Merge pull request #331 from wallarm/DEVOPS-2370

DEVOPS-2370 Node 4.10 pre-release
wallarm · Jan 3, 2024 · fd43941 · fd43941
2 parents 456fe94 + 76ed0c9
commit fd43941
Show file tree

Hide file tree

Showing 23 changed files with 307 additions and 74 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -126,8 +126,14 @@ jobs:
           path: kubernetes-ci
           secrets: |
             kv-gitlab-ci/data/github/ingress api_token ;
+            kv-gitlab-ci/data/github/ingress api_host ;
+            kv-gitlab-ci/data/github/ingress api_preset ;
+            kv-gitlab-ci/data/github/ingress client_id ;
             kv-gitlab-ci/data/github/ingress user_secret ;
             kv-gitlab-ci/data/github/ingress user_uuid ;
+            kv-gitlab-ci/data/github/shared/allure allure_endpoint ;
+            kv-gitlab-ci/data/github/shared/allure allure_project_id ;
+            kv-gitlab-ci/data/github/shared/allure allure_token ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ;
 
@@ -150,17 +156,21 @@ jobs:
           SKIP_CLUSTER_CREATION: true
           SKIP_IMAGE_CREATION: true
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
+          WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }}
+          WALLARM_API_PRESET: ${{ steps.secrets.outputs.api_preset }}
+          CLIENT_ID: ${{ steps.secrets.outputs.client_id }}
           USER_UUID: ${{ steps.secrets.outputs.user_uuid }}
           USER_SECRET: ${{ steps.secrets.outputs.user_secret }}
           SMOKE_REGISTRY_TOKEN: ${{ steps.secrets.outputs.token_name }}
           SMOKE_REGISTRY_SECRET: ${{ steps.secrets.outputs.token_secret }}
           ALLURE_UPLOAD_REPORT: true
           ALLURE_GENERATE_REPORT: true
-          ALLURE_TOKEN: ${{ secrets.ALLURE_SERVER_TOKEN }}
-          ALLURE_ENDPOINT: ${{ secrets.ALLURE_SERVER_URL }}
-          ALLURE_PROJECT_ID: ${{ secrets.ALLURE_PROJECT_ID }}
+          ALLURE_TOKEN: ${{ steps.secrets.outputs.allure_token }}
+          ALLURE_ENDPOINT: ${{ steps.secrets.outputs.allure_endpoint }}
+          ALLURE_PROJECT_ID: ${{ steps.secrets.outputs.allure_project_id }}
           ALLURE_ENVIRONMENT_K8S: ${{ matrix.k8s }}
           ALLURE_ENVIRONMENT_ARCH: ${{ matrix.ARCH }}
+          TEST_RC: true
         run: |
           make kind-smoke-test
 
@@ -263,7 +273,7 @@ jobs:
     env:
       ARCH: amd64
     strategy:
-      fail-fast: false # TODO: temporary for arm64 new arc testing
+      fail-fast: true
       matrix:
         k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1, v1.28.0]
 
@@ -277,7 +287,9 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/ingress api_token
+          secrets: |
+            kv-gitlab-ci/data/github/ingress api_token ;
+            kv-gitlab-ci/data/github/ingress api_host ;
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -301,9 +313,10 @@ jobs:
           SKIP_E2E_IMAGE_CREATION: true
           WALLARM_ENABLED: true
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
+          WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }}
         run: |
           kind get kubeconfig > $HOME/.kube/kind-config-kind
-          make E2E_NODES=6 kind-e2e-test
+          make E2E_NODES=7 kind-e2e-test
 
   scan:
     name: Scan images

diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
@@ -12,7 +12,7 @@ jobs:
   release:
     runs-on: self-hosted-amd64-1cpu
     outputs:
-      chart_version: ${{ steps.extract_tag.outputs.tag }}
+      chart_version: ${{ steps.check_release.outputs.tag }}
       release_type: ${{ steps.check_release.outputs.type }}
     steps:
       - name: Import secrets
@@ -25,61 +25,37 @@ jobs:
           method: kubernetes
           path: kubernetes-ci
           secrets: |
-            kv-gitlab-ci/data/github/shared/github_token token | GITHUB_TOKEN ;
+            kv-gitlab-ci/data/github/shared/github_token token ;
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
-      - name: Extract tag name
-        id: extract_tag
-        run: |
-          X_TAG=$(echo ${GITHUB_REF#refs/*/} | sed 's/[+-].*$//g')
-          echo "X_TAG=${X_TAG}" >> $GITHUB_ENV
-          echo "tag=${X_TAG}" >> $GITHUB_OUTPUT
-
       - name: Check release type
         id: check_release
         run: |
           TYPE="production"
+          TAG=$(echo ${GITHUB_REF#refs/*/} | sed 's/[+-].*$//g')
           if [[ ${GITHUB_REF#refs/*/} =~ "rc" ]]; then
             TYPE="release-candidate"
+            TAG=${GITHUB_REF#refs/*/}
           fi
-          echo "Release type: ${TYPE}"
+          echo -e "Type: ${TYPE} \nTag: ${TAG}"
           echo "type=${TYPE}" >> $GITHUB_OUTPUT
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
 
-      - name: Publish Helm charts (Prod)
-        if: steps.check_release.outputs.type == 'production'
-        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # master
-        with:
-          token: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
-          charts_dir: ./charts
-          charts_url: https://charts.wallarm.com
-          linting: off
-          repository: helm-charts
-          branch: main
-          target_dir: "wallarm-ingress"
-          index_dir: .
-          app_version: "${{ env.X_TAG }}"
-          chart_version: "${{ env.X_TAG }}"
-
-      - name: Update chart name for RC versions
+      - name: Publish Helm chart
         if: steps.check_release.outputs.type == 'release-candidate'
-        run: yq -y -i '.name = "wallarm-ingress-rc"' ./charts/ingress-nginx/Chart.yaml
-
-      - name: Publish Helm charts (RC)
-        if: steps.check_release.outputs.type == 'release-candidate'
-        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # master
+        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260
         with:
-          token: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
+          token: ${{ steps.secrets.outputs.token }}
           charts_dir: ./charts
           charts_url: https://charts.wallarm.com
           linting: off
           repository: helm-charts
           branch: main
-          target_dir: "wallarm-ingress-rc"
+          target_dir: wallarm-ingress
           index_dir: .
-          app_version: "${{ env.X_TAG }}"
-          chart_version: "${{ env.X_TAG }}"
+          chart_version: ${{ steps.check_release.outputs.tag }}
 
   update_version:
     name: Update package version
@@ -88,7 +64,7 @@ jobs:
     needs: release
     steps:
       - name: Import secrets
-        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
+        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74
         id: secrets
         with:
           exportEnv: true

diff --git a/.github/workflows/smoke-test.yaml b/.github/workflows/smoke-test.yaml
@@ -35,8 +35,14 @@ jobs:
           path: kubernetes-ci
           secrets: |
             kv-gitlab-ci/data/github/ingress api_token ;
+            kv-gitlab-ci/data/github/ingress api_host ;
+            kv-gitlab-ci/data/github/ingress api_preset ;
+            kv-gitlab-ci/data/github/ingress client_id ;
             kv-gitlab-ci/data/github/ingress user_secret ;
             kv-gitlab-ci/data/github/ingress user_uuid ;
+            kv-gitlab-ci/data/github/shared/allure allure_endpoint ;
+            kv-gitlab-ci/data/github/shared/allure allure_project_id ;
+            kv-gitlab-ci/data/github/shared/allure allure_token ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ;
 
@@ -53,16 +59,19 @@ jobs:
           SKIP_CLUSTER_CREATION: true
           SKIP_IMAGE_CREATION: true
           SKIP_IMAGE_LOADING: true
-          ALLURE_UPLOAD_REPORT: true
-          ALLURE_GENERATE_REPORT: true
-          ALLURE_TOKEN: ${{ secrets.ALLURE_SERVER_TOKEN }}
-          ALLURE_ENDPOINT: ${{ secrets.ALLURE_SERVER_URL }}
-          ALLURE_PROJECT_ID: ${{ secrets.ALLURE_PROJECT_ID }}
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
+          WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }}
+          WALLARM_API_PRESET: ${{ steps.secrets.outputs.api_preset }}
+          CLIENT_ID: ${{ steps.secrets.outputs.client_id }}
           USER_UUID: ${{ steps.secrets.outputs.user_uuid }}
           USER_SECRET: ${{ steps.secrets.outputs.user_secret }}
           SMOKE_REGISTRY_TOKEN: ${{ steps.secrets.outputs.token_name }}
           SMOKE_REGISTRY_SECRET: ${{ steps.secrets.outputs.token_secret }}
+          ALLURE_UPLOAD_REPORT: true
+          ALLURE_GENERATE_REPORT: true
+          ALLURE_TOKEN: ${{ steps.secrets.outputs.allure_token }}
+          ALLURE_ENDPOINT: ${{ steps.secrets.outputs.allure_endpoint }}
+          ALLURE_PROJECT_ID: ${{ steps.secrets.outputs.allure_project_id }}
           ALLURE_ENVIRONMENT_K8S: ${{ matrix.k8s }}
           ALLURE_ENVIRONMENT_ARCH: amd64
         run: |

diff --git a/AIO_BASE b/AIO_BASE
@@ -1 +1 @@
-4.8.4
+4.10.0-rc4
diff --git a/TAG b/TAG
@@ -1 +1 @@
-4.8.2-1
+4.10.0-rc4
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: wallarm-ingress
-version: 4.8.6
-appVersion: 4.8.2-1
+version: 4.10.0-rc4
+appVersion: 4.10.0-rc4
 home: https://github.com/wallarm/ingress
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer with Wallarm module
 icon: https://static.wallarm.com/wallarm-logo.svg

diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
@@ -93,6 +93,14 @@ Get specific paths
 {{- end }}
 {{- end -}}
 
+{{- define "wallarm-apifw.path" -}}
+{{- if .Values.controller.image.chroot -}}
+{{- printf "/chroot/opt/wallarm/var/lib/wallarm-api" -}}
+{{- else -}}
+{{- printf "/opt/wallarm/var/lib/wallarm-api" -}}
+{{- end }}
+{{- end -}}
+
 {{/*
 Get specific image
 */}}
@@ -241,6 +249,8 @@ Create the name of the controller service account to use
     name: wallarm
   - mountPath: {{ include "wallarm-acl.path" . }}
     name: wallarm-acl
+  - mountPath: {{ include "wallarm-apifw.path" . }}
+    name: wallarm-apifw
   - mountPath: /secrets/wallarm/token
     name: wallarm-token
     subPath: token
@@ -274,6 +284,8 @@ Create the name of the controller service account to use
     name: wallarm
   - mountPath: {{ include "wallarm-acl.path" . }}
     name: wallarm-acl
+  - mountPath: {{ include "wallarm-apifw.path" . }}
+    name: wallarm-apifw
   - mountPath: /opt/cron/crontab
     name: wallarm-cron
     subPath: crontab
@@ -315,6 +327,54 @@ Create the name of the controller service account to use
 {{ toYaml .Values.controller.wallarm.collectd.resources | indent 4 }}
 {{- end -}}
 
+{{- define "ingress-nginx.wallarmapiFirewallContainer" -}}
+- name: api-firewall
+{{- if .Values.controller.wallarm.apiFirewall.image }}
+  {{- with .Values.controller.wallarm.apiFirewall.image }}
+  image: "{{ .repository }}:{{ .tag }}"
+  {{- end }}
+{{- else }}
+  image: "{{ .Values.controller.wallarm.helpers.image }}:{{ .Values.controller.wallarm.helpers.tag }}"
+{{- end }}
+  imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
+  args: ["api-firewall"]
+  env:
+    - name: APIFW_SPECIFICATION_UPDATE_PERIOD
+      value: "{{ .Values.controller.wallarm.apiFirewall.config.specificationUpdatePeriod }}"
+    - name: API_MODE_UNKNOWN_PARAMETERS_DETECTION
+      value: "{{ .Values.controller.wallarm.apiFirewall.config.unknownParametersDetection }}"
+    - name: APIFW_URL
+      value: "http://0.0.0.0:{{ .Values.controller.wallarm.apiFirewall.config.mainPort }}"
+    - name: APIFW_HEALTH_HOST
+      value: "0.0.0.0:{{ .Values.controller.wallarm.apiFirewall.config.healthPort }}"
+    - name: APIFW_LOG_LEVEL
+      value: "{{ .Values.controller.wallarm.apiFirewall.config.logLevel }}"
+    - name: APIFW_LOG_FORMAT
+      value: "{{ .Values.controller.wallarm.apiFirewall.config.logFormat }}"
+    - name: APIFW_MODE
+      value: api
+    - name: APIFW_READ_TIMEOUT
+      value: 5s
+    - name: APIFW_WRITE_TIMEOUT
+      value: 5s
+    - name: APIFW_API_MODE_DEBUG_PATH_DB
+      value: "{{ include "wallarm-apifw.path" . }}/1/wallarm_api.db"
+  volumeMounts:
+    - name: wallarm-apifw
+      mountPath: {{ include "wallarm-apifw.path" . }}
+  securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 4 }}
+  resources: {{ toYaml .Values.controller.wallarm.apiFirewall.resources | nindent 4 }}
+  ports:
+    - name: health
+      containerPort: {{ .Values.controller.wallarm.apiFirewall.config.healthPort }}
+{{- if .Values.controller.wallarm.apiFirewall.livenessProbeEnabled }}
+  livenessProbe: {{ toYaml .Values.controller.wallarm.apiFirewall.livenessProbe | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.wallarm.apiFirewall.readinessProbeEnabled }}
+  readinessProbe: {{ toYaml .Values.controller.wallarm.apiFirewall.readinessProbe | nindent 4 }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Create a default fully qualified admission webhook name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

diff --git a/charts/ingress-nginx/templates/controller-configmap-cron.yaml b/charts/ingress-nginx/templates/controller-configmap-cron.yaml
@@ -13,25 +13,32 @@ data:
   crontab: |
     {{- with .Values.controller.wallarm.cron.jobs.exportEnvironment }}
     # export-environment
-    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/export-environment -l STDOUT
+    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/export-environment -l STDOUT -L {{ .logLevel }}
     {{- end }}
 
     {{- with .Values.controller.wallarm.cron.jobs.syncIpLists }}
     # sync-ip-lists
-    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/sync-ip-lists -l STDOUT
+    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/sync-ip-lists -l STDOUT -L {{ .logLevel }}
     {{- end }}
 
     {{- with .Values.controller.wallarm.cron.jobs.exportMetrics }}
     # export-metrics
-    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/export-metrics -l STDOUT
+    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/export-metrics -l STDOUT -L {{ .logLevel }}
     {{- end }}
 
     {{- with .Values.controller.wallarm.cron.jobs.syncIpListsSource }}
     # sync-ip-lists-source
-    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/sync-ip-lists-source -l STDOUT
+    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/sync-ip-lists-source -l STDOUT -L {{ .logLevel }}
     {{- end }}
 
     {{- with .Values.controller.wallarm.cron.jobs.syncNode }}
     # sync-node
-    {{ .schedule }} /opt/wallarm/usr/share/wallarm-common/syncnode -f -p -r 120 -l STDOUT -L DEBUG
+    {{ .schedule }} /opt/wallarm/usr/share/wallarm-common/syncnode -f -p -r 120 -l STDOUT -L {{ .logLevel }}
+    {{- end }}
+
+    {{- if .Values.controller.wallarm.apiFirewall.enabled }}
+    {{- with .Values.controller.wallarm.cron.jobs.syncApiSpecs }}
+    # sync-api-specs
+    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/sync-api-specs -l STDOUT -L {{ .logLevel }}
+    {{- end }}
     {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -18,6 +18,8 @@ data:
   enable-wallarm: "{{ .Values.controller.wallarm.enabled }}"
   wallarm-upstream-service: "{{ include "ingress-nginx.controller.fullname" . }}-wallarm-tarantool"
   wallarm-metrics-port: "{{ .Values.controller.wallarm.metrics.port }}"
+  wallarm-apifw-enabled: "{{ .Values.controller.wallarm.apiFirewall.enabled }}"
+  wallarm-apifw-port: "{{ .Values.controller.wallarm.apiFirewall.config.mainPort }}"
 {{- if .Values.controller.wallarm.fallback }}
   wallarm-fallback: "{{ .Values.controller.wallarm.fallback }}"
 {{- end }}

diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -83,7 +83,7 @@ spec:
       containers:
         - name: {{ .Values.controller.containerName }}
           {{- with .Values.controller.image }}
-          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
+          image: "{{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
           {{- end }}
           imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
         {{- if .Values.controller.lifecycle }}
@@ -197,6 +197,9 @@ spec:
       {{- if .Values.controller.wallarm.enabled }}
         {{ include "ingress-nginx.wallarmCronContainer" . | nindent 8 }}
         {{ include "ingress-nginx.wallarmCollectdContainer" . | nindent 8 }}
+        {{- if .Values.controller.wallarm.apiFirewall.enabled }}
+        {{ include "ingress-nginx.wallarmapiFirewallContainer" . | nindent 8 }}
+        {{- end }}
       {{- end }}
     {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled .Values.controller.wallarm.enabled) }}
       initContainers:
@@ -249,6 +252,8 @@ spec:
           emptyDir: {}
         - name: wallarm-cache
           emptyDir: {}
+        - name: wallarm-apifw
+          emptyDir: {}
         - name: wallarm-cron
           configMap:
             name: {{ template "ingress-nginx.wallarmControllerCronConfig" . }}