mirror of
https://github.com/openappsec/openappsec.git
synced 2025-06-28 16:41:02 +03:00
1827 lines
55 KiB
Smarty
1827 lines
55 KiB
Smarty
{{/* vim: set filetype=mustache: */}}
|
|
{{/*
|
|
Create a default fully qualified app name.
|
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
|
*/}}
|
|
|
|
{{- define "kong.namespace" -}}
|
|
{{- default .Release.Namespace .Values.namespace -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.release" -}}
|
|
{{- default .Release.Name -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.name" -}}
|
|
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.fullname" -}}
|
|
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
|
{{- default (printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-") .Values.fullnameOverride -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.chart" -}}
|
|
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.metaLabels" -}}
|
|
app.kubernetes.io/name: {{ template "kong.name" . }}
|
|
helm.sh/chart: {{ template "kong.chart" . }}
|
|
app.kubernetes.io/instance: "{{ .Release.Name }}"
|
|
app.kubernetes.io/managed-by: "{{ .Release.Service }}"
|
|
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
|
{{- range $key, $value := .Values.extraLabels }}
|
|
{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
|
|
{{- end }}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.selectorLabels" -}}
|
|
app.kubernetes.io/name: {{ template "kong.name" . }}
|
|
app.kubernetes.io/component: app
|
|
app.kubernetes.io/instance: "{{ .Release.Name }}"
|
|
{{- end -}}
|
|
|
|
{{- define "kong.postgresql.fullname" -}}
|
|
{{- $name := default "postgresql" .Values.postgresql.nameOverride -}}
|
|
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.dblessConfig.fullname" -}}
|
|
{{- $name := default "kong-custom-dbless-config" .Values.dblessConfig.nameOverride -}}
|
|
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Create the name of the service account to use
|
|
*/}}
|
|
{{- define "kong.serviceAccountName" -}}
|
|
{{- if .Values.deployment.serviceAccount.create -}}
|
|
{{ default (include "kong.fullname" .) .Values.deployment.serviceAccount.name }}
|
|
{{- else -}}
|
|
{{ default "default" .Values.deployment.serviceAccount.name }}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Create the name of the secret for service account token to use
|
|
*/}}
|
|
{{- define "kong.serviceAccountTokenName" -}}
|
|
{{ include "kong.serviceAccountName" . }}-token
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Create Ingress resource for a Kong service
|
|
*/}}
|
|
{{- define "kong.ingress" -}}
|
|
{{- $servicePort := include "kong.ingress.servicePort" . }}
|
|
{{- $path := .ingress.path -}}
|
|
{{- $hostname := .ingress.hostname -}}
|
|
{{- $pathType := .ingress.pathType -}}
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: {{ .fullName }}-{{ .serviceName }}
|
|
namespace: {{ .namespace }}
|
|
labels:
|
|
{{- .metaLabels | nindent 4 }}
|
|
{{- range $key, $value := .ingress.labels }}
|
|
{{- $key | nindent 4 }}: {{ $value | quote }}
|
|
{{- end }}
|
|
{{- if .ingress.annotations }}
|
|
annotations:
|
|
{{- range $key, $value := .ingress.annotations }}
|
|
{{ $key }}: {{ $value | quote }}
|
|
{{- end }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if .ingress.ingressClassName }}
|
|
ingressClassName: {{ .ingress.ingressClassName }}
|
|
{{- end }}
|
|
rules:
|
|
{{- if ( not (or $hostname .ingress.hosts)) }}
|
|
- http:
|
|
paths:
|
|
- backend:
|
|
service:
|
|
name: {{ .fullName }}-{{ .serviceName }}
|
|
port:
|
|
number: {{ $servicePort }}
|
|
path: {{ $path }}
|
|
pathType: {{ $pathType }}
|
|
{{- else if $hostname }}
|
|
- host: {{ $hostname | quote }}
|
|
http:
|
|
paths:
|
|
- backend:
|
|
service:
|
|
name: {{ .fullName }}-{{ .serviceName }}
|
|
port:
|
|
number: {{ $servicePort }}
|
|
path: {{ $path }}
|
|
pathType: {{ $pathType }}
|
|
{{- end }}
|
|
{{- range .ingress.hosts }}
|
|
- host: {{ .host | quote }}
|
|
http:
|
|
paths:
|
|
{{- range .paths }}
|
|
- backend:
|
|
{{- if .backend -}}
|
|
{{ .backend | toYaml | nindent 12 }}
|
|
{{- else }}
|
|
service:
|
|
name: {{ $.fullName }}-{{ $.serviceName }}
|
|
port:
|
|
number: {{ $servicePort }}
|
|
{{- end }}
|
|
{{- if (and $hostname (and (eq $path .path))) }}
|
|
{{- fail "duplication of specified ingress path" }}
|
|
{{- end }}
|
|
path: {{ .path }}
|
|
pathType: {{ .pathType }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if (hasKey .ingress "tls") }}
|
|
tls:
|
|
{{- if (kindIs "string" .ingress.tls) }}
|
|
- hosts:
|
|
{{- range .ingress.hosts }}
|
|
- {{ .host | quote }}
|
|
{{- end }}
|
|
{{- if $hostname }}
|
|
- {{ $hostname | quote }}
|
|
{{- end }}
|
|
secretName: {{ .ingress.tls }}
|
|
{{- else if (kindIs "slice" .ingress.tls) }}
|
|
{{- range .ingress.tls }}
|
|
- hosts:
|
|
{{- range .hosts }}
|
|
- {{ . | quote }}
|
|
{{- end }}
|
|
secretName: {{ .secretName }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Create Service resource for a Kong service
|
|
*/}}
|
|
{{- define "kong.service" -}}
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: {{ .fullName }}-{{ .serviceName }}
|
|
namespace: {{ .namespace }}
|
|
{{- if .annotations }}
|
|
annotations:
|
|
{{- range $key, $value := .annotations }}
|
|
{{ $key }}: {{ $value | quote }}
|
|
{{- end }}
|
|
{{- end }}
|
|
labels:
|
|
{{- .metaLabels | nindent 4 }}
|
|
{{- range $key, $value := .labels }}
|
|
{{ $key }}: {{ $value | quote }}
|
|
{{- end }}
|
|
spec:
|
|
type: {{ .type }}
|
|
{{- if eq .type "LoadBalancer" }}
|
|
{{- if .loadBalancerIP }}
|
|
loadBalancerIP: {{ .loadBalancerIP }}
|
|
{{- end }}
|
|
{{- if .loadBalancerSourceRanges }}
|
|
loadBalancerSourceRanges:
|
|
{{- range $cidr := .loadBalancerSourceRanges }}
|
|
- {{ $cidr }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .loadBalancerClass }}
|
|
loadBalancerClass: {{ .loadBalancerClass }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .externalIPs }}
|
|
externalIPs:
|
|
{{- range $ip := .externalIPs }}
|
|
- {{ $ip }}
|
|
{{- end -}}
|
|
{{- end }}
|
|
ports:
|
|
{{- if .http }}
|
|
{{- if .http.enabled }}
|
|
- name: kong-{{ .serviceName }}
|
|
port: {{ .http.servicePort }}
|
|
targetPort: {{ .http.containerPort }}
|
|
{{- if .http.appProtocol }}
|
|
appProtocol: {{ .http.appProtocol }}
|
|
{{- end }}
|
|
{{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .http.nodePort))) }}
|
|
nodePort: {{ .http.nodePort }}
|
|
{{- end }}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .tls.enabled }}
|
|
- name: kong-{{ .serviceName }}-tls
|
|
port: {{ .tls.servicePort }}
|
|
targetPort: {{ .tls.overrideServiceTargetPort | default .tls.containerPort }}
|
|
{{- if .tls.appProtocol }}
|
|
appProtocol: {{ .tls.appProtocol }}
|
|
{{- end }}
|
|
{{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .tls.nodePort))) }}
|
|
nodePort: {{ .tls.nodePort }}
|
|
{{- end }}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (hasKey . "stream") }}
|
|
{{- $defaultProtocol := "TCP" }}
|
|
{{- if (hasSuffix "udp-proxy" .serviceName) }}
|
|
{{- $defaultProtocol = "UDP" }}
|
|
{{- end }}
|
|
{{- range $index, $streamEntry := .stream }}
|
|
{{- if (not (hasKey $streamEntry "protocol")) }}
|
|
{{- $_ := set $streamEntry "protocol" $defaultProtocol }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- range .stream }}
|
|
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
|
|
port: {{ .servicePort }}
|
|
targetPort: {{ .containerPort }}
|
|
{{- if (and (or (eq $.type "LoadBalancer") (eq $.type "NodePort")) (not (empty .nodePort))) }}
|
|
nodePort: {{ .nodePort }}
|
|
{{- end }}
|
|
protocol: {{ .protocol | default "TCP" }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .externalTrafficPolicy }}
|
|
externalTrafficPolicy: {{ .externalTrafficPolicy }}
|
|
{{- end }}
|
|
{{- if .clusterIP }}
|
|
{{- if (or (not (eq .clusterIP "None")) (and (eq .type "ClusterIP") (eq .clusterIP "None"))) }}
|
|
clusterIP: {{ .clusterIP }}
|
|
{{- end }}
|
|
{{- end }}
|
|
selector:
|
|
{{- .selectorLabels | nindent 4 }}
|
|
{{- end -}}
|
|
|
|
|
|
{{/*
|
|
Create KONG_SERVICE_LISTEN strings
|
|
Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc.
|
|
*/}}
|
|
{{- define "kong.listen" -}}
|
|
{{- $unifiedListen := list -}}
|
|
{{- $defaultAddrs := (list "0.0.0.0" "[::]") -}}
|
|
|
|
{{/* Some services do not support these blocks at all, so these checks are a
|
|
two-stage "is it safe to evaluate this?" and then "should we evaluate
|
|
this?"
|
|
*/}}
|
|
{{- if .http -}}
|
|
{{- if .http.enabled -}}
|
|
{{- $listenConfig := dict -}}
|
|
{{- $listenConfig := merge $listenConfig .http -}}
|
|
{{- $addresses := (default $defaultAddrs .addresses) -}}
|
|
{{- range $addresses -}}
|
|
{{- $_ := set $listenConfig "address" . -}}
|
|
{{- $httpListen := (include "kong.singleListen" $listenConfig) -}}
|
|
{{- $unifiedListen = append $unifiedListen $httpListen -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- if .tls -}}
|
|
{{- if .tls.enabled -}}
|
|
{{/*
|
|
This is a bit of a hack to support always including "ssl" in the parameter
|
|
list for TLS listens. It's not possible to set a variable to an object from
|
|
.Values and then modify one of the objects values locally, although
|
|
https://github.com/helm/helm/issues/4987 indicates it should be. Instead,
|
|
this creates a new object and new parameters list built from the original.
|
|
*/}}
|
|
{{- $listenConfig := dict -}}
|
|
{{- $listenConfig := merge $listenConfig .tls -}}
|
|
{{- $parameters := append .tls.parameters "ssl" -}}
|
|
{{- $_ := set $listenConfig "parameters" $parameters -}}
|
|
{{- $addresses := (default $defaultAddrs .addresses) -}}
|
|
{{- range $addresses -}}
|
|
{{- $_ := set $listenConfig "address" . -}}
|
|
{{- $tlsListen := (include "kong.singleListen" $listenConfig) -}}
|
|
{{- $unifiedListen = append $unifiedListen $tlsListen -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- $listenString := ($unifiedListen | join ", ") -}}
|
|
{{- if eq (len $listenString) 0 -}}
|
|
{{- $listenString = "off" -}}
|
|
{{- end -}}
|
|
{{- $listenString -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Create KONG_PORT_MAPS string
|
|
Parameters: takes a service (e.g. .Values.proxy) as its argument and returns KONG_PORT_MAPS for that service.
|
|
*/}}
|
|
{{- define "kong.port_maps" -}}
|
|
{{- $portMaps := list -}}
|
|
|
|
{{- if .http.enabled -}}
|
|
{{- $portMaps = append $portMaps (printf "%d:%d" (int64 .http.servicePort) (int64 .http.containerPort)) -}}
|
|
{{- end -}}
|
|
|
|
{{- if .tls.enabled -}}
|
|
{{- $portMaps = append $portMaps (printf "%d:%d" (int64 .tls.servicePort) (int64 .tls.containerPort)) -}}
|
|
{{- end -}}
|
|
|
|
{{- $portMapsString := ($portMaps | join ", ") -}}
|
|
{{- $portMapsString -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Create KONG_STREAM_LISTEN string
|
|
*/}}
|
|
{{- define "kong.streamListen" -}}
|
|
{{- $unifiedListen := list -}}
|
|
{{- $defaultAddrs := (list "0.0.0.0" "[::]") -}}
|
|
{{- range .stream -}}
|
|
{{- $listenConfig := dict -}}
|
|
{{- $listenConfig := merge $listenConfig . -}}
|
|
{{- $addresses := (default $defaultAddrs .addresses) -}}
|
|
{{- range $addresses -}}
|
|
{{- $_ := set $listenConfig "address" . -}}
|
|
{{/* You set NGINX stream listens to UDP using a parameter due to historical reasons.
|
|
Our configuration is dual-purpose, for both the Service and listen string, so we
|
|
forcibly inject this parameter if that's the Service protocol. The default handles
|
|
configs that predate the addition of the protocol field, where we only supported TCP. */}}
|
|
{{- if (eq (default "TCP" $listenConfig.protocol) "UDP") -}}
|
|
{{- $_ := set $listenConfig "parameters" (append (default (list) $listenConfig.parameters) "udp") -}}
|
|
{{- end -}}
|
|
{{- $unifiedListen = append $unifiedListen (include "kong.singleListen" $listenConfig ) -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- $listenString := ($unifiedListen | join ", ") -}}
|
|
{{- if eq (len $listenString) 0 -}}
|
|
{{- $listenString = "" -}}
|
|
{{- end -}}
|
|
{{- $listenString -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Create a single listen (IP+port+parameter combo)
|
|
*/}}
|
|
{{- define "kong.singleListen" -}}
|
|
{{- $listen := list -}}
|
|
{{- $listen = append $listen (printf "%s:%d" .address (int64 .containerPort)) -}}
|
|
{{- range $param := .parameters | default (list) | uniq }}
|
|
{{- $listen = append $listen $param -}}
|
|
{{- end -}}
|
|
{{- $listen | join " " -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Return the admin API service name for service discovery
|
|
*/}}
|
|
{{- define "kong.adminSvc" -}}
|
|
{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
|
|
{{- if $gatewayDiscovery.enabled -}}
|
|
{{- $adminApiService := $gatewayDiscovery.adminApiService -}}
|
|
{{- $adminApiServiceName := $gatewayDiscovery.adminApiService.name -}}
|
|
{{- $generateAdminApiService := $gatewayDiscovery.generateAdminApiService -}}
|
|
|
|
{{- if and $generateAdminApiService $adminApiService.name -}}
|
|
{{- fail (printf ".Values.ingressController.gatewayDiscovery.adminApiService and .Values.ingressController.gatewayDiscovery.generateAdminApiService must not be provided at the same time") -}}
|
|
{{- end -}}
|
|
|
|
{{- if $generateAdminApiService -}}
|
|
{{- $adminApiServiceName = (printf "%s-%s" .Release.Name "gateway-admin") -}}
|
|
{{- else }}
|
|
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiServiceName -}}
|
|
{{- end }}
|
|
|
|
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
{{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.deployment.kong.enabled }}
|
|
{{- fail "deployment.kong.enabled and ingressController.gatewayDiscovery.enabled are mutually exclusive and cannot be enabled at once. Gateway discovery requires a split release installation of Gateways and Ingress Controller." }}
|
|
{{- end }}
|
|
|
|
{{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
|
|
{{- printf "%s/%s" $namespace $adminApiServiceName -}}
|
|
{{- else -}}
|
|
{{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Return the local admin API URL, preferring HTTPS if available
|
|
*/}}
|
|
{{- define "kong.adminLocalURL" -}}
|
|
{{- if .Values.admin.tls.enabled -}}
|
|
https://localhost:{{ .Values.admin.tls.containerPort }}
|
|
{{- else if .Values.admin.http.enabled -}}
|
|
http://localhost:{{ .Values.admin.http.containerPort }}
|
|
{{- else -}}
|
|
http://localhost:9999 # You have no admin listens! The controller will not work unless you set .Values.admin.http.enabled=true or .Values.admin.tls.enabled=true!
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Create the ingress servicePort value string
|
|
*/}}
|
|
|
|
{{- define "kong.ingress.servicePort" -}}
|
|
{{- if .tls.enabled -}}
|
|
{{ .tls.servicePort }}
|
|
{{- else -}}
|
|
{{ .http.servicePort }}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Generate an appropriate external URL from a Kong service's ingress configuration
|
|
Strips trailing slashes from the path. Manager at least does not handle these
|
|
intelligently and will append its own slash regardless, and the admin API cannot handle
|
|
the extra slash.
|
|
*/}}
|
|
|
|
{{- define "kong.ingress.serviceUrl" -}}
|
|
{{- if .tls -}}
|
|
https://{{ .hostname }}{{ .path | trimSuffix "/" }}
|
|
{{- else -}}
|
|
http://{{ .hostname }}{{ .path | trimSuffix "/" }}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
The name of the service used for the ingress controller's validation webhook
|
|
*/}}
|
|
|
|
{{- define "kong.service.validationWebhook" -}}
|
|
{{ include "kong.fullname" . }}-validation-webhook
|
|
{{- end -}}
|
|
|
|
|
|
{{/*
|
|
The name of the Service which will be used by the controller to update the Ingress status field.
|
|
*/}}
|
|
|
|
{{- define "kong.controller-publish-service" -}}
|
|
{{- $proxyOverride := "" -}}
|
|
{{- if .Values.proxy.nameOverride -}}
|
|
{{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}}
|
|
{{- end -}}
|
|
{{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.ingressController.env" -}}
|
|
{{/*
|
|
====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
|
|
*/}}
|
|
|
|
|
|
{{- $autoEnv := dict -}}
|
|
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
|
|
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
|
|
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
|
|
{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
|
|
|
|
{{- if .Values.ingressController.admissionWebhook.enabled }}
|
|
{{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}}
|
|
{{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}}
|
|
{{- end }}
|
|
{{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
|
|
{{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
|
|
{{- end }}
|
|
|
|
{{/*
|
|
====== ADMIN API CONFIGURATION ======
|
|
*/}}
|
|
|
|
{{- if .Values.ingressController.gatewayDiscovery.enabled -}}
|
|
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}}
|
|
{{- else -}}
|
|
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
|
|
{{- end -}}
|
|
|
|
{{- if .Values.ingressController.adminApi.tls.client.enabled }}
|
|
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}}
|
|
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}}
|
|
{{- end }}
|
|
|
|
{{/*
|
|
====== KONNECT ENVIRONMENT VARIABLES ======
|
|
*/}}
|
|
|
|
{{- if .Values.ingressController.konnect.enabled }}
|
|
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
{{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
{{- end }}
|
|
|
|
{{- if not .Values.ingressController.gatewayDiscovery.enabled }}
|
|
{{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}}
|
|
{{- end }}
|
|
|
|
{{- $konnect := .Values.ingressController.konnect -}}
|
|
{{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}}
|
|
|
|
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}}
|
|
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}}
|
|
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}}
|
|
|
|
{{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}}
|
|
{{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}}
|
|
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}}
|
|
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}}
|
|
|
|
{{- if $konnect.license.enabled }}
|
|
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{/*
|
|
====== USER-SET ENVIRONMENT VARIABLES ======
|
|
*/}}
|
|
|
|
{{- $userEnv := dict -}}
|
|
{{- range $key, $val := .Values.ingressController.env }}
|
|
{{- $upper := upper $key -}}
|
|
{{- $var := printf "CONTROLLER_%s" $upper -}}
|
|
{{- $_ := set $userEnv $var $val -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
====== CUSTOM-SET INGRESS CONTROLLER ENVIRONMENT VARIABLES ======
|
|
*/}}
|
|
|
|
{{- $customIngressEnv := dict -}}
|
|
{{- range $key, $val := .Values.ingressController.customEnv }}
|
|
{{- $upper := upper $key -}}
|
|
{{- $_ := set $customIngressEnv $upper $val -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
====== MERGE AND RENDER ENV BLOCK ======
|
|
*/}}
|
|
|
|
{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customIngressEnv -}}
|
|
{{- template "kong.renderEnv" $completeEnv -}}
|
|
|
|
{{- end -}}
|
|
|
|
{{- define "kong.userDefinedVolumes" -}}
|
|
{{- if .Values.deployment.userDefinedVolumes }}
|
|
{{- toYaml .Values.deployment.userDefinedVolumes }}
|
|
{{- end }}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.volumes" -}}
|
|
- name: {{ template "kong.fullname" . }}-prefix-dir
|
|
emptyDir:
|
|
sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }}
|
|
- name: {{ template "kong.fullname" . }}-tmp
|
|
emptyDir:
|
|
sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
|
|
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
|
|
- name: {{ template "kong.serviceAccountTokenName" . }}
|
|
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
|
|
See the related documentation of semver module that Helm depends on for semverCompare:
|
|
https://github.com/Masterminds/semver#working-with-prerelease-versions
|
|
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
|
|
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
|
|
projected:
|
|
sources:
|
|
- serviceAccountToken:
|
|
expirationSeconds: 3607
|
|
path: token
|
|
- configMap:
|
|
items:
|
|
- key: ca.crt
|
|
path: ca.crt
|
|
name: kube-root-ca.crt
|
|
- downwardAPI:
|
|
items:
|
|
- fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: metadata.namespace
|
|
path: namespace
|
|
{{- else }}
|
|
secret:
|
|
secretName: {{ template "kong.serviceAccountTokenName" . }}
|
|
items:
|
|
- key: token
|
|
path: token
|
|
- key: ca.crt
|
|
path: ca.crt
|
|
- key: namespace
|
|
path: namespace
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
|
|
{{- if .Values.certificates.cluster.enabled }}
|
|
- name: {{ include "kong.fullname" . }}-cluster-cert
|
|
secret:
|
|
secretName: {{ include "kong.fullname" . }}-cluster-cert
|
|
{{- end }}
|
|
{{- if .Values.certificates.proxy.enabled }}
|
|
- name: {{ include "kong.fullname" . }}-proxy-cert
|
|
secret:
|
|
secretName: {{ include "kong.fullname" . }}-proxy-cert
|
|
{{- end }}
|
|
{{- if .Values.certificates.admin.enabled }}
|
|
- name: {{ include "kong.fullname" . }}-admin-cert
|
|
secret:
|
|
secretName: {{ include "kong.fullname" . }}-admin-cert
|
|
{{- end }}
|
|
{{- if .Values.enterprise.enabled }}
|
|
{{- if .Values.certificates.portal.enabled }}
|
|
- name: {{ include "kong.fullname" . }}-portal-cert
|
|
secret:
|
|
secretName: {{ include "kong.fullname" . }}-portal-cert
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
|
|
- name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
|
|
configMap:
|
|
name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
|
|
defaultMode: 0755
|
|
{{- end }}
|
|
{{- range .Values.plugins.configMaps }}
|
|
- name: kong-plugin-{{ .pluginName }}
|
|
configMap:
|
|
name: {{ .name }}
|
|
{{- range .subdirectories }}
|
|
- name: {{ .name }}
|
|
configMap:
|
|
name: {{ .name }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- range .Values.plugins.secrets }}
|
|
- name: kong-plugin-{{ .pluginName }}
|
|
secret:
|
|
secretName: {{ .name }}
|
|
{{- range .subdirectories }}
|
|
- name: {{ .name }}
|
|
secret:
|
|
secretName: {{ .name }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
|
|
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
|
|
{{- if gt $dblessSourceCount 1 -}}
|
|
{{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
|
|
{{- else if eq $dblessSourceCount 1 }}
|
|
- name: kong-custom-dbless-config-volume
|
|
{{- if .Values.dblessConfig.configMap }}
|
|
configMap:
|
|
name: {{ .Values.dblessConfig.configMap }}
|
|
{{- else if .Values.dblessConfig.secret }}
|
|
secret:
|
|
secretName: {{ .Values.dblessConfig.secret }}
|
|
{{- else }}
|
|
configMap:
|
|
name: {{ template "kong.dblessConfig.fullname" . }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }}
|
|
- name: webhook-cert
|
|
secret:
|
|
{{- if .Values.ingressController.admissionWebhook.certificate.provided }}
|
|
secretName: {{ .Values.ingressController.admissionWebhook.certificate.secretName }}
|
|
{{- else }}
|
|
secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }}
|
|
- name: admin-client-ca
|
|
configMap:
|
|
name: {{ template "kong.fullname" . }}-admin-client-ca
|
|
{{- end -}}
|
|
{{- range $secretVolume := .Values.secretVolumes }}
|
|
- name: {{ . }}
|
|
secret:
|
|
secretName: {{ . }}
|
|
{{- end }}
|
|
{{- range .Values.extraConfigMaps }}
|
|
- name: {{ .name }}
|
|
configMap:
|
|
name: {{ .name }}
|
|
{{- end }}
|
|
{{- range .Values.extraSecrets }}
|
|
- name: {{ .name }}
|
|
secret:
|
|
secretName: {{ .name }}
|
|
{{- end }}
|
|
{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
|
|
- name: admin-api-cert
|
|
secret:
|
|
secretName: {{ template "adminApiService.certSecretName" . }}
|
|
{{- end }}
|
|
{{- end -}}
|
|
|
|
{{- define "controller.adminApiCertVolumeMount" -}}
|
|
{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
|
|
- name: admin-api-cert
|
|
mountPath: /etc/secrets/admin-api-cert
|
|
readOnly: true
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.userDefinedVolumeMounts" -}}
|
|
{{- if .userDefinedVolumeMounts }}
|
|
{{- toYaml .userDefinedVolumeMounts }}
|
|
{{- end }}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.volumeMounts" -}}
|
|
- name: {{ template "kong.fullname" . }}-prefix-dir
|
|
mountPath: /kong_prefix/
|
|
- name: {{ template "kong.fullname" . }}-tmp
|
|
mountPath: /tmp
|
|
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
|
|
{{- if .Values.certificates.cluster.enabled }}
|
|
- name: {{ include "kong.fullname" . }}-cluster-cert
|
|
mountPath: /etc/cert-manager/cluster/
|
|
{{- end }}
|
|
{{- if .Values.certificates.proxy.enabled }}
|
|
- name: {{ include "kong.fullname" . }}-proxy-cert
|
|
mountPath: /etc/cert-manager/proxy/
|
|
{{- end }}
|
|
{{- if .Values.certificates.admin.enabled }}
|
|
- name: {{ include "kong.fullname" . }}-admin-cert
|
|
mountPath: /etc/cert-manager/admin/
|
|
{{- end }}
|
|
{{- if .Values.enterprise.enabled }}
|
|
{{- if .Values.certificates.portal.enabled }}
|
|
- name: {{ include "kong.fullname" . }}-portal-cert
|
|
mountPath: /etc/cert-manager/portal/
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
|
|
{{- if eq $dblessSourceCount 1 -}}
|
|
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
|
|
- name: kong-custom-dbless-config-volume
|
|
mountPath: /kong_dbless/
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
|
|
- name: admin-client-ca
|
|
mountPath: /etc/admin-client-ca/
|
|
readOnly: true
|
|
{{- end -}}
|
|
{{- range .Values.secretVolumes }}
|
|
- name: {{ . }}
|
|
mountPath: /etc/secrets/{{ . }}
|
|
{{- end }}
|
|
{{- range .Values.plugins.configMaps }}
|
|
{{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }}
|
|
- name: kong-plugin-{{ .pluginName }}
|
|
mountPath: {{ $mountPath }}
|
|
readOnly: true
|
|
{{- range .subdirectories }}
|
|
- name: {{ .name }}
|
|
mountPath: {{ printf "%s/%s" $mountPath ( .path | default .name ) }}
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- range .Values.plugins.secrets }}
|
|
{{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }}
|
|
- name: kong-plugin-{{ .pluginName }}
|
|
mountPath: {{ $mountPath }}
|
|
readOnly: true
|
|
{{- range .subdirectories }}
|
|
- name: {{ .name }}
|
|
mountPath: {{ printf "%s/%s" $mountPath .path }}
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- range .Values.extraConfigMaps }}
|
|
- name: {{ .name }}
|
|
mountPath: {{ .mountPath }}
|
|
|
|
{{- if .subPath }}
|
|
subPath: {{ .subPath }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- range .Values.extraSecrets }}
|
|
- name: {{ .name }}
|
|
mountPath: {{ .mountPath }}
|
|
|
|
{{- if .subPath }}
|
|
subPath: {{ .subPath }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- end -}}
|
|
|
|
{{- define "kong.plugins" -}}
|
|
{{ $myList := list "bundled" }}
|
|
{{- range .Values.plugins.configMaps -}}
|
|
{{- $myList = append $myList .pluginName -}}
|
|
{{- end -}}
|
|
{{- range .Values.plugins.secrets -}}
|
|
{{ $myList = append $myList .pluginName -}}
|
|
{{- end }}
|
|
{{- $myList | uniq | join "," -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.wait-for-db" -}}
|
|
- name: wait-for-db
|
|
image: {{ include "kong.getRepoTag" .Values.image }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
securityContext:
|
|
{{ toYaml .Values.containerSecurityContext | nindent 4 }}
|
|
env:
|
|
{{- include "kong.env" . | nindent 2 }}
|
|
{{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
|
|
{{/* TODO the prefix override is to work around https://github.com/Kong/charts/issues/295
|
|
Note that we use args instead of command here to /not/ override the standard image entrypoint. */}}
|
|
args: [ "/bin/bash", "-c", "export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop"]
|
|
volumeMounts:
|
|
{{- include "kong.volumeMounts" . | nindent 4 }}
|
|
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 4 }}
|
|
resources:
|
|
{{- toYaml .Values.resources | nindent 4 }}
|
|
{{- end -}}
|
|
|
|
{{/* effectiveVersion takes an image dict from values.yaml. if .effectiveSemver is set, it returns that, else it returns .tag */}}
|
|
{{- define "kong.effectiveVersion" -}}
|
|
{{- /* Because Kong Gateway enterprise uses versions with 4 segments and not 3 */ -}}
|
|
{{- /* as semver does, we need to account for that here by extracting */ -}}
|
|
{{- /* first 3 segments for comparison */ -}}
|
|
{{- if .effectiveSemver -}}
|
|
{{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
|
|
{{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
|
|
{{- else -}}
|
|
{{- .effectiveSemver -}}
|
|
{{- end -}}
|
|
{{- else -}}
|
|
{{- $tag := (trimSuffix "-redhat" .tag) -}}
|
|
{{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
|
|
{{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
|
|
{{- else -}}
|
|
{{- .tag -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.controller-container" -}}
|
|
- name: ingress-controller
|
|
securityContext:
|
|
{{ toYaml .Values.containerSecurityContext | nindent 4 }}
|
|
args:
|
|
{{ if .Values.ingressController.args}}
|
|
{{- range $val := .Values.ingressController.args }}
|
|
- {{ $val }}
|
|
{{- end }}
|
|
{{- end }}
|
|
ports:
|
|
{{- if .Values.ingressController.admissionWebhook.enabled }}
|
|
- name: webhook
|
|
containerPort: {{ .Values.ingressController.admissionWebhook.port }}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}}
|
|
- name: cmetrics
|
|
containerPort: 10255
|
|
protocol: TCP
|
|
{{- end }}
|
|
- name: cstatus
|
|
containerPort: 10254
|
|
protocol: TCP
|
|
env:
|
|
- name: POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: metadata.name
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: metadata.namespace
|
|
{{- include "kong.ingressController.env" . | indent 2 }}
|
|
{{ include "kong.envFrom" .Values.ingressController.envFrom | indent 2 }}
|
|
image: {{ include "kong.getRepoTag" .Values.ingressController.image }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
{{/* disableReadiness is a hidden setting to drop this block entirely for use with a debugger
|
|
Helm value interpretation doesn't let you replace the default HTTP checks with any other
|
|
check type, and all HTTP checks freeze when a debugger pauses operation.
|
|
Setting disableReadiness to ANY value disables the probes.
|
|
*/}}
|
|
{{- if (not (hasKey .Values.ingressController "disableProbes")) }}
|
|
readinessProbe:
|
|
{{ toYaml .Values.ingressController.readinessProbe | indent 4 }}
|
|
livenessProbe:
|
|
{{ toYaml .Values.ingressController.livenessProbe | indent 4 }}
|
|
{{- end }}
|
|
resources:
|
|
{{ toYaml .Values.ingressController.resources | indent 4 }}
|
|
volumeMounts:
|
|
{{- if .Values.ingressController.admissionWebhook.enabled }}
|
|
- name: webhook-cert
|
|
mountPath: /admission-webhook
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
|
|
- name: {{ template "kong.serviceAccountTokenName" . }}
|
|
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }}
|
|
{{- include "controller.adminApiCertVolumeMount" . | nindent 2 }}
|
|
{{- end -}}
|
|
|
|
{{- define "secretkeyref" -}}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .name }}
|
|
key: {{ .key }}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Use the Pod security context defined in Values or set the UID by default
|
|
*/}}
|
|
{{- define "kong.podsecuritycontext" -}}
|
|
{{ .Values.securityContext | toYaml }}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.no_daemon_env" -}}
|
|
{{- template "kong.env" . }}
|
|
- name: KONG_NGINX_DAEMON
|
|
value: "off"
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
The environment values passed to Kong; this should come after all
|
|
the template that it itself is using form the above sections.
|
|
*/}}
|
|
{{- define "kong.env" -}}
|
|
{{/*
|
|
====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
|
|
*/}}
|
|
{{- $autoEnv := dict -}}
|
|
|
|
{{- $_ := set $autoEnv "KONG_LUA_PACKAGE_PATH" "/opt/?.lua;/opt/?/init.lua;;" -}}
|
|
|
|
{{- $_ := set $autoEnv "KONG_PROXY_ACCESS_LOG" "/dev/stdout" -}}
|
|
{{- $_ := set $autoEnv "KONG_PROXY_STREAM_ACCESS_LOG" "/dev/stdout basic" -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_ACCESS_LOG" "/dev/stdout" -}}
|
|
{{- $_ := set $autoEnv "KONG_STATUS_ACCESS_LOG" "off" -}}
|
|
{{- $_ := set $autoEnv "KONG_PROXY_ERROR_LOG" "/dev/stderr" -}}
|
|
{{- $_ := set $autoEnv "KONG_PROXY_STREAM_ERROR_LOG" "/dev/stderr" -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_ERROR_LOG" "/dev/stderr" -}}
|
|
{{- $_ := set $autoEnv "KONG_STATUS_ERROR_LOG" "/dev/stderr" -}}
|
|
|
|
{{- if .Values.ingressController.enabled -}}
|
|
{{- $_ := set $autoEnv "KONG_KIC" "on" -}}
|
|
{{- end -}}
|
|
|
|
{{- with .Values.admin -}}
|
|
{{- $listenConfig := dict -}}
|
|
{{- $listenConfig := merge $listenConfig . -}}
|
|
{{- if (and (not (hasKey . "addresses")) (not .enabled)) -}}
|
|
{{- $_ := set $listenConfig "addresses" (list "127.0.0.1" "[::1]") -}}
|
|
{{- end -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
|
|
|
|
{{- if or .tls.client.secretName .tls.client.caBundle -}}
|
|
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
|
|
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
|
|
{{- end -}}
|
|
|
|
{{- end -}}
|
|
|
|
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
|
|
{{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}}
|
|
{{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}}
|
|
{{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .Values.certificates.cluster.commonName -}}
|
|
{{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}}
|
|
{{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}}
|
|
{{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}}
|
|
{{- end -}}
|
|
|
|
{{- if .Values.certificates.proxy.enabled -}}
|
|
{{- $_ := set $autoEnv "KONG_SSL_CERT" "/etc/cert-manager/proxy/tls.crt" -}}
|
|
{{- $_ := set $autoEnv "KONG_SSL_CERT_KEY" "/etc/cert-manager/proxy/tls.key" -}}
|
|
{{- end -}}
|
|
|
|
{{- if .Values.certificates.admin.enabled -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}}
|
|
{{- if .Values.enterprise.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- if .Values.enterprise.enabled }}
|
|
{{- if .Values.certificates.portal.enabled -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- if .Values.admin.ingress.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
|
|
{{- end -}}
|
|
|
|
{{- $_ := set $autoEnv "KONG_PROXY_LISTEN" (include "kong.listen" .Values.proxy) -}}
|
|
|
|
{{- $streamStrings := list -}}
|
|
{{- if .Values.proxy.enabled -}}
|
|
{{- $tcpStreamString := (include "kong.streamListen" .Values.proxy) -}}
|
|
{{- if (not (eq $tcpStreamString "")) -}}
|
|
{{- $streamStrings = (append $streamStrings $tcpStreamString) -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- if .Values.udpProxy.enabled -}}
|
|
{{- $udpStreamString := (include "kong.streamListen" .Values.udpProxy) -}}
|
|
{{- if (not (eq $udpStreamString "")) -}}
|
|
{{- $streamStrings = (append $streamStrings $udpStreamString) -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- $streamString := $streamStrings | join ", " -}}
|
|
{{- if (eq (len $streamString) 0) -}}
|
|
{{- $streamString = "off" -}}
|
|
{{- end -}}
|
|
{{- $_ := set $autoEnv "KONG_STREAM_LISTEN" $streamString -}}
|
|
|
|
{{- $_ := set $autoEnv "KONG_STATUS_LISTEN" (include "kong.listen" .Values.status) -}}
|
|
|
|
{{- if .Values.proxy.enabled -}}
|
|
{{- $_ := set $autoEnv "KONG_PORT_MAPS" (include "kong.port_maps" .Values.proxy) -}}
|
|
{{- end -}}
|
|
|
|
{{- $_ := set $autoEnv "KONG_CLUSTER_LISTEN" (include "kong.listen" .Values.cluster) -}}
|
|
|
|
{{- if .Values.enterprise.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_API_ACCESS_LOG" "/dev/stdout" -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_GUI_ACCESS_LOG" "/dev/stdout" -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_ACCESS_LOG" "/dev/stdout" -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_API_ERROR_LOG" "/dev/stderr" -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_GUI_ERROR_LOG" "/dev/stderr" -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_ERROR_LOG" "/dev/stderr" -}}
|
|
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_LISTEN" (include "kong.listen" .Values.manager) -}}
|
|
{{- if .Values.manager.ingress.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_URL" (include "kong.ingress.serviceUrl" .Values.manager.ingress) -}}
|
|
{{- end -}}
|
|
|
|
{{- if not .Values.enterprise.vitals.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_VITALS" "off" -}}
|
|
{{- end }}
|
|
{{- $_ := set $autoEnv "KONG_CLUSTER_TELEMETRY_LISTEN" (include "kong.listen" .Values.clustertelemetry) -}}
|
|
|
|
{{- if .Values.enterprise.portal.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL" "on" -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_GUI_LISTEN" (include "kong.listen" .Values.portal) -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_API_LISTEN" (include "kong.listen" .Values.portalapi) -}}
|
|
|
|
{{- if .Values.portal.ingress.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_GUI_HOST" .Values.portal.ingress.hostname -}}
|
|
{{- if .Values.portal.ingress.tls }}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "https" -}}
|
|
{{- else }}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "http" -}}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.portalapi.ingress.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_API_URL" (include "kong.ingress.serviceUrl" .Values.portalapi.ingress) -}}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.enterprise.rbac.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_ENFORCE_RBAC" "on" -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH" .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" -}}
|
|
|
|
{{- if not (eq .Values.enterprise.rbac.admin_gui_auth "basic-auth") }}
|
|
{{- $guiAuthConf := include "secretkeyref" (dict "name" .Values.enterprise.rbac.admin_gui_auth_conf_secret "key" "admin_gui_auth_conf") -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH_CONF" $guiAuthConf -}}
|
|
{{- end }}
|
|
|
|
{{- $guiSessionConf := include "secretkeyref" (dict "name" .Values.enterprise.rbac.session_conf_secret "key" "admin_gui_session_conf") -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_GUI_SESSION_CONF" $guiSessionConf -}}
|
|
{{- end }}
|
|
|
|
{{- if .Values.enterprise.smtp.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_MOCK" "off" -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_FROM" .Values.enterprise.smtp.portal_emails_from -}}
|
|
{{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_REPLY_TO" .Values.enterprise.smtp.portal_emails_reply_to -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_FROM" .Values.enterprise.smtp.admin_emails_from -}}
|
|
{{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_REPLY_TO" .Values.enterprise.smtp.admin_emails_reply_to -}}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_ADMIN_EMAILS" .Values.enterprise.smtp.smtp_admin_emails -}}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_HOST" .Values.enterprise.smtp.smtp_host -}}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_AUTH_TYPE" .Values.enterprise.smtp.smtp_auth_type -}}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_SSL" .Values.enterprise.smtp.smtp_ssl -}}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_PORT" .Values.enterprise.smtp.smtp_port -}}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_STARTTLS" (quote .Values.enterprise.smtp.smtp_starttls) -}}
|
|
{{- if .Values.enterprise.smtp.auth.smtp_username }}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_USERNAME" .Values.enterprise.smtp.auth.smtp_username -}}
|
|
{{- $smtpPassword := include "secretkeyref" (dict "name" .Values.enterprise.smtp.auth.smtp_password_secret "key" "smtp_password") -}}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_PASSWORD" $smtpPassword -}}
|
|
{{- end }}
|
|
{{- else }}
|
|
{{- $_ := set $autoEnv "KONG_SMTP_MOCK" "on" -}}
|
|
{{- end }}
|
|
|
|
{{- if .Values.enterprise.license_secret -}}
|
|
{{- $lic := include "secretkeyref" (dict "name" .Values.enterprise.license_secret "key" "license") -}}
|
|
{{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}}
|
|
{{- end }}
|
|
|
|
{{- end }} {{/* End of the Enterprise settings block */}}
|
|
|
|
{{- if .Values.postgresql.enabled }}
|
|
{{- $_ := set $autoEnv "KONG_PG_HOST" (include "kong.postgresql.fullname" .) -}}
|
|
{{- $_ := set $autoEnv "KONG_PG_PORT" .Values.postgresql.service.ports.postgresql -}}
|
|
{{- $pgPassword := include "secretkeyref" (dict "name" (include "kong.postgresql.fullname" .) "key" "password") -}}
|
|
|
|
{{- $_ := set $autoEnv "KONG_PG_PASSWORD" $pgPassword -}}
|
|
{{- else if eq .Values.env.database "postgres" }}
|
|
{{- $_ := set $autoEnv "KONG_PG_PORT" "5432" }}
|
|
{{- end }}
|
|
|
|
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
|
|
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
|
|
{{- if eq $dblessSourceCount 1 -}}
|
|
{{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if (.Values.plugins) }}
|
|
{{- $_ := set $autoEnv "KONG_PLUGINS" (include "kong.plugins" .) -}}
|
|
{{- end }}
|
|
|
|
{{/*
|
|
====== USER-SET ENVIRONMENT VARIABLES ======
|
|
*/}}
|
|
|
|
{{- $userEnv := dict -}}
|
|
{{- range $key, $val := .Values.env }}
|
|
{{- if (contains "_log" $key) -}}
|
|
{{- if (eq (typeOf $val) "bool") -}}
|
|
{{- fail (printf "env.%s must use string 'off' to disable. Without quotes, YAML will coerce the value to a boolean and Kong will reject it" $key) -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- $upper := upper $key -}}
|
|
{{- $var := printf "KONG_%s" $upper -}}
|
|
{{- $_ := set $userEnv $var $val -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
====== CUSTOM-SET ENVIRONMENT VARIABLES ======
|
|
*/}}
|
|
|
|
{{- $customEnv := dict -}}
|
|
{{- range $key, $val := .Values.customEnv }}
|
|
{{- $upper := upper $key -}}
|
|
{{- $_ := set $customEnv $upper $val -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
====== MERGE AND RENDER ENV BLOCK ======
|
|
*/}}
|
|
|
|
{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customEnv -}}
|
|
{{- template "kong.renderEnv" $completeEnv -}}
|
|
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Given a dictionary of variable=value pairs, render a container env block.
|
|
Environment variables are sorted alphabetically
|
|
*/}}
|
|
{{- define "kong.renderEnv" -}}
|
|
|
|
{{- $dict := . -}}
|
|
|
|
{{- range keys . | sortAlpha }}
|
|
{{- $val := pluck . $dict | first -}}
|
|
{{- $valueType := printf "%T" $val -}}
|
|
{{ if eq $valueType "map[string]interface {}" }}
|
|
- name: {{ . }}
|
|
{{ toYaml $val | indent 2 -}}
|
|
{{- else if eq $valueType "string" }}
|
|
{{- if regexMatch "valueFrom" $val }}
|
|
- name: {{ . }}
|
|
{{ $val | indent 2 }}
|
|
{{- else }}
|
|
- name: {{ . }}
|
|
value: {{ $val | quote }}
|
|
{{- end }}
|
|
{{- else }}
|
|
- name: {{ . }}
|
|
value: {{ $val | quote }}
|
|
{{- end }}
|
|
{{- end -}}
|
|
|
|
{{- end -}}
|
|
|
|
{{- define "kong.wait-for-postgres" -}}
|
|
- name: wait-for-postgres
|
|
{{- if (or .Values.waitImage.unifiedRepoTag .Values.waitImage.repository) }}
|
|
image: {{ include "kong.getRepoTag" .Values.waitImage }}
|
|
{{- else }} {{/* default to the Kong image */}}
|
|
image: {{ include "kong.getRepoTag" .Values.image }}
|
|
{{- end }}
|
|
imagePullPolicy: {{ .Values.waitImage.pullPolicy }}
|
|
env:
|
|
{{- include "kong.no_daemon_env" . | nindent 2 }}
|
|
{{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
|
|
command: [ "bash", "/wait_postgres/wait.sh" ]
|
|
volumeMounts:
|
|
- name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
|
|
mountPath: /wait_postgres
|
|
resources:
|
|
{{- toYaml .Values.migrations.resources | nindent 4 }}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.deprecation-warnings" -}}
|
|
{{- $warnings := list -}}
|
|
{{- range $warning := . }}
|
|
{{- $warnings = append $warnings (wrap 80 (printf "WARNING: %s" $warning)) -}}
|
|
{{- $warnings = append $warnings "\n\n" -}}
|
|
{{- end -}}
|
|
{{- $warningString := ($warnings | join "") -}}
|
|
{{- $warningString -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.getRepoTag" -}}
|
|
{{- if .unifiedRepoTag }}
|
|
{{- .unifiedRepoTag }}
|
|
{{- else if .repository }}
|
|
{{- .repository }}:{{ .tag }}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
kong.kubernetesRBACRoles outputs a static list of RBAC rules (the "rules" block
|
|
of a Role or ClusterRole) that provide the ingress controller access to the
|
|
Kubernetes namespace-scoped resources it uses to build Kong configuration.
|
|
|
|
Collectively, these are built from:
|
|
kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac?ref=main
|
|
kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/gateway?ref=main
|
|
|
|
However, there is no way to generate the split between cluster and namespaced
|
|
role sets used in the charts. Updating these requires separating out cluster
|
|
resource roles into their separate templates.
|
|
*/}}
|
|
{{- define "kong.kubernetesRBACRules" -}}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- namespaces
|
|
verbs:
|
|
- list
|
|
{{- if and (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image))
|
|
(contains (print .Values.ingressController.env.feature_gates) "KongServiceFacade=true") }}
|
|
- apiGroups:
|
|
- incubator.ingress-controller.konghq.com
|
|
resources:
|
|
- kongservicefacades
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- incubator.ingress-controller.konghq.com
|
|
resources:
|
|
- kongservicefacades/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- end }}
|
|
{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongupstreampolicies
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongupstreampolicies/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- end }}
|
|
{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongconsumergroups
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongconsumergroups/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- end }}
|
|
{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- endpoints
|
|
verbs:
|
|
- list
|
|
- watch
|
|
{{- end }}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- create
|
|
- patch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- nodes
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- ingressclassparameterses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongconsumers
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongconsumers/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongingresses/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongplugins
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongplugins/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- tcpingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- tcpingresses/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- udpingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- udpingresses/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
- apiGroups:
|
|
- extensions
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- extensions
|
|
resources:
|
|
- ingresses/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- gateways
|
|
verbs:
|
|
- get
|
|
- list
|
|
- update
|
|
- watch
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- gateways/status
|
|
verbs:
|
|
- get
|
|
- update
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- httproutes
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- httproutes/status
|
|
verbs:
|
|
- get
|
|
- update
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- referencegrants
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- referencegrants/status
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- tcproutes
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- tcproutes/status
|
|
verbs:
|
|
- get
|
|
- update
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- tlsroutes
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- tlsroutes/status
|
|
verbs:
|
|
- get
|
|
- update
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- udproutes
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- udproutes/status
|
|
verbs:
|
|
- get
|
|
- update
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- grpcroutes
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- grpcroutes/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- end }}
|
|
{{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }}
|
|
- apiGroups:
|
|
- networking.internal.knative.dev
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- networking.internal.knative.dev
|
|
resources:
|
|
- ingresses/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- end }}
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
- apiGroups:
|
|
- discovery.k8s.io
|
|
resources:
|
|
- endpointslices
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- konglicenses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- konglicenses/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
kong.kubernetesRBACClusterRoles outputs a static list of RBAC rules (the "rules" block
|
|
of a Role or ClusterRole) that provide the ingress controller access to the
|
|
Kubernetes Cluster-scoped resources it uses to build Kong configuration.
|
|
*/}}
|
|
{{- define "kong.kubernetesRBACClusterRules" -}}
|
|
- apiGroups:
|
|
- openappsec.io
|
|
resources:
|
|
- '*'
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongvaults
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongvaults/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- end }}
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongclusterplugins
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- configuration.konghq.com
|
|
resources:
|
|
- kongclusterplugins/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
|
|
- apiGroups:
|
|
- apiextensions.k8s.io
|
|
resources:
|
|
- customresourcedefinitions
|
|
verbs:
|
|
- list
|
|
- watch
|
|
{{- end }}
|
|
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- gatewayclasses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- gateway.networking.k8s.io
|
|
resources:
|
|
- gatewayclasses/status
|
|
verbs:
|
|
- get
|
|
- update
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- namespaces
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
{{- end }}
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingressclasses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
{{- end -}}
|
|
|
|
{{- define "kong.autoscalingVersion" -}}
|
|
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
|
|
autoscaling/v2
|
|
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}}
|
|
autoscaling/v2beta2
|
|
{{- else -}}
|
|
autoscaling/v1
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.policyVersion" -}}
|
|
{{- if (.Capabilities.APIVersions.Has "policy/v1beta1" ) -}}
|
|
policy/v1beta1
|
|
{{- else -}}
|
|
{{- fail (printf "Cluster doesn't have policy/v1beta1 API." ) }}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.renderTpl" -}}
|
|
{{- if typeIs "string" .value }}
|
|
{{- tpl .value .context }}
|
|
{{- else }}
|
|
{{- tpl (.value | toYaml) .context }}
|
|
{{- end }}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.ingressVersion" -}}
|
|
{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}}
|
|
networking.k8s.io/v1
|
|
{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") -}}
|
|
networking.k8s.io/v1beta1
|
|
{{- else -}}
|
|
extensions/v1beta1
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.proxy.compatibleReadiness" -}}
|
|
{{- $proxyReadiness := .Values.readinessProbe -}}
|
|
{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}}
|
|
{{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}}
|
|
{{- $_ := set $proxyReadiness.httpGet "path" "/status" -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- (toYaml $proxyReadiness) -}}
|
|
{{- end -}}
|
|
|
|
{{- define "kong.envFrom" -}}
|
|
{{- if (gt (len .) 0) -}}
|
|
envFrom:
|
|
{{- toYaml . | nindent 2 -}}
|
|
{{- else -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{/*
|
|
appsec labels
|
|
*/}}
|
|
{{- define "appsec.labels" -}}
|
|
{{- end -}}
|
|
|