initial commit

Change-Id: I37c91673bc7093df7b976dae85e79afb627e8a5d
Scaffolder
2026-04-24 11:25:39 +00:00
commit a5447fd3f1
60 changed files with 3309 additions and 0 deletions


@@ -0,0 +1,51 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
HAProxy Unified Gateway has been installed.
{{- if .Values.controller.service.enabled }}
The controller is exposed via a {{ .Values.controller.service.type }} Service:
- HTTP: {{ .Values.controller.service.http.port }}
- HTTPS: {{ .Values.controller.service.https.port }}
- Stats: {{ .Values.controller.service.stat.port }}
{{- if eq .Values.controller.service.type "NodePort" }}
Access the gateway using your node IP and the configured NodePort:
export NODE_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="ExternalIP")].address}')
echo "HTTP: http://$NODE_IP:{{ .Values.controller.service.http.nodePort }}"
echo "HTTPS: https://$NODE_IP:{{ .Values.controller.service.https.nodePort }}"
{{- else if eq .Values.controller.service.type "LoadBalancer" }}
It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with:
kubectl get svc {{ include "haproxy-unified-gateway.fullname" . }} -n {{ include "haproxy-unified-gateway.namespace" . }} -w
{{- end }}
{{- end }}
{{- if .Values.crdjob.enabled }}
A post-install/pre-upgrade Job will install/update the HUG CRDs automatically.
{{- end }}
{{- if .Values.gwapijob.enabled }}
A post-install/pre-upgrade Job will install Gateway API CRDs (v{{ .Values.gwapijob.version }}).
{{- end }}
To check the controller status:
kubectl get pods -n {{ include "haproxy-unified-gateway.namespace" . }} -l "{{ include "haproxy-unified-gateway.selectorLabels" . | replace "\n" "," }}"
For more information, visit: https://github.com/haproxytech/haproxy-unified-gateway


@@ -0,0 +1,174 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
Expand the name of the chart.
*/}}
{{- define "haproxy-unified-gateway.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
*/}}
{{- define "haproxy-unified-gateway.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "haproxy-unified-gateway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Namespace to use.
*/}}
{{- define "haproxy-unified-gateway.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride }}
{{- end }}
{{/*
Selector labels.
*/}}
{{- define "haproxy-unified-gateway.selectorLabels" -}}
app.kubernetes.io/name: {{ include "haproxy-unified-gateway.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Helm chart metadata labels.
*/}}
{{- define "haproxy-unified-gateway.helmChartLabels" -}}
helm.sh/chart: {{ include "haproxy-unified-gateway.chart" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Common labels (selector + chart metadata).
*/}}
{{- define "haproxy-unified-gateway.labels" -}}
{{ include "haproxy-unified-gateway.selectorLabels" . }}
{{ include "haproxy-unified-gateway.helmChartLabels" . }}
{{- end }}
{{/*
ServiceAccount name.
*/}}
{{- define "haproxy-unified-gateway.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "haproxy-unified-gateway.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Controller image.
*/}}
{{- define "haproxy-unified-gateway.image" -}}
{{- $tag := default .Chart.AppVersion .Values.controller.image.tag -}}
{{- printf "%s:%s" .Values.controller.image.repository $tag }}
{{- end }}
{{/*
CRD Job ServiceAccount/RBAC name.
*/}}
{{- define "haproxy-unified-gateway.crdjob.saName" -}}
{{- printf "%s-crdjob" (include "haproxy-unified-gateway.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Metrics Service name.
*/}}
{{- define "haproxy-unified-gateway.metricsServiceName" -}}
{{- printf "%s-metrics" (include "haproxy-unified-gateway.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
HugConf cleanup Job name.
*/}}
{{- define "haproxy-unified-gateway.hugconfCleanup.fullname" -}}
{{- printf "%s-hugconf-cleanup" (include "haproxy-unified-gateway.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
CRD Job labels.
*/}}
{{- define "haproxy-unified-gateway.crdjobLabels" -}}
{{ include "haproxy-unified-gateway.helmChartLabels" . }}
app.kubernetes.io/name: {{ include "haproxy-unified-gateway.name" . }}-crdjob
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
CRD Job fullname (includes revision for uniqueness).
*/}}
{{- define "haproxy-unified-gateway.crdjob.fullname" -}}
{{- printf "%s-crdjob-%d" (include "haproxy-unified-gateway.fullname" .) .Release.Revision | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Gateway API Job labels.
*/}}
{{- define "haproxy-unified-gateway.gwapijobLabels" -}}
{{ include "haproxy-unified-gateway.helmChartLabels" . }}
app.kubernetes.io/name: {{ include "haproxy-unified-gateway.name" . }}-gwapijob
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Gateway API Job fullname (includes revision for uniqueness).
*/}}
{{- define "haproxy-unified-gateway.gwapijob.fullname" -}}
{{- printf "%s-gwapijob-%d" (include "haproxy-unified-gateway.fullname" .) .Release.Revision | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
ServiceMonitor name.
*/}}
{{- define "haproxy-unified-gateway.serviceMonitorName" -}}
{{- default (include "haproxy-unified-gateway.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
PodMonitor name.
*/}}
{{- define "haproxy-unified-gateway.podMonitorName" -}}
{{- default (include "haproxy-unified-gateway.fullname" .) .Values.controller.podMonitor.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
HugConf CRD reference path (namespace/name).
*/}}
{{- define "haproxy-unified-gateway.hugconfCrd" -}}
{{- if .Values.controller.hugconfCrd }}
{{- .Values.controller.hugconfCrd }}
{{- else }}
{{- printf "%s/%s" (include "haproxy-unified-gateway.namespace" .) .Values.hugconf.name }}
{{- end }}
{{- end }}
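Review bot: The `app.kubernetes.io/name` value in `haproxy-unified-gateway.crdjobLabels` and `gwapijobLabels` can exceed the 63-character label limit, because the `name` helper already truncates to 63 and the `-crdjob` / `-gwapijob` suffix is appended afterwards. With a long `nameOverride` the hook ServiceAccount, ClusterRole and Jobs would be rejected by the API server. Truncate after appending, e.g. `app.kubernetes.io/name: {{ printf "%s-crdjob" (include "haproxy-unified-gateway.name" .) | trunc 63 | trimSuffix "-" }}`. A related ordering problem affects `crdjob.fullname` and `gwapijob.fullname`, where `trunc 63` can cut off the `.Release.Revision` suffix that the comment says provides uniqueness.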


@@ -0,0 +1,138 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- services
- namespaces
- events
- serviceaccounts
verbs:
- get
- list
- watch
- create
- patch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- patch
- update
- apiGroups:
- "discovery.k8s.io"
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- "apps"
resources:
- replicasets
- deployments
- daemonsets
verbs:
- get
- list
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
- httproutes
- referencegrants
- grpcroutes
- tlsroutes
verbs:
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
- gateways/status
- httproutes/status
- referencegrants/status
- grpcroutes/status
- tlsroutes/status
verbs:
- get
- update
- patch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- gate.v3.haproxy.org
resources:
- huggates
- hugconfs
- backends
- globals
- defaults
verbs:
- get
- list
- watch
# Required for kube-rbac metrics auth (TokenReview + SubjectAccessReview)
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
{{- end }}
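Review bot: The core-group rules grant `create`, `patch` and `update` cluster-wide on `secrets`, `serviceaccounts`, `nodes`, `namespaces`, `pods` and `services`, which is more than the read access a gateway controller typically needs to resolve routes and certificates. Write access to Secrets and ServiceAccounts in every namespace means a compromised controller pod could alter credentials anywhere in the cluster. Unless the controller is known to write these objects (not visible on this page), reduce both rules to `verbs: [get, list, watch]` and keep `create`/`patch` only on `events`; if specific Secrets must be written, move that into a namespaced Role. The `update` verb on `customresourcedefinitions` is likewise unrestricted and could be limited with `resourceNames` to the chart's own CRDs.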


@@ -0,0 +1,32 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "haproxy-unified-gateway.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "haproxy-unified-gateway.serviceAccountName" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
{{- end }}
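Review bot: The subject name can resolve to the namespace's `default` ServiceAccount, because the `haproxy-unified-gateway.serviceAccountName` helper falls back to `default "default" .Values.serviceAccount.name` when `serviceAccount.create` is false. With `rbac.create` still true, this binding then hands the chart's ClusterRole, including cluster-wide Secret access, to every pod in that namespace that does not set its own ServiceAccount. Fail the render instead of falling back, e.g. replace that helper line with `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`.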


@@ -0,0 +1,72 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if or .Values.crdjob.enabled .Values.gwapijob.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "haproxy-unified-gateway.crdjob.saName" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.crdjobLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "haproxy-unified-gateway.crdjob.saName" . }}
labels:
{{- include "haproxy-unified-gateway.crdjobLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "haproxy-unified-gateway.crdjob.saName" . }}
labels:
{{- include "haproxy-unified-gateway.crdjobLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "haproxy-unified-gateway.crdjob.saName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "haproxy-unified-gateway.crdjob.saName" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
{{- end }}
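Review bot: The hook ClusterRole allows `delete` on every `customresourcedefinitions` object in the cluster, and deleting a CRD also removes all custom resources of that kind. Nothing on this page shows the jobs removing CRDs (the install notes describe them as installing or updating), so `delete` looks unnecessary, and `update`/`patch` can additionally be limited with `resourceNames`. The `hook-delete-policy` also has no `hook-failed` entry while both Jobs use `backoffLimit: 0`, so after a failed hook this ServiceAccount and its binding appear to stay in the cluster until the next install or upgrade.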


@@ -0,0 +1,96 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.crdjob.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "haproxy-unified-gateway.crdjob.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.crdjobLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-weight": "0"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"argocd.argoproj.io/hook": PostSync
{{- with .Values.crdjob.podAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.crdjob.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ . }}
{{- end }}
template:
metadata:
labels:
{{- include "haproxy-unified-gateway.crdjobLabels" . | nindent 8 }}
{{- with .Values.crdjob.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "haproxy-unified-gateway.crdjob.saName" . }}
restartPolicy: Never
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
{{- with .Values.controller.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: crdjob
{{- if .Values.crdjob.image.repository }}
image: {{ printf "%s:%s" .Values.crdjob.image.repository (default .Chart.AppVersion .Values.crdjob.image.tag) }}
{{- else }}
image: {{ include "haproxy-unified-gateway.image" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
command:
- /usr/local/sbin/hug
- --job-check-crd
{{- with .Values.crdjob.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.crdjob.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.crdjob.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.crdjob.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
backoffLimit: 0
{{- end }}
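Review bot: The container `securityContext` drops all capabilities and blocks privilege escalation but does not set `readOnlyRootFilesystem: true`, so the job can still write to its image filesystem. If `/usr/local/sbin/hug --job-check-crd` needs no scratch space (not visible here), add `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false`; otherwise mount an `emptyDir` for the path it writes. The same applies to the `gwapijob` and `hugconf-cleanup` containers in the later files. Separately, `crdjob.podAnnotations` is also rendered into the Job's own `metadata.annotations`, where a user-supplied key can collide with the `helm.sh/hook` entries.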


@@ -0,0 +1,185 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if eq .Values.controller.kind "DaemonSet" }}
{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}}
{{- $useHostPort := .Values.controller.daemonset.useHostPort -}}
{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
{{- $hostIP := .Values.controller.daemonset.hostIP -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- with .Values.controller.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 6 }}
{{- with .Values.controller.strategy }}
updateStrategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 8 }}
{{- with .Values.controller.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "haproxy-unified-gateway.serviceAccountName" . }}
{{- with .Values.controller.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- end }}
{{- with .Values.controller.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- with .Values.controller.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- with .Values.controller.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ include "haproxy-unified-gateway.name" . }}
image: {{ include "haproxy-unified-gateway.image" . }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
args:
{{- if or .Values.hugconf.create .Values.controller.hugconfCrd }}
- --hugconf-crd={{ include "haproxy-unified-gateway.hugconfCrd" . }}
{{- end }}
{{- with .Values.controller.metricsAuth }}
- --metrics-auth={{ . }}
{{- end }}
{{- range .Values.controller.extraArgs }}
- {{ . }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if and $useHostPort (index $hostPorts $key) }}
hostPort: {{ index $hostPorts $key }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- with .Values.controller.extraEnvs }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.startupProbe }}
startupProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- with .Values.controller.seccompProfile }}
seccompProfile:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- end }}
{{- with .Values.controller.extraVolumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.extraContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.extraVolumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
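Review bot: The pod spec emits two `securityContext:` keys when both `controller.unprivileged` and `controller.podSecurityContext` are set, since the two blocks are rendered independently. Depending on the YAML parser the manifest is either rejected or the second mapping silently replaces the first, which drops `runAsNonRoot`, `runAsUser` and `runAsGroup`. Build one mapping and render it once, as below, so that `podSecurityContext` only overrides the keys it sets and the non-root defaults remain for the rest. The Deployment template has the identical pair of blocks.

```yaml
      # … unchanged: serviceAccountName, imagePullSecrets …
      {{- $podSC := dict }}
      {{- if .Values.controller.unprivileged }}
      {{- $podSC = dict "runAsNonRoot" true "runAsUser" 1000 "runAsGroup" 1000 }}
      {{- end }}
      {{- $podSC = merge (deepCopy (.Values.controller.podSecurityContext | default dict)) $podSC }}
      {{- with $podSC }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: priorityClassName and the rest of the pod spec …
```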


@@ -0,0 +1,175 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if eq .Values.controller.kind "Deployment" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- with .Values.controller.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.controller.autoscaling.enabled }}
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 6 }}
{{- with .Values.controller.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 8 }}
{{- with .Values.controller.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "haproxy-unified-gateway.serviceAccountName" . }}
{{- with .Values.controller.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- end }}
{{- with .Values.controller.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.controller.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- with .Values.controller.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ include "haproxy-unified-gateway.name" . }}
image: {{ include "haproxy-unified-gateway.image" . }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
args:
{{- if or .Values.hugconf.create .Values.controller.hugconfCrd }}
- --hugconf-crd={{ include "haproxy-unified-gateway.hugconfCrd" . }}
{{- end }}
{{- with .Values.controller.metricsAuth }}
- --metrics-auth={{ . }}
{{- end }}
{{- range .Values.controller.extraArgs }}
- {{ . }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- with .Values.controller.extraEnvs }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.startupProbe }}
startupProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- with .Values.controller.seccompProfile }}
seccompProfile:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- end }}
{{- with .Values.controller.extraVolumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.extraContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.extraVolumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
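Review bot: The whole container `securityContext` is gated on `controller.unprivileged`, so with that flag off the controller container is rendered with no `capabilities.drop`, no `allowPrivilegeEscalation` setting and no `seccompProfile`, and runs with the image's default user and the runtime's default capability set. Consider always rendering `allowPrivilegeEscalation`, `capabilities.drop: [ALL]` plus `NET_BIND_SERVICE`, and a `RuntimeDefault` seccomp profile, and gating only the `runAs*` fields on the flag. Inside the block, `allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}` renders an empty value when the key is missing from values; `{{ .Values.controller.allowPrivilegeEscalation | default false }}` keeps the hardened setting in that case. The DaemonSet template carries the same block.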


@@ -0,0 +1,96 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.gwapijob.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "haproxy-unified-gateway.gwapijob.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.gwapijobLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-weight": "0"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"argocd.argoproj.io/hook": PostSync
{{- with .Values.gwapijob.podAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.gwapijob.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ . }}
{{- end }}
template:
metadata:
labels:
{{- include "haproxy-unified-gateway.gwapijobLabels" . | nindent 8 }}
{{- with .Values.gwapijob.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "haproxy-unified-gateway.crdjob.saName" . }}
restartPolicy: Never
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
{{- with .Values.controller.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: gwapijob
{{- if .Values.gwapijob.image.repository }}
image: {{ printf "%s:%s" .Values.gwapijob.image.repository (default .Chart.AppVersion .Values.gwapijob.image.tag) }}
{{- else }}
image: {{ include "haproxy-unified-gateway.image" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
command:
- /usr/local/sbin/hug
- --job-gwapi={{ .Values.gwapijob.version }}
{{- with .Values.gwapijob.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.gwapijob.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.gwapijob.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.gwapijob.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
backoffLimit: 0
{{- end }}


@@ -0,0 +1,53 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) }}
{{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: autoscaling/v2
{{- else }}
apiVersion: autoscaling/v2beta2
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "haproxy-unified-gateway.fullname" . }}
minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
metrics:
{{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
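Review bot: The HorizontalPodAutoscaler is rendered whenever `controller.autoscaling.enabled` is true, but `scaleTargetRef` is hard-coded to `kind: Deployment`, so with `controller.kind: DaemonSet` it targets an object the chart never creates. Add the kind to the guard, e.g. `{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) }}`. Also, when neither utilization target is set, `metrics:` is emitted with no entries and renders as null; wrapping the key in a check for at least one target avoids that.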


@@ -0,0 +1,125 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.hugconf.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "haproxy-unified-gateway.hugconfCleanup.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "haproxy-unified-gateway.hugconfCleanup.fullname" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups:
- "gate.v3.haproxy.org"
resources:
- hugconfs
verbs:
- get
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "haproxy-unified-gateway.hugconfCleanup.fullname" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "haproxy-unified-gateway.hugconfCleanup.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "haproxy-unified-gateway.hugconfCleanup.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "haproxy-unified-gateway.hugconfCleanup.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "0"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
ttlSecondsAfterFinished: 60
template:
metadata:
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 8 }}
spec:
serviceAccountName: {{ include "haproxy-unified-gateway.hugconfCleanup.fullname" . }}
restartPolicy: Never
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
{{- with .Values.controller.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: hugconf-cleanup
image: {{ include "haproxy-unified-gateway.image" . }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
command:
- /bin/sh
- -c
- |
APISERVER="https://kubernetes.default.svc"
TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
wget --header="Authorization: Bearer ${TOKEN}" \
--ca-certificate="${CACERT}" \
--method=DELETE \
-q -O /dev/null \
"${APISERVER}/apis/gate.v3.haproxy.org/v3/namespaces/{{ include "haproxy-unified-gateway.namespace" . }}/hugconfs/{{ .Values.hugconf.name }}" 2>/dev/null || true
backoffLimit: 1
{{- end }}


@@ -0,0 +1,45 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.hugconf.create }}
apiVersion: gate.v3.haproxy.org/v3
kind: HugConf
metadata:
name: {{ .Values.hugconf.name }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": before-hook-creation
"argocd.argoproj.io/hook": PostSync
spec:
logging:
defaultLevel: {{ .Values.hugconf.logging.defaultLevel | quote }}
{{- with .Values.hugconf.logging.categoryLevelList }}
categoryLevelList:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.hugconf.globalRef }}
globalRef:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.hugconf.defaultsRef }}
defaultsRef:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
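Review bot: `metadata.name` is rendered from `.Values.hugconf.name` without quoting, while `defaultLevel` a few lines below is piped through `quote`; a name that YAML reads as a number or boolean would render as a non-string and the object would be rejected. I would write `name: {{ .Values.hugconf.name | quote }}`. Because this object is a hook (`post-install,pre-upgrade`), Helm does not track it as a release resource, and the pre-delete cleanup Job in the previous section is what removes it. A one-line template comment above `apiVersion` saying so, e.g. `{{/* Hook resource: not tracked by the release; removed by the pre-delete cleanup Job */}}`, would save the next maintainer from rediscovering that coupling.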


@@ -0,0 +1,57 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }}
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- if .Values.controller.keda.scaledObject.annotations }}
annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
name: {{ include "haproxy-unified-gateway.fullname" . }}
pollingInterval: {{ .Values.controller.keda.pollingInterval }}
cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
minReplicaCount: {{ .Values.controller.keda.minReplicas }}
maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
triggers:
{{- with .Values.controller.keda.triggers }}
{{ toYaml . | indent 2 }}
{{ end }}
{{- with .Values.controller.keda.fallback }}
fallback:
{{ toYaml . | indent 4 }}
{{- end }}
advanced:
restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }}
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig }}
horizontalPodAutoscalerConfig:
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig.name }}
name: {{ .Values.controller.keda.horizontalPodAutoscalerConfig.name }}
{{- end }}
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig.behavior }}
behavior:
{{ with .Values.controller.keda.horizontalPodAutoscalerConfig.behavior -}}
{{ toYaml . | indent 8 }}
{{ end }}
{{- end }}
{{- end }}
{{- end }}
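Review bot: `triggers:` is written unconditionally and its list comes from a `with` block, so when `.Values.controller.keda.triggers` is empty the key renders with no value (null). The ScaledObject is then likely to be rejected at apply time rather than at render time. Failing early gives a clearer error: `{{- toYaml (required "controller.keda.triggers must be set when keda.enabled is true" .Values.controller.keda.triggers) | nindent 2 }}`, with the indent width adjusted to the file. The section also mixes `indent` after an untrimmed `{{ ... }}` with `nindent` elsewhere; using `{{-` with `nindent` throughout would make the rendered whitespace easier to check.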


@@ -0,0 +1,35 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 6 }}
{{- if .Values.controller.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.controller.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}
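Review bot: The `if` blocks for `minAvailable` and `maxUnavailable` are independent, so setting both values renders both fields, and a PodDisruptionBudget accepts only one of them. Making the second branch exclusive avoids an object the API server will reject: drop the first `{{- end }}` and change the second test to `{{- else if .Values.controller.podDisruptionBudget.maxUnavailable }}`. A plain truthiness test also skips an integer `0`, so `maxUnavailable: 0` is silently omitted; testing with `{{- if not (kindIs "invalid" .Values.controller.podDisruptionBudget.maxUnavailable) }}` keeps it.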


@@ -0,0 +1,37 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.podMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "haproxy-unified-gateway.podMonitorName" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- with .Values.controller.podMonitor.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
podMetricsEndpoints:
{{- toYaml .Values.controller.podMonitor.endpoints | nindent 4 }}
namespaceSelector:
matchNames:
- {{ include "haproxy-unified-gateway.namespace" . }}
selector:
matchLabels:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 6 }}
{{- end }}
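Review bot: The `.Capabilities.APIVersions.Has "monitoring.coreos.com/v1"` guard makes this template render nothing, with no message, whenever the CRD is not known at render time. That includes a plain `helm template` run without `--api-versions`, and the ServiceMonitor section further down uses the same guard. An operator who sets `podMonitor.enabled: true` then gets no scrape target and no error, which is an easy way to lose monitoring coverage unnoticed. Consider testing `enabled` first and calling `{{- fail "podMonitor.enabled requires the monitoring.coreos.com/v1 CRDs" }}` when the API version is absent, or at least documenting the silent skip in a template comment.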


@@ -0,0 +1,81 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }}
{{- $useHostNetwork := false }}
{{- $useHostPort := false }}
{{- if eq .Values.controller.kind "DaemonSet" }}
{{- $useHostNetwork = .Values.controller.daemonset.useHostNetwork }}
{{- $useHostPort = .Values.controller.daemonset.useHostPort }}
{{- end }}
{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodSecurityPolicy
metadata:
{{- if .Values.podSecurityPolicy.annotations }}
annotations:
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
{{- end }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
name: {{ include "haproxy-unified-gateway.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
allowedCapabilities:
- NET_BIND_SERVICE
defaultAllowPrivilegeEscalation: false
fsGroup:
rule: MustRunAs
ranges:
- max: 65535
min: 1
hostIPC: false
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- if or $useHostPort $useHostNetwork }}
hostPorts:
{{- range $key, $value := .Values.controller.containerPort }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
hostPID: false
privileged: false
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- max: 65535
min: 1
volumes:
- configMap
- downwardAPI
- secret
{{- end }}
{{- end }}
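Review bot: `metadata` can end up with two `annotations:` keys: the conditional block fed from `.Values.podSecurityPolicy.annotations` and the hard-coded seccomp/AppArmor block after `name:`. When the value is set the rendered YAML has a duplicate key; most parsers keep only the last one, so the user-supplied annotations are silently dropped, and strict parsers reject the document. Keep a single `annotations:` key with the four hard-coded entries and append the values under it with `{{- with .Values.podSecurityPolicy.annotations }}{{- toYaml . | nindent 4 }}{{- end }}`. Separately, the `apiVersion: policy/v1` branch looks wrong: PodSecurityPolicy was only served as `policy/v1beta1`, so on 1.21–1.24 clusters the `semverCompare ">=1.21.0-0"` test selects a version the API server does not serve for this kind. Emitting `apiVersion: policy/v1beta1` unconditionally would be the safe choice.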


@@ -0,0 +1,34 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
rules:
- apiGroups:
- "policy"
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ include "haproxy-unified-gateway.fullname" . }}
{{- end -}}
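Review bot: This Role is gated only on `rbac.create` and `podSecurityPolicy.enabled`, whereas the PodSecurityPolicy it names is additionally wrapped in `semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version`. On 1.25+ the Role and the RoleBinding in the next section are therefore still created and grant `use` on a policy that is never rendered. Adding the same version test here and in the RoleBinding keeps the three objects in step: `{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) -}}`. Restricting the rule with `resourceNames` is the right scope and should stay.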


@@ -0,0 +1,33 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "haproxy-unified-gateway.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "haproxy-unified-gateway.serviceAccountName" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
{{- end -}}


@@ -0,0 +1,45 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.controller.serviceMonitor.enabled .Values.controller.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "haproxy-unified-gateway.metricsServiceName" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- with .Values.controller.service.metrics.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.controller.service.metrics.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.controller.service.metrics.type }}
selector:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 4 }}
ports:
- name: stat
port: {{ .Values.controller.service.stat.port }}
targetPort: {{ .Values.controller.service.stat.targetPort }}
protocol: TCP
- name: metrics
port: {{ index .Values.controller.service "controller-metrics" "port" }}
targetPort: {{ index .Values.controller.service "controller-metrics" "targetPort" }}
protocol: TCP
{{- end }}


@@ -0,0 +1,64 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "haproxy-unified-gateway.fullname" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- with .Values.controller.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.controller.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.controller.service.type }}
{{- with .Values.controller.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ . }}
{{- end }}
selector:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 4 }}
ports:
- name: http
port: {{ .Values.controller.service.http.port }}
targetPort: {{ .Values.controller.service.http.targetPort }}
protocol: TCP
{{- if and (eq .Values.controller.service.type "NodePort") .Values.controller.service.http.nodePort }}
nodePort: {{ .Values.controller.service.http.nodePort }}
{{- end }}
- name: https
port: {{ .Values.controller.service.https.port }}
targetPort: {{ .Values.controller.service.https.targetPort }}
protocol: TCP
{{- if and (eq .Values.controller.service.type "NodePort") .Values.controller.service.https.nodePort }}
nodePort: {{ .Values.controller.service.https.nodePort }}
{{- end }}
- name: stat
port: {{ .Values.controller.service.stat.port }}
targetPort: {{ .Values.controller.service.stat.targetPort }}
protocol: TCP
{{- if and (eq .Values.controller.service.type "NodePort") .Values.controller.service.stat.nodePort }}
nodePort: {{ .Values.controller.service.stat.nodePort }}
{{- end }}
{{- with .Values.controller.service.extraPorts }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
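Review bot: The `stat` port is published on the same Service as `http` and `https`, so with `type: LoadBalancer` or `NodePort` it is reachable from wherever the traffic ports are. What the port serves is not visible here, but a stats endpoint is usually meant for in-cluster scraping only, and the separate metrics Service already carries a `stat` port. I would make the entry opt-in by wrapping it in `{{- if .Values.controller.service.stat.enabled }}` … `{{- end }}` (a new values key, name illustrative). If it has to stay on this Service, exposing `loadBalancerSourceRanges` through values gives operators a way to restrict who can reach it.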


@@ -0,0 +1,29 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "haproxy-unified-gateway.serviceAccountName" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@@ -0,0 +1,37 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "haproxy-unified-gateway.serviceMonitorName" . }}
namespace: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- with .Values.controller.serviceMonitor.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
{{- toYaml .Values.controller.serviceMonitor.endpoints | nindent 4 }}
namespaceSelector:
matchNames:
- {{ include "haproxy-unified-gateway.namespace" . }}
selector:
matchLabels:
{{- include "haproxy-unified-gateway.selectorLabels" . | nindent 6 }}
{{- end }}


@@ -0,0 +1,24 @@
{{/*
Copyright 2026 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.namespace.create }}
apiVersion: v1
kind: Namespace
metadata:
name: {{ include "haproxy-unified-gateway.namespace" . }}
labels:
{{- include "haproxy-unified-gateway.labels" . | nindent 4 }}
{{- end }}