releaseUpdates (#188)

* releaseUpdates

* nits

Author: davidhadas

hack/generate-yamls.sh

@@ -51,13 +51,16 @@ rm -fr ${YAML_OUTPUT_DIR}/*.yaml
 # Generated Knative component YAML files
 readonly SECURED_HELLO_YAML=${YAML_OUTPUT_DIR}/secured-helloworld.yaml
 readonly SECURED_LAYERED_MYAPP_YAML=${YAML_OUTPUT_DIR}/secured-layered-myapp.yaml
+readonly TESTSRV_YAML=${YAML_OUTPUT_DIR}/testsrv.yaml
 readonly CREATE_SECRETS_YAML=${YAML_OUTPUT_DIR}/create-secrets.yaml
 readonly CONFIG_FEATURES_YAML=${YAML_OUTPUT_DIR}/config-features.yaml
 readonly GUARD_SERVICE_YAML=${YAML_OUTPUT_DIR}/guard-service.yaml
 readonly QUEUE_PROXY_YAML=${YAML_OUTPUT_DIR}/queue-proxy.yaml
 readonly GATE_ACCOUNT_YAML=${YAML_OUTPUT_DIR}/gate-account.yaml
 readonly SERVICE_ACCOUNT_YAML=${YAML_OUTPUT_DIR}/service-account.yaml
 readonly GUARDIAN_CRD_YAML=${YAML_OUTPUT_DIR}/guardian-crd.yaml
+readonly DEPLOY_KIND=${YAML_OUTPUT_DIR}/deploy-kind.sh
+readonly DEPLOY_KNATIVE_KIND=${YAML_OUTPUT_DIR}/deploy-knative-kind.sh
 
 # Flags for all ko commands
 KO_YAML_FLAGS="-P"
@@ -85,38 +88,46 @@ echo "Building Knative Secuity-Guard"
 echo KO_YAML_FLAGS: ${KO_YAML_FLAGS}
 ko resolve ${KO_YAML_FLAGS} -f config-kubernetes/deploy/secured-helloworld.yaml | "${LABEL_YAML_CMD[@]}" > "${SECURED_HELLO_YAML}"
 ko resolve ${KO_YAML_FLAGS} -f config-kubernetes/deploy/secured-layered-myapp.yaml | "${LABEL_YAML_CMD[@]}" > "${SECURED_LAYERED_MYAPP_YAML}"
+ko resolve ${KO_YAML_FLAGS} -f test/e2e/services/httptest/deploy.yaml | "${LABEL_YAML_CMD[@]}" > "${TESTSRV_YAML}"
 ko resolve ${KO_YAML_FLAGS} -f config-kubernetes/deploy/create-secrets.yaml | "${LABEL_YAML_CMD[@]}" > "${CREATE_SECRETS_YAML}"
 ko resolve ${KO_YAML_FLAGS} -f config/deploy/config-features.yaml | "${LABEL_YAML_CMD[@]}" > "${CONFIG_FEATURES_YAML}"
 ko resolve ${KO_YAML_FLAGS} -f config/deploy/guard-service.yaml | "${LABEL_YAML_CMD[@]}" > "${GUARD_SERVICE_YAML}"
 ko resolve ${KO_YAML_FLAGS} -f config/deploy/queue-proxy.yaml | "${LABEL_YAML_CMD[@]}" > "${QUEUE_PROXY_YAML}"
 ko resolve ${KO_YAML_FLAGS} -f config/resources/gateAccount.yaml | "${LABEL_YAML_CMD[@]}" > "${GATE_ACCOUNT_YAML}"
 ko resolve ${KO_YAML_FLAGS} -f config/resources/serviceAccount.yaml | "${LABEL_YAML_CMD[@]}" > "${SERVICE_ACCOUNT_YAML}"
 ko resolve ${KO_YAML_FLAGS} -f config/resources/guardiansCrd.yaml | "${LABEL_YAML_CMD[@]}" > "${GUARDIAN_CRD_YAML}"
+cp hack/kind/deployKind.sh "${DEPLOY_KIND}"
+cp hack/kind/deployKnativeKind.sh "${DEPLOY_KNATIVE_KIND}"
 echo "All manifests generated"
 
 # List generated YAML files
 
 cat << EOF > ${YAML_LIST_FILE}
 ${SECURED_HELLO_YAML}
 ${SECURED_LAYERED_MYAPP_YAML}
+${TESTSRV_YAML}
 ${CREATE_SECRETS_YAML}
 ${CONFIG_FEATURES_YAML}
 ${GUARD_SERVICE_YAML}
 ${QUEUE_PROXY_YAML}
 ${GATE_ACCOUNT_YAML}
 ${SERVICE_ACCOUNT_YAML}
 ${GUARDIAN_CRD_YAML}
-
+${DEPLOY_KIND}
+${DEPLOY_KNATIVE_KIND}
 EOF
 
 cat << EOF > "${YAML_ENV_FILE}"
 export SECURED_HELLO_YAML=${SECURED_HELLO_YAML}
 export SECURED_LAYERED_MYAPP_YAML=${SECURED_LAYERED_MYAPP_YAML}
+export TESTSRV_YAML=${TESTSRV_YAML}
 export CREATE_SECRETS_YAML=${CREATE_SECRETS_YAML}
 export CONFIG_FEATURES_YAML=${CONFIG_FEATURES_YAML}
 export GUARD_SERVICE_YAML=${GUARD_SERVICE_YAML}
 export QUEUE_PROXY_YAML=${QUEUE_PROXY_YAML}
 export GATE_ACCOUNT_YAML=${GATE_ACCOUNT_YAML}
 export SERVICE_ACCOUNT_YAML=${SERVICE_ACCOUNT_YAML}
 export GUARDIAN_CRD_YAML=${GUARDIAN_CRD_YAML}
+export DEPLOY_KIND=${DEPLOY_KIND}
+export DEPLOY_KNATIVE_KIND=${DEPLOY_KNATIVE_KIND}
 EOF

hack/kind/deployKind.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Create Kind cluster
+kind delete cluster --name k8s
+kind create cluster --config ./hack/kind/kind-config.yaml
+kubectl cluster-info --context kind-k8s
+kubectl create namespace knative-serving
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+
+#Create K8s resources CRD, ServiceAccounts etc.
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/gateAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/serviceAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/guardiansCrd.yaml
+
+# start create-secrets
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/create-secrets.yaml
+
+# start guard-service
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/guard-service.yaml
+
+# wait for keys to be ready
+kubectl wait --namespace knative-serving --for=condition=complete job/create-knative-secrets --timeout=120s
+
+# wait for ingress to be ready
+kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller  --timeout=120s
+
+# Copying secert to namespace: \"default\"
+REPLACE_NS="s/ namespace: .*/ namespace: default/"
+REPLACE_NAME="s/ name: knative-serving-certs/ name: default-serving-certs/"
+kubectl get secret knative-serving-certs --namespace=knative-serving -o yaml |sed "${REPLACE_NS}" |sed "${REPLACE_NAME}" |sed  "s/ selfLink: .*/ /"|sed  "s/ uid: .*/ /" |sed  "s/ resourceVersion: .*/ /" |kubectl apply -f -
+
+#add hellowworld - protected using a guard sidecar  (the recommended pattern)
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/secured-helloworld.yaml
+
+#add myapp - protected using a separate guard pod (non-recommended pattern)
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/secured-layered-myapp.yaml

hack/kind/deployKnativeKind.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+export KO_DOCKER_REPO=ko.local
+
+# Knative install using quickstart
+kn quickstart kind -n k8s --install-serving
+
+#Create K8s resources CRD, ServiceAccounts etc.
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/gateAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/serviceAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/guardiansCrd.yaml
+
+# Kind seem to sometime need some extra time
+sleep 10
+
+# adjust knative to use guard
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/queue-proxy.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/config-features.yaml
+
+# start guard-service
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/guard-service.yaml
+
+# Activate internal encryption
+kubectl patch configmap config-network -n knative-serving --type=merge -p '{"data": {"internal-encryption": "true"}}'
+
+# Restart activator pod
+kubectl rollout restart deployment activator -n knative-serving

test/e2e/services/httptest/deploy.yaml

@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: testsrv
+  labels:
+    app: testsrv
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: testsrv
+  template:
+    metadata:
+      labels:
+        app: testsrv
+    spec:
+      containers:
+      - name: testsrv
+        image: ko://knative.dev/security-guard/test/e2e/services/httptest
+        imagePullPolicy: IfNotPresent
+        ports:
+          - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: testsrv
+  namespace: knative-serving
+spec:
+  selector:
+    app: testsrv
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080