Feat: upgrade cluster-gateway to support client-identity-exchange con…

…fig (kubevela#5284) Signed-off-by: Somefive <yd219913@alibaba-inc.com> Signed-off-by: Somefive <yd219913@alibaba-inc.com>
barnettZQG · Jan 30, 2023 · f621c95 · f621c95
1 parent 09f3245
commit f621c95
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml b/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
@@ -32,6 +32,7 @@ spec:
             - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
             - "--secret-namespace={{ .Release.Namespace }}"
             - "--feature-gates=APIPriorityAndFairness=false,ClientIdentityPenetration={{ .Values.authentication.enabled }}"
+            - "--cluster-gateway-proxy-config=/etc/proxy-config/config.yaml"
             {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
             - "--tls-cert-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.crt"
             - "--tls-private-key-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.key"
@@ -42,14 +43,20 @@ spec:
           {{- toYaml .Values.multicluster.clusterGateway.resources | nindent 12 }}
           ports:
             - containerPort: {{ .Values.multicluster.clusterGateway.port }}
-          {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
           volumeMounts:
+            - mountPath: /etc/proxy-config
+              name: proxy-config
+          {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
             - mountPath: {{ .Values.multicluster.clusterGateway.secureTLS.certPath }}
               name: tls-cert-vol
               readOnly: true
           {{- end }}
-      {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
       volumes:
+        - configMap:
+            defaultMode: 420
+            name: {{ .Release.Name }}-cluster-gateway-proxy-config
+          name: proxy-config
+      {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
         - name: tls-cert-vol
           secret:
             defaultMode: 420
@@ -74,6 +81,23 @@ spec:
       maxUnavailable: 1
 ---
 apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-cluster-gateway-proxy-config
+  namespace: {{ .Release.Namespace }}
+data:
+  config.yaml: |
+    apiVersion: cluster.core.oam.dev/v1alpha1
+    kind: ClusterGatewayProxyConfiguration
+    spec:
+      clientIdentityExchanger:
+        rules:
+          - name: super-user
+            source:
+              group: kubevela:ux
+            type: PrivilegedIdentityExchanger
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: {{ .Release.Name }}-cluster-gateway-service