agents/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit
All checks were successful
Build and Publish TechDocs (Helm Chart Resource) / build-and-publish-helm-chart (push) Successful in 1m12s
Details

Browse Source 
Change-Id: If67c32e979b6d03a135072c836ca54ee01c99e66
This commit is contained in:
Scaffolder
2026-04-15 16:23:13 +00:00
commit ea619ba456
179 changed files with 12011 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
deploy/kubernetes-ingress/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,109 @@
HAProxy Kubernetes Ingress Controller has been successfully installed.
Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}".
Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type.
{{- if .Values.rbac.create}}
RBAC authorization is enabled.
{{- else}}
RBAC authorization is disabled.
{{- end}}
{{- if .Values.controller.ingressClass}}
Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for
Ingress resource.
{{- end}}
{{- if .Values.controller.gatewayControllerName}}
Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure
that Gateway API CRDs are installed in Kubernetes.
{{- end}}
Service ports mapped are:
{{- if eq .Values.controller.kind "Deployment" }}
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .targetPort }}
protocol: TCP
{{- end }}
{{- end }}
{{- if eq .Values.controller.kind "DaemonSet" }}
{{- $useHostPort := .Values.controller.daemonset.useHostPort -}}
{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
{{- $hostIP := .Values.controller.daemonset.hostIP -}}
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ index $hostPorts $key | default $value }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- if $useHostPort }}
hostPort: {{ .Values.controller.daemonset.hostPorts.https }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .port }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ .port }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- end }}
Node IP can be found with:
$ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}"
The following ingress resource routes traffic to pods that match the following:
* service name: web
* client's Host header: webdemo.com
* path begins with /
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-ingress
namespace: default
annotations:
ingress.class: "haproxy"
spec:
rules:
- host: webdemo.com
http:
paths:
- path: /
backend:
serviceName: web
servicePort: 80
In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it
with helm chart option controller.ingressClass.
For more examples and up to date documentation, please visit:
* Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress
* Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/
* Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation
* Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

259
deploy/kubernetes-ingress/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,259 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
Expand the name of the chart.
*/}}
{{- define "kubernetes-ingress.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "kubernetes-ingress.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kubernetes-ingress.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kubernetes-ingress.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create HAProxy Ingress Chart labels
*/}}
{{- define "kubernetes-ingress.helmChartLabels" -}}
helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Create HAProxy Ingress Selector labels
*/}}
{{- define "kubernetes-ingress.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create HAProxy Ingress labels
*/}}
{{- define "kubernetes-ingress.labels" -}}
{{ include "kubernetes-ingress.selectorLabels" . }}
{{ include "kubernetes-ingress.helmChartLabels" . }}
{{- end }}
{{/*
Create CRD Job selector labels
*/}}
{{- define "kubernetes-ingress.crdJobSelectorLabels" -}}
app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create CRD Job labels
*/}}
{{- define "kubernetes-ingress.crdJobLabels" -}}
{{ include "kubernetes-ingress.crdJobSelectorLabels" . }}
{{ include "kubernetes-ingress.helmChartLabels" . }}
{{- end }}
{{/*
Create Service Proxy selector labels
*/}}
{{- define "kubernetes-ingress.serviceProxySelectorLabels" -}}
app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create Service Proxy labels
*/}}
{{- define "kubernetes-ingress.serviceProxyLabels" -}}
{{ include "kubernetes-ingress.serviceProxySelectorLabels" . }}
{{ include "kubernetes-ingress.helmChartLabels" . }}
{{- end }}
{{/*
Encode an imagePullSecret string.
*/}}
{{- define "kubernetes-ingress.imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }}
{{- end }}
{{/*
Encode an imagePullSecret string for the default backend.
*/}}
{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }}
{{- end }}
{{/*
Generate default certificate for HAProxy.
*/}}
{{- define "kubernetes-ingress.gen-certs" -}}
{{- $ca := genCA "kubernetes-ingress-ca" 365 -}}
{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}}
{{- $cert := genSignedCert $cn nil nil 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end -}}
{{/*
Create the name of the controller service account to use.
*/}}
{{- define "kubernetes-ingress.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
*/}}
{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}}
{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}}
{{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.defaultBackend.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
*/}}
{{- define "kubernetes-ingress.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default cert secret name.
*/}}
{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct the path for the publish-service.
By default this will use the <namespace>/<service-name> matching the controller's service name.
Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride`
*/}}
{{- define "kubernetes-ingress.publishServicePath" -}}
{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}}
{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct the syslog-server annotation
*/}}
{{- define "kubernetes-ingress.syslogServer" -}}
{{- range $key, $val := .Values.controller.logging.traffic -}}
{{- printf "%s:%s, " $key $val }}
{{- end -}}
{{- end -}}
{{/*
Render controller pod sysctls.
Input: .Values.controller.sysctls (map[string]string)
Also keeps the existing allowPrivilegedPorts behaviour by adding
net.ipv4.ip_unprivileged_port_start=0 unless explicitly overridden via controller.sysctls.
*/}}
{{- define "kubernetes-ingress.controller.sysctls" -}}
{{- $sysctls := .Values.controller.sysctls | default dict -}}
{{- $keys := keys $sysctls | sortAlpha -}}
{{- $needPrivPorts := and .Values.controller.unprivileged .Values.controller.allowPrivilegedPorts (not (hasKey $sysctls "net.ipv4.ip_unprivileged_port_start")) -}}
{{- if or (gt (len $keys) 0) $needPrivPorts -}}
sysctls:
{{- range $name := $keys }}
- name: {{ $name }}
value: {{ index $sysctls $name | quote }}
{{- end }}
{{- if $needPrivPorts }}
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified ServiceMonitor name.
*/}}
{{- define "kubernetes-ingress.serviceMonitorName" -}}
{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified PodMonitor name.
*/}}
{{- define "kubernetes-ingress.podMonitorName" -}}
{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.podMonitor.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a FQDN for the Service metrics.
*/}}
{{- define "kubernetes-ingress.serviceMetricsName" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }}
{{- end -}}
{{/*
Create a default fully qualified unique CRD job name.
*/}}
{{- define "kubernetes-ingress.crdjob.fullname" -}}
{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a FQDN for the proxy pods.
*/}}
{{- define "kubernetes-ingress.serviceProxyName" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 58 | trimSuffix "-") "proxy" }}
{{- end -}}
{{/* vim: set filetype=mustache: */}}

158
deploy/kubernetes-ingress/templates/clusterrole.yaml Normal file
View File

@@ -0,0 +1,158 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- services
- namespaces
- events
- serviceaccounts
verbs:
- get
- list
- watch
{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
- apiGroups:
- ""
resources:
- services
- pods
verbs:
- update
{{- end }}
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- ingresses
- ingresses/status
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- core.haproxy.org
resources:
- '*'
verbs:
- get
- list
- watch
- update
- apiGroups:
- ingress.v1.haproxy.org
- ingress.v1.haproxy.com
- ingress.v3.haproxy.org
- ingress.v3.haproxy.com
resources:
- "*"
verbs:
- get
- list
- watch
- update
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- if .Values.controller.kubernetesGateway.enabled }}
- apiGroups:
- "gateway.networking.k8s.io"
resources:
- referencegrants
- gateways
- gatewayclasses
- tcproutes
verbs:
- get
- list
- watch
- apiGroups:
- "gateway.networking.k8s.io"
resources:
- gatewayclasses/status
- gateways/status
- tcproutes/status
verbs:
- update
{{- end }}
- apiGroups:
- "apps"
resources:
- replicasets
- deployments
- daemonsets
verbs:
- get
- list
- watch
{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- "*"
{{- end }}
{{- end -}}

33
deploy/kubernetes-ingress/templates/clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kubernetes-ingress.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "kubernetes-ingress.serviceAccountName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- end -}}

38
deploy/kubernetes-ingress/templates/controller-configmap.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.configAnnotations }}
annotations:
{{ toYaml .Values.controller.configAnnotations | indent 4 }}
{{- end }}
data:
{{- if .Values.controller.logging.traffic }}
syslog-server: {{ include "kubernetes-ingress.syslogServer" . }}
{{- end }}
{{- if .Values.controller.config }}
{{- if eq "string" (printf "%T" .Values.controller.config) }}
{{ tpl .Values.controller.config . | indent 2 }}
{{- else }}
{{ toYaml .Values.controller.config | indent 2 }}
{{- end }}
{{- end }}

112
deploy/kubernetes-ingress/templates/controller-crdjob.yaml Normal file
View File

@@ -0,0 +1,112 @@
{{/*
Copyright 2023 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "kubernetes-ingress.crdjob.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.crdJobLabels" . | nindent 4 }}
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
helm.sh/hook: post-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
{{- with .Values.controller.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.crdjob.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.crdjob.ttlSecondsAfterFinished }}
{{- end }}
{{- end }}
backoffLimit: 0
template:
metadata:
labels:
{{- include "kubernetes-ingress.crdJobSelectorLabels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.crdjob.podAnnotations }}
annotations:
{{- if eq "string" (printf "%T" .Values.crdjob.podAnnotations) }}
{{ tpl .Values.crdjob.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.crdjob.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
{{- if .Values.controller.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- end }}
containers:
- name: crd
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
command:
- /haproxy-ingress-controller
- --job-check-crd
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
resources:
{{- toYaml .Values.crdjob.resources | nindent 12 }}
{{- end }}
{{- with .Values.crdjob.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.crdjob.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.crdjob.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

300
deploy/kubernetes-ingress/templates/controller-daemonset.yaml Normal file
View File

@@ -0,0 +1,300 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if eq .Values.controller.kind "DaemonSet" }}
{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}}
{{- $useHostPort := .Values.controller.daemonset.useHostPort -}}
{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
{{- $hostIP := .Values.controller.daemonset.hostIP -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- with .Values.controller.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.extraLabels }}
{{ toYaml .Values.controller.extraLabels | indent 4 }}
{{- end }}
spec:
minReadySeconds: {{ .Values.controller.minReadySeconds }}
{{- with .Values.controller.strategy }}
updateStrategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
annotations:
{{- if eq "string" (printf "%T" .Values.controller.podAnnotations) }}
{{ tpl .Values.controller.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.controller.dnsConfig }}
dnsConfig:
{{ toYaml .Values.controller.dnsConfig | indent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.controller.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if or .Values.controller.unprivileged (gt (len (.Values.controller.sysctls | default dict)) 0) }}
securityContext:
{{- if .Values.controller.unprivileged }}
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- end }}
{{ include "kubernetes-ingress.controller.sysctls" . | nindent 8 }}
{{- end }}
containers:
- name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
args:
{{- if .Values.controller.defaultTLSSecret.enabled -}}
{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
- --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
{{- else }}
- --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
{{- end }}
{{- end }}
- --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
- --http-bind-port={{ .Values.controller.containerPort.http }}
- --https-bind-port={{ .Values.controller.containerPort.https }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- --quic-bind-port={{ .Values.controller.containerPort.https }}
- --quic-announce-port={{ .Values.controller.service.ports.https }}
{{- end }}
{{- if .Values.controller.ingressClass }}
- --ingress.class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
- --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
{{- end }}
{{- if .Values.controller.publishService.enabled }}
- --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
{{- end }}
{{- if .Values.controller.logging.level }}
- --log={{ .Values.controller.logging.level }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
- --prometheus
- --pprof
{{- end }}
{{- range .Values.controller.extraArgs }}
- {{ . }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if and $useHostPort (index $hostPorts $key) }}
hostPort: {{ index $hostPorts $key }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- if $useHostPort }}
hostPort: {{ .Values.controller.daemonset.hostPorts.https }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .port }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ .port }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- with .Values.controller.livenessProbe }}
livenessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.readinessProbe }}
readinessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.startupProbe }}
startupProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
env:
{{- if .Values.aws.licenseConfigSecretName }}
- name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
value: "/var/run/secrets/product-license/license_token"
- name: AWS_ROLE_ARN
valueFrom:
secretKeyRef:
name: {{ .Values.aws.licenseConfigSecretName }}
key: iam_role
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.controller.extraEnvs -}}
{{- toYaml .Values.controller.extraEnvs | nindent 10 }}
{{- end }}
{{- with .Values.controller.extraEnvFrom }}
envFrom:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- if .Values.controller.lifecycle }}
lifecycle:
{{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
{{ tpl .Values.controller.lifecycle . | indent 12 }}
{{- else }}
{{ toYaml .Values.controller.lifecycle | indent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
subPath: tmp
- name: tmp
mountPath: /run
subPath: run
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
readOnly: true
mountPath: /var/run/secrets/product-license
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
{{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
{{ tpl .Values.controller.extraContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.extraContainers | indent 8 }}
{{- end }}
{{- end }}
volumes:
- name: tmp
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
emptyDir:
medium: Memory
sizeLimit: 64Mi
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
secret:
secretName: {{ .Values.aws.licenseConfigSecretName }}
optional: true
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
{{ tpl .Values.controller.extraVolumes . | indent 8 }}
{{- else if gt (len .Values.controller.extraVolumes) 0 }}
{{ toYaml .Values.controller.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.controller.initContainers }}
initContainers:
{{- if eq "string" (printf "%T" .Values.controller.initContainers) }}
{{ tpl .Values.controller.initContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.initContainers | indent 8 }}
{{- end }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

33
deploy/kubernetes-ingress/templates/controller-defaultcertsecret.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.defaultTLSSecret.enabled }}
{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }}
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
data:
{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }}
{{- end }}
{{- end }}

318
deploy/kubernetes-ingress/templates/controller-deployment.yaml Normal file
View File

@@ -0,0 +1,318 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if eq .Values.controller.kind "Deployment" }}
{{- $useHostNetwork := .Values.controller.deployment.useHostNetwork -}}
{{- $useHostPort := .Values.controller.deployment.useHostPort -}}
{{- $hostPorts := .Values.controller.deployment.hostPorts -}}
{{- $hostIP := .Values.controller.deployment.hostIP -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- with .Values.controller.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.extraLabels }}
{{ toYaml .Values.controller.extraLabels | indent 4 }}
{{- end }}
spec:
{{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }}
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
{{- with .Values.controller.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
annotations:
{{- if eq "string" (printf "%T" .Values.controller.podAnnotations) }}
{{ tpl .Values.controller.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- with .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.dnsConfig }}
dnsConfig:
{{ toYaml .Values.controller.dnsConfig | indent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.controller.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if or .Values.controller.unprivileged (gt (len (.Values.controller.sysctls | default dict)) 0) }}
securityContext:
{{- if .Values.controller.unprivileged }}
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- end }}
{{ include "kubernetes-ingress.controller.sysctls" . | nindent 8 }}
{{- end }}
containers:
- name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
args:
{{- if .Values.controller.defaultTLSSecret.enabled -}}
{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
- --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
{{- else }}
- --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
{{- end }}
{{- end }}
- --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
- --http-bind-port={{ .Values.controller.containerPort.http }}
- --https-bind-port={{ .Values.controller.containerPort.https }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- --quic-bind-port={{ .Values.controller.containerPort.https }}
- --quic-announce-port={{ .Values.controller.service.ports.https }}
{{- end }}
{{- if .Values.controller.ingressClass }}
- --ingress.class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
- --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
{{- end }}
{{- if .Values.controller.publishService.enabled }}
- --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
{{- end }}
{{- if .Values.controller.logging.level }}
- --log={{ .Values.controller.logging.level }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
- --prometheus
- --pprof
{{- end }}
{{- if eq .Values.controller.sync.mode "fetch" }}
{{- if .Values.controller.sync.fetchParams.period }}
- --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }}
{{- end }}
{{- if eq .Values.controller.sync.fetchParams.source "k8s" }}
- --k8s-api-sync-type=k8s
{{- else if eq .Values.controller.sync.fetchParams.source "proxy" }}
- --k8s-api-sync-type=proxy
- --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }}
{{- end }}
{{- end }}
{{- range .Values.controller.extraArgs }}
- {{ . }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if and $useHostPort (index $hostPorts $key) }}
hostPort: {{ index $hostPorts $key }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- if $useHostPort }}
hostPort: {{ .Values.controller.deployment.hostPorts.https }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .targetPort }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ .port }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- with .Values.controller.livenessProbe }}
livenessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.readinessProbe }}
readinessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.startupProbe }}
startupProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
env:
{{- if .Values.aws.licenseConfigSecretName }}
- name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
value: "/var/run/secrets/product-license/license_token"
- name: AWS_ROLE_ARN
valueFrom:
secretKeyRef:
name: {{ .Values.aws.licenseConfigSecretName }}
key: iam_role
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.controller.extraEnvs -}}
{{- toYaml .Values.controller.extraEnvs | nindent 10 }}
{{- end }}
{{- with .Values.controller.extraEnvFrom }}
envFrom:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- if .Values.controller.lifecycle }}
lifecycle:
{{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
{{ tpl .Values.controller.lifecycle . | indent 12 }}
{{- else }}
{{ toYaml .Values.controller.lifecycle | indent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
subPath: tmp
- name: tmp
mountPath: /run
subPath: run
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
readOnly: true
mountPath: /var/run/secrets/product-license
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
{{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
{{ tpl .Values.controller.extraContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.extraContainers | indent 8 }}
{{- end }}
{{- end }}
volumes:
- name: tmp
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
emptyDir:
medium: Memory
sizeLimit: 64Mi
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
secret:
secretName: {{ .Values.aws.licenseConfigSecretName }}
optional: true
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
{{ tpl .Values.controller.extraVolumes . | indent 8 }}
{{- else if gt (len .Values.controller.extraVolumes) 0 }}
{{ toYaml .Values.controller.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.controller.initContainers }}
initContainers:
{{- if eq "string" (printf "%T" .Values.controller.initContainers) }}
{{ tpl .Values.controller.initContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.initContainers | indent 8 }}
{{- end }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

67
deploy/kubernetes-ingress/templates/controller-hpa.yaml Normal file
View File

@@ -0,0 +1,67 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }}
{{- if not .Values.controller.keda.enabled }}
{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: autoscaling/v2
{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }}
apiVersion: autoscaling/v2beta2
{{- else }}
{{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }}
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
{{- if .Values.controller.autoscaling.annotations }}
annotations:
{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }}
{{- end }}
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kubernetes-ingress.fullname" . }}
minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
{{- if .Values.controller.autoscaling.behavior }}
behavior: {{- toYaml .Values.controller.autoscaling.behavior | nindent 4 }}
{{- end }}
metrics:
{{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- if .Values.controller.autoscaling.custom }}
{{- toYaml .Values.controller.autoscaling.custom | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

42
deploy/kubernetes-ingress/templates/controller-ingressclass.yaml Normal file
View File

@@ -0,0 +1,42 @@
{{/*
Copyright 2021 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: networking.k8s.io/v1
{{- else }}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: IngressClass
metadata:
name: {{ .Values.controller.ingressClassResource.name }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.ingressClassResource.default }}
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
{{- end }}
spec:
{{- if not .Values.controller.ingressClass }}
controller: haproxy.org/ingress-controller
{{- else }}
controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }}
{{- end }}
{{- if .Values.controller.ingressClassResource.parameters }}
parameters:
{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }}
{{- end }}
{{- end }}

57
deploy/kubernetes-ingress/templates/controller-keda.yaml Normal file
View File

@@ -0,0 +1,57 @@
{{/*
Copyright 2021 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }}
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.keda.scaledObject.annotations }}
annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
name: {{ include "kubernetes-ingress.fullname" . }}
pollingInterval: {{ .Values.controller.keda.pollingInterval }}
cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
minReplicaCount: {{ .Values.controller.keda.minReplicas }}
maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
triggers:
{{- with .Values.controller.keda.triggers }}
{{ toYaml . | indent 2 }}
{{ end }}
{{- with .Values.controller.keda.fallback }}
fallback:
{{ toYaml . | indent 4 }}
{{- end }}
advanced:
restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }}
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig }}
horizontalPodAutoscalerConfig:
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig.name }}
name: {{ .Values.controller.keda.horizontalPodAutoscalerConfig.name }}
{{- end }}
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig.behavior }}
behavior:
{{ with .Values.controller.keda.horizontalPodAutoscalerConfig.behavior -}}
{{ toYaml . | indent 8 }}
{{ end }}
{{- end }}
{{- end }}
{{- end }}

39
deploy/kubernetes-ingress/templates/controller-poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.PodDisruptionBudget.enable }}
{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
spec:
{{- if .Values.controller.PodDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }}
{{- end }}
{{- if .Values.controller.PodDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }}
{{- end }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
{{- end }}

37
deploy/kubernetes-ingress/templates/controller-podmonitor.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{/*
Copyright 2024 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.podMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "kubernetes-ingress.podMonitorName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.podMonitor.extraLabels }}
{{ toYaml .Values.controller.podMonitor.extraLabels | nindent 4 }}
{{- end }}
spec:
podMetricsEndpoints:
{{ .Values.controller.podMonitor.endpoints | toYaml | nindent 4 }}
namespaceSelector:
matchNames:
- {{ include "kubernetes-ingress.namespace" . }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
{{- end }}

82
deploy/kubernetes-ingress/templates/controller-podsecuritypolicy.yaml Normal file
View File

@@ -0,0 +1,82 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }}
{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }}
{{- $useHostPort := .Values.controller.daemonset.useHostPort }}
{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodSecurityPolicy
metadata:
{{- if .Values.podSecurityPolicy.annotations }}
annotations:
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
{{- end }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
name: {{ include "kubernetes-ingress.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
allowedCapabilities:
- NET_BIND_SERVICE
defaultAllowPrivilegeEscalation: false
fsGroup:
rule: MustRunAs
ranges:
- max: 65535
min: 1
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- if or $useHostPort $useHostNetwork }}
hostPorts:
{{- range $key, $value := .Values.controller.containerPort }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- min: {{ .port }}
max: {{ .port }}
{{- end }}
{{- end }}
hostIPC: false
hostPID: false
privileged: false
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- max: 65535
min: 1
volumes:
- configMap
- downwardAPI
- secret
{{- end }}
{{- end }}

283
deploy/kubernetes-ingress/templates/controller-proxy-deployment.yaml Normal file
View File

@@ -0,0 +1,283 @@
{{/*
Copyright 2024 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kubernetes-ingress.serviceProxyName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- with .Values.controller.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kubernetes-ingress.serviceProxyLabels" . | nindent 4 }}
{{- if .Values.controller.extraLabels }}
{{ toYaml .Values.controller.extraLabels | indent 4 }}
{{- end }}
spec:
{{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }}
replicas: {{ .Values.controller.sync.proxyParams.replicaCount }}
{{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
selector:
matchLabels:
{{- include "kubernetes-ingress.serviceProxySelectorLabels" . | nindent 6 }}
{{- with .Values.controller.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
{{- include "kubernetes-ingress.serviceProxySelectorLabels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
annotations:
{{- if eq "string" (printf "%T" .Values.controller.podAnnotations) }}
{{ tpl .Values.controller.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- with .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.dnsConfig }}
dnsConfig:
{{ toYaml .Values.controller.dnsConfig | indent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.controller.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- if .Values.controller.allowPrivilegedPorts }}
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
{{- end }}
{{- end }}
containers:
- name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
args:
{{- if .Values.controller.defaultTLSSecret.enabled -}}
{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
- --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
{{- else }}
- --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
{{- end }}
{{- end }}
- --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
- --http-bind-port={{ .Values.controller.containerPort.http }}
- --https-bind-port={{ .Values.controller.containerPort.https }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- --quic-bind-port={{ .Values.controller.containerPort.https }}
- --quic-announce-port={{ .Values.controller.service.ports.https }}
{{- end }}
{{- if .Values.controller.ingressClass }}
- --ingress.class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
- --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
{{- end }}
{{- if .Values.controller.publishService.enabled }}
- --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
{{- end }}
{{- if .Values.controller.logging.level }}
- --log={{ .Values.controller.logging.level }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
- --prometheus
- --pprof
{{- end }}
- --proxy-server-mode
- --k8s-api-sync-type=k8s
- --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }}
{{- if .Values.controller.sync.fetchParams.period }}
- --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }}
{{- end }}
{{- range .Values.controller.extraArgs }}
- {{ . }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .targetPort }}
protocol: TCP
{{- end }}
{{- with .Values.controller.livenessProbe }}
livenessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.readinessProbe }}
readinessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.startupProbe }}
startupProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
env:
{{- if .Values.aws.licenseConfigSecretName }}
- name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
value: "/var/run/secrets/product-license/license_token"
- name: AWS_ROLE_ARN
valueFrom:
secretKeyRef:
name: {{ .Values.aws.licenseConfigSecretName }}
key: iam_role
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.controller.extraEnvs -}}
{{- toYaml .Values.controller.extraEnvs | nindent 10 }}
{{- end }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- if .Values.controller.lifecycle }}
lifecycle:
{{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
{{ tpl .Values.controller.lifecycle . | indent 12 }}
{{- else }}
{{ toYaml .Values.controller.lifecycle | indent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
subPath: tmp
- name: tmp
mountPath: /run
subPath: run
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
readOnly: true
mountPath: /var/run/secrets/product-license
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
{{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
{{ tpl .Values.controller.extraContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.extraContainers | indent 8 }}
{{- end }}
{{- end }}
volumes:
- name: tmp
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
emptyDir:
medium: Memory
sizeLimit: 64Mi
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
secret:
secretName: {{ .Values.aws.licenseConfigSecretName }}
optional: true
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
{{ tpl .Values.controller.extraVolumes . | indent 8 }}
{{- else if gt (len .Values.controller.extraVolumes) 0 }}
{{ toYaml .Values.controller.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.controller.initContainers }}
initContainers:
{{- if eq "string" (printf "%T" .Values.controller.initContainers) }}
{{ tpl .Values.controller.initContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.initContainers | indent 8 }}
{{- end }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

68
deploy/kubernetes-ingress/templates/controller-proxy-service.yaml Normal file
View File

@@ -0,0 +1,68 @@
{{/*
Copyright 2024 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kubernetes-ingress.serviceProxyName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.serviceProxyLabels" . | nindent 4 }}
{{ (split ":" .Values.controller.sync.proxyParams.proxySvcLabelSelector)._0 }}: {{ (split ":" .Values.controller.sync.proxyParams.proxySvcLabelSelector)._1 }}
{{- if .Values.controller.service.labels }}
{{ toYaml .Values.controller.service.labels | indent 4 }}
{{- end }}
annotations:
{{- range $key, $value := .Values.controller.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
type: ClusterIP
{{- if .Values.controller.service.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
{{- end }}
ports:
{{- if .Values.controller.service.enablePorts.http }}
- name: http
port: {{ .Values.controller.service.ports.http }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: http
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.http }}
{{- if .Values.controller.service.nodePorts.http }}
nodePort: {{ .Values.controller.service.nodePorts.http }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.https }}
- name: https
port: {{ .Values.controller.service.ports.https }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.https }}
{{- if .Values.controller.service.nodePorts.https }}
nodePort: {{ .Values.controller.service.nodePorts.https }}
{{- end }}
{{- end }}
selector:
{{- include "kubernetes-ingress.serviceProxySelectorLabels" . | nindent 4 }}
{{- if .Values.controller.service.sessionAffinity }}
sessionAffinity: {{ .Values.controller.service.sessionAffinity }}
{{- end }}
{{- end }}

28
deploy/kubernetes-ingress/templates/controller-pullsecret.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.imageCredentials.registry }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }}
{{- end }}

34
deploy/kubernetes-ingress/templates/controller-role.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
rules:
- apiGroups:
- "policy"
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ include "kubernetes-ingress.fullname" . }}
{{- end -}}

33
deploy/kubernetes-ingress/templates/controller-rolebinding.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "kubernetes-ingress.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "kubernetes-ingress.serviceAccountName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- end -}}

56
deploy/kubernetes-ingress/templates/controller-service-metrics.yaml Normal file
View File

@@ -0,0 +1,56 @@
{{/*
Copyright 2022 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
The following Service resource will be created upon certain conditions:
- The ServiceMonitor integration is enabled
- A Service resource must be created
The reason for that is that the Ingress Controller would make it available to the outside
sensitive data such as its metrics, and the operator wants to keep these data private
(such as the value of "controller.service.enablePorts.stat=false").
To let the Prometheus Operator being able to scrape the metrics, an additional service
is going to be created, allowing it to expose of these in the internal Kubernetes networking.
*/}}
{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kubernetes-ingress.serviceMetricsName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.service.metrics.labels }}
{{ toYaml .Values.controller.service.metrics.labels | indent 4 }}
{{- end }}
annotations:
{{- range $key, $value := .Values.controller.service.metrics.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
type: {{ .Values.controller.service.metrics.type }}
ports:
- name: stat
port: {{ .Values.controller.service.ports.stat }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.stat }}
{{- if .Values.controller.service.nodePorts.stat }}
nodePort: {{ .Values.controller.service.nodePorts.stat }}
{{- end }}
selector:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 4 }}
{{- end }}

133
deploy/kubernetes-ingress/templates/controller-service.yaml Normal file
View File

@@ -0,0 +1,133 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.service.labels }}
{{ toYaml .Values.controller.service.labels | indent 4 }}
{{- end }}
annotations:
{{- range $key, $value := .Values.controller.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }}
type: {{ .Values.controller.service.type }}
{{- if .Values.controller.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
{{- end }}
{{- if .Values.controller.service.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
{{- end }}
ports:
{{- if .Values.controller.service.enablePorts.http }}
- name: http
port: {{ .Values.controller.service.ports.http }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: http
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.http }}
{{- if .Values.controller.service.nodePorts.http }}
nodePort: {{ .Values.controller.service.nodePorts.http }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.https }}
- name: https
port: {{ .Values.controller.service.ports.https }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.https }}
{{- if .Values.controller.service.nodePorts.https }}
nodePort: {{ .Values.controller.service.nodePorts.https }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
port: {{ .Values.controller.service.ports.https }}
protocol: UDP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.quic }}
{{- if .Values.controller.service.nodePorts.https }}
nodePort: {{ .Values.controller.service.nodePorts.https }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.stat }}
- name: stat
port: {{ .Values.controller.service.ports.stat }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.stat }}
{{- if .Values.controller.service.nodePorts.stat }}
nodePort: {{ .Values.controller.service.nodePorts.stat }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
- name: admin
port: {{ .Values.controller.service.ports.admin }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.admin }}
{{- if .Values.controller.service.nodePorts.admin }}
nodePort: {{ .Values.controller.service.nodePorts.admin }}
{{- end }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
port: {{ .port }}
protocol: TCP
targetPort: {{ .targetPort }}
{{- if .nodePort }}
nodePort: {{ .nodePort }}
{{- end }}
{{- end }}
selector:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 4 }}
{{- if .Values.controller.service.sessionAffinity }}
sessionAffinity: {{ .Values.controller.service.sessionAffinity }}
{{- end }}
{{- if .Values.controller.service.ipFamilies }}
ipFamilies:
{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }}
{{- end }}
{{- if .Values.controller.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }}
{{- end }}
externalIPs:
{{- if .Values.controller.service.externalIPs }}
{{ toYaml .Values.controller.service.externalIPs | indent 4 }}
{{- end -}}
{{- if (eq .Values.controller.service.type "LoadBalancer") }}
{{- if .Values.controller.service.loadBalancerIP }}
loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}"
{{- end }}
{{- if .Values.controller.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if .Values.controller.service.loadBalancerClass}}
loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}"
{{- end }}
{{- end }}
{{- end }}

28
deploy/kubernetes-ingress/templates/controller-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if or .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kubernetes-ingress.serviceAccountName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end -}}

37
deploy/kubernetes-ingress/templates/controller-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "kubernetes-ingress.serviceMonitorName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.serviceMonitor.extraLabels }}
{{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }}
{{- end }}
spec:
endpoints:
{{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }}
namespaceSelector:
matchNames:
- {{ include "kubernetes-ingress.namespace" . }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
{{- end }}

27
deploy/kubernetes-ingress/templates/namespace.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{/*
Copyright 2022 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.namespace.create -}}
apiVersion: v1
kind: Namespace
metadata:
name: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-weight": "-1"
{{- end -}}