diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml
index f2498cadd..30b893c1f 100644
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -96,14 +96,11 @@ data:
 imagePullSecrets:
 - image-pull-secret
 (@ end @)
-(@ if data.values.log_level or data.values.deprecated_log_format: @)
+(@ if data.values.log_level: @)
 log:
 (@ if data.values.log_level: @)
 level: (@= getAndValidateLogLevel() @)
 (@ end @)
-(@ if data.values.deprecated_log_format: @)
-format: (@= data.values.deprecated_log_format @)
-(@ end @)
 (@ end @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml
index 582641b80..0e5708956 100644
--- a/deploy/concierge/values.yaml
+++ b/deploy/concierge/values.yaml
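Review bot: The inner `(@ if data.values.log_level: @)` / `(@ end @)` pair around `level:` in the `@@ -96,14 +96,11` hunk is now redundant, because the enclosing guard that this change rewrites tests the identical condition; `log:` can only be emitted when `log_level` is set, so the nested guard adds template noise without narrowing anything. I would drop the inner `(@ if data.values.log_level: @)` and its matching `(@ end @)`, leaving `log:` and `level: (@= getAndValidateLogLevel() @)` directly under the outer guard. Template indentation is not recoverable from this collapsed view, so the `(@ end @)` to delete is the one immediately following the `level:` line.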
@@ -124,17 +124,6 @@ api_serving_certificate_renew_before_seconds: 2160000
 #@schema/validation one_of=["info", "debug", "trace", "all"]
 log_level: ""
 
-#@schema/title "Log format"
-#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
-#@ By default, when this value is left unset, logs are formatted in json. \
-#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
-#@schema/desc deprecated_log_format_desc
-#@schema/examples ("Set logs to JSON format","json")
-#@schema/nullable
-#@schema/validation one_of=["json", "text"]
-#@schema/deprecated "This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
-deprecated_log_format: ""
-
 #@schema/title "Run as user"
 #@schema/desc "The user ID that will own the process."
 #! See the Dockerfile for the reasoning behind this default value.
diff --git a/deploy/supervisor/helpers.lib.yaml b/deploy/supervisor/helpers.lib.yaml
index fbb60a2d9..818b673a8 100644
--- a/deploy/supervisor/helpers.lib.yaml
+++ b/deploy/supervisor/helpers.lib.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -53,17 +53,11 @@ _: #@ template.replace(data.values.custom_labels)
 #@ "apiService": defaultResourceNameWithSuffix("api"),
 #@ },
 #@ "labels": labels(),
-#@ "insecureAcceptExternalUnencryptedHttpRequests": data.values.deprecated_insecure_accept_external_unencrypted_http_requests
 #@ }
-#@ if data.values.log_level or data.values.deprecated_log_format:
-#@ config["log"] = {}
-#@ end
 #@ if data.values.log_level:
+#@ config["log"] = {}
 #@ config["log"]["level"] = getAndValidateLogLevel()
 #@ end
-#@ if data.values.deprecated_log_format:
-#@ config["log"]["format"] = data.values.deprecated_log_format
-#@ end
 #@ if data.values.endpoints:
 #@ config["endpoints"] = data.values.endpoints
 #@ end
diff --git a/deploy/supervisor/service.yaml b/deploy/supervisor/service.yaml
index fd6b96232..fe8a0f34d 100644
--- a/deploy/supervisor/service.yaml
+++ b/deploy/supervisor/service.yaml
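Review bot: `config["log"] = {}` followed by `config["log"]["level"] = getAndValidateLogLevel()` inside the same `if` can collapse into one literal now that the dict no longer has to be shared with a second optional key: `config["log"] = {"level": getAndValidateLogLevel()}`. Dropping the `insecureAcceptExternalUnencryptedHttpRequests` entry means the rendered Supervisor config no longer carries that key at all, which is right only if the consuming config loader treats it as optional in this release; that cannot be confirmed from this hunk. The `config` dict is opened before the first line shown here.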
@@ -1,24 +1,10 @@
-#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
-#@ load("@ytt:assert", "assert")
 #@ load("helpers.lib.yaml", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
 
-#@ if hasattr(data.values, "service_http_nodeport_port"):
-#@ assert.fail('value "service_http_nodeport_port" has been renamed to "deprecated_service_http_nodeport_port" and will be removed in a future release')
-#@ end
-#@ if hasattr(data.values, "service_http_nodeport_nodeport"):
-#@ assert.fail('value "service_http_nodeport_nodeport" has been renamed to "deprecated_service_http_nodeport_nodeport" and will be removed in a future release')
-#@ end
-#@ if hasattr(data.values, "service_http_loadbalancer_port"):
-#@ assert.fail('value "service_http_loadbalancer_port" has been renamed to "deprecated_service_http_loadbalancer_port" and will be removed in a future release')
-#@ end
-#@ if hasattr(data.values, "service_http_clusterip_port"):
-#@ assert.fail('value "service_http_clusterip_port" has been renamed to "deprecated_service_http_clusterip_port" and will be removed in a future release')
-#@ end
-
-#@ if data.values.deprecated_service_http_nodeport_port or data.values.service_https_nodeport_port:
+#@ if data.values.service_https_nodeport_port:
 ---
 apiVersion: v1
 kind: Service
@@ -33,15 +19,6 @@ spec:
 type: NodePort
 selector: #@ deploymentPodLabel()
 ports:
-#@ if data.values.deprecated_service_http_nodeport_port:
-- name: http
-protocol: TCP
-port: #@ data.values.deprecated_service_http_nodeport_port
-targetPort: 8080
-#@ if data.values.deprecated_service_http_nodeport_nodeport:
-nodePort: #@ data.values.deprecated_service_http_nodeport_nodeport
-#@ end
-#@ end
 #@ if data.values.service_https_nodeport_port:
 - name: https
 protocol: TCP
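Review bot: Removing the four `hasattr(data.values, "service_http_*")` guards together with the `@ytt:assert` load leaves no pointed message for a values file that still sets an HTTP port, and since the `deprecated_service_http_*` keys are deleted from the schema in the same commit (`@@ -79,34 +79,6` in values.yaml), such a user now gets only whatever error ytt emits for a key not defined in the schema. If that schema error is considered clear enough this is fine; otherwise keep the `assert` load and add one guard per removed key, e.g. `#@ if hasattr(data.values, "deprecated_service_http_nodeport_port"):` / `#@ assert.fail('value "deprecated_service_http_nodeport_port" has been removed; only the HTTPS ports are supported')` / `#@ end`. Whether these templates run at all when a data value fails schema validation is not visible here, so the old guards may already have been unreachable.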
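Review bot: With the document-level guard reduced to `#@ if data.values.service_https_nodeport_port:`, the inner `#@ if data.values.service_https_nodeport_port:` under `ports:` in the `@@ -33,15 +19,6` hunk repeats the same test and can go, together with one of the two `#@ end` lines that open the following `@@ -53,7 +30,7` hunk; `- name: https` then becomes the unconditional sole port entry. The same duplicated guard is left in the ClusterIP (`@@ -68,12 +45,6`) and LoadBalancer (`@@ -100,12 +71,6`) Services. Each Service document starts and ends outside its hunk.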
@@ -53,7 +30,7 @@ spec:
 #@ end
 #@ end
 
-#@ if data.values.deprecated_service_http_clusterip_port or data.values.service_https_clusterip_port:
+#@ if data.values.service_https_clusterip_port:
 ---
 apiVersion: v1
 kind: Service
@@ -68,12 +45,6 @@ spec:
 type: ClusterIP
 selector: #@ deploymentPodLabel()
 ports:
-#@ if data.values.deprecated_service_http_clusterip_port:
-- name: http
-protocol: TCP
-port: #@ data.values.deprecated_service_http_clusterip_port
-targetPort: 8080
-#@ end
 #@ if data.values.service_https_clusterip_port:
 - name: https
 protocol: TCP
@@ -82,7 +53,7 @@ spec:
 #@ end
 #@ end
 
-#@ if data.values.deprecated_service_http_loadbalancer_port or data.values.service_https_loadbalancer_port:
+#@ if data.values.service_https_loadbalancer_port:
 ---
 apiVersion: v1
 kind: Service
@@ -100,12 +71,6 @@ spec:
 loadBalancerIP: #@ data.values.service_loadbalancer_ip
 #@ end
 ports:
-#@ if data.values.deprecated_service_http_loadbalancer_port:
-- name: http
-protocol: TCP
-port: #@ data.values.deprecated_service_http_loadbalancer_port
-targetPort: 8080
-#@ end
 #@ if data.values.service_https_loadbalancer_port:
 - name: https
 protocol: TCP
diff --git a/deploy/supervisor/values.yaml b/deploy/supervisor/values.yaml
index e3c31a5b3..2ae58e421 100644
--- a/deploy/supervisor/values.yaml
+++ b/deploy/supervisor/values.yaml
@@ -79,34 +79,6 @@ image_tag: latest
 #@schema/validation min_len=1
 image_pull_dockerconfigjson: ""
 
-#@schema/title "Deprecated service HTTP nodeport port"
-#@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`"
-#@schema/examples ("Specify port",31234)
-#@schema/nullable
-#@schema/deprecated "This data value will be removed in a future release"
-deprecated_service_http_nodeport_port: 0
-
-#@schema/title "Deprecated service http nodeport nodeport"
-#@schema/desc "The `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified"
-#@schema/examples ("Specify port",31234)
-#@schema/nullable
-#@schema/deprecated "This data value will be removed in a future release"
-deprecated_service_http_nodeport_nodeport: 0
-
-#@schema/title "Deprecated service http loadbalancer port"
-#@schema/desc "When specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
-#@schema/examples ("Specify port",8443)
-#@schema/nullable
-#@schema/deprecated "This data value will be removed in a future release"
-deprecated_service_http_loadbalancer_port: 0
-
-#@schema/title "Deprecated service http clusterip port"
-#@schema/desc "Creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
-#@schema/examples ("Specify port",8443)
-#@schema/nullable
-#@schema/deprecated "This data value will be removed in a future release"
-deprecated_service_http_clusterip_port: 0
-
 #@schema/title "Service https nodeport port"
 #@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
 #@schema/examples ("Specify port",31243)
@@ -147,17 +119,6 @@ service_loadbalancer_ip: ""
 #@schema/validation one_of=["info", "debug", "trace", "all"]
 log_level: ""
 
-#@schema/title "Log format"
-#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
-#@ By default, when this value is left unset, logs are formatted in json. \
-#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
-#@schema/desc deprecated_log_format_desc
-#@schema/examples ("Set logs to JSON format","json")
-#@schema/nullable
-#@schema/validation one_of=["json", "text"]
-#@schema/deprecated "This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
-deprecated_log_format: ""
-
 #@schema/title "Run as user"
 #@schema/desc "The user ID that will own the process."
 #! See the Dockerfile for the reasoning behind this default value.
@@ -195,39 +156,28 @@ https_proxy: ""
 no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
 
 #@schema/title "Endpoints"
-#@ endpoints_desc = "Control the HTTP and HTTPS listeners of the Supervisor. The current defaults are: \
-#@ {\"https\":{\"network\":\"tcp\",\"address\":\":8443\"},\"http\":\"disabled\"}. \
-#@ These defaults mean: 1.) for HTTPS listening, bind to all interfaces using TCP on port 8443 and \
-#@ 2.) disable HTTP listening by default. \
+#@ endpoints_desc = "Control the HTTPS listener of the Supervisor. The current defaults are: \
+#@ {\"https\":{\"network\":\"tcp\",\"address\":\":8443\"}}. \
+#@ These defaults mean: Tor HTTPS listening, bind to all interfaces using TCP on port 8443. \
 #@ The schema of this config is as follows: \
-#@ {\"https\":{\"network\":\"tcp | unix | disabled\",\"address\":\"host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix\"},\"http\":{\"network\":\"tcp | unix | disabled\",\"address\":\"same as https, except that when network=tcp then the address is only allowed to bind to loopback interfaces\"}} \
-#@ The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept \
-#@ traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be \
-#@ used to accept traffic from outside the pod, since that would mean that the network traffic could be \
-#@ transmitted unencrypted. The HTTPS listener should be used instead to accept traffic from outside the pod. \
-#@ Ingresses and load balancers that terminate TLS connections should re-encrypt the data and route traffic \
-#@ to the HTTPS listener. Unix domain sockets may also be used for integrations with service meshes. \
+#@ {\"https\":{\"network\":\"tcp\",\"address\":\"{host}:{port}\"}} \
+#@ The HTTPS listener must be used to accept all traffic from outside the pod. \
+#@ Ingresses and load balancers that terminate TLS connections must re-encrypt the data and route traffic \
+#@ to the HTTPS listener, or provide TLS passthrough. \
 #@ Changing the HTTPS port number must be accompanied by matching changes to the service and deployment \
 #@ manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks."
 #@schema/desc endpoints_desc
-#@schema/examples ("Example matching default settings", '{"https":{"network":"tcp","address":":8443"},"http":"disabled"}')
+#@schema/examples ("Example matching default settings", '{"https":{"network":"tcp","address":":8443"}}')
 #@schema/type any=True
 #@ def validate_endpoint(endpoint):
-#@ if(type(endpoint) not in ["yamlfragment", "string"]):
+#@ if (type(endpoint) != "yamlfragment"):
 #@ return False
 #@ end
-#@ if(type(endpoint) in ["string"]):
-#@ if (endpoint != "disabled"):
-#@ return False
-#@ end
+#@ if (endpoint["network"] != "tcp"):
+#@ return False
 #@ end
-#@ if(type(endpoint) in ["yamlfragment"]):
-#@ if (endpoint["network"] not in ["tcp", "unix", "disabled"]):
-#@ return False
-#@ end
-#@ if (type(endpoint["address"]) not in ["string"]):
-#@ return False
-#@ end
+#@ if (type(endpoint["address"]) != "string"):
+#@ return False
 #@ end
 #@ return True
 #@ end
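Review bot: The new `#@schema/desc` text for `endpoints` reads `These defaults mean: Tor HTTPS listening, bind to all interfaces using TCP on port 8443.` — `Tor` should be `for`, and this is the wording users see when inspecting the schema. Separately, the rewritten `validate_endpoint` indexes `endpoint["network"]` and `endpoint["address"]` directly after the yamlfragment type check, so an `https` map missing either key would presumably surface as a Starlark key error rather than the validation message attached to `endpoints`; if that is how ytt behaves, a presence check before each index (`"network" not in endpoint`, or the yamlfragment equivalent) would keep the failure user-facing. `validate_endpoints` in the `@@ -235,26 +185,11` hunk has the same shape with `endpoints["https"]`. The previous implementation indexed the same keys without a check, so this is carried over rather than introduced, and the `endpoints:` key these validations attach to lies outside this hunk.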
@@ -235,26 +185,11 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
 #@ """
 #@ Returns True if endpoints fulfill the expected structure
 #@ """
-#@ http_val = endpoints["http"]
-#@ https_val = endpoints["https"]
-#@ return validate_endpoint(http_val) and validate_endpoint(https_val)
+#@ if (type(endpoints) != "yamlfragment"):
+#@ return False
+#@ end
+#@ return validate_endpoint(endpoints["https"])
 #@ end
 #@schema/nullable
-#@schema/validation ("a map with keys 'http' and 'https', whose values are either the string 'disabled' or a map having keys 'network' and 'address', and the value of 'network' must be one of the allowed values", validate_endpoints)
+#@schema/validation ("a map with key 'https', whose values are either the string 'disabled' or a map having keys 'network' and 'address', and the value of 'network' must be one of the allowed values", validate_endpoints)
 endpoints: { }
-
-#@ deprecated_insecure_accept_external_unencrypted_http_requests_desc = "Optionally override the validation on the endpoints.http \
-#@ value which checks that only loopback interfaces are used. \
-#@ When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any \
-#@ interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced \
-#@ to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time \
-#@ to change their ingress strategy to avoid using plain HTTP into the Supervisor pods. \
-#@ This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time \
-#@ traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available. \
-#@ Allowed values are true (boolean), 'true' (string), false (boolean), and 'false' (string). The default is false."
-#@schema/desc deprecated_insecure_accept_external_unencrypted_http_requests_desc
-#@schema/type any=True
-#@schema/validation ("a boolean or string version of boolean", lambda v: type(v) in ["string", "boolean"])
-#@schema/validation one_of=["true", "false", True, False]
-#@schema/deprecated "This data value will be removed in a future release"
-deprecated_insecure_accept_external_unencrypted_http_requests: false
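Review bot: The updated validation message still promises `either the string 'disabled' or a map having keys 'network' and 'address', and the value of 'network' must be one of the allowed values`, but `validate_endpoint` as rewritten in the `@@ -195,39 +156,28` hunk now rejects any non-map value and accepts only `network: tcp`, so a user who sets `https: disabled` receives an error whose own text says that value is allowed. I would align the message with the code: `#@schema/validation ("a map with key 'https', whose value is a map having keys 'network' and 'address', where 'network' must be 'tcp'", validate_endpoints)`. The `def validate_endpoints` line precedes the docstring and is outside this hunk.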