[1.17] feat: Watch Namespaces based on labels and label selectors (#1…

…0066)

.github/workflows/pr-kubernetes-tests.yaml

@@ -51,26 +51,31 @@ jobs:
         # If tests are exceeding the 25-minute limit, please see:
         # /test/kubernetes/e2e/load_balancing_tests.md
         test:
-        # May 14th: ~ minutes execution time (see load_balancing_tests.md)
+        # September 19, 2024: 22 minutes
         - cluster-name: 'cluster-one'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestGloomtlsGatewayEdgeGateway$$|^TestK8sGateway$$/^RouteDelegation$$|^TestK8sGateway$$/^Services$$|^TestGlooctlGlooGatewayEdgeGateway$$|^TestGlooctlK8sGateway$$'
+          go-test-run-regex: '^TestK8sGateway$$/^RouteDelegation$$|^TestK8sGateway$$/^Services$$|^TestGlooctlGlooGatewayEdgeGateway$$|^TestGlooctlK8sGateway$$'
 
-        # May 14th: ~ minutes execution time (see load_balancing_tests.md)
+        # September 19, 2024: 16 minutes
         - cluster-name: 'cluster-two'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestValidationStrict$$|^TestValidationAlwaysAccept$$|^TestTransformationValidationDisabled$$|^TestK8sGatewayIstioRevision$$|^TestRevisionIstioRegression$$|^TestK8sGateway$$/^Deployer$$|^TestK8sGateway$$/^RouteOptions$$|^TestK8sGateway$$/^VirtualHostOptions$$|^TestK8sGateway$$/^Upstreams$$|^TestK8sGateway$$/^HeadlessSvc$$|^TestK8sGateway$$/^PortRouting$$|^TestK8sGatewayMinimalDefaultGatewayParameters$$'
+          go-test-run-regex: '^TestK8sGatewayIstioRevision$$|^TestRevisionIstioRegression$$|^TestK8sGateway$$/^Deployer$$|^TestK8sGateway$$/^RouteOptions$$|^TestK8sGateway$$/^VirtualHostOptions$$|^TestK8sGateway$$/^Upstreams$$|^TestK8sGateway$$/^HeadlessSvc$$|^TestK8sGateway$$/^PortRouting$$|^TestK8sGatewayMinimalDefaultGatewayParameters$$'
 
-        # May 14th: ~ minutes execution time (see load_balancing_tests.md)
+        # September 19, 2024: 22 minutes
         - cluster-name: 'cluster-three'
           go-test-args: '-v -timeout=25m'
           go-test-run-regex: '(^TestK8sGatewayIstioAutoMtls$$|^TestAutomtlsIstioEdgeApisGateway$$|^TestIstioEdgeApiGateway$$|^TestIstioRegression$$)'
 
-        # May 14th: ~ minutes execution time (see load_balancing_tests.md)
+        # September 19, 2024: 22 minutes
         - cluster-name: 'cluster-four'
           go-test-args: '-v -timeout=25m'
           go-test-run-regex: '(^TestK8sGatewayIstio$$|^TestGlooGatewayEdgeGateway$$|^TestGlooctlIstioInjectEdgeApiGateway$$|^TestK8sGatewayNoValidation$$)'
 
+        # September 19, 2024: 22 minutes
+        - cluster-name: 'cluster-five'
+          go-test-args: '-v -timeout=25m'
+          go-test-run-regex: '^TestValidationStrict$$|^TestValidationAlwaysAccept$$|^TestTransformationValidationDisabled$$|^TestGloomtlsGatewayEdgeGateway$$|^TestWatchNamespaceSelector$$'
+
         # In our PR tests, we run the suite of tests using the upper ends of versions that we claim to support
         # The versions should mirror: https://docs.solo.io/gloo-edge/latest/reference/support/
         version-files:

changelog/v1.17.9/watch-namespace-selectors.yaml

@@ -0,0 +1,14 @@
+changelog:
+- type: FIX
+  issueLink: https://github.com/solo-io/gloo/issues/9274
+  resolvesIssue: false
+  description: Adds a new field `watchNamespaceSelectors` to the settings CR. This allows users to specify namespaces to watch based on label selectors. The `watchNamespaces` field will override this if specified.
+- type: FIX
+  issueLink: https://github.com/solo-io/gloo/issues/9274
+  resolvesIssue: false
+  description: Adds a new helm value `settings.watchNamespaceSelectors`. This allows users to specify namespaces to watch based on label selectors that can be specified via `settings.watchNamespaceSelectors.matchLabels` for an exact label match and `settings.watchNamespaceSelectors.matchExpressions` for more generic requirements.  The `settings.watchNamespaces` field will override this if specified.
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: solo-kit
+  dependencyTag: v0.35.4
+  issueLink: https://github.com/solo-io/gloo/issues/9274

docs/content/reference/values.txt

@@ -113,7 +113,11 @@
 |kubeGateway.gatewayParameters.glooGateway.stats.enableStatsRoute|bool|true|Enable the stats endpoint|
 |kubeGateway.gatewayParameters.glooGateway.stats.statsRoutePrefixRewrite|string|/stats|Set the prefix rewrite used for the stats endpoint|
 |kubeGateway.gatewayParameters.glooGateway.floatingUserId|bool||If true, allows the cluster to dynamically assign a user ID for the processes running in the container. Default is false.|
-|settings.watchNamespaces[]|string||whitelist of namespaces for Gloo Edge to watch for services and CRDs. Empty list means all namespaces|
+|settings.watchNamespaces[]|string||whitelist of namespaces for Gloo Edge to watch for services and CRDs. Empty list means all namespaces. If this and WatchNamespaceSelectors are specified, this takes precedence and WatchNamespaceSelectors is ignored|
+|settings.watchNamespaceSelectors[].match_labels.NAME|string|||
+|settings.watchNamespaceSelectors[].match_expressions[].key|string|||
+|settings.watchNamespaceSelectors[].match_expressions[].operator|string|||
+|settings.watchNamespaceSelectors[].match_expressions[].values[]|string|||
 |settings.writeNamespace|string||namespace where intermediary CRDs will be written to, e.g. Upstreams written by Gloo Edge Discovery.|
 |settings.integrations.knative.enabled|bool|false|enabled knative components|
 |settings.integrations.knative.version|string|0.10.0|the version of knative installed to the cluster. if using version < 0.8.0, Gloo Edge will use Knative's ClusterIngress API for configuration rather than the namespace-scoped Ingress|

docs/data/ProtoMap.yaml

@@ -830,6 +830,12 @@ apis:
   gloo.solo.io.KubernetesServiceDestination:
     relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/proxy.proto.sk/#KubernetesServiceDestination
     package: gloo.solo.io
+  gloo.solo.io.LabelSelector:
+    relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk/#LabelSelector
+    package: gloo.solo.io
+  gloo.solo.io.LabelSelectorRequirement:
+    relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk/#LabelSelectorRequirement
+    package: gloo.solo.io
   gloo.solo.io.LbEndpoint:
     relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/failover.proto.sk/#LbEndpoint
     package: gloo.solo.io

go.mod

@@ -51,14 +51,14 @@ require (
 	github.com/solo-io/go-utils v0.25.3
 	github.com/solo-io/k8s-utils v0.7.2
 	github.com/solo-io/protoc-gen-ext v0.0.18
-	github.com/solo-io/protoc-gen-openapi v0.2.2
+	github.com/solo-io/protoc-gen-openapi v0.2.4
 	github.com/solo-io/skv2 v0.39.1
 
 	// Pinned to the `sa-k8s-1.29-bump` tag of solo-apis on `gloo-main` branch
 	// Ref: https://github.com/solo-io/gloo/pull/9463/files#r1594409655 && https://solo-io-corp.slack.com/archives/C03MFATU265/p1716913420716729?thread_ts=1716476992.938679&cid=C03MFATU265
 	// as to why it is now based off `gloo-main` and not `gloo-repo-branch`
 	github.com/solo-io/solo-apis v0.0.0-20240528173540-7879b7d12cb9
-	github.com/solo-io/solo-kit v0.35.0
+	github.com/solo-io/solo-kit v0.35.4
 	github.com/spf13/afero v1.9.2
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -2006,14 +2006,14 @@ github.com/solo-io/k8s-utils v0.7.2 h1:pIRiTOpwymdCHUOSjzKDi/Ay16FNtF7JV7NIRlC2Z
 github.com/solo-io/k8s-utils v0.7.2/go.mod h1:RrT6PVTSD1X0vteKCQmGzoAAfjI1U5oV/wA+T3T+NoM=
 github.com/solo-io/protoc-gen-ext v0.0.18 h1:zSAL8NzWpJUGYoA5IyjHiKASNyHjR0uxBQ7eQS94i3A=
 github.com/solo-io/protoc-gen-ext v0.0.18/go.mod h1:iGyCvmKmhJNXs5MgBcYFBF0om7LDnCVD2WwhOZGnqeA=
-github.com/solo-io/protoc-gen-openapi v0.2.2 h1:OzyOAxiZuMAaLYWMNoTl2v9E7IXcl7UEeiTeCSwvCJ0=
-github.com/solo-io/protoc-gen-openapi v0.2.2/go.mod h1:osEjRl1miHqlq4Wl/8SEqHFoyydptPL1EzEdM9c4vfE=
+github.com/solo-io/protoc-gen-openapi v0.2.4 h1:9tqGhCAq83IRSzHhKDzpWnPlbPPORTM2izVxjLk0Ftw=
+github.com/solo-io/protoc-gen-openapi v0.2.4/go.mod h1:osEjRl1miHqlq4Wl/8SEqHFoyydptPL1EzEdM9c4vfE=
 github.com/solo-io/skv2 v0.39.1 h1:dWaZTWgntAsvh4lTlojd3xE+g7NF4oYNonfcdpy0nXE=
 github.com/solo-io/skv2 v0.39.1/go.mod h1:Zsnl+OYmOkj+6KeaMfkzYIxHTVMC0w2gVApzNJRadM8=
 github.com/solo-io/solo-apis v0.0.0-20240528173540-7879b7d12cb9 h1:4DNulNBJdaVz+fOaMQes1MqVCIO/db2vmwz7bVe3iIU=
 github.com/solo-io/solo-apis v0.0.0-20240528173540-7879b7d12cb9/go.mod h1:fA+jJC7TXNM+i3uXvq7fpVrJ6JpNu1BgBxc4U9ntUW0=
-github.com/solo-io/solo-kit v0.35.0 h1:iX7Wl9h59M7sPAH+fLVdjalY+nAfeG2ry+zrXYuyXTo=
-github.com/solo-io/solo-kit v0.35.0/go.mod h1:fxakm2fhYzT3UNsM4baURVz19wCa75sv/KBNi4lwv6Q=
+github.com/solo-io/solo-kit v0.35.4 h1:Q6Iai6Us4JYF6fGxED797ygVlytk1uufrSQsPw3bWHk=
+github.com/solo-io/solo-kit v0.35.4/go.mod h1:KBCEfl59/wE0K68s90aDcrTc36gKR5L97TbVelwL8n4=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=

install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml

@@ -1054,6 +1054,28 @@ spec:
                   token:
                     type: string
                 type: object
+              watchNamespaceSelectors:
+                items:
+                  properties:
+                    matchExpressions:
+                      items:
+                        properties:
+                          key:
+                            type: string
+                          operator:
+                            type: string
+                          values:
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  type: object
+                type: array
               watchNamespaces:
                 items:
                   type: string

install/helm/gloo/generate/values.go

@@ -1,6 +1,7 @@
 package generate
 
 import (
+	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -214,7 +215,8 @@ type KnativeProxyInternal struct {
 }
 
 type Settings struct {
-	WatchNamespaces               []string                `json:"watchNamespaces,omitempty" desc:"whitelist of namespaces for Gloo Edge to watch for services and CRDs. Empty list means all namespaces"`
+	WatchNamespaces               []string                `json:"watchNamespaces,omitempty" desc:"whitelist of namespaces for Gloo Edge to watch for services and CRDs. Empty list means all namespaces. If this and WatchNamespaceSelectors are specified, this takes precedence and WatchNamespaceSelectors is ignored"`
+	WatchNamespaceSelectors       []*v1.LabelSelector     `json:"watchNamespaceSelectors,omitempty" desc:"A list of Kubernetes selectors that specify the set of namespaces to restrict the namespaces that Gloo controllers take into consideration when watching for resources. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. An empty list means all namespaces. If this and WatchNamespaces are specified, WatchNamespaces takes precedence and this is ignored"`
 	WriteNamespace                *string                 `json:"writeNamespace,omitempty" desc:"namespace where intermediary CRDs will be written to, e.g. Upstreams written by Gloo Edge Discovery."`
 	Integrations                  *Integrations           `json:"integrations,omitempty"`
 	Create                        *bool                   `json:"create,omitempty" desc:"create a Settings CRD which provides bootstrap configuration to Gloo Edge controllers"`

install/helm/gloo/templates/18-settings.yaml

@@ -192,8 +192,13 @@ spec:
   {{- range . }}
   - {{ . }}
   {{- end }}
-{{- end }}
-{{- end }}
+{{- end }} {{/* with .Values.settings.watchNamespaces */}}
+{{- end }} {{/* if .Values.settings.singleNamespace */}}
+
+{{- if .Values.settings.watchNamespaceSelectors }}
+  watchNamespaceSelectors:
+  {{ toYaml .Values.settings.watchNamespaceSelectors | nindent 4 }}
+{{- end }} {{/* if .Values.settings.watchNamespaceSelectors */}}
 
 {{- end }} {{/* if .Values.settings.create  */}}
 {{- end }} {{/* define "settings.settingsSpec" */}}

install/helm/gloo/templates/5-gateway-validation-webhook-configuration.yaml

@@ -58,6 +58,13 @@ specific resources, we will manage the resources that the webhook receives via t
     apiGroups: [""]{{/* We do not have internal secret CRDs. We want to validate the deletion of secrets such as TLS, so we add "" which refers to Kubernetes' core APIs. */}}
     apiVersions: ["v1"]
     resources: ["secrets"]
+{{- end }}
+{{- if and (not (has "*" .Values.gateway.validation.webhook.skipDeleteValidationResources)) (not (has "namespaces" .Values.gateway.validation.webhook.skipDeleteValidationResources)) }}
+{{- /* A namespace with an updated to a label can cause it to no longer be watched, equivalent to deleting it from the controller's perspective */}}
+  - operations: [ "UPDATE", "DELETE"]
+    apiGroups: [""]{{/* We do not have internal namespace CRDs. We want to validate the updation and deletion of namespaces that are watched. */}}
+    apiVersions: ["v1"]
+    resources: ["namespaces"]
 {{- end }}
   - operations: {{ include "gloo.webhookvalidation.operationsForResource" (list "ratelimitconfigs" .Values.gateway.validation.webhook.skipDeleteValidationResources) }}
     apiGroups: ["ratelimit.solo.io"]