feat(k8s): opt-in to support tls for GAPI in other namespaces than sy…

…stem Signed-off-by: Jakub Dyszkiewicz <[email protected]>
kumahq · Apr 19, 2024 · 34c2b77 · 34c2b77
1 parent 4eb5103
commit 34c2b77
Show file tree

Hide file tree

Showing 33 changed files with 206 additions and 30 deletions.
diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.cni-enabled.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.cni-enabled.golden.yaml
@@ -103,11 +103,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.defaults.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.defaults.golden.yaml
@@ -7907,11 +7907,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.dump-values.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.dump-values.yaml
@@ -321,6 +321,10 @@ controlPlane:
   containerSecurityContext:
     readOnlyRootFilesystem: true
 
+  # -- If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace.
+  # The downside is that control plane requires permission to read Secrets in all namespaces.
+  supportAllGatewaySecrets: false
+
 cni:
   # -- Install Kuma with CNI instead of proxy init container
   enabled: false

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.gateway-api-present.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.gateway-api-present.yaml
@@ -7907,11 +7907,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.global.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.global.golden.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.override-env-vars.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.override-env-vars.golden.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.overrides.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.overrides.golden.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.registry.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.registry.golden.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/...l/cmd/install/testdata/install-control-plane.tproxy-ebpf-experimental-enabled.golden.yaml b/...l/cmd/install/testdata/install-control-plane.tproxy-ebpf-experimental-enabled.golden.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml
@@ -58,11 +58,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml
@@ -7927,11 +7927,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-values.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-values.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml
@@ -58,11 +58,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.zone.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.zone.golden.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/doNotChangeTlsChecksum.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/doNotChangeTlsChecksum.golden.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/empty.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/empty.golden.yaml
@@ -48,11 +48,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4485.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4485.golden.yaml
@@ -65,11 +65,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml
@@ -62,11 +62,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml
@@ -123,11 +123,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix5978.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix5978.golden.yaml
@@ -68,11 +68,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources:

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix7724.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix7724.golden.yaml
@@ -51,11 +51,17 @@ rules:
       - pods
       - configmaps
       - nodes
-      - secrets
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+    - ""
+    resources:
+      - secret
+    verbs:
+    - list
+    - watch
   - apiGroups:
       - "apps"
     resources: