Migrate to kyma 2.1.3 (#2545)

* Migrate to kyma 2.1.3 * remove certificate component from kyma installation * fix kyma components and overrides * fix istio overrides * update full installation config * update envoy buffer extension name * fix internal auth * remove certificate component from kyma installation * update docs * add monitors patches * remove monitoring-node-exporter service monitor * return the certificate component * return the certificate component for full installation
kyma-incubator · Aug 29, 2022 · 7ce0863 · 7ce0863
1 parent cd8797a
commit 7ce0863
Show file tree

Hide file tree

Showing 15 changed files with 43 additions and 94 deletions.
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ For more information about the Compass architecture, technical details, and comp
 - [Docker](https://www.docker.com/get-started)
 - [k3d](https://github.com/k3d-io/k3d) v5.2.2+
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) 1.23.0+
-- [Kyma CLI](https://github.com/kyma-project/cli) stable
+- [Kyma CLI](https://github.com/kyma-project/cli) 2.1.3
 - [helm](https://github.com/helm/helm) v3.8.0+
 - [yq](https://github.com/mikefarah/yq) v4+
 

diff --git a/chart/compass/templates/filters/request-limit-filter-2mb.yaml b/chart/compass/templates/filters/request-limit-filter-2mb.yaml
@@ -20,11 +20,11 @@ spec:
       patch:
         operation: INSERT_BEFORE
         value:
-          name: envoy.buffer
+          name: envoy.filters.http.buffer
           typed_config:
             '@type': type.googleapis.com/udpa.type.v1.TypedStruct
             value:
               maxRequestBytes: {{ .Values.global.istio.ingressgateway.requestPayloadSizeLimit2MB }}
   workloadSelector:
     labels:
-      reqlimit: {{ .Values.global.istio.ingressgateway.requestPayloadSizeLimit2MBLabel }}
+      reqlimit: {{ .Values.global.istio.ingressgateway.requestPayloadSizeLimit2MBLabel }}
diff --git a/chart/compass/templates/filters/request-limit-filter-5mb.yaml b/chart/compass/templates/filters/request-limit-filter-5mb.yaml
@@ -20,11 +20,11 @@ spec:
       patch:
         operation: INSERT_BEFORE
         value:
-          name: envoy.buffer
+          name: envoy.filters.http.buffer
           typed_config:
             '@type': type.googleapis.com/udpa.type.v1.TypedStruct
             value:
               maxRequestBytes: {{ .Values.global.istio.ingressgateway.requestPayloadSizeLimit5MB }}
   workloadSelector:
     labels:
-      reqlimit: {{ .Values.global.istio.ingressgateway.requestPayloadSizeLimit5MBLabel }}
+      reqlimit: {{ .Values.global.istio.ingressgateway.requestPayloadSizeLimit5MBLabel }}
diff --git a/chart/compass/templates/internal-communication-policies.yaml b/chart/compass/templates/internal-communication-policies.yaml
@@ -5,12 +5,6 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   jwtRules:
-    - issuer: kubernetes/serviceaccount
-      jwksUri: {{ .Values.global.kubernetes.serviceAccountTokenJWKS }}
-      forwardOriginalToken: true
-      fromHeaders:
-        - name: X-Authorization
-          prefix: "Bearer "
     - issuer: {{ .Values.global.kubernetes.serviceAccountTokenIssuer }}
       jwksUri: {{ .Values.global.kubernetes.serviceAccountTokenJWKS }}
       forwardOriginalToken: true
@@ -90,12 +84,6 @@ spec:
     matchLabels:
       app.kubernetes.io/name: hydra
   jwtRules:
-    - issuer: kubernetes/serviceaccount
-      jwksUri: {{ .Values.global.kubernetes.serviceAccountTokenJWKS }}
-      forwardOriginalToken: true
-      fromHeaders:
-        - name: X-Authorization
-          prefix: "Bearer "
     - issuer: {{ .Values.global.kubernetes.serviceAccountTokenIssuer }}
       jwksUri: {{ .Values.global.kubernetes.serviceAccountTokenJWKS }}
       forwardOriginalToken: true
@@ -124,4 +112,4 @@ spec:
               - /.well-known/*
     - from: # or anything other only if the request is authenticated via RequestAuthentication
         - source:
-            requestPrincipals: ['*']
+            requestPrincipals: ['*']
diff --git a/chart/compass/values.yaml b/chart/compass/values.yaml
@@ -410,7 +410,7 @@ global:
           - "x-vcap-request-id"
           - "x-broker-api-request-identity"
   kubernetes:
-    serviceAccountTokenIssuer: kubernetes/serviceaccount
+    serviceAccountTokenIssuer: https://kubernetes.default.svc.cluster.local
     serviceAccountTokenJWKS: https://kubernetes.default.svc.cluster.local/openid/v1/jwks
   ingress:
     domainName: "local.kyma.dev"

diff --git a/components/schema-migrator/Dockerfile b/components/schema-migrator/Dockerfile
@@ -9,7 +9,7 @@ RUN wget https://github.com/golang-migrate/migrate/releases/download/v${MIGRATE_
 RUN mv migrate /usr/local/bin/migrate
 
 # kubectl is supported within one minor version (older or newer) of kube-apiserver
-ENV CLUSTER_VERSION=1.20.14
+ENV CLUSTER_VERSION=1.21.12
 
 RUN apk add --update ca-certificates \
  && apk add -t deps \

diff --git a/docs/compass/04-01-installation.md b/docs/compass/04-01-installation.md
@@ -61,7 +61,7 @@ ory:
             config:
               jwks_urls:
                 -  ${IDP_JWKS_URL}
-istio-configuration:
+istio:
    components:
       ingressGateways:
          config:
@@ -102,7 +102,7 @@ global:
       pvc:
          storageClass: ${ANY_SUPPORTED_STORAGE_CLASS}
    kubernetes:
-      serviceAccountTokenIssuer: ${TOKEN_ISSUER} # Default is kubernetes/serviceaccount 
+      serviceAccountTokenIssuer: ${TOKEN_ISSUER} # Default is https://kubernetes.default.svc.cluster.local
       serviceAccountTokenJWKS: ${JWKS_ENDPOINT} # Default is https://kubernetes.default.svc.cluster.local/openid/v1/jwks
    loadBalancerIP: ${LOAD_BALANCER_SERVICE_EXTERNAL_IP}
    cockpit:
@@ -323,7 +323,7 @@ ory:
             config:
               jwks_urls:
                 -  ${IDP_JWKS_URL}
-istio-configuration:
+istio:
    components:
       ingressGateways:
          config:
@@ -364,7 +364,7 @@ global:
       pvc:
          storageClass: ${ANY_SUPPORTED_STORAGE_CLASS}
    kubernetes:
-     serviceAccountTokenIssuer: ${TOKEN_ISSUER} # Default is kubernetes/serviceaccount 
+     serviceAccountTokenIssuer: ${TOKEN_ISSUER} # Default is https://kubernetes.default.svc.cluster.local
      serviceAccountTokenJWKS: ${JWKS_ENDPOINT} # Default is https://kubernetes.default.svc.cluster.local/openid/v1/jwks
    loadBalancerIP: ${LOAD_BALANCER_SERVICE_EXTERNAL_IP}
    cockpit:

diff --git a/installation/cmd/run.sh b/installation/cmd/run.sh
@@ -25,7 +25,7 @@ RESET_VALUES_YAML=true
 
 K3D_MEMORY=8192MB
 K3D_TIMEOUT=10m0s
-APISERVER_VERSION=1.20.11
+APISERVER_VERSION=1.21.12
 
 POSITIONAL=()
 while [[ $# -gt 0 ]]

diff --git a/installation/resources/KYMA_VERSION b/installation/resources/KYMA_VERSION
@@ -1 +1 @@
-2.0.4
+2.1.3
diff --git a/installation/resources/kyma/kyma-components-full.yaml b/installation/resources/kyma/kyma-components-full.yaml
@@ -1,11 +1,12 @@
 defaultNamespace: kyma-system
 prerequisites:
   - name: "cluster-essentials"
-  - name: "istio-configuration"
+  - name: "istio"
     namespace: "istio-system"
   - name: "certificates"
     namespace: "istio-system"
 components:
+  - name: "istio-resources"
   - name: "logging"
   - name: "tracing"
   - name: "kiali"

diff --git a/installation/resources/kyma/kyma-components-minimal.yaml b/installation/resources/kyma/kyma-components-minimal.yaml
@@ -1,13 +1,14 @@
 defaultNamespace: kyma-system
 prerequisites:
   - name: "cluster-essentials"
-  - name: "istio-configuration"
+  - name: "istio"
     namespace: "istio-system"
   - name: "certificates"
     namespace: "istio-system"
 components:
+  - name: "istio-resources"
+  - name: "ory"
   - name: "logging"
   - name: "tracing"
   - name: "kiali"
   - name: "monitoring"
-  - name: "ory"
diff --git a/installation/resources/kyma/kyma-overrides-full.yaml b/installation/resources/kyma/kyma-overrides-full.yaml
@@ -25,7 +25,7 @@ cluster-essentials:
         requests:
           cpu: 25m
           memory: 36Mi
-istio-configuration:
+istio:
   components:
     egressGateways:
       enabled: false
@@ -102,7 +102,6 @@ istio-configuration:
       enabled: true
   helmValues:
     global:
-      jwtPolicy: first-party-jwt
       proxy:
         holdApplicationUntilProxyStarts: true
         resources:
@@ -341,4 +340,4 @@ tracing:
       limits:
         memory: 256Mi
       requests:
-        memory: 32Mi
+        memory: 32Mi
diff --git a/installation/resources/kyma/kyma-overrides-minimal.yaml b/installation/resources/kyma/kyma-overrides-minimal.yaml
@@ -29,7 +29,7 @@ helm-broker:
     resources:
       limits:
         memory: 256Mi
-istio-configuration:
+istio:
   components:
     egressGateways:
       enabled: false
@@ -106,7 +106,6 @@ istio-configuration:
       enabled: true
   helmValues:
     global:
-      jwtPolicy: first-party-jwt
       proxy:
         resources:
           limits:
@@ -311,4 +310,4 @@ tracing:
       limits:
         memory: 256Mi
       requests:
-        memory: 32Mi
+        memory: 32Mi
diff --git a/installation/scripts/install-kyma.sh b/installation/scripts/install-kyma.sh
@@ -59,14 +59,17 @@ KYMA_OVERRIDES_MINIMAL="${ROOT_PATH}"/installation/resources/kyma/kyma-overrides
 MINIMAL_OVERRIDES_TEMP=overrides-minimal.yaml
 cp ${KYMA_OVERRIDES_MINIMAL} ${MINIMAL_OVERRIDES_TEMP}
 
-yq -i ".istio-configuration.helmValues.pilot.jwksResolverExtraRootCA = \"$CERT\"" "${MINIMAL_OVERRIDES_TEMP}"
+yq -i ".istio.helmValues.pilot.jwksResolverExtraRootCA = \"$CERT\"" "${MINIMAL_OVERRIDES_TEMP}"
 yq -i ".ory.oathkeeper.oathkeeper.config.authenticators.jwt.config.jwks_urls |= . + [\"$JWKS_URL\"]" "${MINIMAL_OVERRIDES_TEMP}"
 
 if [[ $(uname -m) == 'arm64' ]]; then
-  yq -i ".istio-configuration.global.containerRegistry.path = \"europe-west1-docker.pkg.dev\"" "${MINIMAL_OVERRIDES_TEMP}"
-  yq -i ".istio-configuration.global.images.istio.directory = \"sap-cp-cmp-dev\"" "${MINIMAL_OVERRIDES_TEMP}"
-  yq -i ".istio-configuration.global.images.istio.name = \"ucl-dev\"" "${MINIMAL_OVERRIDES_TEMP}"
-  yq -i ".istio-configuration.global.images.istio.version = \"1.11.4-distroless\"" "${MINIMAL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_proxyv2.containerRegistryPath = \"europe-west1-docker.pkg.dev\"" "${MINIMAL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_proxyv2.directory = \"sap-cp-cmp-dev/ucl-dev\"" "${MINIMAL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_proxyv2.version = \"1.12.3-distroless\"" "${MINIMAL_OVERRIDES_TEMP}"
+
+  yq -i ".istio.global.images.istio_pilot.containerRegistryPath = \"europe-west1-docker.pkg.dev\"" "${MINIMAL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_pilot.directory = \"sap-cp-cmp-dev/ucl-dev\"" "${MINIMAL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_pilot.version = \"1.12.3-distroless\"" "${MINIMAL_OVERRIDES_TEMP}"
 fi
 
 KYMA_COMPONENTS_FULL="${ROOT_PATH}"/installation/resources/kyma/kyma-components-full.yaml
@@ -75,14 +78,17 @@ KYMA_OVERRIDES_FULL="${ROOT_PATH}"/installation/resources/kyma/kyma-overrides-fu
 FULL_OVERRIDES_TEMP=overrides-full.yaml
 cp ${KYMA_OVERRIDES_FULL} ${FULL_OVERRIDES_TEMP}
 
-yq -i ".istio-configuration.helmValues.pilot.jwksResolverExtraRootCA = \"$CERT\"" "${FULL_OVERRIDES_TEMP}"
+yq -i ".istio.helmValues.pilot.jwksResolverExtraRootCA = \"$CERT\"" "${FULL_OVERRIDES_TEMP}"
 yq -i ".ory.oathkeeper.oathkeeper.config.authenticators.jwt.config.jwks_urls |= . + [\"$JWKS_URL\"]" "${FULL_OVERRIDES_TEMP}"
 
 if [[ $(uname -m) == 'arm64' ]]; then
-  yq -i ".istio-configuration.global.containerRegistry.path = \"europe-west1-docker.pkg.dev\"" "${FULL_OVERRIDES_TEMP}"
-  yq -i ".istio-configuration.global.images.istio.directory = \"sap-cp-cmp-dev\"" "${FULL_OVERRIDES_TEMP}"
-  yq -i ".istio-configuration.global.images.istio.name = \"ucl-dev\"" "${FULL_OVERRIDES_TEMP}"
-  yq -i ".istio-configuration.global.images.istio.version = \"1.11.4-distroless\"" "${FULL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_proxyv2.containerRegistryPath = \"europe-west1-docker.pkg.dev\"" "${FULL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_proxyv2.directory = \"sap-cp-cmp-dev/ucl-dev\"" "${FULL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_proxyv2.version = \"1.12.3-distroless\"" "${FULL_OVERRIDES_TEMP}"
+
+  yq -i ".istio.global.images.istio_pilot.containerRegistryPath = \"europe-west1-docker.pkg.dev\"" "${FULL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_pilot.directory = \"sap-cp-cmp-dev/ucl-dev\"" "${FULL_OVERRIDES_TEMP}"
+  yq -i ".istio.global.images.istio_pilot.version = \"1.12.3-distroless\"" "${FULL_OVERRIDES_TEMP}"
 fi
 
 trap "rm -f ${MINIMAL_OVERRIDES_TEMP} ${FULL_OVERRIDES_TEMP}" EXIT INT TERM
@@ -97,4 +103,4 @@ if [[ $KYMA_INSTALLATION == *full* ]]; then
 else
   echo "Installing minimal Kyma"
   kyma deploy --components-file $KYMA_COMPONENTS_MINIMAL  --values-file $MINIMAL_OVERRIDES_TEMP --source $KYMA_SOURCE
-fi
+fi
diff --git a/installation/scripts/prom-mtls-patch.sh b/installation/scripts/prom-mtls-patch.sh
@@ -100,51 +100,6 @@ function patchDeploymentsToInjectSidecar() {
 }
 
 function enableNodeExporterMTLS() {
-  # Note: The two CRDs described in the two variables below are left as they are with all their properties
-  # since it's risky to omit some properties due to different strategic merge patch strategies.
-  # https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#notes-on-the-strategic-merge-patch
-
-  monitor=$(cat <<"EOF"
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  annotations:
-    meta.helm.sh/release-name: monitoring
-    meta.helm.sh/release-namespace: kyma-system
-  labels:
-    app: monitoring-node-exporter
-    app.kubernetes.io/instance: monitoring
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: monitoring
-    chart: monitoring-1.0.0
-    helm.sh/chart: monitoring-1.0.0
-    release: monitoring
-  name: monitoring-node-exporter
-  namespace: kyma-system
-spec:
-  endpoints:
-  - metricRelabelings:
-    - action: keep
-      regex: ^(go_goroutines|go_memstats_alloc_bytes|go_memstats_heap_alloc_bytes|go_memstats_heap_inuse_bytes|go_memstats_heap_sys_bytes|go_memstats_stack_inuse_bytes|node_.*|process_cpu_seconds_total|process_max_fds|process_open_fds|process_resident_memory_bytes|process_start_time_seconds|process_virtual_memory_bytes)$
-      sourceLabels:
-      - __name__
-    port: metrics
-    scheme: https
-    tlsConfig:
-      caFile: /etc/prometheus/secrets/istio.default/root-cert.pem
-      certFile: /etc/prometheus/secrets/istio.default/cert-chain.pem
-      keyFile: /etc/prometheus/secrets/istio.default/key.pem
-      insecureSkipVerify: true
-  jobLabel: jobLabel
-  selector:
-    matchLabels:
-      app: prometheus-node-exporter
-      release: monitoring
-
-EOF
-  )
-  echo "$monitor" > monitor.yaml
-
   # The patches around the DaemonSet involve an addition of two init containers that together setup certificates
   # for the node-exporter application to use. There are also two new mounts - a shared directory (node-certs)
   # and the Istio CA secret (istio-certs).
@@ -295,22 +250,23 @@ EOF
 
   kubectl get secret istio-ca-secret --namespace=istio-system -o yaml | grep -v '^\s*namespace:\s' | kubectl replace --force --namespace=kyma-system -f -
 
-  kubectl apply -f monitor.yaml
   kubectl apply -f daemonset.yaml
 
-  rm monitor.yaml
   rm daemonset.yaml
 } 
 
 function patchKymaServiceMonitorsForMTLS() {
   kymaSvcMonitors=(
     istio-component-monitor
+    monitoring-alertmanager
     monitoring-kube-state-metrics
     monitoring-operator
     monitoring-prometheus
     monitoring-prometheus-istio-server-server
+    monitoring-prometheus-node-exporter
     monitoring-prometheus-pushgateway
     tracing-metrics
+    ory-oathkeeper-maester
   )
 
   crd="servicemonitors.monitoring.coreos.com"
@@ -359,4 +315,3 @@ function removeKymaPeerAuthsForPrometheus() {
     kubectl delete ${crd} -n ${namespace} "${pa}" || true
   done
 }
-