diff --git a/RELEASE.md b/RELEASE.md index af6899bca0..639d4106ae 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -110,7 +110,9 @@ The following steps must be done by one of the [Gateway API maintainers][gateway in the upcoming steps. - Use `git` to cherry-pick all relevant PRs into your branch. - Update `pkg/consts/consts.go` with the new semver tag and any updates to the API review URL. -- Update regex spec.validations.expression in `config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml` to match older versions. (Look for a regex like `v1.[0-3].`, and replace the `3` with the new minor version number -1). +- Update `config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml` + - Update the `gateway.networking.k8s.io/bundle-version`. + - Update regex `spec.validations.expression` to match older versions. (Look for a regex like `v1.[0-3].`, and replace the `3` with the new minor version number -1). - Run the following command `BASE_REF=vmajor.minor.patch make generate` which will update generated docs with the correct version info. (Note that you can't test with these YAMLs yet as they contain references to elements which wont 
@@ -129,7 +131,9 @@ The following steps must be done by one of the [Gateway API maintainers][gateway - Cut a `release-major.minor` branch that we can tag things in as needed. - Check out the `release-major.minor` release branch locally. - Update `pkg/consts/consts.go` with the new semver tag and any updates to the API review URL. -- Update regex spec.validations.expression in `config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml` to match older versions. +- Update `config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml` + - Update the `gateway.networking.k8s.io/bundle-version`. + - Update regex `spec.validations.expression` to match older versions. (Look for a regex like `v1.[0-3].`, and replace the `3` with the new minor version number -1). - Run the following command `BASE_REF=vmajor.minor.patch make generate` which will update generated docs with the correct version info. (Note that you can't test with these YAMLs yet as they contain references to elements which wont diff --git a/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml b/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml index 60aa677c2a..7706fcdfec 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct diff --git a/config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml b/config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml index f6aa3839c8..17d6609de7 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml 
+++ b/config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml index 42d5659a9a..ca60163036 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml index 3386eff429..b4245f821b 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml index 5612342160..457cac8d66 100644 
--- a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml b/config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml index f01e1b0cea..82d49b3710 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: listenersets.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml index 1cb1f611b4..5a5f9ed797 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: referencegrants.gateway.networking.k8s.io spec: 
diff --git a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml index 0ba0f7a8c8..c7b17a6545 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: tcproutes.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml index 0095d38cee..cfbd8266a8 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: tlsroutes.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml index fc30bdd278..ef3fdc96b0 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml 
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: udproutes.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml b/config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml index 51141b0d87..6a655059a3 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: annotations: - gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: "safe-upgrades.gateway.networking.k8s.io" spec: 
@@ -21,11 +21,13 @@ spec: oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] == 'experimental' )" message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." reason: Invalid - - expression: "object.spec.group != 'gateway.networking.k8s.io' || - (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && - !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-3].\\\\d+') && - !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library - message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + - expression: | + object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + (object.metadata.annotations['gateway.networking.k8s.io/bundle-version'] == 'v0.0.0-dev' || + (object.metadata.annotations['gateway.networking.k8s.io/bundle-version'].startsWith('v1.') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], '^v1\\.[0-4](\\.|$)')))) + message: "Installing CRDs with version other than v0.0.0-dev or v1.5+ is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install other versions." reason: Invalid --- 
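Review bot: The new rule admits any `bundle-version` that starts with `v1.` and is not `v1.0`–`v1.4`, so malformed values such as `v1.x` or a bare `v1.` pass; if only real releases should be accepted, a positive match such as `matches(..., '^v1\\.([5-9]|[1-9][0-9]+)\\.')` next to the `== 'v0.0.0-dev'` test would say so directly. The annotation is read from the CRD being applied, so this check guards against accidental downgrades rather than acting as an authorization boundary, and a short YAML comment above `- expression: |` stating that would help operators. The copy of this policy under `config/crd/standard/` keeps the old unanchored `'v1.[0-3].\\\\d+'` and `'v0'` patterns (its expression hunk in this commit appears to be whitespace-only), so two files defining the same policy name now enforce different floors and return different messages, while RELEASE.md names only the standard copy as the one to update. The dropped `#TODO Kubernetes 1.37: Migrate to kubernetes semver library` note could be kept as a comment line above the expression.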
@@ -34,7 +36,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: annotations: - gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: safe-upgrades.gateway.networking.k8s.io spec: diff --git a/config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml b/config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml index 5aa763b7bd..19f3293ab1 100644 --- a/config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml +++ b/config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct diff --git a/config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml b/config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml index 7136ccaca2..229db165a0 100644 --- a/config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml +++ b/config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: diff --git a/config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml b/config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml index 3288b72f5b..1476c051da 100644 
--- a/config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard labels: gateway.networking.k8s.io/policy: Direct diff --git a/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml b/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml index 49892669df..9325569eaf 100644 --- a/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: gatewayclasses.gateway.networking.k8s.io spec: diff --git a/config/crd/standard/gateway.networking.k8s.io_gateways.yaml b/config/crd/standard/gateway.networking.k8s.io_gateways.yaml index 770c697210..aba7378f57 100644 --- a/config/crd/standard/gateway.networking.k8s.io_gateways.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_gateways.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: gateways.gateway.networking.k8s.io spec: 
diff --git a/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml b/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml index 249a59f010..ae38994b88 100644 --- a/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: grpcroutes.gateway.networking.k8s.io spec: diff --git a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml index 7b87e6cdc5..0f428ca049 100644 --- a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: httproutes.gateway.networking.k8s.io spec: diff --git a/config/crd/standard/gateway.networking.k8s.io_listenersets.yaml b/config/crd/standard/gateway.networking.k8s.io_listenersets.yaml index 18e996ef8d..b01680363f 100644 --- a/config/crd/standard/gateway.networking.k8s.io_listenersets.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_listenersets.yaml 
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: listenersets.gateway.networking.k8s.io spec: diff --git a/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml b/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml index 1ef248ff2d..6ae47cec34 100644 --- a/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: referencegrants.gateway.networking.k8s.io spec: diff --git a/config/crd/standard/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/standard/gateway.networking.k8s.io_tlsroutes.yaml index 8d8167c3cb..df919fa7cd 100644 --- a/config/crd/standard/gateway.networking.k8s.io_tlsroutes.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_tlsroutes.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: tlsroutes.gateway.networking.k8s.io spec: diff --git a/config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml b/config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml index 51141b0d87..ed133715ab 100644 --- a/config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml 
+++ b/config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: annotations: - gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: "safe-upgrades.gateway.networking.k8s.io" spec: @@ -21,8 +21,8 @@ spec: oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] == 'experimental' )" message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." reason: Invalid - - expression: "object.spec.group != 'gateway.networking.k8s.io' || - (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-3].\\\\d+') && !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." @@ -34,7 +34,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: annotations: - gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/bundle-version: v0.0.0-dev gateway.networking.k8s.io/channel: standard name: safe-upgrades.gateway.networking.k8s.io spec: 
diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go index 3f09fa9c6a..42383a230d 100644 --- a/pkg/consts/consts.go +++ b/pkg/consts/consts.go @@ -27,7 +27,7 @@ const ( // BundleVersion is the value used for the "gateway.networking.k8s.io/bundle-version" annotation. // These value must be updated during the release process. - BundleVersion = "v1.4.1" + BundleVersion = "v0.0.0-dev" // ApprovalLink is the value used for the "api-approved.kubernetes.io" annotation. // These value must be updated during the release process. diff --git a/tests/vap/vap_test.go b/tests/vap/vap_test.go index e463015d5f..086c63e4e0 100644 --- a/tests/vap/vap_test.go +++ b/tests/vap/vap_test.go @@ -67,6 +67,7 @@ func TestVAPValidation(t *testing.T) { if requestedCRDChannel, ok := os.LookupEnv("CRD_CHANNEL"); ok { crdChannel = requestedCRDChannel } + t.Logf("Testing with CRD channel: %s", crdChannel) testEnv = &envtest.Environment{ Scheme: scheme, 
@@ -115,49 +116,101 @@ func TestVAPValidation(t *testing.T) { }) t.Run("should be able to install standard CRDs", func(t *testing.T) { - output, err := executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, - []string{"apply", "--server-side", "--force-conflicts", "--wait", "-f", filepath.Join("..", "..", "config", "crd", "standard")}) + files, err := filepath.Glob(filepath.Join("..", "..", "config", "crd", "standard", "*.yaml")) + require.NoError(t, err) + args := []string{"apply", "--server-side", "--force-conflicts", "--wait"} + for _, f := range files { + if !regexp.MustCompile(`vap_safeupgrades`).MatchString(f) { + args = append(args, "-f", f) + } + } + output, err := executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, args) require.NoError(t, err, "output", output) }) + + t.Run("should not be able to install CRDs with an older version", func(t *testing.T) { + versions := []struct { + version string + fail bool + }{ + {"v1.0.0", true}, + {"v1.1.0", true}, + {"v1.3.0", true}, + {"v1.4.0", true}, + {"v0.0.0-dev", false}, + {"v1.5.0", false}, + } + + for _, v := range versions { + t.Run(v.version, func(t *testing.T) { + t.Cleanup(func() { + _, _ = executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, + []string{"delete", "--wait", "--ignore-not-found", "-f", filepath.Join("..", "..", "config", "crd", "standard", "gateway.networking.k8s.io_httproutes.yaml")}) + }) + + // Read test crd into []byte + httpCrd, err := os.ReadFile(filepath.Join("..", "..", "config", "crd", "standard", "gateway.networking.k8s.io_httproutes.yaml")) + require.NoError(t, err) + + // do replace on gateway.networking.k8s.io/bundle-version: v1.x.0 + re := regexp.MustCompile(`gateway\.networking\.k8s\.io\/bundle-version: \S*`) + sub := []byte(fmt.Sprintf("gateway.networking.k8s.io/bundle-version: %s", v.version)) + oldCrd := re.ReplaceAll(httpCrd, sub) + + // supply crd to stdin of cmd and kubectl apply -f - + output, err := executeKubectlCommandStdin(t, 
kubectlLocation, kubeconfigLocation, bytes.NewReader(oldCrd), []string{"apply", "--server-side", "--force-conflicts", "-f", "-"}) + + if v.fail { + require.Error(t, err, "version %s should be blocked", v.version) + assert.Contains(t, output, "ValidatingAdmissionPolicy 'safe-upgrades.gateway.networking.k8s.io' with binding 'safe-upgrades.gateway.networking.k8s.io' denied request") + assert.Contains(t, output, "Installing CRDs with version other than v0.0.0-dev or v1.5+ is prohibited by default") + } else { + require.NoError(t, err, "output", output) + } + }) + } + }) case "standard": - t.Run("should be able to install standard CRDs", func(t *testing.T) { + t.Run("should not be able to install standard CRDs", func(t *testing.T) { output, err := executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, []string{"apply", "--server-side", "--wait", "-f", filepath.Join("..", "..", "config", "crd", "standard")}) - require.NoError(t, err, "output", output) + + require.Error(t, err) + assert.Contains(t, output, "ValidatingAdmissionPolicy 'safe-upgrades.gateway.networking.k8s.io' with binding 'safe-upgrades.gateway.networking.k8s.io' denied request") + assert.Contains(t, output, "Installing CRDs with version before v1.5.0 is prohibited by default") }) t.Run("should not be able to install k8s.io experimental CRDs", func(t *testing.T) { t.Cleanup(func() { - _, _ = executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, - []string{"delete", "--wait", "-f", filepath.Join("..", "..", "config", "crd", "experimental", "*k8s.*")}) + files, _ := filepath.Glob(filepath.Join("..", "..", "config", "crd", "experimental", "*.yaml")) + args := []string{"delete", "--wait"} + for _, f := range files { + if !regexp.MustCompile(`vap_safeupgrades`).MatchString(f) && !regexp.MustCompile(`kustomization`).MatchString(f) { + args = append(args, "-f", f) + } + } + _, _ = executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, args) }) - output, err := executeKubectlCommand(t, 
kubectlLocation, kubeconfigLocation, - []string{"apply", "--server-side", "--force-conflicts", "--wait", "-f", filepath.Join("..", "..", "config", "crd", "experimental", "*k8s.*")}) + files, err := filepath.Glob(filepath.Join("..", "..", "config", "crd", "experimental", "*.yaml")) + require.NoError(t, err) + args := []string{"apply", "--server-side", "--force-conflicts", "--wait"} + for _, f := range files { + if !regexp.MustCompile(`vap_safeupgrades`).MatchString(f) && !regexp.MustCompile(`kustomization`).MatchString(f) { + args = append(args, "-f", f) + } + } + output, err := executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, args) require.Error(t, err) assert.Contains(t, output, "Error from server (Invalid)") assert.Contains(t, output, "ValidatingAdmissionPolicy 'safe-upgrades.gateway.networking.k8s.io' with binding 'safe-upgrades.gateway.networking.k8s.io' denied request") - // Check exact CRD channel output. output, err = executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, []string{ "get", "crd", "-o", "template", "--template", `{{range .items}}{{.metadata.name}}: {{index .metadata.annotations "gateway.networking.k8s.io/channel"}}{{"\n"}}{{end}}`, }) - require.NoError(t, err) - assert.Equal(t, `backendtlspolicies.gateway.networking.k8s.io: standard -gatewayclasses.gateway.networking.k8s.io: standard -gateways.gateway.networking.k8s.io: standard -grpcroutes.gateway.networking.k8s.io: standard -httproutes.gateway.networking.k8s.io: standard -listenersets.gateway.networking.k8s.io: standard -referencegrants.gateway.networking.k8s.io: standard -tcproutes.gateway.networking.k8s.io: experimental -tlsroutes.gateway.networking.k8s.io: standard -udproutes.gateway.networking.k8s.io: experimental -xbackendtrafficpolicies.gateway.networking.x-k8s.io: experimental -xmeshes.gateway.networking.x-k8s.io: experimental -`, output) + require.NoError(t, err, "output", output) }) t.Run("should be able to install x-k8s.io experimental CRDs", func(t *testing.T) 
{ 
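Review bot: Removing the `assert.Equal` on the `kubectl get crd` template output means "should not be able to install k8s.io experimental CRDs" now proves only that the multi-file apply returned an error, not that each standard-channel CRD kept its `standard` annotation. Because the apply passes many `-f` files, a policy regression that let some CRDs flip to `experimental` while another was denied would go unnoticed; keeping a check over that output, for example asserting that no `*.gateway.networking.k8s.io` CRD that was `standard` now reports `experimental`, retains the coverage without pinning the full list. Separately, the `vap_safeupgrades`/`kustomization` filter is written three times and compiles a regexp per file; a small helper using `strings.Contains(filepath.Base(f), "vap_safeupgrades")` would be simpler (it needs `strings` imported if it is not already). The cleanup's `files, _ := filepath.Glob(...)` also leaves `kubectl delete --wait` with no `-f` arguments when the glob is empty or fails. The enclosing `TestVAPValidation` starts and ends outside this hunk.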
@@ -172,25 +225,43 @@ xmeshes.gateway.networking.x-k8s.io: experimental }) t.Run("should not be able to install CRDs with an older version", func(t *testing.T) { - t.Cleanup(func() { - _, _ = executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, - []string{"delete", "--wait", "-f", filepath.Join("..", "..", "config", "crd", "standard", "gateway.networking.k8s.io_httproutes.yaml")}) - }) - - // Read test crd into []byte - httpCrd, err := os.ReadFile(filepath.Join("..", "..", "config", "crd", "standard", "gateway.networking.k8s.io_httproutes.yaml")) - require.NoError(t, err) - - // do replace on gateway.networking.k8s.io/bundle-version: v1.x.0 - re := regexp.MustCompile(`gateway\.networking\.k8s\.io\/bundle-version: \S*`) - sub := []byte("gateway.networking.k8s.io/bundle-version: v1.3.0") - oldCrd := re.ReplaceAll(httpCrd, sub) - - // supply crd to stdin of cmd and kubectl apply -f - - output, err := executeKubectlCommandStdin(t, kubectlLocation, kubeconfigLocation, bytes.NewReader(oldCrd), []string{"apply", "-f", "-"}) - - require.Error(t, err) - assert.Contains(t, output, "ValidatingAdmissionPolicy 'safe-upgrades.gateway.networking.k8s.io' with binding 'safe-upgrades.gateway.networking.k8s.io' denied request") + versions := []struct { + version string + fail bool + }{ + {"v1.0.0", true}, + {"v1.1.0", true}, + {"v1.3.0", true}, + {"v0.0.0-dev", true}, + {"v1.4.0", false}, + {"v1.5.0", false}, + } + + for _, v := range versions { + t.Run(v.version, func(t *testing.T) { + t.Cleanup(func() { + _, _ = executeKubectlCommand(t, kubectlLocation, kubeconfigLocation, + []string{"delete", "--wait", "--ignore-not-found", "-f", filepath.Join("..", "..", "config", "crd", "standard", "gateway.networking.k8s.io_httproutes.yaml")}) + }) + + httpCrd, err := os.ReadFile(filepath.Join("..", "..", "config", "crd", "standard", "gateway.networking.k8s.io_httproutes.yaml")) + require.NoError(t, err) + + re := regexp.MustCompile(`gateway\.networking\.k8s\.io\/bundle-version: \S*`) 
+ sub := []byte(fmt.Sprintf("gateway.networking.k8s.io/bundle-version: %s", v.version)) + oldCrd := re.ReplaceAll(httpCrd, sub) + + output, err := executeKubectlCommandStdin(t, kubectlLocation, kubeconfigLocation, bytes.NewReader(oldCrd), []string{"apply", "--server-side", "--force-conflicts", "-f", "-"}) + + if v.fail { + require.Error(t, err, "version %s should be blocked", v.version) + assert.Contains(t, output, "ValidatingAdmissionPolicy 'safe-upgrades.gateway.networking.k8s.io' with binding 'safe-upgrades.gateway.networking.k8s.io' denied request") + assert.Contains(t, output, "Installing CRDs with version before v1.5.0 is prohibited by default") + } else { + require.NoError(t, err, "output", output) + } + }) + } }) default: t.Fatalf("invalid CRD channel: %s", crdChannel)
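Review bot: In the standard-channel table, `{"v1.4.0", false}` asserts that v1.4.0 installs cleanly, while the denial message asserted a few lines later reads "Installing CRDs with version before v1.5.0 is prohibited by default"; the test therefore pins the `[0-3]` regex still present in `config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml` rather than the floor that message and the experimental table (`{"v1.4.0", true}`) describe. If the standard policy is meant to match, the entry should become `{"v1.4.0", true}` once that regex is updated; if the difference is intended, a comment on the table such as `// standard VAP still uses the pre-1.5 regex; v1.4.0 passes, v0.0.0-dev is denied` would stop it being "fixed" by accident. The subtest body is a near copy of the one added in the experimental case, so a shared helper taking the version table and the expected message would keep the two from drifting. The enclosing `TestVAPValidation` starts outside this hunk.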