From 83eedb354e8462685e7afa56592d1458ef602749 Mon Sep 17 00:00:00 2001 From: berg Date: Thu, 21 Dec 2023 15:23:02 +0800 Subject: [PATCH] rollout v0.5.0 changelog (#190) * rollout v0.5.0 changelog Signed-off-by: liheng.zms * modify rollout types description Signed-off-by: liheng.zms * limit secret & configmaps namespace rbac Signed-off-by: liheng.zms * modify rollout v0.5.0 changelog Signed-off-by: liheng.zms --------- Signed-off-by: liheng.zms --- CHANGELOG.md | 36 +++++++++++++++++++ Dockerfile_multiarch | 21 ++++++++--- api/v1beta1/rollout_types.go | 3 +- .../bases/rollouts.kruise.io_rollouts.yaml | 10 +++--- config/rbac/role.yaml | 33 ++++++++++------- config/rbac/role_binding.yaml | 14 ++++++++ go.mod | 2 +- pkg/webhook/server.go | 2 +- 8 files changed, 98 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bec3c6ad..47923fb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,41 @@ # Change Log +## v0.5.0 +### Resources Graduating to BETA + +After more than a year of development, we have now decided to upgrade the following resources to v1beta1, as follows: +- Rollout +- BatchRelease + +Please refer to the [community documentation](https://openkruise.io/rollouts/user-manuals/api-specifications) for detailed api definitions. + +**Note:** The v1alpha1 api is still available, and you can still use the v1alpha1 api in v0.5.0. +But we still recommend that you migrate to v1beta1 gradually, as some of the new features will only be available in v1beta1, +e.g., [Extensible Traffic Routing Based on Lua Script](https://openkruise.io/rollouts/developer-manuals/custom-network-provider/). + +### Bump To V1beta1 Gateway API +Support for GatewayAPI from v1alpha2 to v1beta1, you can use v1beta1 gateway API. + +### Extensible Traffic Routing Based on Lua Script + +The Gateway API is a standard gateway resource given by the K8S community, but there are still a large number of users in the community who are still using some customized gateway resources, such as VirtualService, Apisix, and so on. +In order to adapt to this behavior and meet the diverse demands of the community for gateway resources, we support a traffic routing scheme based on Lua scripts. + +Kruise Rollout utilizes a Lua-script-based customization approach for API Gateway resources (Istio VirtualService, Apisix ApisixRoute, Kuma TrafficRoute and etc.). +Kruise Rollout involves invoking Lua scripts to retrieve and update the desired configurations of resources based on release strategies and the original configurations of API Gateway resources (including spec, labels, and annotations). +It enables users to easily adapt and integrate various types of API Gateway resources without modifying existing code and configurations. 
+ +By using Kruise Rollout, users can: +- Customize Lua scripts for handling API Gateway resources, allowing for flexible implementation of resource processing and providing support for a wider range of resources. +- Utilize a common Rollout configuration template to configure different resources, reducing configuration complexity and facilitating user configuration. + +### Traffic Routing with Istio +Based on the lua script approach, now we add built-in support for Istio resources VirtualService, +you can directly use Kruise Rollout to achieve Istio scenarios Canary, A/B Testing release. + +### Others +- Bug fix: wait grace period seconds after pod creation/upgrade. ([#185](https://github.com/openkruise/rollouts/pull/185), [@veophi](https://github.com/veophi)) + ## v0.4.0 ### Kruise-Rollout-Controller - Rollout Support Kruise Advanced DaemonSet. ([#134](https://github.com/openkruise/rollouts/pull/134), [@Yadan-Wei](https://github.com/Yadan-Wei)) diff --git a/Dockerfile_multiarch b/Dockerfile_multiarch index eb0b740e..fd200488 100644 --- a/Dockerfile_multiarch +++ b/Dockerfile_multiarch @@ -1,7 +1,7 @@ # Build the manager binary ARG BASE_IMAGE=alpine ARG BASE_IMAGE_VERION=3.17 -FROM --platform=$BUILDPLATFORM golang:1.18-alpine3.17 as builder +FROM --platform=$BUILDPLATFORM golang:1.19-alpine3.17 as builder WORKDIR /workspace 
@@ -23,12 +23,25 @@ ARG BASE_IMAGE ARG BASE_IMAGE_VERION FROM ${BASE_IMAGE}:${BASE_IMAGE_VERION} -RUN apk add --no-cache ca-certificates=~20220614-r4 bash=~5.2.15-r0 expat=~2.5.0-r0 \ - && rm -rf /var/cache/apk/* +RUN set -eux; \ + apk --no-cache --update upgrade && \ + apk --no-cache add ca-certificates && \ + apk --no-cache add tzdata && \ + rm -rf /var/cache/apk/* && \ + update-ca-certificates && \ + echo "only include root and nobody user" && \ + echo -e "root:x:0:0:root:/root:/bin/ash\nnobody:x:65534:65534:nobody:/:/sbin/nologin" | tee /etc/passwd && \ + echo -e "root:x:0:root\nnobody:x:65534:" | tee /etc/group && \ + rm -rf /usr/local/sbin/* && \ + rm -rf /usr/local/bin/* && \ + rm -rf /usr/sbin/* && \ + rm -rf /usr/bin/* && \ + rm -rf /sbin/* && \ + rm -rf /bin/* WORKDIR / COPY --from=builder /workspace/manager . COPY lua_configuration /lua_configuration -USER 1000 +USER 65534 ENTRYPOINT ["/manager"] diff --git a/api/v1beta1/rollout_types.go b/api/v1beta1/rollout_types.go index 9a40a22b..5287185b 100644 --- a/api/v1beta1/rollout_types.go +++ b/api/v1beta1/rollout_types.go @@ -82,7 +82,7 @@ type CanaryStrategy struct { // Steps define the order of phases to execute release in batches(20%, 40%, 60%, 80%, 100%) // +optional Steps []CanaryStep `json:"steps,omitempty"` - // TrafficRoutings hosts all the supported service meshes supported to enable more fine-grained traffic routing + // TrafficRoutings support ingress, gateway api and custom network resource(e.g. istio, apisix) to enable more fine-grained traffic routing // and current only support one TrafficRouting TrafficRoutings []TrafficRoutingRef `json:"trafficRoutings,omitempty"` // FailureThreshold indicates how many failed pods can be tolerated in all upgraded pods. 
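Review bot: The new `RUN` step installs `ca-certificates` and `tzdata` without version constraints and runs `apk --no-cache --update upgrade`, so the package set in the final image now depends on the build date rather than on this file; the removed line pinned `ca-certificates=~20220614-r4`. If floating versions are intended so that rebuilds pick up security fixes, say so in a comment above the step and keep the build reproducible another way, for example by passing a digest-pinned `BASE_IMAGE`. Emptying `/bin`, `/sbin`, `/usr/bin`, `/usr/sbin`, `/usr/local/bin` and `/usr/local/sbin` leaves the image without a shell, so exec-based probes and `kubectl exec` debugging will not work, and the `/bin/ash` entry written to `/etc/passwd` points at a removed binary; a comment such as `# no shell or package manager is left in the final image; debug with an ephemeral container` would record that. `rm -rf /var/cache/apk/*` is redundant with `--no-cache`.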
@@ -123,6 +123,7 @@ type CanaryStep struct { type TrafficRoutingStrategy struct { // Traffic indicate how many percentage of traffic the canary pods should receive + // Value is of string type and is a percentage, e.g. 5%. // +optional Traffic *string `json:"traffic,omitempty"` // Set overwrites the request with the given header (name, value) diff --git a/config/crd/bases/rollouts.kruise.io_rollouts.yaml b/config/crd/bases/rollouts.kruise.io_rollouts.yaml index fef3a3c6..226cf5c7 100644 --- a/config/crd/bases/rollouts.kruise.io_rollouts.yaml +++ b/config/crd/bases/rollouts.kruise.io_rollouts.yaml @@ -808,7 +808,8 @@ spec: type: object traffic: description: Traffic indicate how many percentage of - traffic the canary pods should receive + traffic the canary pods should receive Value is of + string type and is a percentage, e.g. 5%. type: string type: object type: array @@ -816,9 +817,10 @@ spec: description: TrafficRoutingRef is TrafficRouting's Name type: string trafficRoutings: - description: TrafficRoutings hosts all the supported service - meshes supported to enable more fine-grained traffic routing - and current only support one TrafficRouting + description: TrafficRoutings support ingress, gateway api + and custom network resource(e.g. istio, apisix) to enable + more fine-grained traffic routing and current only support + one TrafficRouting items: description: TrafficRoutingRef hosts all the different configuration for supported service meshes to enable more fine-grained diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 085e944b..d5ed5866 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -196,18 +196,6 @@ rules: - get - patch - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - "" resources: 
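Review bot: The added comment on `Traffic` documents a percentage string such as `5%`, but nothing in the visible lines enforces that format, and the regenerated CRD schema later in this patch still declares the field as plain `type: string`. If the admission webhook does not already reject malformed values, consider a `+kubebuilder:validation:Pattern` marker next to `+optional` so the API server refuses them at admission. The `TrafficRoutingStrategy` struct continues outside the hunk, so validation elsewhere cannot be ruled out from here.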
@@ -376,3 +364,24 @@ rules: - get - patch - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: manager-role + namespace: system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 2070ede4..1abcb773 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -10,3 +10,17 @@ subjects: - kind: ServiceAccount name: controller-manager namespace: system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: manager-rolebinding + namespace: system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/go.mod b/go.mod index 9c14fbd4..1f9b7683 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/openkruise/rollouts -go 1.18 +go 1.19 require ( github.com/davecgh/go-spew v1.1.1 diff --git a/pkg/webhook/server.go b/pkg/webhook/server.go index 1d453be8..3a9c9e11 100644 --- a/pkg/webhook/server.go +++ b/pkg/webhook/server.go @@ -101,7 +101,7 @@ func SetupWithManager(mgr manager.Manager) error { return nil } -// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete,namespace=system // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;update;patch
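Review bot: With `namespace=system` on the secrets marker the manager loses cluster-wide `list`/`watch` on secrets, so any secret read that goes through a cluster-scoped informer cache will be rejected as forbidden; the code that reads secrets is outside this hunk, so confirm it uses a namespace-restricted cache or an uncached client. The rule, and the `Role` generated from it in `config/rbac/role.yaml`, still allows all seven verbs on every secret in that namespace. If only the webhook certificate secret is managed (not visible here), split the marker and add `resourceNames=<webhook-cert-secret-name>` to the `get;update;patch;delete` part, keeping `create` separate because it cannot be limited by name. The commit message also mentions configmaps, but no configmaps marker or rule changes in the visible hunks. A short comment above the marker, e.g. `// Secrets access is limited to the controller's own namespace; the webhook certificate secret must live there.`, would record the constraint.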