replicatedhq · replicated-ci-kurl · Nov 11, 2024
@@ -0,0 +1,2 @@
+image envoy docker.io/envoyproxy/envoy:v1.31.3
+image contour ghcr.io/projectcontour/contour:v1.30.1
@@ -0,0 +1,46 @@
+
+function contour_pre_init() {
+    if [ -z "$CONTOUR_NAMESPACE" ]; then
+        CONTOUR_NAMESPACE=projectcontour
+    fi
+
+    if [ -z "$CONTOUR_TLS_MINIMUM_PROTOCOL_VERSION" ]; then
+        CONTOUR_TLS_MINIMUM_PROTOCOL_VERSION="1.2"
+    fi
+
+    if [ -z "$CONTOUR_HTTP_PORT" ]; then
+        CONTOUR_HTTP_PORT="80"
+    fi
+
+    if [ -z "$CONTOUR_HTTPS_PORT" ]; then
+        CONTOUR_HTTPS_PORT="443"
+    fi
+}
+
+function contour() {
+    local src="$DIR/addons/contour/1.30.1"
+    local dst="$DIR/kustomize/contour"
+
+    cp "$src/contour.yaml" "$dst/"
+    cp "$src/patches/job-image.yaml" "$dst/"
+    cp "$src/patches/resource-limits.yaml" "$dst/"
+
+    render_yaml_file "$src/tmpl-configmap.yaml" > "$dst/configmap.yaml"
+    render_yaml_file "$src/tmpl-kustomization.yaml" > "$dst/kustomization.yaml"
+    render_yaml_file "$src/tmpl-namespace.yaml" > "$dst/namespace.yaml"
+    render_yaml_file "$src/tmpl-service-patch.yaml" > "$dst/service-patch.yaml"
+
+    # NodePort services in old namespace conflict
+    if kubectl get namespace heptio-contour &>/dev/null && [ "$CONTOUR_NAMESPACE" != heptio-contour ]; then
+        kubectl delete namespace heptio-contour
+    fi
+
+    kubectl create --save-config namespace "$CONTOUR_NAMESPACE" 2>/dev/null || true
+
+    kubectl apply -k "$dst/"
+
+    printf "awaiting contour deployment\n"
+    spinner_until 300 deployment_fully_updated projectcontour contour
+    printf "awaiting envoy daemonset\n"
+    spinner_until 300 daemonset_fully_updated projectcontour envoy
+}
@@ -0,0 +1,12 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: contour-certgen-v1-30-1
+  namespace: projectcontour
+spec:
+  template:
+    spec:
+      containers:
+      - name: contour
+        imagePullPolicy: IfNotPresent
@@ -0,0 +1,16 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: envoy
+  namespace: projectcontour
+spec:
+  template:
+    spec:
+      containers:
+      - name: envoy
+        resources:
+          limits:
+            cpu: "0.4"
+          requests:
+            cpu: "0.03"
@@ -0,0 +1,187 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: contour
+  namespace: projectcontour
+data:
+  contour.yaml: |
+    #
+    # server:
+    #   determine which XDS Server implementation to utilize in Contour.
+    #   xds-server-type: envoy
+    #
+    # Specify the Gateway API configuration.
+    # gateway:
+    #   namespace: projectcontour
+    #   name: contour
+    #
+    # should contour expect to be running inside a k8s cluster
+    # incluster: true
+    #
+    # path to kubeconfig (if not running inside a k8s cluster)
+    # kubeconfig: /path/to/.kube/config
+    #
+    # Disable RFC-compliant behavior to strip "Content-Length" header if
+    # "Tranfer-Encoding: chunked" is also set.
+    # disableAllowChunkedLength: false
+    #
+    # Disable Envoy's non-standard merge_slashes path transformation option
+    # that strips duplicate slashes from request URLs.
+    # disableMergeSlashes: false
+    #
+    # Disable HTTPProxy permitInsecure field
+    disablePermitInsecure: false
+    tls:
+    # minimum TLS version that Contour will negotiate
+      minimum-protocol-version: "$CONTOUR_TLS_MINIMUM_PROTOCOL_VERSION"
+    # TLS ciphers to be supported by Envoy TLS listeners when negotiating
+    # TLS 1.2.
+    # cipher-suites:
+    # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
+    # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
+    # - 'ECDHE-ECDSA-AES256-GCM-SHA384'
+    # - 'ECDHE-RSA-AES256-GCM-SHA384'
+    # Defines the Kubernetes name/namespace matching a secret to use
+    # as the fallback certificate when requests which don't match the
+    # SNI defined for a vhost.
+      fallback-certificate:
+    #   name: fallback-secret-name
+    #   namespace: projectcontour
+      envoy-client-certificate:
+    #   name: envoy-client-cert-secret-name
+    #   namespace: projectcontour
+    ####
+    # ExternalName Services are disabled by default due to CVE-2021-XXXXX
+    # You can re-enable them by setting this setting to `true`.
+    # This is not recommended without understanding the security implications.
+    # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details.
+    # enableExternalNameService: false
+    ##
+    # Address to be placed in status.loadbalancer field of Ingress objects.
+    # May be either a literal IP address or a host name.
+    # The value will be placed directly into the relevant field inside the status.loadBalancer struct.
+    # ingress-status-address: local.projectcontour.io
+    ### Logging options
+    # Default setting
+    accesslog-format: envoy
+    # The default access log format is defined by Envoy but it can be customized by setting following variable.
+    # accesslog-format-string: "...\n"
+    # To enable JSON logging in Envoy
+    # accesslog-format: json
+    # accesslog-level: info
+    # The default fields that will be logged are specified below.
+    # To customise this list, just add or remove entries.
+    # The canonical list is available at
+    # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
+    # json-fields:
+    #   - "@timestamp"
+    #   - "authority"
+    #   - "bytes_received"
+    #   - "bytes_sent"
+    #   - "downstream_local_address"
+    #   - "downstream_remote_address"
+    #   - "duration"
+    #   - "method"
+    #   - "path"
+    #   - "protocol"
+    #   - "request_id"
+    #   - "requested_server_name"
+    #   - "response_code"
+    #   - "response_flags"
+    #   - "uber_trace_id"
+    #   - "upstream_cluster"
+    #   - "upstream_host"
+    #   - "upstream_local_address"
+    #   - "upstream_service_time"
+    #   - "user_agent"
+    #   - "x_forwarded_for"
+    #   - "grpc_status"
+    #   - "grpc_status_number"
+    #
+    # default-http-versions:
+    # - "HTTP/2"
+    # - "HTTP/1.1"
+    #
+    # The following shows the default proxy timeout settings.
+    # timeouts:
+    #   request-timeout: infinity
+    #   connection-idle-timeout: 60s
+    #   stream-idle-timeout: 5m
+    #   max-connection-duration: infinity
+    #   delayed-close-timeout: 1s
+    #   connection-shutdown-grace-period: 5s
+    #   connect-timeout: 2s
+    #
+    # Envoy cluster settings.
+    # cluster:
+    #   configure the cluster dns lookup family
+    #   valid options are: auto (default), v4, v6
+    #   dns-lookup-family: auto
+    #
+    # Envoy network settings.
+    # network:
+    #   Configure the number of additional ingress proxy hops from the
+    #   right side of the x-forwarded-for HTTP header to trust.
+    #   num-trusted-hops: 0
+    #   Configure the port used to access the Envoy Admin interface.
+    #   admin-port: 9001
+    #
+    # Configure an optional global rate limit service.
+    # rateLimitService:
+    #   Identifies the extension service defining the rate limit service,
+    #   formatted as <namespace>/<name>.
+    #   extensionService: projectcontour/ratelimit
+    #   Defines the rate limit domain to pass to the rate limit service.
+    #   Acts as a container for a set of rate limit definitions within
+    #   the RLS.
+    #   domain: contour
+    #   Defines whether to allow requests to proceed when the rate limit
+    #   service fails to respond with a valid rate limit decision within
+    #   the timeout defined on the extension service.
+    #   failOpen: false
+    #   Defines whether to include the X-RateLimit headers X-RateLimit-Limit,
+    #   X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF
+    #   Internet-Draft linked below), on responses to clients when the Rate
+    #   Limit Service is consulted for a request.
+    #   ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
+    #   enableXRateLimitHeaders: false
+    #   Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED
+    #   instead of the default UNAVAILABLE
+    #   enableResourceExhaustedCode: false
+    #
+    # Global Policy settings.
+    # policy:
+    #   # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself)
+    #   request-headers:
+    #     set:
+    #       # example: the hostname of the Envoy instance that proxied the request
+    #       X-Envoy-Hostname: %HOSTNAME%
+    #       # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for
+    #       l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT%
+    #   # default headers to set on all responses (unless set/removed on the HTTPProxy object itself)
+    #   response-headers:
+    #     set:
+    #       # example: Envoy flags that provide additional details about the response or connection
+    #       X-Envoy-Response-Flags: %RESPONSE_FLAGS%
+    #
+    # metrics:
+    #  contour:
+    #    address: 0.0.0.0
+    #    port: 8000
+    #    server-certificate-path: /path/to/server-cert.pem
+    #    server-key-path: /path/to/server-private-key.pem
+    #    ca-certificate-path: /path/to/root-ca-for-client-validation.pem
+    #  envoy:
+    #    address: 0.0.0.0
+    #    port: 8002
+    #    server-certificate-path: /path/to/server-cert.pem
+    #    server-key-path: /path/to/server-private-key.pem
+    #    ca-certificate-path: /path/to/root-ca-for-client-validation.pem
+    #
+    # listener:
+    #  connection-balancer: exact
+    #  socket-options:
+    #    tos: 64
+    #    traffic-class: 64
+
@@ -0,0 +1,11 @@
+namespace: $CONTOUR_NAMESPACE
+
+resources:
+- namespace.yaml
+- contour.yaml
+- configmap.yaml
+
+patchesStrategicMerge:
+- service-patch.yaml
+- job-image.yaml
+- resource-limits.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: $CONTOUR_NAMESPACE
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: envoy
+  namespace: projectcontour
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    nodePort: $CONTOUR_HTTP_PORT
+    name: http
+    protocol: TCP
+    targetPort: 8080
+  - port: 443
+    nodePort: $CONTOUR_HTTPS_PORT
+    name: https
+    protocol: TCP
+    targetPort: 8443
@@ -283,7 +283,7 @@ module.exports.InstallerVersions = {
     "1.4.3",
     "1.0.4-14.2.21",
   ],
-  contour: ["1.30.0", "1.29.0", "1.28.3", "1.28.2", "1.27.0", "1.26.1", "1.26.0", "1.25.2", "1.25.0", "1.24.4", "1.24.3", "1.24.2", "1.24.1", "1.24.0", "1.23.2", "1.23.1", "1.23.0", "1.22.1", "1.22.0", "1.21.1", "1.21.0", "1.20.1", "1.20.0", "1.19.1", "1.18.0", "1.16.0", "1.15.1", "1.14.1", "1.14.0", "1.13.1", "1.13.0", "1.12.0", "1.11.0", "1.10.1", "1.7.0", "1.0.1", "0.14.0"], // cron-contour-update
+  contour: ["1.30.1", "1.30.0", "1.29.0", "1.28.3", "1.28.2", "1.27.0", "1.26.1", "1.26.0", "1.25.2", "1.25.0", "1.24.4", "1.24.3", "1.24.2", "1.24.1", "1.24.0", "1.23.2", "1.23.1", "1.23.0", "1.22.1", "1.22.0", "1.21.1", "1.21.0", "1.20.1", "1.20.0", "1.19.1", "1.18.0", "1.16.0", "1.15.1", "1.14.1", "1.14.0", "1.13.1", "1.13.0", "1.12.0", "1.11.0", "1.10.1", "1.7.0", "1.0.1", "0.14.0"], // cron-contour-update
   registry: [
     // cron-registry-update
     "2.8.3",