update codegen

Signed-off-by: Karol Szwaj <[email protected]>

Author: cnvergence

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml

@@ -46,12 +46,15 @@ spec:
         - envoy
         env:
         - name: ENVOY_GATEWAY_NAMESPACE
-          value: envoy-gateway-system
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
         - name: ENVOY_SERVICE_ZONE
           valueFrom:
             fieldRef:
               apiVersion: v1
-              fieldPath: metadata.labels['topology.kubernetes.io/zone']
+              fieldPath: metadata.annotations['topology.kubernetes.io/zone']
         - name: ENVOY_POD_NAME
           valueFrom:
             fieldRef:
@@ -123,22 +126,22 @@ spec:
           readOnly: true
         - mountPath: /sds
           name: sds
-        - mountPath: /var/run/secrets/token
-          name: sa-token
-          readOnly: true
       - args:
         - envoy
         - shutdown-manager
         command:
         - envoy-gateway
         env:
         - name: ENVOY_GATEWAY_NAMESPACE
-          value: envoy-gateway-system
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
         - name: ENVOY_SERVICE_ZONE
           valueFrom:
             fieldRef:
               apiVersion: v1
-              fieldPath: metadata.labels['topology.kubernetes.io/zone']
+              fieldPath: metadata.annotations['topology.kubernetes.io/zone']
         - name: ENVOY_POD_NAME
           valueFrom:
             fieldRef:
@@ -204,27 +207,17 @@ spec:
       serviceAccountName: envoy-default-37a8eec1
       terminationGracePeriodSeconds: 360
       volumes:
-      - name: sa-token
-        projected:
-          defaultMode: 420
-          sources:
-          - serviceAccountToken:
-              audience: envoy-gateway.envoy-gateway-system.svc.cluster.local
-              expirationSeconds: 3600
-              path: sa-token
-      - configMap:
+      - name: certs
+        secret:
           defaultMode: 420
-          items:
-          - key: ca.crt
-            path: ca.crt
-          name: envoy-default-37a8eec1
-          optional: false
-        name: certs
+          secretName: envoy
       - configMap:
           defaultMode: 420
           items:
           - key: xds-trusted-ca.json
             path: xds-trusted-ca.json
+          - key: xds-certificate.json
+            path: xds-certificate.json
           name: envoy-default-37a8eec1
           optional: false
         name: sds

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml

@@ -160,20 +160,6 @@ spec:
                       connection_keepalive:
                         interval: 30s
                         timeout: 5s
-                  http_filters:
-                  - name: envoy.filters.http.credential_injector
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
-                      credential:
-                        name: envoy.http.injected_credentials.generic
-                        typed_config:
-                          "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
-                          credential:
-                            name: jwt-sa-bearer
-                      overwrite: true
-                  - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
               name: xds_cluster
               type: STRICT_DNS
               transport_socket:
@@ -183,6 +169,12 @@ spec:
                   common_tls_context:
                     tls_params:
                       tls_maximum_protocol_version: TLSv1_3
+                    tls_certificate_sds_secret_configs:
+                    - name: xds_certificate
+                      sds_config:
+                        path_config_source:
+                          path: /sds/xds-certificate.json
+                        resource_api_version: V3
                     validation_context_sds_secret_config:
                       name: xds_trusted_ca
                       sds_config:
@@ -208,38 +200,25 @@ spec:
                   "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
                   explicit_http_config:
                     http2_protocol_options: {}
-                  http_filters:
-                  - name: envoy.filters.http.credential_injector
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
-                      credential:
-                        name: envoy.http.injected_credentials.generic
-                        typed_config:
-                          "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
-                          credential:
-                            name: jwt-sa-bearer
-                      overwrite: true
-                  - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
               transport_socket:
                 name: envoy.transport_sockets.tls
                 typed_config:
                   "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
                   common_tls_context:
                     tls_params:
                       tls_maximum_protocol_version: TLSv1_3
+                    tls_certificate_sds_secret_configs:
+                    - name: xds_certificate
+                      sds_config:
+                        path_config_source:
+                          path: /sds/xds-certificate.json
+                        resource_api_version: V3
                     validation_context_sds_secret_config:
                       name: xds_trusted_ca
                       sds_config:
                         path_config_source:
                           path: /sds/xds-trusted-ca.json
                         resource_api_version: V3
-            secrets:
-            - name: jwt-sa-bearer
-              generic_secret:
-                secret:
-                  filename: "/var/run/secrets/token/sa-token"
           overload_manager:
             refresh_interval: 0.25s
             resource_monitors:
@@ -270,12 +249,15 @@ spec:
         - envoy
         env:
         - name: ENVOY_GATEWAY_NAMESPACE
-          value: envoy-gateway-system
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
         - name: ENVOY_SERVICE_ZONE
           valueFrom:
             fieldRef:
               apiVersion: v1
-              fieldPath: metadata.labels['topology.kubernetes.io/zone']
+              fieldPath: metadata.annotations['topology.kubernetes.io/zone']
         - name: ENVOY_POD_NAME
           valueFrom:
             fieldRef:
@@ -341,22 +323,22 @@ spec:
           readOnly: true
         - mountPath: /sds
           name: sds
-        - mountPath: /var/run/secrets/token
-          name: sa-token
-          readOnly: true
       - args:
         - envoy
         - shutdown-manager
         command:
         - envoy-gateway
         env:
         - name: ENVOY_GATEWAY_NAMESPACE
-          value: envoy-gateway-system
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
         - name: ENVOY_SERVICE_ZONE
           valueFrom:
             fieldRef:
               apiVersion: v1
-              fieldPath: metadata.labels['topology.kubernetes.io/zone']
+              fieldPath: metadata.annotations['topology.kubernetes.io/zone']
         - name: ENVOY_POD_NAME
           valueFrom:
             fieldRef:
@@ -415,27 +397,17 @@ spec:
       serviceAccountName: envoy-default-37a8eec1
       terminationGracePeriodSeconds: 360
       volumes:
-      - name: sa-token
-        projected:
+      - name: certs
+        secret:
           defaultMode: 420
-          sources:
-          - serviceAccountToken:
-              audience: envoy-gateway.envoy-gateway-system.svc.cluster.local
-              expirationSeconds: 3600
-              path: sa-token
-      - configMap:
-          defaultMode: 420
-          items:
-          - key: ca.crt
-            path: ca.crt
-          name: envoy-default-37a8eec1
-          optional: false
-        name: certs
+          secretName: envoy
       - configMap:
           defaultMode: 420
           items:
           - key: xds-trusted-ca.json
             path: xds-trusted-ca.json
+          - key: xds-certificate.json
+            path: xds-certificate.json
           name: envoy-default-37a8eec1
           optional: false
         name: sds

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml

@@ -159,20 +159,6 @@ spec:
                       connection_keepalive:
                         interval: 30s
                         timeout: 5s
-                  http_filters:
-                  - name: envoy.filters.http.credential_injector
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
-                      credential:
-                        name: envoy.http.injected_credentials.generic
-                        typed_config:
-                          "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
-                          credential:
-                            name: jwt-sa-bearer
-                      overwrite: true
-                  - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
               name: xds_cluster
               type: STRICT_DNS
               transport_socket:
@@ -182,6 +168,12 @@ spec:
                   common_tls_context:
                     tls_params:
                       tls_maximum_protocol_version: TLSv1_3
+                    tls_certificate_sds_secret_configs:
+                    - name: xds_certificate
+                      sds_config:
+                        path_config_source:
+                          path: /sds/xds-certificate.json
+                        resource_api_version: V3
                     validation_context_sds_secret_config:
                       name: xds_trusted_ca
                       sds_config:
@@ -207,38 +199,25 @@ spec:
                   "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
                   explicit_http_config:
                     http2_protocol_options: {}
-                  http_filters:
-                  - name: envoy.filters.http.credential_injector
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
-                      credential:
-                        name: envoy.http.injected_credentials.generic
-                        typed_config:
-                          "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
-                          credential:
-                            name: jwt-sa-bearer
-                      overwrite: true
-                  - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
               transport_socket:
                 name: envoy.transport_sockets.tls
                 typed_config:
                   "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
                   common_tls_context:
                     tls_params:
                       tls_maximum_protocol_version: TLSv1_3
+                    tls_certificate_sds_secret_configs:
+                    - name: xds_certificate
+                      sds_config:
+                        path_config_source:
+                          path: /sds/xds-certificate.json
+                        resource_api_version: V3
                     validation_context_sds_secret_config:
                       name: xds_trusted_ca
                       sds_config:
                         path_config_source:
                           path: /sds/xds-trusted-ca.json
                         resource_api_version: V3
-            secrets:
-            - name: jwt-sa-bearer
-              generic_secret:
-                secret:
-                  filename: "/var/run/secrets/token/sa-token"
           overload_manager:
             refresh_interval: 0.25s
             resource_monitors:
@@ -269,12 +248,15 @@ spec:
         - envoy
         env:
         - name: ENVOY_GATEWAY_NAMESPACE
-          value: envoy-gateway-system
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
         - name: ENVOY_SERVICE_ZONE
           valueFrom:
             fieldRef:
               apiVersion: v1
-              fieldPath: metadata.labels['topology.kubernetes.io/zone']
+              fieldPath: metadata.annotations['topology.kubernetes.io/zone']
         - name: ENVOY_POD_NAME
           valueFrom:
             fieldRef:
@@ -340,22 +322,22 @@ spec:
           readOnly: true
         - mountPath: /sds
           name: sds
-        - mountPath: /var/run/secrets/token
-          name: sa-token
-          readOnly: true
       - args:
         - envoy
         - shutdown-manager
         command:
         - envoy-gateway
         env:
         - name: ENVOY_GATEWAY_NAMESPACE
-          value: envoy-gateway-system
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
         - name: ENVOY_SERVICE_ZONE
           valueFrom:
             fieldRef:
               apiVersion: v1
-              fieldPath: metadata.labels['topology.kubernetes.io/zone']
+              fieldPath: metadata.annotations['topology.kubernetes.io/zone']
         - name: ENVOY_POD_NAME
           valueFrom:
             fieldRef:
@@ -414,27 +396,17 @@ spec:
       serviceAccountName: envoy-default-37a8eec1
       terminationGracePeriodSeconds: 360
       volumes:
-      - name: sa-token
-        projected:
+      - name: certs
+        secret:
           defaultMode: 420
-          sources:
-          - serviceAccountToken:
-              audience: envoy-gateway.envoy-gateway-system.svc.cluster.local
-              expirationSeconds: 3600
-              path: sa-token
-      - configMap:
-          defaultMode: 420
-          items:
-          - key: ca.crt
-            path: ca.crt
-          name: envoy-default-37a8eec1
-          optional: false
-        name: certs
+          secretName: envoy
       - configMap:
           defaultMode: 420
           items:
           - key: xds-trusted-ca.json
             path: xds-trusted-ca.json
+          - key: xds-certificate.json
+            path: xds-certificate.json
           name: envoy-default-37a8eec1
           optional: false
         name: sds