diff --git a/Makefile b/Makefile index 25b738e59e..eb14417b9d 100644 --- a/Makefile +++ b/Makefile @@ -412,6 +412,7 @@ deploy-crds: kubectl $(BINDIR)/kubectl apply -f pkg/imports/crds/calico/policy.networking.k8s.io/ && \ $(BINDIR)/kubectl apply -f pkg/imports/crds/enterprise/v1.crd.projectcalico.org/ && \ $(BINDIR)/kubectl apply -f pkg/imports/crds/enterprise/policy.networking.k8s.io/ && \ + $(BINDIR)/kubectl apply -f pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/ && \ $(BINDIR)/kubectl apply -f pkg/imports/crds/enterprise/01-crd-eck-bundle.yaml && \ $(BINDIR)/kubectl create -f deploy/crds/prometheus @@ -634,6 +635,7 @@ define prep_local_crds mkdir -p pkg/imports/crds/$(product)/v1.crd.projectcalico.org/ mkdir -p pkg/imports/crds/$(product)/v3.projectcalico.org/ mkdir -p pkg/imports/crds/$(product)/policy.networking.k8s.io/ + mkdir -p pkg/imports/crds/$(product)/applicationlayer.projectcalico.org/ mkdir -p pkg/imports/admission/$(product) mkdir -p .crds/$(product) endef @@ -663,6 +665,11 @@ define copy_k8s_policy_crds @mv pkg/imports/crds/$(product)/v1.crd.projectcalico.org/policy.networking.k8s.io_* pkg/imports/crds/$(product)/policy.networking.k8s.io/ 2>/dev/null; true @echo "Moved $(product) K8s policy CRDs to dedicated directory" endef +define copy_applicationlayer_crds + $(eval product := $(1)) + @mv pkg/imports/crds/$(product)/v3.projectcalico.org/applicationlayer.projectcalico.org_* pkg/imports/crds/$(product)/applicationlayer.projectcalico.org/ 2>/dev/null; true + @echo "Moved $(product) ApplicationLayer CRDs to dedicated directory" +endef define copy_eck_crds $(eval dir := $(1)) $(eval product := $(2)) @@ -713,6 +720,7 @@ update-enterprise-crds: fetch-enterprise-crds $(call copy_v1_crds,$(ENTERPRISE_CRDS_DIR),"enterprise") $(call copy_v3_crds, $(ENTERPRISE_CRDS_DIR),"enterprise") $(call copy_k8s_policy_crds,"enterprise") + $(call copy_applicationlayer_crds,"enterprise") $(call copy_eck_crds,$(ENTERPRISE_CRDS_DIR),"enterprise") $(call copy_admission_policies,$(ENTERPRISE_CRDS_DIR),"enterprise") diff --git a/pkg/imports/crds/crds.go b/pkg/imports/crds/crds.go index 8f86dd2e91..255626f62a 100644 --- a/pkg/imports/crds/crds.go +++ b/pkg/imports/crds/crds.go @@ -147,6 +147,34 @@ func getK8sPolicyCRDSource(variant opv1.ProductVariant) map[string][]byte { return ret } +// getApplicationLayerCRDSource returns the applicationlayer.projectcalico.org CRDs +// (the gateway WAF kinds). This is a distinct, CRD-only API group that is not served +// by the aggregated apiserver and has a single v3 schema, so - unlike the +// projectcalico.org datastore CRDs - it is installed in both v1-CRD and v3-CRD modes. +// Enterprise only. +func getApplicationLayerCRDSource() map[string][]byte { + ret := map[string][]byte{} + dir := "enterprise/applicationlayer.projectcalico.org" + entries, err := enterpriseCRDFiles.ReadDir(dir) + if err != nil { + panic(fmt.Sprintf("Failed to read ApplicationLayer CRDs: %v", err)) + } + + for _, entry := range entries { + b, err := enterpriseCRDFiles.ReadFile(path.Join(dir, entry.Name())) + if err != nil { + panic(fmt.Sprintf("Failed to read ApplicationLayer CRD %s: %v", entry.Name(), err)) + } + + crds := bytes.Split(b, []byte("\n---")) + for i, crd := range crds { + ret[fmt.Sprintf("%s_%d", entry.Name(), i)] = crd + } + } + + return ret +} + func getOperatorCRDSource(variant opv1.ProductVariant) map[string][]byte { ret := map[string][]byte{} entries, err := operatorCRDFiles.ReadDir("operator") @@ -204,7 +232,7 @@ func GetCRDs(variant opv1.ProductVariant, v3 bool) []*apiextenv1.CustomResourceD crds = calicoCRDs } else { if len(enterpriseCRDs) == 0 { - enterpriseCRDs = convertYamlsToCRDs(getEnterpriseCRDSource(v3), getK8sPolicyCRDSource(variant), getOperatorCRDSource(variant)) + enterpriseCRDs = convertYamlsToCRDs(getEnterpriseCRDSource(v3), getK8sPolicyCRDSource(variant), getOperatorCRDSource(variant), getApplicationLayerCRDSource()) } crds = enterpriseCRDs } diff --git a/pkg/imports/crds/crds_test.go b/pkg/imports/crds/crds_test.go index b258ba0d77..083b3efb2a 100644 --- a/pkg/imports/crds/crds_test.go +++ b/pkg/imports/crds/crds_test.go @@ -63,6 +63,25 @@ var _ = Describe("test crds pkg", func() { Expect(crdNames).To(HaveKey("adminnetworkpolicies.policy.networking.k8s.io")) Expect(crdNames).To(HaveKey("baselineadminnetworkpolicies.policy.networking.k8s.io")) }) + + It(fmt.Sprintf("includes applicationlayer WAF CRDs for Enterprise in both CRD modes (v3=%t)", v3), func() { + enterpriseCRDs = nil + crds := GetCRDs(opv1.CalicoEnterprise, v3) + crdNames := map[string]bool{} + for _, crd := range crds { + crdNames[crd.Name] = true + } + // The applicationlayer.projectcalico.org group is CRD-only (not served by the + // aggregated apiserver) and has a single v3 schema, so its CRDs must install in + // both v1-CRD and v3-CRD modes - otherwise gateway WAF is unusable on standard + // apiserver-backed installs. + Expect(crdNames).To(HaveKey("wafpolicies.applicationlayer.projectcalico.org")) + Expect(crdNames).To(HaveKey("globalwafpolicies.applicationlayer.projectcalico.org")) + Expect(crdNames).To(HaveKey("wafplugins.applicationlayer.projectcalico.org")) + Expect(crdNames).To(HaveKey("globalwafplugins.applicationlayer.projectcalico.org")) + Expect(crdNames).To(HaveKey("wafvalidationpolicies.applicationlayer.projectcalico.org")) + Expect(crdNames).To(HaveKey("globalwafvalidationpolicies.applicationlayer.projectcalico.org")) + }) } It("can parse Operator CRDs used with calico", func() { diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafplugins.yaml b/pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_globalwafplugins.yaml similarity index 100% rename from pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafplugins.yaml rename to pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_globalwafplugins.yaml diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafpolicies.yaml b/pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_globalwafpolicies.yaml similarity index 100% rename from pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafpolicies.yaml rename to pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_globalwafpolicies.yaml diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafvalidationpolicies.yaml b/pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_globalwafvalidationpolicies.yaml similarity index 100% rename from pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafvalidationpolicies.yaml rename to pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_globalwafvalidationpolicies.yaml diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafplugins.yaml b/pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_wafplugins.yaml similarity index 100% rename from pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafplugins.yaml rename to pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_wafplugins.yaml diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafpolicies.yaml b/pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_wafpolicies.yaml similarity index 100% rename from pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafpolicies.yaml rename to pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_wafpolicies.yaml diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafvalidationpolicies.yaml b/pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_wafvalidationpolicies.yaml similarity index 100% rename from pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafvalidationpolicies.yaml rename to pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/applicationlayer.projectcalico.org_wafvalidationpolicies.yaml