and enable by default

Signed-off-by: Adam Talbot
---
 cmd/controller/app/controller.go | 6 +++++-
 cmd/controller/app/options/options.go | 5 ++++-
 internal/apis/config/controller/types.go | 5 +++++
 .../apis/config/controller/v1alpha1/defaults.go | 5 +++++
 .../controller/v1alpha1/testdata/defaults.json | 1 +
 .../controller/v1alpha1/zz_generated.conversion.go | 6 ++++++
 internal/controller/feature/features.go | 3 ++-
 make/e2e-setup.mk | 4 ++--
 pkg/apis/config/controller/v1alpha1/types.go | 5 +++++
 .../controller/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 pkg/controller/context.go | 14 ++++++++++----
 11 files changed, 50 insertions(+), 9 deletions(-)

diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go
index 1788ae70f0b..e45f320e9c1 100644
--- a/cmd/controller/app/controller.go
+++ b/cmd/controller/app/controller.go
@@ -259,7 +259,7 @@ func Run(rootCtx context.Context, opts *config.ControllerConfiguration) error {
 	ctx.KubeSharedInformerFactory.Start(rootCtx.Done())
 	ctx.HTTP01ResourceMetadataInformersFactory.Start(rootCtx.Done())
 
-	if utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalGatewayAPISupport) {
+	if utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalGatewayAPISupport) && opts.EnableGatewayAPI {
 		ctx.GWShared.Start(rootCtx.Done())
 	}
 
@@ -358,6 +358,10 @@ func buildControllerContextFactory(ctx context.Context, opts *config.ControllerC
 			EnableOwnerRef: opts.EnableCertificateOwnerRef,
 			CopiedAnnotationPrefixes: opts.CopiedAnnotationPrefixes,
 		},
+
+		ConfigOptions: controller.ConfigOptions{
+			EnableGatewayAPI: opts.EnableGatewayAPI,
+		},
 	})
 	if err != nil {
 		return nil, err
diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go
index 8fa78c1395e..f98500787e9 100644
--- a/cmd/controller/app/options/options.go
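Review bot: The gating predicate `utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalGatewayAPISupport) && opts.EnableGatewayAPI` added here in Run is written out again in EnabledControllers (cmd/controller/app/options/options.go) and in buildClients (pkg/controller/context.go), and at all three sites the case "option set, gate disabled" falls through without a single log line, so the gateway-shim controller, the Gateway HTTP-01 solver and the GWShared informers silently stay off. Folding the decision into one helper on the configuration type, e.g. `func GatewayAPIEnabled(opts *config.ControllerConfiguration) bool`, and calling it from all three sites keeps a single source of truth; the second hunk could then pass that computed value as `EnableGatewayAPI: GatewayAPIEnabled(opts)` instead of the raw option. The natural place to surface the misconfiguration is EnabledControllers, where `logf.Log.Info` is already used; an `else if o.EnableGatewayAPI` branch logging that the ExperimentalGatewayAPISupport gate is disabled would make it visible to operators. Run's body and buildControllerContextFactory continue outside these hunks.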
+++ b/cmd/controller/app/options/options.go
@@ -170,6 +170,9 @@ func AddConfigFlags(fs *pflag.FlagSet, c *config.ControllerConfiguration) {
 	fs.BoolVar(&c.EnableCertificateOwnerRef, "enable-certificate-owner-ref", c.EnableCertificateOwnerRef, ""+
 		"Whether to set the certificate resource as an owner of secret where the tls certificate is stored. "+
 		"When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.")
+	fs.BoolVar(&c.EnableGatewayAPI, "enable-gateway-api", c.EnableGatewayAPI, ""+
+		"Whether gateway API integration is enabled within cert-manager. The ExperimentalGatewayAPISupport "+
+		"feature gate must also be enabled (default as of 1.15).")
 	fs.StringSliceVar(&c.CopiedAnnotationPrefixes, "copied-annotation-prefixes", c.CopiedAnnotationPrefixes, "Specify which annotations should/shouldn't be copied"+
 		"from Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes."+
 		"A prefix starting with a dash(-) specifies an annotation that shouldn't be copied. Example: '*,-kubectl.kuberenetes.io/'- all annotations"+
@@ -249,7 +252,7 @@ func EnabledControllers(o *config.ControllerConfiguration) sets.Set[string] {
 		enabled = enabled.Insert(defaults.ExperimentalCertificateSigningRequestControllers...)
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalGatewayAPISupport) {
+	if utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalGatewayAPISupport) && o.EnableGatewayAPI {
 		logf.Log.Info("enabling the sig-network Gateway API certificate-shim and HTTP-01 solver")
 		enabled = enabled.Insert(shimgatewaycontroller.ControllerName)
 	}
diff --git a/internal/apis/config/controller/types.go b/internal/apis/config/controller/types.go
index a9f7f0e1835..8f46c03d9ae 100644
--- a/internal/apis/config/controller/types.go
+++ b/internal/apis/config/controller/types.go
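Review bot: The new help text `"feature gate must also be enabled (default as of 1.15)."` is ambiguous: read next to the flag it suggests --enable-gateway-api itself defaults on, whereas the defaults.go hunk sets `defaultEnableGatewayAPI = false` and it is only the feature gate that is on by default. Saying which thing the parenthetical refers to removes the doubt, e.g. `"feature gate must also be enabled (it is enabled by default as of 1.15)."`. The same sentence is added as the field comment in internal/apis/config/controller/types.go and pkg/apis/config/controller/v1alpha1/types.go and should be adjusted there too.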
@@ -79,6 +79,11 @@ type ControllerConfiguration struct {
 	// automatically removed when the certificate resource is deleted.
 	EnableCertificateOwnerRef bool
 
+	// Whether gateway API integration is enabled within cert-manager. The
+	// ExperimentalGatewayAPISupport feature gate must also be enabled (default
+	// as of 1.15).
+	EnableGatewayAPI bool
+
 	// Specify which annotations should/shouldn't be copied from Certificate to
 	// CertificateRequest and Order, as well as from CertificateSigningRequest to
 	// Order, by passing a list of annotation key prefixes. A prefix starting with
diff --git a/internal/apis/config/controller/v1alpha1/defaults.go b/internal/apis/config/controller/v1alpha1/defaults.go
index 7384cef6385..a7741ca014c 100644
--- a/internal/apis/config/controller/v1alpha1/defaults.go
+++ b/internal/apis/config/controller/v1alpha1/defaults.go
@@ -78,6 +78,7 @@ var (
 	defaultTLSACMEIssuerKind = "Issuer"
 	defaultTLSACMEIssuerGroup = cm.GroupName
 	defaultEnableCertificateOwnerRef = false
+	defaultEnableGatewayAPI = false
 	defaultDNS01RecursiveNameserversOnly = false
 	defaultDNS01RecursiveNameservers = []string{}
 
@@ -213,6 +214,10 @@ func SetDefaults_ControllerConfiguration(obj *v1alpha1.ControllerConfiguration)
 		obj.EnableCertificateOwnerRef = &defaultEnableCertificateOwnerRef
 	}
 
+	if obj.EnableGatewayAPI == nil {
+		obj.EnableGatewayAPI = &defaultEnableGatewayAPI
+	}
+
 	if len(obj.CopiedAnnotationPrefixes) == 0 {
 		obj.CopiedAnnotationPrefixes = defaultCopiedAnnotationPrefixes
 	}
diff --git a/internal/apis/config/controller/v1alpha1/testdata/defaults.json b/internal/apis/config/controller/v1alpha1/testdata/defaults.json
index 1004ab5d9e1..00931d0630c 100644
--- a/internal/apis/config/controller/v1alpha1/testdata/defaults.json
+++ b/internal/apis/config/controller/v1alpha1/testdata/defaults.json
@@ -16,6 +16,7 @@
   "issuerAmbientCredentials": false,
   "clusterIssuerAmbientCredentials": true,
   "enableCertificateOwnerRef": false,
+  "enableGatewayAPI": false,
   "copiedAnnotationPrefixes": [
     "*",
     "-kubectl.kubernetes.io/",
diff --git a/internal/apis/config/controller/v1alpha1/zz_generated.conversion.go b/internal/apis/config/controller/v1alpha1/zz_generated.conversion.go
index 382d3c4089c..ba253403258 100644
--- a/internal/apis/config/controller/v1alpha1/zz_generated.conversion.go
+++ b/internal/apis/config/controller/v1alpha1/zz_generated.conversion.go
@@ -230,6 +230,9 @@ func autoConvert_v1alpha1_ControllerConfiguration_To_controller_ControllerConfig
 	if err := v1.Convert_Pointer_bool_To_bool(&in.EnableCertificateOwnerRef, &out.EnableCertificateOwnerRef, s); err != nil {
 		return err
 	}
+	if err := v1.Convert_Pointer_bool_To_bool(&in.EnableGatewayAPI, &out.EnableGatewayAPI, s); err != nil {
+		return err
+	}
 	out.CopiedAnnotationPrefixes = *(*[]string)(unsafe.Pointer(&in.CopiedAnnotationPrefixes))
 	if err := Convert_Pointer_int32_To_int(&in.NumberOfConcurrentWorkers, &out.NumberOfConcurrentWorkers, s); err != nil {
 		return err
@@ -289,6 +292,9 @@ func autoConvert_controller_ControllerConfiguration_To_v1alpha1_ControllerConfig
 	if err := v1.Convert_bool_To_Pointer_bool(&in.EnableCertificateOwnerRef, &out.EnableCertificateOwnerRef, s); err != nil {
 		return err
 	}
+	if err := v1.Convert_bool_To_Pointer_bool(&in.EnableGatewayAPI, &out.EnableGatewayAPI, s); err != nil {
+		return err
+	}
 	out.CopiedAnnotationPrefixes = *(*[]string)(unsafe.Pointer(&in.CopiedAnnotationPrefixes))
 	if err := Convert_int_To_Pointer_int32(&in.NumberOfConcurrentWorkers, &out.NumberOfConcurrentWorkers, s); err != nil {
 		return err
diff --git a/internal/controller/feature/features.go b/internal/controller/feature/features.go
index dcaa66de577..52650700602 100644
--- a/internal/controller/feature/features.go
+++ b/internal/controller/feature/features.go
@@ -56,6 +56,7 @@ const (
 
 	// Owner: N/A
 	// Alpha: v1.5
+	// Beta: v1.15
 	//
 	// ExperimentalGatewayAPISupport enables the gateway-shim controller and adds support for
 	// the Gateway API to the HTTP-01 challenge solver.
@@ -150,7 +151,7 @@ var defaultCertManagerFeatureGates = map[featuregate.Feature]featuregate.Feature
 
 	ValidateCAA: {Default: false, PreRelease: featuregate.Alpha},
 	ExperimentalCertificateSigningRequestControllers: {Default: false, PreRelease: featuregate.Alpha},
-	ExperimentalGatewayAPISupport: {Default: false, PreRelease: featuregate.Alpha},
+	ExperimentalGatewayAPISupport: {Default: true, PreRelease: featuregate.Beta},
 	AdditionalCertificateOutputFormats: {Default: false, PreRelease: featuregate.Alpha},
 	ServerSideApply: {Default: false, PreRelease: featuregate.Alpha},
 	LiteralCertificateSubject: {Default: false, PreRelease: featuregate.Alpha},
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index 206167ad36e..e51ded52d93 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -306,7 +306,7 @@ e2e-setup-certmanager: e2e-setup-gatewayapi $(E2E_SETUP_OPTION_DEPENDENCIES) $(b
 		$(addprefix --version,$(E2E_CERT_MANAGER_VERSION)) \
 		--set crds.enabled=true \
 		--set featureGates="$(feature_gates_controller)" \
-		--set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200}" \
+		--set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200,--enable-gateway-api}" \
 		--set webhook.featureGates="$(feature_gates_webhook)" \
 		--set "cainjector.extraArgs={--feature-gates=$(feature_gates_cainjector)}" \
 		--set "dns01RecursiveNameservers=$(SERVICE_IP_PREFIX).16:53" \
@@ -334,7 +334,7 @@ e2e-setup-certmanager: $(bin_dir)/cert-manager.tgz $(foreach binaryname,controll
 		--set startupapicheck.image.tag="$(TAG)" \
 		--set crds.enabled=true \
 		--set featureGates="$(feature_gates_controller)" \
-		--set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200}" \
+		--set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200,--enable-gateway-api}" \
 		--set webhook.featureGates="$(feature_gates_webhook)" \
 		--set "cainjector.extraArgs={--feature-gates=$(feature_gates_cainjector)}" \
 		--set "dns01RecursiveNameservers=$(SERVICE_IP_PREFIX).16:53" \
diff --git a/pkg/apis/config/controller/v1alpha1/types.go b/pkg/apis/config/controller/v1alpha1/types.go
index 6884af223af..718dceac524 100644
--- a/pkg/apis/config/controller/v1alpha1/types.go
+++ b/pkg/apis/config/controller/v1alpha1/types.go
@@ -81,6 +81,11 @@ type ControllerConfiguration struct {
 	// automatically removed when the certificate resource is deleted.
 	EnableCertificateOwnerRef *bool `json:"enableCertificateOwnerRef,omitempty"`
 
+	// Whether gateway API integration is enabled within cert-manager. The
+	// ExperimentalGatewayAPISupport feature gate must also be enabled (default
+	// as of 1.15).
+	EnableGatewayAPI *bool `json:"enableGatewayAPI,omitempty"`
+
 	// Specify which annotations should/shouldn't be copied from Certificate to
 	// CertificateRequest and Order, as well as from CertificateSigningRequest to
 	// Order, by passing a list of annotation key prefixes. A prefix starting with
diff --git a/pkg/apis/config/controller/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/config/controller/v1alpha1/zz_generated.deepcopy.go
index 5745d606307..dea240802a8 100644
--- a/pkg/apis/config/controller/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/config/controller/v1alpha1/zz_generated.deepcopy.go
@@ -112,6 +112,11 @@ func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.EnableGatewayAPI != nil {
+		in, out := &in.EnableGatewayAPI, &out.EnableGatewayAPI
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CopiedAnnotationPrefixes != nil {
 		in, out := &in.CopiedAnnotationPrefixes, &out.CopiedAnnotationPrefixes
 		*out = make([]string, len(*in))
diff --git a/pkg/controller/context.go b/pkg/controller/context.go
index ae22bc4dc3f..bb76b295c10 100644
--- a/pkg/controller/context.go
+++ b/pkg/controller/context.go
@@ -153,6 +153,12 @@ type ContextOptions struct {
 	IngressShimOptions
 	CertificateOptions
 	SchedulerOptions
+	ConfigOptions
+}
+
+type ConfigOptions struct {
+	// EnableGatewayAPI indicates if the user has enabled GatewayAPI support.
+	EnableGatewayAPI bool
 }
 
 type IssuerOptions struct {
@@ -275,7 +281,7 @@ func NewContextFactory(ctx context.Context, opts ContextOptions) (*ContextFactor
 		restConfig.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(restConfig.QPS, restConfig.Burst)
 	}
 
-	clients, err := buildClients(restConfig)
+	clients, err := buildClients(restConfig, opts)
 	if err != nil {
 		return nil, err
 	}
@@ -331,7 +337,7 @@ func (c *ContextFactory) Build(component ...string) (*Context, error) {
 	cmscheme.AddToScheme(scheme)
 	gwscheme.AddToScheme(scheme)
 
-	clients, err := buildClients(restConfig)
+	clients, err := buildClients(restConfig, c.ctx.ContextOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -371,7 +377,7 @@ type contextClients struct {
 
 // buildClients builds all required clients for the context using the given
 // REST config.
-func buildClients(restConfig *rest.Config) (contextClients, error) {
+func buildClients(restConfig *rest.Config, opts ContextOptions) (contextClients, error) {
 	httpClient, err := rest.HTTPClientFor(restConfig)
 	if err != nil {
 		return contextClients{}, fmt.Errorf("error creating HTTP client: %w", err)
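Review bot: `buildClients` now takes the whole `ContextOptions` by value although the only field it reads in the visible code is `opts.EnableGatewayAPI`, and the exported `ConfigOptions` type is added without a doc comment. Narrowing the parameter keeps the dependency honest: `func buildClients(restConfig *rest.Config, opts ConfigOptions) (contextClients, error) {` with the two callers passing `opts.ConfigOptions` and `c.ctx.ConfigOptions` (both reachable as promoted fields); the comment above it should also mention the second argument, e.g. `// buildClients builds all required clients for the context using the given REST config; opts controls whether Gateway API availability is checked.`. For the new type, `// ConfigOptions holds controller configuration that is consulted when the context's clients are built.` satisfies the exported-name convention. The body of buildClients continues past the last hunk on this line.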
@@ -397,7 +403,7 @@ func buildClients(restConfig *rest.Config) (contextClients, error) {
 	var gatewayAvailable bool
 
 	// Check if the Gateway API feature gate was enabled
-	if utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalGatewayAPISupport) {
+	if utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalGatewayAPISupport) && opts.EnableGatewayAPI {
 		// Check if the gateway API CRDs are available. If they are not found
 		// return an error which will cause cert-manager to crashloopbackoff.
 		d := kubeClient.Discovery()
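Review bot: The comment `// Check if the Gateway API feature gate was enabled` above the changed `if` now describes only half of the condition, since the option added in this commit is the second half. `// Gateway API support needs both the ExperimentalGatewayAPISupport feature gate and opts.EnableGatewayAPI; otherwise the CRD check below is skipped and gatewayAvailable stays false.` would match the new code. Note that when the option is set but the gate is off, `gatewayAvailable` presumably stays false without any log, which wherever it is consumed is easy to misread as the CRDs being absent. buildClients starts and ends outside this hunk.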