diff --git a/charts/kong/templates/deployment.yaml b/charts/kong/jail/deployment.yaml
similarity index 99%
rename from charts/kong/templates/deployment.yaml
rename to charts/kong/jail/deployment.yaml
index 0aa46ceea..3ab1fb8c5 100644
--- a/charts/kong/templates/deployment.yaml
+++ b/charts/kong/jail/deployment.yaml
@@ -1,3 +1,4 @@
+{{/*
 {{- if or .Values.deployment.kong.enabled .Values.ingressController.enabled }}
 apiVersion: apps/v1
 {{- if .Values.deployment.daemonset }}
@@ -303,3 +304,4 @@ spec:
 {{- include "kong.volumes" . | nindent 8 -}}
 {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
 {{- end }}
+*/}}
diff --git a/charts/kong/jail/tmp-container-block.yaml b/charts/kong/jail/tmp-container-block.yaml
new file mode 100644
index 000000000..4fc36bef7
--- /dev/null
+++ b/charts/kong/jail/tmp-container-block.yaml
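Review bot: The `{{/*` added at line 1 and the `*/}}` added after the final `{{- end }}` only neutralise the file if nothing in between is itself a Go-template comment, because these comments do not nest: the wrapper closes at the first inner `*/}}` and everything after it is parsed as live template. The body is outside both hunks, but the copy of this template in jail/tmp-extra-deploy.yaml carries `{{/* End of Kong container spec */}}`, so the same early close presumably applies here. Helm renders only files under templates/, so the move to charts/kong/jail/ is what actually disables this Deployment and the wrapper can go; what the move does not do is keep the scratch copy out of the packaged chart, so add `jail/` to the chart's `.helmignore`.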
@@ -0,0 +1,172 @@
+ # TODO 921 all sorts of fun stuff in this section. .pod.container
+ # contains generic configuration, but in practice this needs to be
+ # combined with a bunch of app-specific config that lives elsewhere, and
+ # not just in env. a generic function in context is probably quite
+ # difficult, though doable if you provide pass-in points for everything
+ # (mounts, env, god knows what else) and assign a var at the beginning.
+ # probably just use dedicated functions for kong and controller
+ # containers for now, with a TODO to genericize further
+ {{- if .Values.ingressController.enabled }}
+ {{- include "kong.controller-container" . | nindent 6 }}
+ {{ end }}
+ {{- if .Values.deployment.sidecarContainers }}
+ {{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
+ {{- end }}
+ # TODO 921 this presumably goes away
+ {{- if .Values.deployment.kong.enabled }}
+ - name: "proxy"
+ image: {{ include "kong.getRepoTag" .Values.image }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+ env:
+ {{- include "kong.no_daemon_env" . | nindent 8 }}
+ lifecycle:
+ {{- toYaml .Values.lifecycle | nindent 10 }}
+ ports:
+ {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
+ - name: admin
+ containerPort: {{ .Values.admin.http.containerPort }}
+ {{- if .Values.admin.http.hostPort }}
+ hostPort: {{ .Values.admin.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
+ - name: admin-tls
+ containerPort: {{ .Values.admin.tls.containerPort }}
+ {{- if .Values.admin.tls.hostPort }}
+ hostPort: {{ .Values.admin.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
+ - name: proxy
+ containerPort: {{ .Values.proxy.http.containerPort }}
+ {{- if .Values.proxy.http.hostPort }}
+ hostPort: {{ .Values.proxy.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
+ - name: proxy-tls
+ containerPort: {{ .Values.proxy.tls.containerPort }}
+ {{- if .Values.proxy.tls.hostPort }}
+ hostPort: {{ .Values.proxy.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- range .Values.proxy.stream }}
+ - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
+ containerPort: {{ .containerPort }}
+ {{- if .hostPort }}
+ hostPort: {{ .hostPort }}
+ {{- end}}
+ protocol: {{ .protocol }}
+ {{- end }}
+ {{- range .Values.udpProxy.stream }}
+ - name: streamudp-{{ .containerPort }}
+ containerPort: {{ .containerPort }}
+ {{- if .hostPort }}
+ hostPort: {{ .hostPort }}
+ {{- end}}
+ protocol: {{ .protocol }}
+ {{- end }}
+ {{- if (and .Values.status.http.enabled .Values.status.enabled)}}
+ - name: status
+ containerPort: {{ .Values.status.http.containerPort }}
+ {{- if .Values.status.http.hostPort }}
+ hostPort: {{ .Values.status.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
+ - name: status-tls
+ containerPort: {{ .Values.status.tls.containerPort }}
+ {{- if .Values.status.tls.hostPort }}
+ hostPort: {{ .Values.status.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
+ - name: cluster-tls
+ containerPort: {{ .Values.cluster.tls.containerPort }}
+ {{- if .Values.cluster.tls.hostPort }}
+ hostPort: {{ .Values.cluster.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.enterprise.enabled }}
+ {{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
+ - name: manager
+ containerPort: {{ .Values.manager.http.containerPort }}
+ {{- if .Values.manager.http.hostPort }}
+ hostPort: {{ .Values.manager.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
+ - name: manager-tls
+ containerPort: {{ .Values.manager.tls.containerPort }}
+ {{- if .Values.manager.tls.hostPort }}
+ hostPort: {{ .Values.manager.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
+ - name: portal
+ containerPort: {{ .Values.portal.http.containerPort }}
+ {{- if .Values.portal.http.hostPort }}
+ hostPort: {{ .Values.portal.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
+ - name: portal-tls
+ containerPort: {{ .Values.portal.tls.containerPort }}
+ {{- if .Values.portal.tls.hostPort }}
+ hostPort: {{ .Values.portal.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
+ - name: portalapi
+ containerPort: {{ .Values.portalapi.http.containerPort }}
+ {{- if .Values.portalapi.http.hostPort }}
+ hostPort: {{ .Values.portalapi.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
+ - name: portalapi-tls
+ containerPort: {{ .Values.portalapi.tls.containerPort }}
+ {{- if .Values.portalapi.tls.hostPort }}
+ hostPort: {{ .Values.portalapi.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
+ - name: clustert-tls
+ containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
+ {{- if .Values.clustertelemetry.tls.hostPort }}
+ hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- include "kong.volumeMounts" . | nindent 10 }}
+ {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
+ readinessProbe:
+{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 10 }}
+ {{- if .Values.startupProbe }}
+ startupProbe:
+{{ toYaml .Values.startupProbe | indent 10 }}
+ {{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ {{- end }} {{/* TODO 921 End of Kong container spec */}}
+CONTAINERS CURRENTLY DISABLED */}}
+
diff --git a/charts/kong/jail/tmp-extra-deploy.yaml b/charts/kong/jail/tmp-extra-deploy.yaml
new file mode 100644
index 000000000..f35c1a385
--- /dev/null
+++ b/charts/kong/jail/tmp-extra-deploy.yaml
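Review bot: The last content line, `+CONTAINERS CURRENTLY DISABLED */}}`, closes a template comment that this file never opens, so the file cannot be parsed as a template even though every `{{- if` in it is balanced; either delete that line or open the comment with `{{/*` above the first `# TODO 921` line. The `# TODO 921` comments are plain YAML text outside any action, so once this block is `include`d with `nindent` they land in the rendered pod spec as comment lines — harmless, but noisy. This is now the third copy of the proxy container block (the others are the original deployment.yaml and jail/tmp-extra-deploy.yaml), so every hostPort or securityContext change has to be made three times until the helper the header comment asks for exists. Minor: `{{ end }}` after the controller-container include emits a whitespace-only line where the surrounding code uses `{{- end }}`.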
@@ -0,0 +1,307 @@
+{{/* TODO 921 replace this with a template invocation
+{{- if .Values.deployment.controller.enabled }}
+apiVersion: apps/v1
+{{- if .Values.deployment.daemonset }}
+kind: DaemonSet
+{{- else }}
+kind: Deployment
+{{- end }}
+metadata:
+ name: {{ template "kong.fullname" . }}
+ namespace: {{ template "kong.namespace" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+ app.kubernetes.io/component: app
+ {{- if .Values.deploymentAnnotations }}
+ annotations:
+ {{- range $key, $value := .Values.deploymentAnnotations }}
+ {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ {{- if not .Values.deployment.daemonset }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "kong.selectorLabels" . | nindent 6 }}
+ {{- if .Values.updateStrategy }}
+ {{- if .Values.deployment.daemonset }}
+ updateStrategy:
+ {{- else }}
+ strategy:
+ {{- end }}
+{{ toYaml .Values.updateStrategy | indent 4 }}
+ {{- end }}
+ {{- if .Values.deployment.minReadySeconds }}
+ minReadySeconds: {{ .Values.deployment.minReadySeconds }}
+ {{- end }}
+
+ template:
+ metadata:
+ annotations:
+ {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+ kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+ {{- end }}
+ {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
+ {{- if .Values.dblessConfig.config }}
+ checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.podAnnotations }}
+ {{- range $key, $value := .Values.podAnnotations }}
+ {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 8 }}
+ app.kubernetes.io/component: app
+ app: {{ template "kong.fullname" . }}
+ version: {{ .Chart.AppVersion | quote }}
+ {{- if .Values.podLabels }}
+ {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.deployment.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{ .Values.priorityClassName }}"
+ {{- end }}
+ {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
+ serviceAccountName: {{ template "kong.serviceAccountName" . }}
+ {{- end }}
+ {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
+ automountServiceAccountToken: true
+ {{- else }}
+ automountServiceAccountToken: false
+ {{ end }}
+ {{- if .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.image.pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.deployment.kong.enabled }}
+ initContainers:
+ - name: clear-stale-pid
+ image: {{ include "kong.getRepoTag" .Values.image }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ command:
+ - "rm"
+ - "-vrf"
+ - "$KONG_PREFIX/pids"
+ env:
+ {{- include "kong.env" . | nindent 8 }}
+ volumeMounts:
+ {{- include "kong.volumeMounts" . | nindent 8 }}
+ {{- if .Values.deployment.initContainers }}
+ {{- toYaml .Values.deployment.initContainers | nindent 6 }}
+ {{- end }}
+ {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
+ {{- include "kong.wait-for-db" . | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.deployment.hostAliases }}
+ hostAliases:
+ {{- toYaml .Values.deployment.hostAliases | nindent 6 }}
+ {{- end}}
+ {{- if .Values.dnsPolicy }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- end }}
+ {{- if .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml .Values.dnsConfig | indent 8 }}
+ {{- end }}
+ containers:
+ {{- if .Values.ingressController.enabled }}
+ {{- include "kong.controller-container" . | nindent 6 }}
+ {{ end }}
+ {{- if .Values.deployment.sidecarContainers }}
+ {{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
+ {{- end }}
+ {{- if .Values.deployment.kong.enabled }}
+ - name: "proxy"
+ image: {{ include "kong.getRepoTag" .Values.image }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+ env:
+ {{- include "kong.no_daemon_env" . | nindent 8 }}
+ lifecycle:
+ {{- toYaml .Values.lifecycle | nindent 10 }}
+ ports:
+ {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
+ - name: admin
+ containerPort: {{ .Values.admin.http.containerPort }}
+ {{- if .Values.admin.http.hostPort }}
+ hostPort: {{ .Values.admin.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
+ - name: admin-tls
+ containerPort: {{ .Values.admin.tls.containerPort }}
+ {{- if .Values.admin.tls.hostPort }}
+ hostPort: {{ .Values.admin.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
+ - name: proxy
+ containerPort: {{ .Values.proxy.http.containerPort }}
+ {{- if .Values.proxy.http.hostPort }}
+ hostPort: {{ .Values.proxy.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
+ - name: proxy-tls
+ containerPort: {{ .Values.proxy.tls.containerPort }}
+ {{- if .Values.proxy.tls.hostPort }}
+ hostPort: {{ .Values.proxy.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- range .Values.proxy.stream }}
+ - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
+ containerPort: {{ .containerPort }}
+ {{- if .hostPort }}
+ hostPort: {{ .hostPort }}
+ {{- end}}
+ protocol: {{ .protocol }}
+ {{- end }}
+ {{- range .Values.udpProxy.stream }}
+ - name: streamudp-{{ .containerPort }}
+ containerPort: {{ .containerPort }}
+ {{- if .hostPort }}
+ hostPort: {{ .hostPort }}
+ {{- end}}
+ protocol: {{ .protocol }}
+ {{- end }}
+ {{- if (and .Values.status.http.enabled .Values.status.enabled)}}
+ - name: status
+ containerPort: {{ .Values.status.http.containerPort }}
+ {{- if .Values.status.http.hostPort }}
+ hostPort: {{ .Values.status.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
+ - name: status-tls
+ containerPort: {{ .Values.status.tls.containerPort }}
+ {{- if .Values.status.tls.hostPort }}
+ hostPort: {{ .Values.status.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
+ - name: cluster-tls
+ containerPort: {{ .Values.cluster.tls.containerPort }}
+ {{- if .Values.cluster.tls.hostPort }}
+ hostPort: {{ .Values.cluster.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.enterprise.enabled }}
+ {{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
+ - name: manager
+ containerPort: {{ .Values.manager.http.containerPort }}
+ {{- if .Values.manager.http.hostPort }}
+ hostPort: {{ .Values.manager.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
+ - name: manager-tls
+ containerPort: {{ .Values.manager.tls.containerPort }}
+ {{- if .Values.manager.tls.hostPort }}
+ hostPort: {{ .Values.manager.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
+ - name: portal
+ containerPort: {{ .Values.portal.http.containerPort }}
+ {{- if .Values.portal.http.hostPort }}
+ hostPort: {{ .Values.portal.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
+ - name: portal-tls
+ containerPort: {{ .Values.portal.tls.containerPort }}
+ {{- if .Values.portal.tls.hostPort }}
+ hostPort: {{ .Values.portal.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
+ - name: portalapi
+ containerPort: {{ .Values.portalapi.http.containerPort }}
+ {{- if .Values.portalapi.http.hostPort }}
+ hostPort: {{ .Values.portalapi.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
+ - name: portalapi-tls
+ containerPort: {{ .Values.portalapi.tls.containerPort }}
+ {{- if .Values.portalapi.tls.hostPort }}
+ hostPort: {{ .Values.portalapi.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
+ - name: clustert-tls
+ containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
+ {{- if .Values.clustertelemetry.tls.hostPort }}
+ hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- include "kong.volumeMounts" . | nindent 10 }}
+ {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
+ readinessProbe:
+{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 10 }}
+ {{- if .Values.startupProbe }}
+ startupProbe:
+{{ toYaml .Values.startupProbe | indent 10 }}
+ {{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ {{- end }} {{/* End of Kong container spec */}}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+ {{- end }}
+ {{- if .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
+ {{- end }}
+ securityContext:
+ {{- include "kong.podsecuritycontext" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+ {{- end }}
+ volumes:
+ {{- include "kong.volumes" . | nindent 8 -}}
+ {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
+{{- end }}
+*/}}
diff --git a/charts/kong/jail/tmp-kong-deploy.yaml b/charts/kong/jail/tmp-kong-deploy.yaml
new file mode 100644
index 000000000..6675de1c3
--- /dev/null
+++ b/charts/kong/jail/tmp-kong-deploy.yaml
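Review bot: The wrapper comment opened by `+{{/* TODO 921 replace this with a template invocation` is closed early by `{{/* End of Kong container spec */}}` on the `{{- end }}` line after `resources:`, because Go-template comments do not nest; everything from `{{- if .Values.affinity }}` to the closing `{{- end }}` is then parsed as live template, and that `{{- end }}` has no open `if` since its opener sits inside the comment, so the file fails to parse as soon as it is rendered or included. Replace the inner comment with a YAML `# End of Kong container spec` comment, or drop the wrapper and rely on the file living outside templates/. Note also that this copy still gates `automountServiceAccountToken` and the kuma token-volume annotation on `.Values.deployment.serviceAccount.*`, while `kong.serviceAccountName` in _helpers.tpl now reads `.Values.serviceAccount.*`, so the account name and the token-mount decision can be driven by different keys.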
@@ -0,0 +1,36 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- $deployConfig := dict -}}
+{{- $deployConfig = (mustMerge $deployConfig .deployment.kong) -}}
+{{- $deployPreRender := dict -}} {{/* collection of values rendered from includes, so that there's no risk of colliding with things from the merge */}}
+{{- $podConfig := dict -}}
+{{- $_ := set $deployPreRender "name" (printf "%s-%s (include "kong.fullname" .) "proxy") -}}
+{{- $_ := set $deployPreRender "namespace" (include "kong.namespace" .) -}}
+# TODO 921 combine with .deployment.controller.labels.
+# unsure how the types work out here--kong.metaLabels produces YAML output, and I'm not sure if we can
+# just concat them as strings or what. can maybe ignore .deployment.controller.labels--it wasn't
+# included in the past and we instead set extraLabels on EVERYTHING. that's apparently sufficient for
+# user needs (there's been no request to provide separate per-resource labels here), but incongruous
+# with how we handle annotations
+{{- $_ := set $deployPreRender "labels" (include "kong.metaLabels" .) -}}
+# TODO 921 this needs changes to the helper template since we'll need to point to two different sets of pods.
+# in ingress chart this is relying on different fullnames. can't simply format since there multiple keys,
+# need to pass a suffix to the helper
+{{- $_ := set $deployPreRender "selectorMatchLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $deployPreRender "serviceAccountTokenName" (template "kong.serviceAccountTokenName" .) -}}
+
+{{/*
+# TODO 921 unsure if we want to keep this gate.
it's probably simpler to just say "don't set .Values.dblessConfig.config +# if you're not using a setup that makes sense for it" +{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }} +*/}} +{{- if .Values.dblessConfig.config }} +{{- $- := set $deployPreRender "dblessChecksum" (toYaml .Values.dblessConfig.config | sha256sum) }} +{{- end }} +{{/* # TODO 921 end of the old gate above +{{- end }} +*/}} + +{{- $preRender := dict -}} +{{- $_ := set $preRender "deployment" $deployPreRender -}} +{{- $_ := set $preRender "pod" $podPreRender -}} +{{- $_ := set $deployConfig "pre" $preRender -}} # TODO 921 maybe think of a better key name diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl index 26c91ae74..84e27d1df 100644 --- a/charts/kong/templates/_helpers.tpl +++ b/charts/kong/templates/_helpers.tpl @@ -38,12 +38,18 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- define "kong.selectorLabels" -}} app.kubernetes.io/name: {{ template "kong.name" . }} -app.kubernetes.io/component: app +app.kubernetes.io/component: proxy +app.kubernetes.io/instance: "{{ .Release.Name }}" +{{- end -}} + +{{- define "kong.controllerSelectorLabels" -}} +app.kubernetes.io/name: {{ template "kong.name" . }} +app.kubernetes.io/component: controller app.kubernetes.io/instance: "{{ .Release.Name }}" {{- end -}} {{- define "kong.postgresql.fullname" -}} -{{- $name := default "postgresql" .Values.postgresql.nameOverride -}} +{{- $name := default "postgresql" .postgresql.nameOverride -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} 
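Review bot: Several lines in this file cannot parse as a template: `(printf "%s-%s (include "kong.fullname" .) "proxy")` is missing the closing quote after `%s-%s`, `{{- $- := set $deployPreRender "dblessChecksum" ... }}` declares `$-`, which is not a valid variable name where every other line uses `$_`, and `(template "kong.serviceAccountTokenName" .)` uses the `template` action as an expression where `include` is required. `$podPreRender` is read but only `$podConfig` is declared, and the `{{- if .Values.deployment.kong.enabled }}` on line 1 has no matching `{{- end }}` anywhere in the 36 lines. `mustMerge $deployConfig .deployment.kong` addresses `.deployment` without `.Values` while the gate above it uses `.Values.deployment`, so the two cannot both resolve against the same context. The `# TODO 921` lines sit between `-}}`-trimmed actions and are emitted verbatim into the output, as is the trailing `# TODO 921 maybe think of a better key name`.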
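Review bot: Changing `kong.selectorLabels` from `app.kubernetes.io/component: app` to `proxy` changes `spec.selector.matchLabels` of a Deployment or DaemonSet that already exists (the helper feeds `selector.matchLabels` in the jail/tmp-extra-deploy.yaml copy), and that field is immutable in apps/v1, so `helm upgrade` of an existing release is rejected unless the workload is recreated; a Service selector built from the same helper would also stop matching the old pods. This needs a documented migration step or a major chart version bump. In `kong.postgresql.fullname` the next line still reads `.Release.Name` after the change to `.postgresql.nameOverride`, so the helper now needs a context carrying both `postgresql` and `Release`: a caller that still passes `.` gets a nil `.postgresql`, and one that passes `.Values` loses `.Release`. The callers are outside this hunk, so I cannot tell which have been updated.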
@@ -56,10 +62,10 @@ app.kubernetes.io/instance: "{{ .Release.Name }}" Create the name of the service account to use */}} {{- define "kong.serviceAccountName" -}} -{{- if .Values.deployment.serviceAccount.create -}} - {{ default (include "kong.fullname" .) .Values.deployment.serviceAccount.name }} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kong.fullname" .) .Values.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.deployment.serviceAccount.name }} + {{ default "default" .Values.serviceAccount.name }} {{- end -}} {{- end -}} @@ -384,8 +390,8 @@ Return the admin API service name for service discovery {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiServiceName -}} {{- end }} - {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }} + {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }} {{- end }} {{- if .Values.deployment.kong.enabled }} 
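Review bot: `kong.serviceAccountName` now reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, while the `automountServiceAccountToken` decision and the projected token volume still read `.Values.deployment.serviceAccount.*` (visible in the jail/tmp-extra-deploy.yaml copy and in the `kong.volumes` removed later in this diff). A user who sets only `serviceAccount.create: true` gets the named account but `automountServiceAccountToken: false` and no token volume; one who sets the old `deployment.serviceAccount.name` gets the default account with a token mounted. Move every reader to the same key, or add a fallback such as `{{- $sa := .Values.serviceAccount | default .Values.deployment.serviceAccount -}}` and read `$sa` in both places, and record the rename in the upgrade notes.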
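Review bot: The controller image is now read from `.Values.deployment.controller.pod.container.image` here and in the `@@ -872` and `@@ -889` hunks, but the `imagePullPolicy: {{ .Values.image.pullPolicy }}` context line that follows the changed `image:` line in `@@ -889` still takes the proxy image's policy, so a controller image pinned under the new key is pulled under the proxy's policy. If the new `container.image` map carries its own `pullPolicy`, read it there; otherwise state in values.yaml that the policy is shared. `kong.effectiveVersion` is handed the new map as well; whether it finds the fields it expects there is outside this view.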
@@ -460,358 +466,15 @@ The name of the Service which will be used by the controller to update the Ingre {{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}} {{- end -}} -{{- define "kong.ingressController.env" -}} -{{/* - ====== AUTO-GENERATED ENVIRONMENT VARIABLES ====== -*/}} - - -{{- $autoEnv := dict -}} - {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}} - {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}} - {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}} - {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}} - - {{- if .Values.ingressController.admissionWebhook.enabled }} - {{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}} - {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}} - {{- end }} - {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }} - {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}} - {{- end }} - -{{/* - ====== ADMIN API CONFIGURATION ====== -*/}} - - {{- if .Values.ingressController.gatewayDiscovery.enabled -}} - {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}} - {{- else -}} - {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) 
-}} - {{- end -}} - - {{- if .Values.ingressController.adminApi.tls.client.enabled }} - {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}} - {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}} - {{- end }} - -{{/* - ====== KONNECT ENVIRONMENT VARIABLES ====== -*/}} - -{{- if .Values.ingressController.konnect.enabled }} - {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - {{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - {{- end }} - - {{- if not .Values.ingressController.gatewayDiscovery.enabled }} - {{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}} - {{- end }} - - {{- $konnect := .Values.ingressController.konnect -}} - {{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}} - - {{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}} - {{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}} - {{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}} - - {{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}} - {{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}} - {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}} - {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}} - - {{- if $konnect.license.enabled }} - {{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}} - {{- end }} -{{- end }} - -{{/* - ====== USER-SET ENVIRONMENT VARIABLES ====== -*/}} - -{{- $userEnv := dict -}} -{{- range 
$key, $val := .Values.ingressController.env }} - {{- $upper := upper $key -}} - {{- $var := printf "CONTROLLER_%s" $upper -}} - {{- $_ := set $userEnv $var $val -}} -{{- end -}} - -{{/* - ====== CUSTOM-SET INGRESS CONTROLLER ENVIRONMENT VARIABLES ====== -*/}} - -{{- $customIngressEnv := dict -}} -{{- range $key, $val := .Values.ingressController.customEnv }} - {{- $upper := upper $key -}} - {{- $_ := set $customIngressEnv $upper $val -}} -{{- end -}} - -{{/* - ====== MERGE AND RENDER ENV BLOCK ====== -*/}} - -{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customIngressEnv -}} -{{- template "kong.renderEnv" $completeEnv -}} - -{{- end -}} - -{{- define "kong.userDefinedVolumes" -}} -{{- if .Values.deployment.userDefinedVolumes }} -{{- toYaml .Values.deployment.userDefinedVolumes }} -{{- end }} -{{- end -}} - -{{- define "kong.volumes" -}} -- name: {{ template "kong.fullname" . }}-prefix-dir - emptyDir: - sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }} -- name: {{ template "kong.fullname" . }}-tmp - emptyDir: - sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }} -{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} -- name: {{ template "kong.serviceAccountTokenName" . }} - {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well. 
- See the related documentation of semver module that Helm depends on for semverCompare: - https://github.com/Masterminds/semver#working-with-prerelease-versions - Related Helm issue: https://github.com/helm/helm/issues/3810 */}} - {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} - projected: - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - {{- else }} - secret: - secretName: {{ template "kong.serviceAccountTokenName" . }} - items: - - key: token - path: token - - key: ca.crt - path: ca.crt - - key: namespace - path: namespace - {{- end }} -{{- end }} -{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} -{{- if .Values.certificates.cluster.enabled }} -- name: {{ include "kong.fullname" . }}-cluster-cert - secret: - secretName: {{ include "kong.fullname" . }}-cluster-cert -{{- end }} -{{- if .Values.certificates.proxy.enabled }} -- name: {{ include "kong.fullname" . }}-proxy-cert - secret: - secretName: {{ include "kong.fullname" . }}-proxy-cert -{{- end }} -{{- if .Values.certificates.admin.enabled }} -- name: {{ include "kong.fullname" . }}-admin-cert - secret: - secretName: {{ include "kong.fullname" . }}-admin-cert -{{- end }} -{{- if .Values.enterprise.enabled }} -{{- if .Values.certificates.portal.enabled }} -- name: {{ include "kong.fullname" . }}-portal-cert - secret: - secretName: {{ include "kong.fullname" . }}-portal-cert -{{- end }} -{{- end }} -{{- end }} -{{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} -- name: {{ template "kong.fullname" . }}-bash-wait-for-postgres - configMap: - name: {{ template "kong.fullname" . 
}}-bash-wait-for-postgres
- defaultMode: 0755
-{{- end }}
-{{- range .Values.plugins.configMaps }}
-- name: kong-plugin-{{ .pluginName }}
- configMap:
- name: {{ .name }}
-{{- range .subdirectories }}
-- name: {{ .name }}
- configMap:
- name: {{ .name }}
-{{- end }}
-{{- end }}
-{{- range .Values.plugins.secrets }}
-- name: kong-plugin-{{ .pluginName }}
- secret:
- secretName: {{ .name }}
-{{- range .subdirectories }}
-- name: {{ .name }}
- secret:
- secretName: {{ .name }}
-{{- end }}
-{{- end }}
-
-{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
- {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
- {{- if gt $dblessSourceCount 1 -}}
- {{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
- {{- else if eq $dblessSourceCount 1 }}
-- name: kong-custom-dbless-config-volume
- {{- if .Values.dblessConfig.configMap }}
- configMap:
- name: {{ .Values.dblessConfig.configMap }}
- {{- else if .Values.dblessConfig.secret }}
- secret:
- secretName: {{ .Values.dblessConfig.secret }}
- {{- else }}
- configMap:
- name: {{ template "kong.dblessConfig.fullname" . }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }}
-- name: webhook-cert
- secret:
- {{- if .Values.ingressController.admissionWebhook.certificate.provided }}
- secretName: {{ .Values.ingressController.admissionWebhook.certificate.secretName }}
- {{- else }}
- secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair
- {{- end }}
-{{- end }}
-{{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }}
-- name: admin-client-ca
- configMap:
- name: {{ template "kong.fullname" . }}-admin-client-ca
-{{- end -}}
-{{- range $secretVolume := .Values.secretVolumes }}
-- name: {{ . }}
- secret:
- secretName: {{ . }}
-{{- end }}
-{{- range .Values.extraConfigMaps }}
-- name: {{ .name }}
- configMap:
- name: {{ .name }}
-{{- end }}
-{{- range .Values.extraSecrets }}
-- name: {{ .name }}
- secret:
- secretName: {{ .name }}
-{{- end }}
-{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
-- name: admin-api-cert
- secret:
- secretName: {{ template "adminApiService.certSecretName" . }}
-{{- end }}
-{{- end -}}
-
-{{- define "controller.adminApiCertVolumeMount" -}}
-{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
-- name: admin-api-cert
- mountPath: /etc/secrets/admin-api-cert
- readOnly: true
-{{- end -}}
-{{- end -}}
-
-{{- define "kong.userDefinedVolumeMounts" -}}
-{{- if .userDefinedVolumeMounts }}
-{{- toYaml .userDefinedVolumeMounts }}
-{{- end }}
-{{- end -}}
-
-{{- define "kong.volumeMounts" -}}
-- name: {{ template "kong.fullname" . }}-prefix-dir
- mountPath: /kong_prefix/
-- name: {{ template "kong.fullname" . }}-tmp
- mountPath: /tmp
-{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
-{{- if .Values.certificates.cluster.enabled }}
-- name: {{ include "kong.fullname" . }}-cluster-cert
- mountPath: /etc/cert-manager/cluster/
-{{- end }}
-{{- if .Values.certificates.proxy.enabled }}
-- name: {{ include "kong.fullname" . }}-proxy-cert
- mountPath: /etc/cert-manager/proxy/
-{{- end }}
-{{- if .Values.certificates.admin.enabled }}
-- name: {{ include "kong.fullname" . }}-admin-cert
- mountPath: /etc/cert-manager/admin/
-{{- end }}
-{{- if .Values.enterprise.enabled }}
-{{- if .Values.certificates.portal.enabled }}
-- name: {{ include "kong.fullname" . }}-portal-cert
- mountPath: /etc/cert-manager/portal/
-{{- end }}
-{{- end }}
-{{- end }}
-{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
- {{- if eq $dblessSourceCount 1 -}}
- {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-- name: kong-custom-dbless-config-volume
- mountPath: /kong_dbless/
- {{- end }}
- {{- end }}
-{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
-- name: admin-client-ca
- mountPath: /etc/admin-client-ca/
- readOnly: true
-{{- end -}}
-{{- range .Values.secretVolumes }}
-- name: {{ . }}
- mountPath: /etc/secrets/{{ . }}
-{{- end }}
-{{- range .Values.plugins.configMaps }}
-{{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }}
-- name: kong-plugin-{{ .pluginName }}
- mountPath: {{ $mountPath }}
- readOnly: true
-{{- range .subdirectories }}
-- name: {{ .name }}
- mountPath: {{ printf "%s/%s" $mountPath ( .path | default .name ) }}
- readOnly: true
-{{- end }}
-{{- end }}
-{{- range .Values.plugins.secrets }}
-{{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }}
-- name: kong-plugin-{{ .pluginName }}
- mountPath: {{ $mountPath }}
- readOnly: true
-{{- range .subdirectories }}
-- name: {{ .name }}
- mountPath: {{ printf "%s/%s" $mountPath .path }}
- readOnly: true
-{{- end }}
-{{- end }}
-
-{{- range .Values.extraConfigMaps }}
-- name: {{ .name }}
- mountPath: {{ .mountPath }}
-
- {{- if .subPath }}
- subPath: {{ .subPath }}
- {{- end }}
-{{- end }}
-{{- range .Values.extraSecrets }}
-- name: {{ .name }}
- mountPath: {{ .mountPath }}
-
- {{- if .subPath }}
- subPath: {{ .subPath }}
- {{- end }}
-{{- end }}
-
-{{- end -}}
+{{/* TODO 921 this gets used for any Kong env. the migrations and init paths here don't yet
+ build a dict, and so won't work without the removed .Values */}}
 {{- define "kong.plugins" -}}
 {{ $myList := list "bundled" }}
-{{- range .Values.plugins.configMaps -}}
+{{- range .pre.plugins.configMaps -}}
 {{- $myList = append $myList .pluginName -}}
 {{- end -}}
-{{- range .Values.plugins.secrets -}}
+{{- range .pre.plugins.secrets -}}
 {{ $myList = append $myList .pluginName -}}
 {{- end }}
 {{- $myList | uniq | join "," -}}
@@ -872,7 +535,7 @@ The name of the Service which will be used by the controller to update the Ingre
 containerPort: {{ .Values.ingressController.admissionWebhook.port }}
 protocol: TCP
 {{- end }}
- {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}}
+ {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) -}}
 - name: cmetrics
 containerPort: 10255
 protocol: TCP
@@ -889,7 +552,7 @@ The name of the Service which will be used by the controller to update the Ingre
 apiVersion: v1
 fieldPath: metadata.namespace
 {{- include "kong.ingressController.env" . | indent 2 }}
- image: {{ include "kong.getRepoTag" .Values.ingressController.image }}
+ image: {{ include "kong.getRepoTag" .Values.deployment.controller.pod.container.image }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 {{/* disableReadiness is a hidden setting to drop this block entirely for use with a debugger
 Helm value interpretation doesn't let you replace the default HTTP checks with any other
@@ -910,7 +573,7 @@ The name of the Service which will be used by the controller to update the Ingre
 mountPath: /admission-webhook
 readOnly: true
 {{- end }}
-{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+{{- if (and (not .Values.serviceAccount.automountServiceAccountToken) (or .Values.serviceAccount.create .Values.serviceAccount.name)) }}
 - name: {{ template "kong.serviceAccountTokenName" . }}
 mountPath: /var/run/secrets/kubernetes.io/serviceaccount
 readOnly: true
@@ -919,6 +582,7 @@ The name of the Service which will be used by the controller to update the Ingre
 {{- include "controller.adminApiCertVolumeMount" . | nindent 2 }}
 {{- end -}}
+
 {{- define "secretkeyref" -}}
 valueFrom:
 secretKeyRef:
@@ -926,13 +590,6 @@ valueFrom:
 key: {{ .key }}
 {{- end -}}
-{{/*
-Use the Pod security context defined in Values or set the UID by default
-*/}}
-{{- define "kong.podsecuritycontext" -}}
-{{ .Values.securityContext | toYaml }}
-{{- end -}}
-
 {{- define "kong.no_daemon_env" -}}
 {{- template "kong.env" . }}
 - name: KONG_NGINX_DAEMON
@@ -960,7 +617,7 @@ the template that it itself is using form the above sections.
 {{- $_ := set $autoEnv "KONG_ADMIN_ERROR_LOG" "/dev/stderr" -}}
 {{- $_ := set $autoEnv "KONG_STATUS_ERROR_LOG" "/dev/stderr" -}}
-{{- if .Values.ingressController.enabled -}}
+{{- if .Values.deployment.controller.enabled -}}
 {{- $_ := set $autoEnv "KONG_KIC" "on" -}}
 {{- end -}}
@@ -1136,7 +793,7 @@ the template that it itself is using form the above sections.
 {{- $_ := set $autoEnv "KONG_PG_PORT" "5432" }}
 {{- end }}
-{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+{{- if (and (not .Values.deployment.controller.enabled) (eq .Values.env.database "off")) }}
 {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
 {{- if eq $dblessSourceCount 1 -}}
 {{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}}
@@ -1180,35 +837,6 @@ the template that it itself is using form the above sections.
 {{- end -}}
-{{/*
-Given a dictionary of variable=value pairs, render a container env block.
-Environment variables are sorted alphabetically
-*/}}
-{{- define "kong.renderEnv" -}}
-
-{{- $dict := . -}}
-
-{{- range keys . | sortAlpha }}
-{{- $val := pluck . $dict | first -}}
-{{- $valueType := printf "%T" $val -}}
-{{ if eq $valueType "map[string]interface {}" }}
-- name: {{ . }}
-{{ toYaml $val | indent 2 -}}
-{{- else if eq $valueType "string" }}
-{{- if regexMatch "valueFrom" $val }}
-- name: {{ . }}
-{{ $val | indent 2 }}
-{{- else }}
-- name: {{ . }}
- value: {{ $val | quote }}
-{{- end }}
-{{- else }}
-- name: {{ . }}
- value: {{ $val | quote }}
-{{- end }}
-{{- end -}}
-
-{{- end -}}
 {{- define "kong.wait-for-postgres" -}}
 - name: wait-for-postgres
@@ -1261,7 +889,7 @@ role sets used in the charts. Updating these requires separating out cluster
 resource roles into their separate templates.
 */}}
 {{- define "kong.kubernetesRBACRules" -}}
-{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - apiGroups:
 - configuration.konghq.com
 resources:
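Review bot: The new line in `@@ -1136,7 +793,7 @@` still takes the database mode from `.Values.env.database`, while config-dbless.yaml's `@@ -1,5 +1,5 @@` in the same commit takes it from `.Values.deployment.kong.pod.container.env.database`; a values file that populates only one of the two paths makes the other template compare nil to `"off"`, so `KONG_DECLARATIVE_CONFIG` can be set without the DB-less ConfigMap being rendered or vice versa, and a missing intermediate map under `.Values.deployment.kong.pod.container` makes the nested lookup fail at render time. Both checks should read the same key; if the setting is meant to move, `kong.env` (whose body starts and ends outside this hunk) needs the same `.pre`-style pass-through the new containers.yaml uses rather than a direct `.Values` read. The `kong.renderEnv` removal in `@@ -1180,35 +837,6 @@` is matched by the copy in the new env.yaml, so that part is a plain move.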
@@ -1279,7 +907,7 @@ resource roles into their separate templates.
 - patch
 - update
 {{- end }}
-{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - apiGroups:
 - configuration.konghq.com
 resources:
@@ -1297,7 +925,7 @@ resource roles into their separate templates.
 - patch
 - update
 {{- end }}
-{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - apiGroups:
 - ""
 resources:
@@ -1563,24 +1191,6 @@ resource roles into their separate templates.
 - patch
 - update
 {{- end }}
-{{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }}
-- apiGroups:
- - networking.internal.knative.dev
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.internal.knative.dev
- resources:
- - ingresses/status
- verbs:
- - get
- - patch
- - update
-{{- end }}
 - apiGroups:
 - networking.k8s.io
 resources:
@@ -1629,7 +1239,7 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
 - get
 - patch
 - update
-{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - apiGroups:
 - apiextensions.k8s.io
 resources:
@@ -1703,7 +1313,7 @@ extensions/v1beta1
 {{- define "kong.proxy.compatibleReadiness" -}}
 {{- $proxyReadiness := .Values.readinessProbe -}}
-{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}}
+{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.deployment.controller.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)))) -}}
 {{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}}
 {{- $_ := set $proxyReadiness.httpGet "path" "/status" -}}
 {{- end -}}
diff --git a/charts/kong/templates/admission-webhook.yaml b/charts/kong/templates/admission-webhook.yaml
index 8e223f406..6c9efac8e 100644
--- a/charts/kong/templates/admission-webhook.yaml
+++ b/charts/kong/templates/admission-webhook.yaml
@@ -1,4 +1,5 @@
-{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
+# DEMONS: {{ (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image) }}
+{{- if (and .Values.admissionWebhook.enabled .Values.deployment.controller.enabled) }}
 {{- $certCert := "" -}}
 {{- $certKey := "" -}}
 {{- $caCert := "" -}}
@@ -69,10 +70,10 @@ webhooks:
 resources:
 - kongconsumers
 - kongplugins
-{{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - kongclusterplugins
 {{- end }}
-{{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - kongingresses
 {{- end }}
 - apiGroups:
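Review bot: The added `# DEMONS: {{ (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image) }}` line at the top of admission-webhook.yaml reads as leftover debugging output and should not ship: it sits above the `{{- if (and .Values.admissionWebhook.enabled .Values.deployment.controller.enabled) }}` guard, so the version lookup is evaluated and the comment emitted on every render, including when the webhook is disabled, where the template then yields a document consisting only of that comment. Dropping the line, or moving the lookup into a `{{/* … */}}` template comment if it is meant as a reminder, restores the previous output. The `@@ -69,10 +70,10 @@` and `@@ -80,16 +81,16 @@` hunks below only re-point `kong.effectiveVersion` at the new image path.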
@@ -80,16 +81,16 @@ webhooks:
 apiVersions:
 - 'v1'
 operations:
-{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - CREATE
 {{- end }}
 - UPDATE
 resources:
 - secrets
-{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - services
 {{- end }}
-{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - apiGroups:
 - networking.k8s.io
 apiVersions:
diff --git a/charts/kong/templates/config-dbless.yaml b/charts/kong/templates/config-dbless.yaml
index 5619b59a5..9cc5af35e 100644
--- a/charts/kong/templates/config-dbless.yaml
+++ b/charts/kong/templates/config-dbless.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.deployment.kong.enabled }}
-{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+{{- if (and (not .Values.deployment.controller.enabled) (eq .Values.deployment.kong.pod.container.env.database "off")) }}
 {{- if not (or .Values.dblessConfig.configMap .Values.dblessConfig.secret) }}
 {{- if .Values.dblessConfig.config }}
 apiVersion: v1
diff --git a/charts/kong/templates/containers.yaml b/charts/kong/templates/containers.yaml
new file mode 100644
index 000000000..29bba15cb
--- /dev/null
+++ b/charts/kong/templates/containers.yaml
@@ -0,0 +1,228 @@
+{{- define "kong.proxy-container-new" -}}
+- name: "proxy"
+ image: {{ include "kong.getRepoTag" .image }}
+ imagePullPolicy: {{ .image.pullPolicy }}
+ securityContext:
+ {{ toYaml .securityContext | nindent 4 }}
+ env:
+ {{- (include "kong.env.proxy.noDaemon" .) | nindent 2 }}
+ lifecycle:
+ {{- toYaml .lifecycle | nindent 4 }}
+ ports:
+ {{- if (and .pre.svc.admin.http.enabled .pre.svc.admin.enabled) }}
+ - name: admin
+ containerPort: {{ .pre.svc.admin.http.containerPort }}
+ {{- if .pre.svc.admin.http.hostPort }}
+ hostPort: {{ .pre.svc.admin.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.admin.tls.enabled .pre.svc.admin.enabled) }}
+ - name: admin-tls
+ containerPort: {{ .pre.svc.admin.tls.containerPort }}
+ {{- if .pre.svc.admin.tls.hostPort }}
+ hostPort: {{ .pre.svc.admin.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.proxy.http.enabled .pre.svc.proxy.enabled) }}
+ - name: proxy
+ containerPort: {{ .pre.svc.proxy.http.containerPort }}
+ {{- if .pre.svc.proxy.http.hostPort }}
+ hostPort: {{ .pre.svc.proxy.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.proxy.tls.enabled .pre.svc.proxy.enabled)}}
+ - name: proxy-tls
+ containerPort: {{ .pre.svc.proxy.tls.containerPort }}
+ {{- if .pre.svc.proxy.tls.hostPort }}
+ hostPort: {{ .pre.svc.proxy.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- range .pre.svc.proxy.stream }}
+ - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
+ containerPort: {{ .containerPort }}
+ {{- if .hostPort }}
+ hostPort: {{ .hostPort }}
+ {{- end}}
+ protocol: {{ .protocol }}
+ {{- end }}
+ {{- range .pre.svc.udpProxy.stream }}
+ - name: streamudp-{{ .containerPort }}
+ containerPort: {{ .containerPort }}
+ {{- if .hostPort }}
+ hostPort: {{ .hostPort }}
+ {{- end}}
+ protocol: {{ .protocol }}
+ {{- end }}
+ {{- if (and .pre.svc.status.http.enabled .pre.svc.status.enabled)}}
+ - name: status
+ containerPort: {{ .pre.svc.status.http.containerPort }}
+ {{- if .pre.svc.status.http.hostPort }}
+ hostPort: {{ .pre.svc.status.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.status.tls.enabled .pre.svc.status.enabled) }}
+ - name: status-tls
+ containerPort: {{ .pre.svc.status.tls.containerPort }}
+ {{- if .pre.svc.status.tls.hostPort }}
+ hostPort: {{ .pre.svc.status.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.cluster.tls.enabled .pre.svc.cluster.enabled) }}
+ - name: cluster-tls
+ containerPort: {{ .pre.svc.cluster.tls.containerPort }}
+ {{- if .pre.svc.cluster.tls.hostPort }}
+ hostPort: {{ .pre.svc.cluster.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if .pre.enterprise.enabled }}
+ {{- if (and .pre.svc.manager.http.enabled .pre.svc.manager.enabled) }}
+ - name: manager
+ containerPort: {{ .pre.svc.manager.http.containerPort }}
+ {{- if .pre.svc.manager.http.hostPort }}
+ hostPort: {{ .pre.svc.manager.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.manager.tls.enabled .pre.svc.manager.enabled) }}
+ - name: manager-tls
+ containerPort: {{ .pre.svc.manager.tls.containerPort }}
+ {{- if .pre.svc.manager.tls.hostPort }}
+ hostPort: {{ .pre.svc.manager.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.portal.http.enabled .pre.svc.portal.enabled) }}
+ - name: portal
+ containerPort: {{ .pre.svc.portal.http.containerPort }}
+ {{- if .pre.svc.portal.http.hostPort }}
+ hostPort: {{ .pre.svc.portal.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.portal.tls.enabled .pre.svc.portal.enabled) }}
+ - name: portal-tls
+ containerPort: {{ .pre.svc.portal.tls.containerPort }}
+ {{- if .pre.svc.portal.tls.hostPort }}
+ hostPort: {{ .pre.svc.portal.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.portalapi.http.enabled .pre.svc.portalapi.enabled) }}
+ - name: portalapi
+ containerPort: {{ .pre.svc.portalapi.http.containerPort }}
+ {{- if .pre.svc.portalapi.http.hostPort }}
+ hostPort: {{ .pre.svc.portalapi.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.portalapi.tls.enabled .pre.svc.portalapi.enabled) }}
+ - name: portalapi-tls
+ containerPort: {{ .pre.svc.portalapi.tls.containerPort }}
+ {{- if .pre.svc.portalapi.tls.hostPort }}
+ hostPort: {{ .pre.svc.portalapi.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .pre.svc.clustertelemetry.tls.enabled .pre.svc.clustertelemetry.enabled) }}
+ - name: clustert-tls
+ containerPort: {{ .pre.svc.clustertelemetry.tls.containerPort }}
+ {{- if .pre.svc.clustertelemetry.tls.hostPort }}
+ hostPort: {{ .pre.svc.clustertelemetry.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- .pre.volumeMounts | nindent 4 }}
+ {{- if .userDefinedVolumeMounts -}}
+ {{ .userDefinedVolumeMounts | toYaml | nindent 4 }}
+ {{- end }}
+ readinessProbe:
+{{ toYaml .readinessProbe | indent 4 }}
+{{/* TODO 921 this requires controller-related keys we aren't passing in yet
+{{ include "kong.proxy.compatibleReadiness" . | indent 4 }}
+*/}}
+ livenessProbe:
+{{ toYaml .livenessProbe | indent 4 }}
+ {{- if .startupProbe }}
+ startupProbe:
+{{ toYaml .startupProbe | indent 4 }}
+ {{- end }}
+ resources:
+{{ toYaml .resources | indent 4 }}
+{{- end -}}
+
+{{- define "kong.controller-container-new" -}}
+- name: ingress-controller
+ securityContext:
+{{ toYaml .securityContext | nindent 4 }}
+ args:
+ {{ if .args}}
+ {{- range $val := .args }}
+ - {{ $val }}
+ {{- end }}
+ {{- end }}
+ ports:
+ {{- if .pre.admissionWebhook.enabled }}
+ - name: webhook
+ containerPort: {{ .pre.admissionWebhook.port }}
+ protocol: TCP
+ {{- end }}
+ {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .image)) -}}
+ - name: cmetrics
+ containerPort: 10255
+ protocol: TCP
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+# TODO 921 this is not currently designed to be at all relative and relies on
+# external sections. the template invoker renders this from the root and passes
+# it in as .env
+ env:
+{{- .pre.env | indent 4 }}
+ image: {{ include "kong.getRepoTag" .image }}
+ imagePullPolicy: {{ .image.pullPolicy }}
+{{/* disableReadiness is a hidden setting to drop this block entirely for use with a debugger
+ Helm value interpretation doesn't let you replace the default HTTP checks with any other
+ check type, and all HTTP checks freeze when a debugger pauses operation.
+ Setting disableReadiness to ANY value disables the probes.
+*/}}
+{{- if (not (hasKey .pre "disableProbes")) }}
+ readinessProbe:
+{{ toYaml .readinessProbe | indent 4 }}
+ livenessProbe:
+{{ toYaml .livenessProbe | indent 4 }}
+{{- end }}
+ resources:
+{{ toYaml .resources | indent 4 }}
+ volumeMounts:
+{{- if .pre.admissionWebhook.enabled }}
+ - name: webhook-cert
+ mountPath: /admission-webhook
+ readOnly: true
+{{- end }}
+{{- if (and (not .pre.serviceAccount.automountServiceAccountToken) (or .pre.serviceAccount.create .pre.serviceAccount.name)) }}
+ - name: {{ .pre.serviceAccountTokenName }}
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ readOnly: true
+{{- end }}
+ {{- include "kong.userDefinedVolumeMounts" . | nindent 2 }}
+ {{- include "kong.volumeMounts.controller.adminApiCertVolumeMount" . | nindent 2 }}
+{{- end -}}
+
diff --git a/charts/kong/templates/controller-deploy.yaml b/charts/kong/templates/controller-deploy.yaml
new file mode 100644
index 000000000..a7017d97e
--- /dev/null
+++ b/charts/kong/templates/controller-deploy.yaml
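Review bot: `kong.controller-container-new` emits the `env:` key twice — once for the POD_NAME/POD_NAMESPACE fieldRef entries and again just before `{{- .pre.env | indent 4 }}` — so the rendered container carries a duplicate mapping key, which a strict YAML decoder rejects and a lenient one resolves by silently dropping the first block, and with it the pod name and namespace the controller is given. Removing the second ` env:` line and leaving `{{- .pre.env | indent 4 }}` directly under the first list fixes it. Separately, `{{- if (not (hasKey .pre "disableProbes")) }}` can never be true as wired: controller-deploy.yaml unconditionally does `set $containerPre "disableProbes" .Values.ingressController.disableProbes`, so the key exists even when the value is empty and the readiness/liveness probes are never rendered. Either test the value (`{{- if not .pre.disableProbes }}`) or set the key in controller-deploy.yaml only inside `{{- if hasKey .Values.ingressController "disableProbes" }}`. The comment block above it still refers to `disableReadiness` while the key checked is `disableProbes`; it should name the key that is actually honoured.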
@@ -0,0 +1,54 @@
+{{- if .Values.deployment.controller.enabled }}
+{{- $deployConfig := dict -}}
+{{- $deployConfig = (mustMerge $deployConfig .Values.deployment.controller) -}}
+{{- $deployPreRender := dict -}} {{/* collection of values rendered from includes, so that there's no risk of colliding with things from the merge */}}
+{{- $podPreRender := dict -}}
+
+{{- $_ := set $deployPreRender "name" (printf "%s-%s" (include "kong.fullname" .) "controller") -}}
+{{- $_ := set $deployPreRender "namespace" (include "kong.namespace" .) -}}
+# TODO 921 combine with .deployment.controller.labels.
+# unsure how the types work out here--kong.metaLabels produces YAML output, and I'm not sure if we can
+# just concat them as strings or what. can maybe ignore .deployment.controller.labels--it wasn't
+# included in the past and we instead set extraLabels on EVERYTHING. that's apparently sufficient for
+# user needs (there's been no request to provide separate per-resource labels here), but incongruous
+# with how we handle annotations
+{{- $_ := set $deployPreRender "labels" (include "kong.metaLabels" .) -}}
+# TODO 921 this needs changes to the helper template since we'll need to point to two different sets of pods.
+# in ingress chart this is relying on different fullnames. can't simply format since there multiple keys,
+# need to pass a suffix to the helper
+{{- $_ := set $deployPreRender "selectorMatchLabels" (include "kong.controllerSelectorLabels" .) -}}
+{{- $_ := set $deployPreRender "serviceAccount" .Values.serviceAccount -}}
+{{- $_ := set $deployPreRender "serviceAccountTokenName" (include "kong.serviceAccountTokenName" .) -}}
+{{- $_ := set $deployPreRender "serviceAccountName" (include "kong.serviceAccountName" .) -}}
+
+{{- $_ := set $deployPreRender "volumes" (include "kong.volumes.controller" .) -}}
+{{- $_ := set $deployPreRender "userVolumes" (include "kong.userDefinedVolumes" .Values.deployment.controller ) -}}
+
+# TODO 921 ditto the deploy labels todo
+{{- $_ := set $podPreRender "component" "controller" -}}
+{{- $_ := set $podPreRender "app" (include "kong.fullname" .) -}}
+{{- $_ := set $podPreRender "labels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $podPreRender "name" (printf "%s-%s" (include "kong.fullname" .) "controller") -}}
+# TODO 921 copy pasta as-is, but we can probably set this to the _controller_ version
+{{- $_ := set $podPreRender "versionLabel" .Chart.AppVersion -}}
+
+{{- $containerConfig := .Values.deployment.controller.pod.container -}}
+{{- $containerPre := dict -}}
+{{- $_ := set $containerPre "admissionWebhook" .Values.admissionWebhook -}}
+{{- $_ := set $containerPre "env" (include "kong.env.controller" .) -}}
+{{- $_ := set $containerPre "disableProbes" .Values.ingressController.disableProbes -}}
+{{- $_ := set $containerPre "adminApi" .Values.ingressController.adminApi -}}
+{{- $_ := set $containerPre "serviceAccount" .Values.serviceAccount -}}
+{{- $_ := set $containerPre "serviceAccountTokenName" (include "kong.serviceAccountTokenName" .) -}}
+{{- $_ := set $containerPre "serviceAccountName" (include "kong.serviceAccountName" .) -}}
+{{- $_ := set $containerConfig "pre" $containerPre -}}
+
+{{- $_ := set $podPreRender "container" (include "kong.controller-container-new" $containerConfig ) -}}
+
+{{- $preRender := dict -}}
+{{- $_ := set $preRender "deployment" $deployPreRender -}}
+{{- $_ := set $preRender "pod" $podPreRender -}}
+{{- $_ := set $deployConfig "pre" $preRender -}} # TODO 921 maybe think of a better key name
+
+{{- template "kong.deployment" $deployConfig -}}
+{{- end -}}
diff --git a/charts/kong/templates/controller-rbac-resources.yaml b/charts/kong/templates/controller-rbac-resources.yaml
index f5873f052..56194e3b6 100644
--- a/charts/kong/templates/controller-rbac-resources.yaml
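Review bot: `{{- $_ := set $containerConfig "pre" $containerPre -}}` writes into `.Values.deployment.controller.pod.container` itself, because `$containerConfig` is a reference to that map rather than a copy; the `pre` key, including the fully rendered env block and the service-account settings, is then visible to every template rendered after this one and to anything that `toYaml`s the container values. Taking a copy first, `{{- $containerConfig := deepCopy .Values.deployment.controller.pod.container -}}`, keeps the mutation local. The same concern probably applies to `$deployConfig`: `mustMerge` into an empty dict may carry the nested `pod` map by reference, so any later `set` on `$deployConfig.pod` would land in `.Values` as well, whereas the top-level `set $deployConfig "pre" …` is safe. The `# TODO 921 …` lines placed between `{{- … -}}` actions are plain text and so appear to end up in the rendered manifest as YAML comments; wrapping them in `{{/* … */}}` keeps the output clean.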
+++ b/charts/kong/templates/controller-rbac-resources.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
+{{- if and .Values.ingressController.rbac.create .Values.deployment.controller.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -35,7 +35,7 @@ rules:
 - configmaps
 verbs:
 - create
-{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }}
 - apiGroups:
 - ""
 resources:
diff --git a/charts/kong/templates/deployment-controller.yaml b/charts/kong/templates/deployment-controller.yaml
new file mode 100644
index 000000000..27a5b1e49
--- /dev/null
+++ b/charts/kong/templates/deployment-controller.yaml
@@ -0,0 +1,169 @@
+{{- define "kong.deployment" -}}
+{{- if .daemonset }}
+apiVersion: apps/v1
+kind: DaemonSet
+{{- else }}
+apiVersion: apps/v1
+kind: Deployment
+{{- end }}
+metadata:
+ name: {{ .pre.deployment.name }}
+ namespace: {{ .pre.deployment.namespace }}
+ labels:
+ {{- .pre.deployment.labels | nindent 4 }}
+ app.kubernetes.io/component: app
+ {{- if .annotations }}
+ annotations:
+ {{- range $key, $value := .annotations }}
+ {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if not .autoscaling.enabled }}
+ {{- if not .daemonset }}
+ replicas: {{ .replicaCount }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+{{ .pre.deployment.selectorMatchLabels | nindent 6 -}}
+ {{- if .updateStrategy }}
+ {{- if .daemonset }}
+ updateStrategy:
+ {{- else }}
+ strategy:
+ {{- end }}
+{{ toYaml .updateStrategy | indent 4 }}
+ {{- end }}
+ {{- if .minReadySeconds }}
+ minReadySeconds: {{ .minReadySeconds }}
+ {{- end }}
+
+ template:
+ metadata:
+ annotations:
+ {{/* # NOTE 921 some keys in the pod template end up being from the deployment dict, so probably no separate define
+ # there's no obvious reason to separate them, since there can only be one per Deployment anyway
+ */ -}}
+ {{- if (and (not .pod.automountServiceAccountToken) (or .pre.deployment.serviceAccount.create .pre.deployment.serviceAccount.name)) }}
+ {{/* # TODO 921 needs to be passed in as-is. possibly should be made relative, since the generator will attempt to use the same
+ # name, but lives in a separate service-account.yaml template, so vov
+ # TODO above is complete but keeping the note around for now
+ */ -}}
+ kuma.io/service-account-token-volume: {{ .pre.deployment.serviceAccountTokenName }}
+ {{- end }}
+ {{/* # TODO 921 special to DB-less Kong with static config. I think this can be handled with the .Values.dblessConfig.config only:
+ # if you do not want to redeploy on hash change, do not provide a static config. However, this would fire in both controller
+ # and proxy calls, so we probably need to have injection for additional Pod (and whatever else) annotations.
+ */}}
+ {{- if .pre.deployment.dblessChecksum }}
+ checksum/dbless.config: {{ .pre.deployment.dblessChecksum }}
+ {{- end }}
+ {{- if .pod.annotations }}
+ {{- range $key, $value := .pod.annotations }}
+ {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- .pre.pod.labels | nindent 8 }}
+ app.kubernetes.io/component: {{ .pre.pod.component }}
+ app: {{ .pre.pod.app }}
+ version: {{ .pre.pod.versionLabel | quote }}
+ {{- if .pod.labels }}
+ {{ include "kong.renderTpl" (dict "value" .pod.labels "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .pod.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ {{- if .pod.priorityClassName }}
+ priorityClassName: "{{ .pod.priorityClassName }}"
+ {{- end }}
+ {{- if or .pre.deployment.serviceAccount.create .pre.deployment.serviceAccount.name }}
+ serviceAccountName: {{ .pre.deployment.serviceAccountName }}
+ {{- end }}
+ {{- if (and (or .pre.deployment.serviceAccount.create .pre.deployment.serviceAccount.name) .pre.deployment.serviceAccount.automountServiceAccountToken) }}
+ automountServiceAccountToken: true
+ {{- else }}
+ automountServiceAccountToken: false
+ {{ end }}
+ {{- if .pod.container.image.pullSecrets }}
+ # NOTE 921 this is out of place, but the rest of .image _does_ live
+ # inside the container, so probably just keep it there, rather than
+ # separating into .pod.imagePullSecrets
+ imagePullSecrets:
+ {{- range .pod.container.image.pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ # TODO 921 this is Kong-specific and does not rely on any settings in the
+ # deployment config, it's just a static-ish initcontainer we inject. it
+ # does need Kong's image, security context, resources, env, so probably
+ # create a dedicated helper to create the initContainer and then support
+ # injecting initContainers in general. .Values stuff left as-is from here
+{{/*
+ {{- if .Values.deployment.kong.enabled }}
+ initContainers:
+ - name: clear-stale-pid
+ image: {{ include "kong.getRepoTag" .Values.image }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ command:
+ - "rm"
+ - "-vrf"
+ - "$KONG_PREFIX/pids"
+ env:
+ {{- include "kong.env" . | nindent 8 }}
+ volumeMounts:
+ {{- include "kong.volumeMounts" . | nindent 8 }}
+ {{- if .Values.deployment.initContainers }}
+ {{- toYaml .Values.deployment.initContainers | nindent 6 }}
+ {{- end }}
+ {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
+ {{- include "kong.wait-for-db" . | nindent 6 }}
+ {{- end }}
+ {{- end }} # TODO 921 END initContainers clear-stale-pid
+*/}}
+ {{- if .pod.hostAliases }}
+ hostAliases:
+ {{- toYaml .pod.hostAliases | nindent 6 }}
+ {{- end}}
+ {{- if .dnsPolicy }}
+ dnsPolicy: {{ .pod.dnsPolicy | quote }}
+ {{- end }}
+ {{- if .pod.dnsConfig }}
+ dnsConfig:
+{{ toYaml .pod.dnsConfig | indent 8 }}
+ {{- end }}
+ containers:
+{{ .pre.pod.container | nindent 8 }}
+{{- if .pod.sidecarContainers }}
+{{- toYaml .pod.sidecarContainers | nindent 8 }}
+{{- end }}
+ {{- if .pod.affinity }}
+ affinity:
+{{ toYaml .pod.affinity | indent 8 }}
+ {{- end }}
+ {{- if .pod.topologySpreadConstraints }}
+ topologySpreadConstraints:
+{{ toYaml .pod.topologySpreadConstraints | indent 8 }}
+ {{- end }}
+ securityContext:
+ {{- .pod.securityContext | toYaml | nindent 8 }}
+ {{- if .pod.nodeSelector }}
+ nodeSelector:
+{{ toYaml .pod.nodeSelector | indent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: {{ .pod.terminationGracePeriodSeconds }}
+ {{- if .pod.tolerations }}
+ tolerations:
+{{ toYaml .pod.tolerations | indent 8 }}
+ {{- end }}
+ volumes:
+ {{- .pre.deployment.volumes | nindent 8 -}}
+ {{- .pre.deployment.userVolumes | nindent 8 -}}
+
+{{- end -}} {{/* end kong.deployment */}}
diff --git a/charts/kong/templates/env.yaml b/charts/kong/templates/env.yaml
new file mode 100644
index 000000000..973206c4a
--- /dev/null
+++ b/charts/kong/templates/env.yaml
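Review bot: The three places that decide whether the controller pod gets a projected service-account token read different keys: the `kuma.io/service-account-token-volume` annotation is gated on `.pod.automountServiceAccountToken`, while `automountServiceAccountToken:` in the pod spec is gated on `.pre.deployment.serviceAccount.automountServiceAccountToken` and the token volumeMount in containers.yaml on `.pre.serviceAccount.automountServiceAccountToken`, so a values file that sets only one of them can render `automountServiceAccountToken: true` next to an annotation naming a token volume that is never mounted, or the reverse. Gating the annotation on the same field as the pod flag, `{{- if (and (not .pre.deployment.serviceAccount.automountServiceAccountToken) (or .pre.deployment.serviceAccount.create .pre.deployment.serviceAccount.name)) }}`, keeps annotation, pod-level flag and mount in agreement. Further down, `{{- if .dnsPolicy }}` guards a value read from `.pod.dnsPolicy`, so the field is emitted with an empty value when only the top-level key is set and skipped when only the pod-level key is set; the guard should be `{{- if .pod.dnsPolicy }}`.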
@@ -0,0 +1,378 @@
+{{/*
+Given a dictionary of variable=value pairs, render a container env block.
+Environment variables are sorted alphabetically
+*/}}
+{{- define "kong.renderEnv" -}}
+
+{{- $dict := . -}}
+
+{{- range keys . | sortAlpha }}
+{{- $val := pluck . $dict | first -}}
+{{- $valueType := printf "%T" $val -}}
+{{ if eq $valueType "map[string]interface {}" }}
+- name: {{ . }}
+{{ toYaml $val | indent 2 -}}
+{{- else if eq $valueType "string" }}
+{{- if regexMatch "valueFrom" $val }}
+- name: {{ . }}
+{{ $val | indent 2 }}
+{{- else }}
+- name: {{ . }}
+ value: {{ $val | quote }}
+{{- end }}
+{{- else }}
+- name: {{ . }}
+ value: {{ $val | quote }}
+{{- end }}
+{{- end -}}
+
+{{- end -}}
+
+
+{{- define "kong.env.proxy.noDaemon" -}}
+{{- template "kong.env.proxy.basic" . }}
+- name: KONG_NGINX_DAEMON
+ value: "off"
+{{- end -}}
+
+
+{{/*
+The environment values passed to Kong; this should come after all
+the template that it itself is using form the above sections.
+*/}}
+{{- define "kong.env.proxy.basic" -}}
+{{/*
+ ====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
+*/}}
+{{- $autoEnv := dict -}}
+
+{{- $_ := set $autoEnv "KONG_LUA_PACKAGE_PATH" "/opt/?.lua;/opt/?/init.lua;;" -}}
+
+{{- $_ := set $autoEnv "KONG_PROXY_ACCESS_LOG" "/dev/stdout" -}}
+{{- $_ := set $autoEnv "KONG_PROXY_STREAM_ACCESS_LOG" "/dev/stdout basic" -}}
+{{- $_ := set $autoEnv "KONG_ADMIN_ACCESS_LOG" "/dev/stdout" -}}
+{{- $_ := set $autoEnv "KONG_STATUS_ACCESS_LOG" "off" -}}
+{{- $_ := set $autoEnv "KONG_PROXY_ERROR_LOG" "/dev/stderr" -}}
+{{- $_ := set $autoEnv "KONG_PROXY_STREAM_ERROR_LOG" "/dev/stderr" -}}
+{{- $_ := set $autoEnv "KONG_ADMIN_ERROR_LOG" "/dev/stderr" -}}
+{{- $_ := set $autoEnv "KONG_STATUS_ERROR_LOG" "/dev/stderr" -}}
+
+{{- if .pre.ingressControllerEnabled -}}
+ {{- $_ := set $autoEnv "KONG_KIC" "on" -}}
+{{- end -}}
+
+{{- with .pre.svc.admin -}}
+ {{- $address := "0.0.0.0" -}}
+ {{- if (not .enabled) -}}
+ {{- $address = "127.0.0.1" -}}
+ {{- end -}}
+ {{-
$listenConfig := dict -}}
+ {{- $listenConfig := merge $listenConfig . -}}
+ {{- $_ := set $listenConfig "address" (default $address .address) -}}
+ {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
+
+ {{- if or .tls.client.secretName .tls.client.caBundle -}}
+ {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
+ {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
+ {{- end -}}
+
+{{- end -}}
+
+{{- if and ( .pre.Capabilities.APIVersions.Has "cert-manager.io/v1" ) .pre.certificates.enabled -}}
+ {{- if (and .pre.certificates.cluster.enabled .pre.svc.cluster.enabled) -}}
+ {{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}}
+ {{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .pre.certificates.cluster.commonName -}}
+ {{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}}
+ {{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}}
+ {{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}}
+ {{- end -}}
+
+ {{- if .pre.certificates.proxy.enabled -}}
+ {{- $_ := set $autoEnv "KONG_SSL_CERT" "/etc/cert-manager/proxy/tls.crt" -}}
+ {{- $_ := set $autoEnv "KONG_SSL_CERT_KEY" "/etc/cert-manager/proxy/tls.key" -}}
+ {{- end -}}
+
+ {{- if .pre.certificates.admin.enabled -}}
+ {{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}}
+ {{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}}
+ {{- if .pre.enterprise.enabled }}
+ {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}}
+ {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if .pre.enterprise.enabled }}
+ {{- if .pre.certificates.portal.enabled -}}
+ {{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}}
+ {{- $_ := set $autoEnv
"KONG_PORTAL_API_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- if .pre.svc.admin.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .pre.svc.admin.ingress) -}} + {{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .pre.svc.admin.ingress) -}} +{{- end -}} + +{{- $_ := set $autoEnv "KONG_PROXY_LISTEN" (include "kong.listen" .pre.svc.proxy) -}} + +{{- $streamStrings := list -}} +{{- if .pre.svc.proxy.enabled -}} + {{- $tcpStreamString := (include "kong.streamListen" .pre.svc.proxy) -}} + {{- if (not (eq $tcpStreamString "")) -}} + {{- $streamStrings = (append $streamStrings $tcpStreamString) -}} + {{- end -}} +{{- end -}} +{{- if .pre.svc.udpProxy.enabled -}} + {{- $udpStreamString := (include "kong.streamListen" .pre.svc.udpProxy) -}} + {{- if (not (eq $udpStreamString "")) -}} + {{- $streamStrings = (append $streamStrings $udpStreamString) -}} + {{- end -}} +{{- end -}} +{{- $streamString := $streamStrings | join ", " -}} +{{- if (eq (len $streamString) 0) -}} + {{- $streamString = "off" -}} +{{- end -}} +{{- $_ := set $autoEnv "KONG_STREAM_LISTEN" $streamString -}} + +{{- $_ := set $autoEnv "KONG_STATUS_LISTEN" (include "kong.listen" .pre.svc.status) -}} + +{{- if .pre.svc.proxy.enabled -}} + {{- $_ := set $autoEnv "KONG_PORT_MAPS" (include "kong.port_maps" .pre.svc.proxy) -}} +{{- end -}} + +{{- $_ := set $autoEnv "KONG_CLUSTER_LISTEN" (include "kong.listen" .pre.svc.cluster) -}} + +{{- if .pre.enterprise.enabled }} + {{- $_ := set $autoEnv "KONG_PORTAL_API_ACCESS_LOG" "/dev/stdout" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_ACCESS_LOG" "/dev/stdout" -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_ACCESS_LOG" "/dev/stdout" -}} + {{- $_ := set 
$autoEnv "KONG_PORTAL_API_ERROR_LOG" "/dev/stderr" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_ERROR_LOG" "/dev/stderr" -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_ERROR_LOG" "/dev/stderr" -}} + + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_LISTEN" (include "kong.listen" .pre.svc.manager) -}} + {{- if .pre.svc.manager.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_URL" (include "kong.ingress.serviceUrl" .pre.svc.manager.ingress) -}} + {{- end -}} + + {{- if not .pre.enterprise.vitals.enabled }} + {{- $_ := set $autoEnv "KONG_VITALS" "off" -}} + {{- end }} + {{- $_ := set $autoEnv "KONG_CLUSTER_TELEMETRY_LISTEN" (include "kong.listen" .pre.svc.clustertelemetry) -}} + + {{- if .pre.enterprise.portal.enabled }} + {{- $_ := set $autoEnv "KONG_PORTAL" "on" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_LISTEN" (include "kong.listen" .pre.svc.portal) -}} + {{- $_ := set $autoEnv "KONG_PORTAL_API_LISTEN" (include "kong.listen" .pre.svc.portalapi) -}} + + {{- if .pre.svc.portal.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_HOST" .pre.svc.portal.ingress.hostname -}} + {{- if .pre.svc.portal.ingress.tls }} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "https" -}} + {{- else }} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "http" -}} + {{- end }} + {{- end }} + + {{- if .pre.svc.portalapi.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_PORTAL_API_URL" (include "kong.ingress.serviceUrl" .pre.svc.portalapi.ingress) -}} + {{- end }} + {{- end }} + + {{- if .pre.enterprise.rbac.enabled }} + {{- $_ := set $autoEnv "KONG_ENFORCE_RBAC" "on" -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH" .pre.enterprise.rbac.admin_gui_auth | default "basic-auth" -}} + + {{- if not (eq .pre.enterprise.rbac.admin_gui_auth "basic-auth") }} + {{- $guiAuthConf := include "secretkeyref" (dict "name" .pre.enterprise.rbac.admin_gui_auth_conf_secret "key" "admin_gui_auth_conf") -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH_CONF" $guiAuthConf -}} + {{- end }} + + 
{{- $guiSessionConf := include "secretkeyref" (dict "name" .pre.enterprise.rbac.session_conf_secret "key" "admin_gui_session_conf") -}}
+ {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SESSION_CONF" $guiSessionConf -}}
+ {{- end }}
+
+ {{- if .pre.enterprise.smtp.enabled }}
+ {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "off" -}}
+ {{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_FROM" .pre.enterprise.smtp.portal_emails_from -}}
+ {{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_REPLY_TO" .pre.enterprise.smtp.portal_emails_reply_to -}}
+ {{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_FROM" .pre.enterprise.smtp.admin_emails_from -}}
+ {{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_REPLY_TO" .pre.enterprise.smtp.admin_emails_reply_to -}}
+ {{- $_ := set $autoEnv "KONG_SMTP_ADMIN_EMAILS" .pre.enterprise.smtp.smtp_admin_emails -}}
+ {{- $_ := set $autoEnv "KONG_SMTP_HOST" .pre.enterprise.smtp.smtp_host -}}
+ {{- $_ := set $autoEnv "KONG_SMTP_AUTH_TYPE" .pre.enterprise.smtp.smtp_auth_type -}}
+ {{- $_ := set $autoEnv "KONG_SMTP_SSL" .pre.enterprise.smtp.smtp_ssl -}}
+ {{- $_ := set $autoEnv "KONG_SMTP_PORT" .pre.enterprise.smtp.smtp_port -}}
+ {{- $_ := set $autoEnv "KONG_SMTP_STARTTLS" (quote .pre.enterprise.smtp.smtp_starttls) -}}
+ {{- if .pre.enterprise.smtp.auth.smtp_username }}
+ {{- $_ := set $autoEnv "KONG_SMTP_USERNAME" .pre.enterprise.smtp.auth.smtp_username -}}
+ {{- $smtpPassword := include "secretkeyref" (dict "name" .pre.enterprise.smtp.auth.smtp_password_secret "key" "smtp_password") -}}
+ {{- $_ := set $autoEnv "KONG_SMTP_PASSWORD" $smtpPassword -}}
+ {{- end }}
+ {{- else }}
+ {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "on" -}}
+ {{- end }}
+
+ {{- if .pre.enterprise.license_secret -}}
+ {{- $lic := include "secretkeyref" (dict "name" .pre.enterprise.license_secret "key" "license") -}}
+ {{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}}
+ {{- end }}
+
+{{- end }} {{/* End of the.pre.enterprise settings block */}}
+
+{{- if .pre.postgresql.enabled }}
+ {{- $_ := set $autoEnv "KONG_PG_HOST"
(include "kong.pre.postgresql.fullname" .) -}} + {{- $_ := set $autoEnv "KONG_PG_PORT" .pre.postgresql.service.ports.pre.postgresql -}} + {{- $pgPassword := include "secretkeyref" (dict "name" (include "kong.pre.postgresql.fullname" .) "key" "password") -}} + + {{- $_ := set $autoEnv "KONG_PG_PASSWORD" $pgPassword -}} +{{- else if eq .env.database "postgres" }} + {{- $_ := set $autoEnv "KONG_PG_PORT" "5432" }} +{{- end }} + +{{- if (and (not .pre.ingressControllerEnabled) (eq .env.database "off")) }} +{{- $dblessSourceCount := (add (.pre.dblessConfig.configMap | len | min 1) (.pre.dblessConfig.secret | len | min 1) (.pre.dblessConfig.config | len | min 1)) -}} +{{- if eq $dblessSourceCount 1 -}} + {{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}} +{{- end }} +{{- end }} + +{{- $_ := set $autoEnv "KONG_PLUGINS" (include "kong.plugins" .) -}} + +{{/* + ====== USER-SET ENVIRONMENT VARIABLES ====== +*/}} + +{{- $userEnv := dict -}} +{{- range $key, $val := .env }} + {{- if (contains "_log" $key) -}} + {{- if (eq (typeOf $val) "bool") -}} + {{- fail (printf "env.%s must use string 'off' to disable. Without quotes, YAML will coerce the value to a boolean and Kong will reject it" $key) -}} + {{- end -}} + {{- end -}} + {{- $upper := upper $key -}} + {{- $var := printf "KONG_%s" $upper -}} + {{- $_ := set $userEnv $var $val -}} +{{- end -}} + +{{/* + ====== CUSTOM-SET ENVIRONMENT VARIABLES ====== +*/}} + +{{- $customEnv := dict -}} +{{- range $key, $val := .customEnv }} + {{- $upper := upper $key -}} + {{- $_ := set $customEnv $upper $val -}} +{{- end -}} + +{{/* + ====== MERGE AND RENDER ENV BLOCK ====== +*/}} + +{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customEnv -}} +{{- template "kong.renderEnv" $completeEnv -}} + +{{- end -}} + + +{{/* =========== CONTROLLER ENVIRONMENT =========== */}} + +# TODO 921 everything here would need to become relative. some of it relies on +# external values though, e.g. 
.Values.ingressController.ingressClass and
+# .Values.ingressController.admissionWebhook.address presumably remain where
+# they are.
+{{- define "kong.env.controller" -}}
+{{/*
+ ====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
+*/}}
+
+
+{{- $autoEnv := dict -}}
+ {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
+ {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
+ {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
+ {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
+
+ {{- if .Values.ingressController.admissionWebhook.enabled }}
+ {{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}}
+ {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}}
+ {{- end }}
+ {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
+ {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
+ {{- end }}
+
+{{/*
+ ====== ADMIN API CONFIGURATION ======
+*/}}
+
+ # TODO 921 this will need to be an pre var, it's not available from controller scope
+ # Support for automatic CONTROLLER_KONG_ADMIN_URL has been removed, but we somehow need to handle DB-backed instances that need to
+ # set it manually: some installs are weird and split the Kong instance into an entire separate cluster, or something that's
+ # otherwise not available via a local Service.
+ # The controller code gives ADMIN_SVC precedence, so if we set it without checking it will just knock out the user config.
+ {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (printf "%s/%s-%s" (include "kong.namespace" .) (include "kong.fullname" .)
"admin") -}} + + {{- if .Values.ingressController.adminApi.tls.client.enabled }} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}} + {{- end }} + +{{/* + ====== KONNECT ENVIRONMENT VARIABLES ====== +*/}} + +{{- if .Values.ingressController.konnect.enabled }} + {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }} + {{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) }} + {{- end }} + + # TODO 921 removed a "must set GW discovery" check here since the setting will go away. dunno if we bother with a check on admin URL setting + {{- $konnect := .Values.ingressController.konnect -}} + {{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}} + + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}} + + {{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}} + {{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}} + + {{- if $konnect.license.enabled }} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}} + {{- end }} +{{- end }} + +{{/* + ====== USER-SET ENVIRONMENT VARIABLES ====== +*/}} + +{{- $userEnv := dict -}} +{{- range $key, $val := 
.Values.deployment.controller.pod.container.env }}
+ {{- $upper := upper $key -}}
+ {{- $var := printf "CONTROLLER_%s" $upper -}}
+ {{- $_ := set $userEnv $var $val -}}
+{{- end -}}
+
+{{/*
+ ====== CUSTOM-SET INGRESS CONTROLLER ENVIRONMENT VARIABLES ======
+*/}}
+
+{{- $customIngressEnv := dict -}}
+{{- range $key, $val := .Values.ingressController.customEnv }}
+ {{- $upper := upper $key -}}
+ {{- $_ := set $customIngressEnv $upper $val -}}
+{{- end -}}
+
+{{/*
+ ====== MERGE AND RENDER ENV BLOCK ======
+*/}}
+
+{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customIngressEnv -}}
+{{- template "kong.renderEnv" $completeEnv -}}
+
+{{- end -}}
diff --git a/charts/kong/templates/ingress-class.yaml b/charts/kong/templates/ingress-class.yaml
index d2ac47d69..4c5b5135a 100644
--- a/charts/kong/templates/ingress-class.yaml
+++ b/charts/kong/templates/ingress-class.yaml
@@ -1,6 +1,6 @@
 {{/* Default to not managing if unsupported or created outside this chart */}}
 {{- $includeIngressClass := false -}}
-{{- if .Values.ingressController.enabled -}}
+{{- if .Values.deployment.controller.enabled -}}
 {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}}
 {{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}}
 {{- if (hasKey .metadata "annotations") -}}
diff --git a/charts/kong/templates/kong-deploy.yaml b/charts/kong/templates/kong-deploy.yaml
new file mode 100644
index 000000000..40e819ca4
--- /dev/null
+++ b/charts/kong/templates/kong-deploy.yaml
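Review bot: In the postgresql block of `kong.env.proxy.basic`, `include "kong.pre.postgresql.fullname" .` and `.pre.postgresql.service.ports.pre.postgresql` look like a mechanical `.postgresql` → `.pre.postgresql` replace that also hit a helper name and an inner values key, so rendering with `postgresql.enabled` will presumably fail on an undefined template; the intended forms are likely `(include "kong.postgresql.fullname" .)` and `.pre.postgresql.service.ports.postgresql`. In the rbac block, `set $autoEnv "KONG_ADMIN_GUI_AUTH" .pre.enterprise.rbac.admin_gui_auth | default "basic-auth"` pipes the dict returned by `set` into `default`, so the fallback never applies to the value; write `(.pre.enterprise.rbac.admin_gui_auth | default "basic-auth")`. In `kong.env.controller`, `CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY` is set to `true` unconditionally even when `adminApi.tls.client.enabled` mounts a client certificate a few lines later, and because `mergeOverwrite` (as I understand its mergo semantics) does not replace a value with an empty one, a user can only restore verification via the string `"false"` in the controller container env, not the boolean; a comment above that line such as `{{/* admin API TLS verification is skipped by default; set kong_admin_tls_skip_verify: "false" in deployment.controller.pod.container.env to enforce it */}}` would make the weakened default visible. `CONTROLLER_KONG_ADMIN_SVC` is likewise set unconditionally right below the comment explaining that doing so "will just knock out the user config", so a user-provided admin URL for a remote admin API is silently overridden at the controller; guarding it with `{{- if not (hasKey .Values.deployment.controller.pod.container.env "kong_admin_url") }}` would honour that comment. `kong.renderEnv` emits any string value matching `valueFrom` unquoted as raw YAML, so a user-supplied value that merely contains that substring is spliced into the manifest; anchoring the match to the start of the string, if the `secretkeyref` helper output allows it, would narrow that.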
@@ -0,0 +1,122 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- $deployConfig := dict -}}
+{{- $deployConfig = (mustMerge $deployConfig .Values.deployment.kong) -}}
+{{- $deployPreRender := dict -}} {{/* collection of values rendered from includes, so that there's no risk of colliding with things from the merge */}}
+{{- $podPreRender := dict -}}
+{{- $containerConfig := .Values.deployment.kong.pod.container -}}
+{{- $containerPreRender := dict -}}
+
+# TODO 921 review how these names end up in practice with a "kong" release. we've historically
+# suggested a lot of example configurations that resulted in various "kong-kong" resources which,
+# while harmless, look a bit silly
+{{- $_ := set $deployPreRender "name" (printf "%s-%s" (include "kong.fullname" .) "proxy") -}}
+{{- $_ := set $deployPreRender "namespace" (include "kong.namespace" .) -}}
+# TODO 921 combine with .deployment.kong.labels.
+# unsure how the types work out here--kong.metaLabels produces YAML output, and I'm not sure if we can
+# just concat them as strings or what. can maybe ignore .deployment.kong.labels--it wasn't
+# included in the past and we instead set extraLabels on EVERYTHING. that's apparently sufficient for
+# user needs (there's been no request to provide separate per-resource labels here), but incongruous
+# with how we handle annotations
+{{- $_ := set $deployPreRender "labels" (include "kong.metaLabels" .) -}}
+# TODO 921 this needs changes to the helper template since we'll need to point to two different sets of pods.
+# in ingress chart this is relying on different fullnames. can't simply format since there multiple keys,
+# need to pass a suffix to the helper
+{{- $_ := set $deployPreRender "selectorMatchLabels" (include "kong.selectorLabels" .)
-}}
+# TODO 921 SA stuff can probably be refactored to be cleaner, but as-is it's functional
+{{- $_ := set $deployPreRender "serviceAccount" .Values.serviceAccount -}}
+{{- $_ := set $deployPreRender "serviceAccountTokenName" (include "kong.serviceAccountTokenName" .) -}}
+{{- $_ := set $deployPreRender "serviceAccountName" (include "kong.serviceAccountName" .) -}}
+
+{{- $_ := set $deployPreRender "volumes" (include "kong.volumes.proxy" .) -}}
+{{- $_ := set $deployPreRender "userVolumes" (include "kong.userDefinedVolumes" .Values.deployment.kong ) -}}
+{{- $_ := set $containerPreRender "volumeMounts" (include "kong.volumeMounts.proxy" .) -}}
+{{- $_ := set $containerPreRender "userVolumeMounts" (include "kong.userDefinedVolumeMounts" .Values.deployment.kong ) -}}
+
+# TODO 921 ditto the deploy labels todo
+{{- $_ := set $podPreRender "component" "proxy" -}}
+{{- $_ := set $podPreRender "labels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $podPreRender "name" (printf "%s-%s" (include "kong.fullname" .)
"proxy") -}} +{{- $_ := set $podPreRender "versionLabel" .Chart.AppVersion -}} + +{{- $serviceConfig := dict -}} +{{- $_ := set $containerPreRender "admissionWebhook" .Values.admissionWebhook -}} +{{- $_ := set $containerPreRender "enterprise" .Values.enterprise -}} + +{{- $_ := set $serviceConfig "admin" .Values.admin -}} +{{- $_ := set $serviceConfig "proxy" .Values.proxy -}} +{{- $_ := set $serviceConfig "udpProxy" .Values.udpProxy -}} +{{- $_ := set $serviceConfig "status" .Values.status -}} +{{- $_ := set $serviceConfig "cluster" .Values.cluster -}} +{{- $_ := set $serviceConfig "manager" .Values.manager -}} +{{- $_ := set $serviceConfig "portal" .Values.portal -}} +{{- $_ := set $serviceConfig "portalapi" .Values.portalapi -}} +{{- $_ := set $serviceConfig "clustertelemetry" .Values.clustertelemetry -}} +{{- $_ := set $containerPreRender "svc" $serviceConfig -}} + +{{- $_ := set $containerPreRender "serviceAccount" .Values.serviceAccount -}} +{{- $_ := set $containerPreRender "serviceAccountTokenName" (include "kong.serviceAccountTokenName" .) -}} +{{- $_ := set $containerPreRender "serviceAccountName" (include "kong.serviceAccountName" .) -}} + +{{- $_ := set $containerPreRender "ingressControllerEnabled" .Values.deployment.controller.enabled -}} +# TODO 921 Capabilities and Release got stuck here because it was the first place I used them, but +# it's probably not a great home for them--they are not specific to the container and also get used +# in the deployment-level volumes +{{- $_ := set $containerPreRender "Capabilities" .Capabilities -}} +{{- $_ := set $containerPreRender "Release" .Release -}} +{{- $_ := set $containerPreRender "dblessConfig" .Values.dblessConfig -}} +{{- $_ := set $containerPreRender "plugins" .Values.plugins -}} +{{- $_ := set $containerPreRender "certificates" .Values.certificates -}} +# TODO 921 we should probably take this opportunity to drop the postgresql subchart. 
keeping for
+# now to try and reduce scope (hah)
+{{- $_ := set $containerPreRender "postgresql" .Values.postgresql -}}
+
+# TODO 921 figure this initcontainer out. it needs stuff like env and volumemounts figured out
+# first, and then needs to be injected into a prerender var, since we don't know whether
+# we're rendering kong or the controller here
+{{/*
+ {{- if .Values.deployment.kong.enabled }}
+ initContainers:
+ - name: clear-stale-pid
+ image: {{ include "kong.getRepoTag" .Values.image }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ command:
+ - "rm"
+ - "-vrf"
+ - "$KONG_PREFIX/pids"
+ env:
+ {{- include "kong.env" . | nindent 8 }}
+ volumeMounts:
+ {{- include "kong.volumeMounts" . | nindent 8 }}
+ {{- if .Values.deployment.initContainers }}
+ {{- toYaml .Values.deployment.initContainers | nindent 6 }}
+ {{- end }}
+ {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
+ {{- include "kong.wait-for-db" . | nindent 6 }}
+ {{- end }}
+ {{- end }} # TODO 921 END initContainers clear-stale-pid
+*/}}
+{{- $initContainers := list -}}
+{{- range .Values.deployment.kong.pod.initContainers -}}
+ {{- $initContainers = mustAppend $initContainers .
-}}
+{{- end -}}
+{{- $_ := set $podPreRender "initContainers" $initContainers -}}
+
+{{- $volumeMounts := list -}}
+{{- $volumeMounts = mustAppend $volumeMounts (dict "foo" "bar") -}}
+
+# TODO 921 this is inconsistent with the others
+{{- $_ := set $containerConfig "pre" $containerPreRender -}}
+
+{{- $_ := set $podPreRender "container" (include "kong.proxy-container-new" $containerConfig ) -}}
+
+{{- $preRender := dict -}}
+{{- $_ := set $preRender "deployment" $deployPreRender -}}
+{{- $_ := set $preRender "pod" $podPreRender -}}
+{{- $_ := set $deployConfig "pre" $preRender -}} # TODO 921 maybe think of a better key name
+
+{{- template "kong.deployment" $deployConfig -}}
+{{- end -}}
diff --git a/charts/kong/templates/migrations-post-upgrade.yaml b/charts/kong/templates/migrations-post-upgrade.yaml
index 6b1b38e32..44b408735 100644
--- a/charts/kong/templates/migrations-post-upgrade.yaml
+++ b/charts/kong/templates/migrations-post-upgrade.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.deployment.kong.enabled }}
-{{- if (and .Values.migrations.postUpgrade (not (eq .Values.env.database "off"))) }}
+{{- if (and .Values.migrations.postUpgrade (not (eq .Values.deployment.kong.pod.container.env.database "off"))) }}
 # Why is this Job duplicated and not using only helm hooks?
 # See: https://github.com/helm/charts/pull/7362
 apiVersion: batch/v1
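Review bot: `set $containerConfig "pre" $containerPreRender` near the end of kong-deploy.yaml writes into `$containerConfig`, which was bound by reference to `.Values.deployment.kong.pod.container`, so I believe it mutates `.Values` for every template rendered after this one (the migration Jobs in this same change read `.Values.deployment.kong.pod.container.*`); copying first, `{{- $containerConfig := deepCopy .Values.deployment.kong.pod.container -}}`, keeps the values tree untouched and makes the "inconsistent with the others" TODO moot. The `$volumeMounts := list` / `mustAppend $volumeMounts (dict "foo" "bar")` pair is never read and looks like leftover scratch; drop it or mark why it stays. The `# TODO 921 …` lines are YAML comments outside any template action, so they are emitted into the rendered manifest, and with the surrounding `-}}`/`{{-` trimming they concatenate onto the preceding output line — depending on how `kong.deployment` begins, its first line may even land on the `# TODO 921 maybe think of a better key name` trailer; wrapping these notes in `{{/* … */}}` keeps them out of `helm template` output, and the same applies to the `# TODO 921` lines inside `kong.env.controller` in env.yaml.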
@@ -29,29 +29,29 @@ spec: {{- range $key, $value := .Values.migrations.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + {{- if (and (not .Values.deployment.kong.pod.automountServiceAccountToken) (or .Values.serviceAccount.create .Values.serviceAccount.name)) }} kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} {{- end }} {{- end }} spec: - {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} + {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }} serviceAccountName: {{ template "kong.serviceAccountName" . }} {{- end }} - {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} + {{- if (and (or .Values.serviceAccount.create .Values.serviceAccount.name) .Values.serviceAccount.automountServiceAccountToken) }} automountServiceAccountToken: true {{- else }} automountServiceAccountToken: false {{ end }} - {{- if .Values.image.pullSecrets }} + {{- if .Values.deployment.kong.pod.container.image.pullSecrets }} imagePullSecrets: - {{- range .Values.image.pullSecrets }} + {{- range .Values.deployment.kong.pod.container.image.pullSecrets }} - name: {{ . 
}} {{- end }} {{- end }} - {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }} + {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.kong.pod.initContainers) }} initContainers: - {{- if .Values.deployment.initContainers }} - {{- toYaml .Values.deployment.initContainers | nindent 6 }} + {{- if .Values.deployment.kong.pod.initContainers }} + {{- toYaml .Values.deployment.kong.pod.initContainers | nindent 6 }} {{- end }} {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} {{- include "kong.wait-for-postgres" . | nindent 6 }} 
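Review bot: The annotation guard and the pod field now read different keys for the same setting: the `kuma.io/service-account-token-volume` condition checks `not .Values.deployment.kong.pod.automountServiceAccountToken`, while `automountServiceAccountToken:` itself is driven by `.Values.serviceAccount.automountServiceAccountToken`, so the annotation and the actual mount can disagree whenever only one key is set. Whichever is the intended home, use it in both places, e.g. `{{- if (and (not .Values.serviceAccount.automountServiceAccountToken) (or .Values.serviceAccount.create .Values.serviceAccount.name)) }}` for the annotation. The same split appears in the matching hunks of migrations-pre-upgrade.yaml and migrations.yaml. The enclosing Job spec continues outside the hunk.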
@@ -62,27 +62,33 @@ spec: {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} {{- end }} - name: {{ template "kong.name" . }}-post-upgrade-migrations - image: {{ include "kong.getRepoTag" .Values.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ include "kong.getRepoTag" .Values.deployment.kong.pod.container.image }} + imagePullPolicy: {{ .Values.deployment.kong.pod.container.image.pullPolicy }} securityContext: - {{ toYaml .Values.containerSecurityContext | nindent 10 }} + {{ toYaml .Values.deployment.kong.pod.container.securityContext | nindent 10 }} +{{/* TODO 921 needs the same inputs as the main proxy container env: +*/}} {{- include "kong.no_daemon_env" . | nindent 8 }} args: [ "kong", "migrations", "finish" ] +{{/* TODO 921 volume stuff is a mess volumeMounts: {{- include "kong.volumeMounts" . | nindent 8 }} - {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment.kong | nindent 8 }} +*/}} resources: {{- toYaml .Values.migrations.resources | nindent 10 }} +{{/* TODO 921 wat why was this not just a value dump securityContext: {{- include "kong.podsecuritycontext" . | nindent 8 }} - {{- if .Values.nodeSelector }} +*/}} + {{- if .Values.deployment.kong.pod.nodeSelector }} nodeSelector: - {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- toYaml .Values.deployment.kong.pod.nodeSelector | nindent 8 }} {{- end }} - {{- if .Values.tolerations }} + {{- if .Values.deployment.kong.pod.tolerations }} tolerations: - {{- toYaml .Values.tolerations | nindent 8 }} + {{- toYaml .Values.deployment.kong.pod.tolerations | nindent 8 }} {{- end }} restartPolicy: OnFailure volumes: diff --git a/charts/kong/templates/migrations-pre-upgrade.yaml b/charts/kong/templates/migrations-pre-upgrade.yaml index f5002aec9..0e6cd0831 100644 --- a/charts/kong/templates/migrations-pre-upgrade.yaml +++ b/charts/kong/templates/migrations-pre-upgrade.yaml 
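Review bot: The pod-level `securityContext:` / `include "kong.podsecuritycontext"` block is now inside a `{{/* TODO 921 … */}}` comment, so the post-upgrade migration Job pod renders without the pod security context (and without its `volumeMounts`) it had before; even as an interim step this is a hardening regression that produces a deployable-but-weaker manifest rather than a render error. `kong.no_daemon_env` is still called with `.`, while the new env templates in env.yaml read `.pre`/`.env` from a prepared context, so this Job presumably renders a stale env block or fails, as the TODO directly above it notes (assuming the old helper still exists). If the intent is to land this incomplete, a hard `{{- fail "migration Jobs are not yet ported to the new deployment layout" -}}` in place of the commented-out blocks would be safer than silently shipping the reduced spec. The same applies to the matching hunk in migrations-pre-upgrade.yaml; the Job's `volumes:` continue outside the hunk.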
@@ -1,5 +1,5 @@
 {{- if .Values.deployment.kong.enabled }}
-{{- if (and .Values.migrations.preUpgrade (not (eq .Values.env.database "off"))) }}
+{{- if (and .Values.migrations.preUpgrade (not (eq .Values.deployment.kong.pod.container.env.database "off"))) }}
 # Why is this Job duplicated and not using only helm hooks?
 # See: https://github.com/helm/charts/pull/7362
 apiVersion: batch/v1
@@ -31,29 +31,29 @@ spec: {{- range $key, $value := .Values.migrations.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + {{- if (and (not .Values.deployment.kong.pod.automountServiceAccountToken) (or .Values.serviceAccount.create .Values.serviceAccount.name)) }} kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} {{- end }} {{- end }} spec: - {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} + {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }} serviceAccountName: {{ template "kong.serviceAccountName" . }} {{- end }} - {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} + {{- if (and (or .Values.serviceAccount.create .Values.serviceAccount.name) .Values.serviceAccount.automountServiceAccountToken) }} automountServiceAccountToken: true {{- else }} automountServiceAccountToken: false {{ end }} - {{- if .Values.image.pullSecrets }} + {{- if .Values.deployment.kong.pod.container.image.pullSecrets }} imagePullSecrets: - {{- range .Values.image.pullSecrets }} + {{- range .Values.deployment.kong.pod.container.image.pullSecrets }} - name: {{ . 
}} {{- end }} {{- end }} - {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }} + {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.kong.pod.initContainers) }} initContainers: - {{- if .Values.deployment.initContainers }} - {{- toYaml .Values.deployment.initContainers | nindent 6 }} + {{- if .Values.deployment.kong.pod.initContainers }} + {{- toYaml .Values.deployment.kong.pod.initContainers | nindent 6 }} {{- end }} {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} {{- include "kong.wait-for-postgres" . | nindent 6 }} 
@@ -64,27 +64,33 @@ spec: {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} {{- end }} - name: {{ template "kong.name" . }}-upgrade-migrations - image: {{ include "kong.getRepoTag" .Values.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ include "kong.getRepoTag" .Values.deployment.kong.pod.container.image }} + imagePullPolicy: {{ .Values.deployment.kong.pod.container.image.pullPolicy }} securityContext: - {{ toYaml .Values.containerSecurityContext | nindent 10 }} + {{ toYaml .Values.deployment.kong.pod.container.securityContext | nindent 10 }} +{{/* TODO 921 needs the same inputs as the main proxy container env: +*/}} {{- include "kong.no_daemon_env" . | nindent 8 }} args: [ "kong", "migrations", "up" ] +{{/* TODO 921 volume stuff is a mess volumeMounts: {{- include "kong.volumeMounts" . | nindent 8 }} - {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment.kong | nindent 8 }} +*/}} resources: {{- toYaml .Values.migrations.resources| nindent 10 }} +{{/* TODO 921 wat why was this not just a value dump securityContext: {{- include "kong.podsecuritycontext" . | nindent 8 }} - {{- if .Values.nodeSelector }} +*/}} + {{- if .Values.deployment.kong.pod.nodeSelector }} nodeSelector: - {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- toYaml .Values.deployment.kong.pod.nodeSelector | nindent 8 }} {{- end }} - {{- if .Values.tolerations }} + {{- if .Values.deployment.kong.pod.tolerations }} tolerations: - {{- toYaml .Values.tolerations | nindent 8 }} + {{- toYaml .Values.deployment.kong.pod.tolerations | nindent 8 }} {{- end }} restartPolicy: OnFailure volumes: diff --git a/charts/kong/templates/migrations.yaml b/charts/kong/templates/migrations.yaml index a996fcd13..e81d494fa 100644 --- a/charts/kong/templates/migrations.yaml +++ b/charts/kong/templates/migrations.yaml 
@@ -11,7 +11,7 @@ {{- $runInit = .Values.migrations.init -}} {{- end -}} -{{- if (and ($runInit) (not (eq .Values.env.database "off"))) }} +{{- if (and ($runInit) (not (eq .Values.deployment.kong.pod.container.env.database "off"))) }} apiVersion: batch/v1 kind: Job metadata: 
@@ -39,29 +39,29 @@ spec: {{- range $key, $value := .Values.migrations.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + {{- if (and (not .Values.deployment.kong.pod.automountServiceAccountToken) (or .Values.serviceAccount.create .Values.serviceAccount.name)) }} kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} {{- end }} {{- end }} spec: - {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} + {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }} serviceAccountName: {{ template "kong.serviceAccountName" . }} {{- end }} - {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} + {{- if (and (or .Values.serviceAccount.create .Values.serviceAccount.name) .Values.serviceAccount.automountServiceAccountToken) }} automountServiceAccountToken: true {{- else }} automountServiceAccountToken: false {{ end }} - {{- if .Values.image.pullSecrets }} + {{- if .Values.deployment.kong.pod.container.image.pullSecrets }} imagePullSecrets: - {{- range .Values.image.pullSecrets }} + {{- range .Values.deployment.kong.pod.container.image.pullSecrets }} - name: {{ . 
}} {{- end }} {{- end }} - {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }} + {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.kong.pod.initContainers) }} initContainers: - {{- if .Values.deployment.initContainers }} - {{- toYaml .Values.deployment.initContainers | nindent 6 }} + {{- if .Values.deployment.kong.pod.initContainers }} + {{- toYaml .Values.deployment.kong.pod.initContainers | nindent 6 }} {{- end }} {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} {{- include "kong.wait-for-postgres" . | nindent 6 }} 
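Review bot: The two automount checks in this hunk now read different keys: the kuma annotation condition tests `.Values.deployment.kong.pod.automountServiceAccountToken`, while the `automountServiceAccountToken: true` branch tests `.Values.serviceAccount.automountServiceAccountToken`. The `serviceAccount:` block added to values.yaml in this commit defines only `create`, `name` and `annotations`, so unless that key is defined elsewhere the second condition is always falsy: a user who sets the pod-level key to true suppresses the `kuma.io/service-account-token-volume` annotation yet still gets `automountServiceAccountToken: false` in the Job spec. Both conditions should read the same key, presumably `{{- if (and (or .Values.serviceAccount.create .Values.serviceAccount.name) .Values.deployment.kong.pod.automountServiceAccountToken) }}`, so the annotation and the actual mount agree. The enclosing Job spec continues past the end of the hunk.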
@@ -72,27 +72,33 @@ spec: {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} {{- end }} - name: {{ template "kong.name" . }}-migrations - image: {{ include "kong.getRepoTag" .Values.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ include "kong.getRepoTag" .Values.deployment.kong.pod.container.image }} + imagePullPolicy: {{ .Values.deployment.kong.pod.container.image.pullPolicy }} securityContext: - {{ toYaml .Values.containerSecurityContext | nindent 10 }} + {{ toYaml .Values.deployment.kong.pod.container.securityContext | nindent 10 }} +{{/* TODO 921 needs the same inputs as the main proxy container env: {{- include "kong.no_daemon_env" . | nindent 8 }} +*/}} args: [ "kong", "migrations", "bootstrap" ] volumeMounts: +{{/* TODO 921 volume stuff is a mess {{- include "kong.volumeMounts" . | nindent 8 }} - {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment.kong | nindent 8 }} +*/}} resources: {{- toYaml .Values.migrations.resources | nindent 10 }} +{{/* TODO 921 wat why was this not just a value dump securityContext: {{- include "kong.podsecuritycontext" . | nindent 8 }} - {{- if .Values.nodeSelector }} +*/}} + {{- if .Values.deployment.kong.pod.nodeSelector }} nodeSelector: - {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- toYaml .Values.deployment.kong.pod.nodeSelector | nindent 8 }} {{- end }} - {{- if .Values.tolerations }} + {{- if .Values.deployment.kong.pod.tolerations }} tolerations: - {{- toYaml .Values.tolerations | nindent 8 }} + {{- toYaml .Values.deployment.kong.pod.tolerations | nindent 8 }} {{- end }} restartPolicy: OnFailure volumes: diff --git a/charts/kong/templates/secret-sa-token.yaml b/charts/kong/templates/secret-sa-token.yaml index fe8a67d23..e1ff34952 100644 --- a/charts/kong/templates/secret-sa-token.yaml +++ b/charts/kong/templates/secret-sa-token.yaml 
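Review bot: `volumeMounts:` is left outside the `{{/* TODO 921 volume stuff is a mess` comment while both includes that populate it are inside, so the bootstrap container renders `volumeMounts:` with a null value; either move the key inside the comment or keep one include live. Unlike the pre-upgrade hunk, this one also wraps `env:` together with its `kong.no_daemon_env` include, so this Job's container appears to receive no `KONG_*` environment at all (presumably including the database settings) until the block is restored, which the TODO should state explicitly. The added `{{- include "kong.userDefinedVolumeMounts" .Values.deployment.kong | nindent 8 }}` sits inside the comment, so the path rewrite is dead code until the block is uncommented. The surrounding container spec starts and ends outside the hunk.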
@@ -2,7 +2,7 @@ See the related documentation of semver module that Helm depends on for semverCompare: https://github.com/Masterminds/semver#working-with-prerelease-versions Related Helm issue: https://github.com/helm/helm/issues/3810 */}} -{{- if and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) (semverCompare "<1.20.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and (or .Values.serviceAccount.create .Values.serviceAccount.name) (semverCompare "<1.20.0-0" .Capabilities.KubeVersion.Version) }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/kong/templates/service-account.yaml b/charts/kong/templates/service-account.yaml index 41ef6ace6..268c6d27d 100644 --- a/charts/kong/templates/service-account.yaml +++ b/charts/kong/templates/service-account.yaml @@ -1,12 +1,12 @@ -{{- if and (or .Values.deployment.kong.enabled .Values.ingressController.enabled) .Values.deployment.serviceAccount.create -}} +{{- if and (or .Values.deployment.kong.enabled .Values.deployment.controller.enabled) .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kong.serviceAccountName" . }} namespace: {{ template "kong.namespace" . }} - {{- if .Values.deployment.serviceAccount.annotations }} + {{- if .Values.serviceAccount.annotations }} annotations: - {{- range $key, $value := .Values.deployment.serviceAccount.annotations }} + {{- range $key, $value := .Values.serviceAccount.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} diff --git a/charts/kong/templates/servicemonitor.yaml b/charts/kong/templates/servicemonitor.yaml index b0f8b4d3a..72e965912 100644 --- a/charts/kong/templates/servicemonitor.yaml +++ b/charts/kong/templates/servicemonitor.yaml 
@@ -24,7 +24,7 @@ spec: {{- if .Values.serviceMonitor.metricRelabelings }} metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }} {{- end }} - {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}} + {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.deployment.controller.pod.container.image)) -}} - targetPort: cmetrics scheme: http {{- if .Values.serviceMonitor.interval }} diff --git a/charts/kong/templates/tests/test-jobs.yaml b/charts/kong/templates/tests/test-jobs.yaml index d34660ee8..5d0dc9be8 100644 --- a/charts/kong/templates/tests/test-jobs.yaml +++ b/charts/kong/templates/tests/test-jobs.yaml @@ -1,4 +1,4 @@ -{{- if .Values.deployment.test.enabled }} +{{- if .Values.test.enabled }} --- apiVersion: v1 kind: Pod diff --git a/charts/kong/templates/tests/test-resources.yaml b/charts/kong/templates/tests/test-resources.yaml index 79e32d7e2..9630ce312 100644 --- a/charts/kong/templates/tests/test-resources.yaml +++ b/charts/kong/templates/tests/test-resources.yaml @@ -1,4 +1,4 @@ -{{- if .Values.deployment.test.enabled }} +{{- if .Values.test.enabled }} --- apiVersion: v1 kind: Pod diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index 115c73b2a..b64b3ea34 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml 
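Review bot: `.Values.test.enabled` has no definition in the values.yaml hunks of this commit: the old `deployment.test.enabled: false` is deleted and no root-level `test:` block is added, so unless it is defined elsewhere the key resolves to nil and the `helm test` resources are never rendered, even for users who migrate their old setting. The same applies to the test-resources.yaml hunk. Either add `test:` / `  enabled: false` to values.yaml or keep the key under `deployment.kong` alongside the other Kong-specific settings.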
@@ -13,136 +13,397 @@ # Deployment parameters # ----------------------------------------------------------------------------- +# TODO 921 we added this key to hold Deployment-level settings, though it does +# not contain all of them. Many settings (e.g. `.deploymentAnnotations`) were +# created at the root earlier in the chart's life, before we thought to +# organize them by resource better. +# +# The same is true of Pod settings, which naturally nest under Deployment +# settings, but were often created at the root (e.g. `.env`). +# +# We already have a `kong` key here, so adding a `controller` key follows +# pretty naturally for a separate controller Deployment. Moving the current +# contents of `.ingressController` under here would be simplest for migration, +# but would keep some other bad organization. +# +# The keys under `ingressController` are a mixture of container-level (e.g. +# `readinessProbe`), application-level (e.g. `gatewayDiscovery`), and external +# resource-level (e.g. `admissionWebhook`) settings. The former two can +# reasonably enough be grouped under here, but the external resources arguably +# should not be. For maximum reorganization, I'd recommend something like: +# +# ``` +# deployment: +# controller: +# annotations: {} # Deployment-level annotations +# autoscaling: {} # A duplicate of the current root key, for the controller Deployment. This may actually be a separate autoscaling.controller section. +# pod: +# annotations: {} # Pod-level annotations. currently there is a single root-level .podAnnotations used for the single unified Pod +# container: +# env: {...} # controller environment +# image: {} +# sidecarContainers: [] # attach a tcpdump or what have you +# kong: {} # same as the controller section +# +# admissionWebhook: {} # the current contents for .ingressController.admissionWebhook +# ``` +# +# A more conservative approach is to preserve existing settings where +# available. 
This means that existing configuration doesn't need to be +# modified, but will be incongruous. You would have, for example, +# `.deployment.controller.pod.annotations` to set Pod annotations for the +# controller Deployment, but `.podAnnotations` for the Kong Deployment's Pods. deployment: + controller: + enabled: true + labels: {} + annotations: {} # TODO 921 add any defaults + # TODO 921 the equivalent root setting has "default" values: https://github.com/Kong/charts/blob/kong-2.30.0/charts/kong/values.yaml#L887-L904 + # These are no-oped with an `enabled=false` key, but are somewhat + # misleading in that we didn't really design them for any particular + # purpose--they're just values to show the structure. Given how values.yaml + # defaults work IDK if maybe we'd consider making the _actual_ values.yaml + # base not set defaults in these cases, and then having a dedicated example + # values.yaml that just shows structure. + autoscaling: {} + updateStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: "100%" + # maxUnavailable: "0%" + replicaCount: 1 + ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, + ## for it to be considered available. + # minReadySeconds: 60 + pod: + labels: {} + annotations: {} # .podAnnotations, for the controller + automountServiceAccountToken: false + hostNetwork: false + # Affinity for pod assignment + # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + # Topology spread constraints for pod assignment (requires Kubernetes >= 1.19) + # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # Sets the termination grace period for pods spawned by the Kubernetes Deployment. 
+ # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + terminationGracePeriodSeconds: 30 + # Tolerations for pod assignment + # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # Node labels for pod assignment + # Ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: {} + priorityClassName: "" + securityContext: {} + userDefinedVolumes: [] + hostAliases: [] + initContainers: [] + sidecarContainers: [] + ## Optional DNS configuration for pods + # dnsPolicy: ClusterFirst + # dnsConfig: + # nameservers: + # - "10.100.0.10" + # options: + # - name: ndots + # value: "5" + # searches: + # - default.svc.cluster.local + # - svc.cluster.local + # - cluster.local + # - us-east-1.compute.internal + container: + args: [] + env: + # The controller disables TLS verification by default because Kong + # generates self-signed certificates by default. Set this to false once you + # have installed CA-signed certificates. + kong_admin_tls_skip_verify: true + # If using Kong Enterprise with RBAC enabled, uncomment the section below + # and specify the secret/key containing your admin token. + # kong_admin_token: + # valueFrom: + # secretKeyRef: + # name: CHANGEME-admin-token-secret + # key: CHANGEME-admin-token-key + # Additional non-Kong environment variables. Keys here will be set in + # the container environment _without_ prepending a "CONTROLLER_" prefix. + # customEnv: {} + image: + repository: kong/kubernetes-ingress-controller + tag: "2.12" + # Optionally set a semantic version for version-gated features. This can normally + # be left unset. You only need to set this if your tag is not a semver string, + # such as when you are using a "next" tag. Set this to the effective semantic + # version of your tag: for example if using a "next" image for an unreleased 3.1.0 + # version, set this to "3.1.0". 
+ effectiveSemver: "" + livenessProbe: + httpGet: + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: "/readyz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + lifecycle: {} + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: 1000 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + userDefinedVolumeMounts: [] + # If you want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + resources: {} + # limits: + # cpu: 1 + # memory: 2G + # requests: + # cpu: 1 + # memory: 2G + # TODO 921 since kong.volumes isn't properly split yet, this + # is not honored (it uses the setting under deployment.kong) + # tmp empty dir size + tmpDir: + sizeLimit: 1Gi + kong: - # Enable or disable Kong itself - # Setting this to false with ingressController.enabled=true will create a - # controller-only release. enabled: true - ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, - ## for it to be considered available. - # minReadySeconds: 60 - ## Specify the service account to create and to be assigned to the deployment / daemonset and for the migrations - serviceAccount: - create: true - # Automount the service account token. By default, this is disabled, and the token is only mounted on the controller - # container. Some sidecars require enabling this. Note that enabling this exposes Kubernetes credentials to Kong - # Lua code, increasing potential attack surface. - automountServiceAccountToken: false - ## Optionally specify the name of the service account to create and the annotations to add. 
- # name: - # annotations: {} + labels: {} + annotations: {} # TODO 921 add any defaults + # TODO 921 the equivalent root setting has "default" values: https://github.com/Kong/charts/blob/kong-2.30.0/charts/kong/values.yaml#L887-L904 + # These are no-oped with an `enabled=false` key, but are somewhat + # misleading in that we didn't really design them for any particular + # purpose--they're just values to show the structure. Given how values.yaml + # defaults work IDK if maybe we'd consider making the _actual_ values.yaml + # base not set defaults in these cases, and then having a dedicated example + # values.yaml that just shows structure. + autoscaling: {} + daemonset: false + updateStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: "100%" + # maxUnavailable: "0%" + replicaCount: 1 + ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, + ## for it to be considered available. + # minReadySeconds: 60 + pod: + labels: {} + annotations: {} + # TODO 921 whoever decided that these needed to evaluate templates is the bane of my existence + # kuma.io/gateway: enabled + # traffic.sidecar.istio.io/includeInboundPorts: "" + automountServiceAccountToken: false + hostNetwork: false + # Affinity for pod assignment + # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + # Topology spread constraints for pod assignment (requires Kubernetes >= 1.19) + # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # Sets the termination grace period for pods spawned by the Kubernetes Deployment. 
+ # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + terminationGracePeriodSeconds: 30 + # Tolerations for pod assignment + # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # Node labels for pod assignment + # Ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: {} + hostAliases: [] + priorityClassName: "" + securityContext: {} + sidecarContainers: [] + initContainers: [] + ## Optional DNS configuration for pods + # dnsPolicy: ClusterFirst + # dnsConfig: + # nameservers: + # - "10.100.0.10" + # options: + # - name: ndots + # value: "5" + # searches: + # - default.svc.cluster.local + # - svc.cluster.local + # - cluster.local + # - us-east-1.compute.internal + container: + args: [] + # Specify Kong configuration + # This chart takes all entries defined under `.env` and transforms them into into `KONG_*` + # environment variables for Kong containers. + # Their names here should match the names used in https://github.com/Kong/kong/blob/master/kong.conf.default + # See https://docs.konghq.com/latest/configuration also for additional details + # Values here take precedence over values from other sections of values.yaml, + # e.g. setting pg_user here will override the value normally set when postgresql.enabled + # is set below. In general, you should not set values here if they are set elsewhere. + env: + database: "off" + router_flavor: "traditional" + nginx_worker_processes: "2" + proxy_access_log: /dev/stdout + admin_access_log: /dev/stdout + admin_gui_access_log: /dev/stdout + portal_api_access_log: /dev/stdout + proxy_error_log: /dev/stderr + admin_error_log: /dev/stderr + admin_gui_error_log: /dev/stderr + portal_api_error_log: /dev/stderr + prefix: /kong_prefix/ + # Additional non-Kong environment variables. Keys here will be set in + # the container environment _without_ prepending a "KONG_" prefix. 
+ # customEnv: {} + image: + repository: kong + tag: "3.4" + # Kong Enterprise + # repository: kong/kong-gateway + # tag: "3.4" + # Optionally set a semantic version for version-gated features. This can normally + # be left unset. You only need to set this if your tag is not a semver string, + # such as when you are using a "next" tag. Set this to the effective semantic + # version of your tag: for example if using a "next" image for an unreleased 3.1.0 + # version, set this to "3.1.0". + effectiveSemver: "" + readinessProbe: + httpGet: + path: "/status/ready" + port: status + scheme: HTTP + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + livenessProbe: + httpGet: + path: "/status" + port: status + scheme: HTTP + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + lifecycle: + preStop: + exec: + # kong quit has a default timeout of 10 seconds, and a default wait of 0 seconds. + # Note: together they should be less than the terminationGracePeriodSeconds setting below. + command: + - kong + - quit + - '--wait=15' + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: 1000 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + userDefinedVolumeMounts: {} + # - name: example + # mountPath: /example + # If you want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ resources: {} + # limits: + # cpu: 1 + # memory: 2G + # requests: + # cpu: 1 + # memory: 2G + # kong_prefix empty dir size + prefixDir: + sizeLimit: 256Mi + # tmp empty dir size + tmpDir: + sizeLimit: 1Gi - ## Optionally specify any extra sidecar containers to be included in the deployment - ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core - # sidecarContainers: - # - name: sidecar - # image: sidecar:latest - # initContainers: - # - name: initcon - # image: initcon:latest - # hostAliases: - # - ip: "127.0.0.1" - # hostnames: - # - "foo.local" - # - "bar.local" - - ## Define any volumes and mounts you want present in the Kong proxy container - # userDefinedVolumes: - # - name: "volumeName" - # emptyDir: {} - # userDefinedVolumeMounts: - # - name: "volumeName" - # mountPath: "/opt/user/dir/mount" - test: - # Enable creation of test resources for use with "helm test" - enabled: false - # Use a DaemonSet controller instead of a Deployment controller - daemonset: false - hostNetwork: false - # kong_prefix empty dir size - prefixDir: - sizeLimit: 256Mi - # tmp empty dir size - tmpDir: - sizeLimit: 1Gi # Override namepsace for Kong chart resources. By default, the chart creates resources in the release namespace. # This may not be desirable when using this chart as a dependency. # namespace: "example" +serviceAccount: + create: true + ## Optionally specify the name of the service account to create and the annotations to add. + name: "" + annotations: {} + # ----------------------------------------------------------------------------- -# Kong parameters +# Admission webhook # ----------------------------------------------------------------------------- -# Specify Kong configuration -# This chart takes all entries defined under `.env` and transforms them into into `KONG_*` -# environment variables for Kong containers. 
-# Their names here should match the names used in https://github.com/Kong/kong/blob/master/kong.conf.default -# See https://docs.konghq.com/latest/configuration also for additional details -# Values here take precedence over values from other sections of values.yaml, -# e.g. setting pg_user here will override the value normally set when postgresql.enabled -# is set below. In general, you should not set values here if they are set elsewhere. -env: - database: "off" - # the chart uses the traditional router (for Kong 3.x+) because the ingress - # controller generates traditional routes. if you do not use the controller, - # you may set this to "traditional_compatible" or "expressions" to use the new - # DSL-based router - router_flavor: "traditional" - nginx_worker_processes: "2" - proxy_access_log: /dev/stdout - admin_access_log: /dev/stdout - admin_gui_access_log: /dev/stdout - portal_api_access_log: /dev/stdout - proxy_error_log: /dev/stderr - admin_error_log: /dev/stderr - admin_gui_error_log: /dev/stderr - portal_api_error_log: /dev/stderr - prefix: /kong_prefix/ - -# This section is any customer specific environments variables that doesn't require KONG_ prefix. -# These custom environment variables are typicall used in custom plugins or serverless plugins to -# access environment specific credentials or tokens. -# Example as below, uncomment if required and add additional attributes as required. -# Note that these environment variables will only apply to the proxy and init container. The ingress-controller -# container has its own customEnv section. - -# customEnv: -# api_token: -# valueFrom: -# secretKeyRef: -# key: token -# name: api_key -# client_name: testClient +admissionWebhook: + enabled: true + failurePolicy: Ignore + port: 8080 + certificate: + provided: false + namespaceSelector: {} + # Specifiy the secretName when the certificate is provided via a TLS secret + # secretName: "" + # Specifiy the CA bundle of the provided certificate. 
+ # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used. + # caBundle: + # | Add the CA bundle content here. + service: + # Specify custom labels for the validation webhook service. + labels: {} + # Tune the default Kubernetes timeoutSeconds of 10 seconds + # timeoutSeconds: 10 # This section can be used to configure some extra labels that will be added to each Kubernetes object generated. extraLabels: {} -# Specify Kong's Docker image and repository details here -image: - repository: kong - tag: "3.4" - # Kong Enterprise - # repository: kong/kong-gateway - # tag: "3.4" +######################## +# +# Service configuration +# +######################## - # Specify a semver version if your image tag is not one (e.g. "nightly") - effectiveSemver: - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistrKeySecretName +# TODO 921 we can probably leave the service definitions at the root. Although +# they're specific to a particular Deployment, they can't be defined +# arbitrarily (you can only configure admin, proxy, etc. that we've given you) +# and we know what Deployment they target. Controller-related Services AFAIK +# have no such configuration (we create a webhook service, but it's done +# through the webhook config, not through anything that uses the standard +# service template. 
+# # Specify Kong admin API service and listener configuration admin: # Enable creating a Kubernetes service for the admin API # Disabling this is recommended for most ingress controller configurations # Enterprise users that wish to use Kong Manager with the controller should enable this - enabled: false - type: NodePort + enabled: true + type: ClusterIP loadBalancerClass: # To specify annotations or labels for the admin service, add them to the respective # "annotations" or "labels" dictionaries below. @@ -435,6 +696,7 @@ plugins: {} # secrets: # - pluginName: rewriter # name: kong-plugin-rewriter + # Inject specified secrets as a volume in Kong Container at path /etc/secrets/{secret-name}/ # This can be used to override default SSL certificates. # Be aware that the secret name will be used verbatim, and that certain types @@ -447,10 +709,18 @@ secretVolumes: [] # Enable/disable migration jobs, and set annotations for them migrations: + # TODO 921 the new pattern would have individual configurations for each + # migration, which is probably more annoying than useful. there shouldn't be + # a reason to assign, say, more resources to post migrations. # Enable pre-upgrade migrations (run "kong migrations up") preUpgrade: true # Enable post-upgrade migrations (run "kong migrations finish") postUpgrade: true + # TODO 921 these do not follow the pattern, but it's probably less crucial + # that they do. our allowed configuration for migrations is pretty limited. + # we may want to just do it anyway--once you're using a migration tool, + # there's not a whole lot of reason to be conservative. the work required is + # all on the dev side, and adding more key remaps is easy. # Annotations to apply to migrations job pods # By default, these disable service mesh sidecar injection for Istio and Kuma, # as the sidecar containers do not terminate and prevent the jobs from completing 
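Review bot: The admin block flips `enabled: false` / `type: NodePort` to `enabled: true` / `type: ClusterIP` while the context line two above still reads "Disabling this is recommended for most ingress controller configurations", so either the comment or the new default is wrong, and a default that now creates an admin API Service deserves an explicit mention in the values comments and release notes. The new `deployment.kong.pod.container.image` and `deployment.controller.pod.container.image` blocks define only `repository`, `tag` and `effectiveSemver`, dropping the old `pullPolicy: IfNotPresent` and the `pullSecrets` example, yet the migrations and pre-upgrade hunks in this commit read `...image.pullPolicy` and `...image.pullSecrets`; add `pullPolicy: IfNotPresent` and a commented `# pullSecrets:` example to both image blocks. `userDefinedVolumeMounts: {}` under the kong container should be `userDefinedVolumeMounts: []` to match the controller block and the list the template expands. The old comment warning that enabling `automountServiceAccountToken` exposes Kubernetes credentials to Kong Lua code is lost in the move; restore it above `deployment.kong.pod.automountServiceAccountToken: false`, e.g. `# Automount the service account token. Disabled by default; enabling it exposes Kubernetes credentials to Kong Lua code and widens the attack surface.` Note also that the former `podAnnotations` defaults (`kuma.io/gateway: enabled`, `traffic.sidecar.istio.io/includeInboundPorts: ""`) become commented-out examples under `deployment.kong.pod.annotations`, so upgrading users silently lose those mesh annotations unless the change is documented.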
@@ -462,6 +732,7 @@ migrations: jobAnnotations: {} # Optionally set a backoffLimit. If none is set, Jobs will use the cluster default backoffLimit: + # TODO 921 if we do move stuff here, this is part of the container resources: {} # Example reasonable setting for "resources": # resources: @@ -513,25 +784,6 @@ dblessConfig: # created in k8s. It uses CRDs for more fine grained control over routing and # for Kong specific configuration. ingressController: - enabled: true - image: - repository: kong/kubernetes-ingress-controller - tag: "2.12" - # Optionally set a semantic version for version-gated features. This can normally - # be left unset. You only need to set this if your tag is not a semver string, - # such as when you are using a "next" tag. Set this to the effective semantic - # version of your tag: for example if using a "next" image for an unreleased 3.1.0 - # version, set this to "3.1.0". - effectiveSemver: - args: [] - - gatewayDiscovery: - enabled: false - generateAdminApiService: false - adminApiService: - namespace: "" - name: "" - # Specify individual namespaces to watch for ingress configuration. By default, # when no namespaces are set, the controller watches all namespaces and uses a # ClusterRole to grant access to Kubernetes resources. When you list specific 
@@ -541,25 +793,6 @@ ingressController: # Requires controller 2.0.0 or newer. watchNamespaces: [] - # Specify Kong Ingress Controller configuration via environment variables - env: - # The controller disables TLS verification by default because Kong - # generates self-signed certificates by default. Set this to false once you - # have installed CA-signed certificates. - kong_admin_tls_skip_verify: true - # If using Kong Enterprise with RBAC enabled, uncomment the section below - # and specify the secret/key containing your admin token. - # kong_admin_token: - # valueFrom: - # secretKeyRef: - # name: CHANGEME-admin-token-secret - # key: CHANGEME-admin-token-key - - # This section is any customer specific environments variables that doesn't require CONTROLLER_ prefix. - # Example as below, uncomment if required and add additional attributes as required. - # customEnv: - # TZ: "Europe/Berlin" - admissionWebhook: enabled: true failurePolicy: Ignore @@ -583,47 +816,10 @@ ingressController: # annotations for IngressClass resource (Kubernetes 1.18+) ingressClassAnnotations: {} - ## Define any volumes and mounts you want present in the ingress controller container - ## Volumes are defined above in deployment.userDefinedVolumes - # userDefinedVolumeMounts: - # - name: "volumeName" - # mountPath: "/opt/user/dir/mount" - rbac: # Specifies whether RBAC resources should be created create: true - # general properties - livenessProbe: - httpGet: - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: "/readyz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - resources: {} - # Example reasonable setting for "resources": - # resources: - # limits: - # cpu: 100m - # memory: 256Mi - # requests: - # cpu: 50m - # memory: 128Mi - konnect: enabled: false 
@@ -643,6 +839,7 @@ ingressController: # Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways. enabled: false + # TODO 921 app-level config, probably remains here adminApi: tls: client: @@ -770,6 +967,8 @@ certificates: # Miscellaneous parameters # ----------------------------------------------------------------------------- +# TODO 921 kinda part of the kong deployment, but not generic deployment +# functionality. waitImage: # Wait for the database to come online before starting Kong or running migrations # If Kong is to access the database through a service mesh that injects a sidecar to 
@@ -784,106 +983,9 @@ waitImage: # tag: 5 pullPolicy: IfNotPresent -# update strategy -updateStrategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: "100%" - # maxUnavailable: "0%" - -# If you want to specify resources, uncomment the following -# lines, adjust them as necessary, and remove the curly braces after 'resources:'. -resources: {} - # limits: - # cpu: 1 - # memory: 2G - # requests: - # cpu: 1 - # memory: 2G - -# readinessProbe for Kong pods -readinessProbe: - httpGet: - path: "/status/ready" - port: status - scheme: HTTP - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - -# livenessProbe for Kong pods -livenessProbe: - httpGet: - path: "/status" - port: status - scheme: HTTP - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - -# startupProbe for Kong pods -# startupProbe: -# httpGet: -# path: "/status" -# port: status -# scheme: HTTP -# initialDelaySeconds: 5 -# timeoutSeconds: 5 -# periodSeconds: 2 -# successThreshold: 1 -# failureThreshold: 40 - -# Proxy container lifecycle hooks -# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ -lifecycle: - preStop: - exec: - # kong quit has a default timeout of 10 seconds, and a default wait of 0 seconds. - # Note: together they should be less than the terminationGracePeriodSeconds setting below. - command: - - kong - - quit - - '--wait=15' - -# Sets the termination grace period for pods spawned by the Kubernetes Deployment. 
-# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution -terminationGracePeriodSeconds: 30 - -# Affinity for pod assignment -# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -# affinity: {} - -# Topology spread constraints for pod assignment (requires Kubernetes >= 1.19) -# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -# topologySpreadConstraints: [] - -# Tolerations for pod assignment -# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] - -# Node labels for pod assignment -# Ref: https://kubernetes.io/docs/user-guide/node-selection/ -nodeSelector: {} - -# Annotation to be added to Kong pods -podAnnotations: - kuma.io/gateway: enabled - traffic.sidecar.istio.io/includeInboundPorts: "" - -# Labels to be added to Kong pods -podLabels: {} - -# Kong pod count. -# It has no effect when autoscaling.enabled is set to true -replicaCount: 1 - -# Annotations to be added to Kong deployment -deploymentAnnotations: {} - +# TODO 921 this is a resource separate from the Deployment, but attached to it +# not sure if we should nest under deployment config or create +# `autoscaling.kong` and `autoscaling.controller` keys. # Enable autoscaling using HorizontalPodAutoscaler # When configuring an HPA, you must set resource requests on all containers via # "resources" and, if using the controller, "ingressController.resources" in values.yaml @@ -903,6 +1005,7 @@ autoscaling: type: Utilization averageUtilization: 80 +# TODO 921 ditto autoscaling # Kong Pod Disruption Budget podDisruptionBudget: enabled: false 
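Review bot: The top-level keys removed in this hunk (`resources`, `readinessProbe`, `livenessProbe`, `lifecycle`, `terminationGracePeriodSeconds`, `replicaCount`, `podAnnotations`, `updateStrategy` and the scheduling keys) get no replacement here, and Helm does not reject unknown values keys unless the chart ships a `values.schema.json`, so an operator's existing values file that sets `resources` or probes will render a Deployment without them and nothing will say so. Until the new home under `deployment` that the added TODO mentions exists, I would add a fail-fast guard per legacy key in the deployment template, e.g. `{{- if .Values.resources }}{{ fail "top-level 'resources' has moved; see values.yaml" }}{{- end }}`, or a `values.schema.json` with `additionalProperties: false` for the old names. Two of the removed defaults carry behaviour rather than tuning and should survive the move: the `preStop` `kong quit --wait=15` paired with `terminationGracePeriodSeconds: 30` (the removed comment notes the two must fit together for a graceful drain), and the `podAnnotations` defaults `kuma.io/gateway: enabled` / `traffic.sidecar.istio.io/includeInboundPorts: ""`, which appear to tell mesh sidecars not to intercept the gateway's inbound traffic.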
@@ -910,6 +1013,9 @@ podDisruptionBudget: # maxUnavailable: "50%" # minAvailable: "50%" +# TODO 921 discard this? unrelated to the task mostly since PSP is separate, +# but it's basically removed at this point. need to confirm what the minimum +# Pod security standards version is instead podSecurityPolicy: enabled: false labels: {} @@ -939,38 +1045,7 @@ podSecurityPolicy: # If you use Kong Enterprise <1.5, this must be set to false. readOnlyRootFilesystem: true - -priorityClassName: "" - -# securityContext for Kong pods. -securityContext: {} - -# securityContext for containers. -containerSecurityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - -## Optional DNS configuration for Kong pods -# dnsPolicy: ClusterFirst -# dnsConfig: -# nameservers: -# - "10.100.0.10" -# options: -# - name: ndots -# value: "5" -# searches: -# - default.svc.cluster.local -# - svc.cluster.local -# - cluster.local -# - us-east-1.compute.internal - +# TODO 921 figure out if anything is necessary for this serviceMonitor: # Specifies whether ServiceMonitor for Prometheus operator should be created # If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see: @@ -1213,6 +1288,8 @@ clustertelemetry: # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) pathType: ImplementationSpecific +# TODO 921 maybe keep these as-is but do not add them to the generic handler. +# They are also features that are special cases of userDefinedVolume(Mount)s extraConfigMaps: [] # extraConfigMaps: # - name: my-config-map @@ -1234,3 +1311,7 @@ extraObjects: [] # config: # per_consumer: false # plugin: prometheus + +test: + # Enable creation of test resources for use with "helm test" + enabled: false
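Review bot: The question in the added TODO above `podSecurityPolicy` has a concrete answer worth recording instead of the TODO: PodSecurityPolicy was removed in Kubernetes 1.25, and its replacement, Pod Security Admission, is not something a chart versions against — the cluster enforces a Pod Security Standards level (`privileged`, `baseline`, `restricted`) through namespace labels. What the chart owes users is a statement of which level its default pod spec satisfies; `restricted` requires `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and a `seccompProfile.type` of `RuntimeDefault` or `Localhost`, which is exactly the set the chart's default container security context has provided. I would replace the TODO with `# PodSecurityPolicy was removed in Kubernetes 1.25; this block only matters on older clusters. On 1.25+ use Pod Security Admission; the chart's default pod/container security context is intended to satisfy the "restricted" profile.` and gate the PSP template on `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` so it is never rendered where the API no longer exists.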
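Review bot: Deleting the `containerSecurityContext` defaults (`readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, `runAsUser: 1000`, `runAsNonRoot: true`, `seccompProfile: RuntimeDefault`, `capabilities.drop: [ALL]`) removes the chart's container hardening with no replacement visible in this hunk, and the added TODO only concerns `serviceMonitor`. Any template that still renders `{{ toYaml .Values.containerSecurityContext | nindent N }}` will emit `null` for the now-missing key, so the proxy container would run as the image's default user with privilege escalation allowed and no seccomp profile, and `helm template` will not flag it — this also drops the chart below the Pod Security Standards `restricted` profile it previously met. If these are moving to a per-container key, carry the identical values as defaults there and add a guard such as `{{- if .Values.containerSecurityContext }}{{ fail "containerSecurityContext has moved; see values.yaml" }}{{- end }}` so user overrides of the old key fail loudly instead of being ignored. The same treatment is needed for the pod-level `securityContext` and `priorityClassName` removed in the same hunk.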