Allow configuration of supervisor endpoints

This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2026-01-05 21:15:26 +00:00 · 2021-12-15 15:48:55 -05:00
parent 01a7978387
commit 1e1789f6d1
20 changed files with 705 additions and 177 deletions
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -289,6 +289,9 @@ ytt --file . \
  --data-value-yaml 'service_https_nodeport_nodeport=31243' \
  --data-value-yaml 'service_https_clusterip_port=443' \
  >"$manifest"
+  # example of how to disable the http endpoint
+  # this is left enabled for now because our integration tests still rely on it
+  # --data-value-yaml 'endpoints={"http": {"network": "disabled"}}' \

 kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
 kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.