initial commit

Change-Id: I2e2564a72b6be9af536235fc3795fd788fd9257b
Scaffolder
2026-04-15 15:41:22 +00:00
commit b6460c4ea3
180 changed files with 12299 additions and 0 deletions

23
haproxy/.helmignore Normal file

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

35
haproxy/Chart.yaml Normal file

@@ -0,0 +1,35 @@
# Copyright 2020 HAProxy Technologies LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v2
name: haproxy
description: A Helm chart for HAProxy on Kubernetes
type: application
version: 1.28.1
appVersion: 3.3.6
kubeVersion: ">=1.17.0-0"
keywords:
- haproxy
home: https://github.com/haproxytech/helm-charts/tree/main/haproxy
sources:
- http://www.haproxy.org/
icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/haproxy/chart-icon.png
maintainers:
- name: Dinko Korunic
email: dkorunic@haproxy.com
engine: gotpl
annotations:
artifacthub.io/changes: |
- Update base image to HAProxy 3.3.6
- Fix newline issue with YAML normalisation (#344)
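
Review bot: `engine: gotpl` near the end of the file is a Helm v2 era field and is not part of the `apiVersion: v2` chart schema this file declares, so it can be dropped. The `sources:` entry also uses plain `http://www.haproxy.org/` while `home` and `icon` use HTTPS; switch it to HTTPS for consistency.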

378
haproxy/README.md Normal file

@@ -0,0 +1,378 @@
# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy")
## HAProxy Helm Chart
## Introduction
This chart bootstraps an HAProxy load balancer as deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. As oposed to [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress) Chart, HAProxy is installed as a regular application and not as an Ingress Controller.
### Prerequisites
- Kubernetes 1.17+ (recommended 1.20+)
- Helm 3.6+ (recommended 3.7+)
## Before you begin
### Setup a Kubernetes Cluster
The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides.
For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/).
### Install Helm
Get the latest [Helm release](https://github.com/helm/helm#install).
### Add Helm chart repo
Once you have Helm installed, add the haproxytech Chat Repository as follows:
```console
helm repo add haproxytech https://haproxytech.github.io/helm-charts
helm repo update
```
Alternatively if you want to proceed with just OCI-based repository, skip this step and follow the installation with OCI.
## Install the chart
To install the chart with Helm v3 as _my-release_ deployment:
```console
helm install my-release haproxytech/haproxy
```
**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter:
```console
helm install haproxytech/haproxy \
--name my-release
```
Alternatively also have OCI-based repository available for simplified access:
```console
helm install oci://ghcr.io/haproxytech/helm-charts/haproxy --version 1.24.0
```
### Installing with unique name
To auto-generate resource names when installing, use the following:
```console
helm install haproxytech/haproxy \
--generate-name
```
### Installing from a private registry
To install the chart using a private registry for HAProxy (for instance to use a HAProxy Enterprise image) into a separate namespace _prod_.
**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`)
```console
helm install my-haproxy haproxytech/haproxy \
--namespace prod \
--set image.tag=latest \
--set image.repository=myregistry.domain.com/imagename \
--set imageCredentials.registry=myregistry.domain.com \
--set imageCredentials.username=MYUSERNAME \
--set imageCredentials.password=MYPASSWORD
```
Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace:
```console
helm install my-ingress haproxytech/haproxy \
--namespace prod \
--set image.tag=SOMETAG \
--set existingImagePullSecret name-of-existing-image-pull-secret
```
**_NOTE_**: Enterprise images using S6 overlay need default CMD arguments disabled (more about YAML configuration file for Helm can be found in a separate paragraph below):
```yaml
args:
enabled: false
```
### Installing as DaemonSet
Default image mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well:
```console
helm install my-haproxy2 haproxytech/haproxy \
--set kind=DaemonSet
```
**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string.
### Installing with Horizontal Pod Autoscaler
[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count. Therefore we want to unset default replicaCount by setting corresponding key value to null and enable autoscaling:
```console
helm install my-haproxy3 haproxytech/haproxy \
--set kind=Deployment \
--set replicaCount=null \
--set autoscaling.enabled=true \
--set autoscaling.targetCPUUtilizationPercentage=80
```
**_NOTE_**: Make sure to look into other tunable values for HPA documented in [values.yaml](values.yaml).
### Installing with service annotations
On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however:
```console
helm install my-haproxy4 haproxytech/haproxy \
--set kind=DaemonSet \
--set service.type=LoadBalancer \
--set service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \
--set service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true"
```
**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string.
### Using values from YAML file
As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm.
The `config` block can also support using helm templates to populate dynamic values, e.g. `{{ .Release.Name }}`.
_mylb.yaml_:
```yaml
kind: DaemonSet
config: |
global
log stdout format raw local0
daemon
maxconn 1024
defaults
log global
timeout client 60s
timeout connect 60s
timeout server {{ .Values.global.serverTimeout }}
frontend fe_main
bind :80
default_backend be_main
backend be_main
server web1 10.0.0.1:8080 check
server web2 {{ .Release.Name }}-web:8080 check
service:
type: LoadBalancer
annotations:
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
```
And invoking Helm becomes (compare to the previous example):
```console
helm install my-haproxy5 -f mylb.yml haproxytech/haproxy
```
### Using secrets in additional volume mounts
In order to e.g. support SSL certificates, you can mount additional volumes from secrets:
_mylb.yaml_:
```yaml
service:
type: LoadBalancer
config: |
global
log stdout format raw local0
daemon
maxconn 1024
defaults
log global
timeout client 60s
timeout connect 60s
timeout server 60s
frontend fe_main
mode http
bind :80
bind :443 ssl crt /usr/local/etc/ssl/tls.crt
http-request redirect scheme https code 301 unless { ssl_fc }
default_backend be_main
backend be_main
mode http
server web1 10.0.0.1:8080 check
mountedSecrets:
- volumeName: ssl-certificate
secretName: star-example-com
mountPath: /usr/local/etc/ssl
```
The above example assumes that there is a certificate in key `tls.crt` of a secret called `star-example-com`.
### Using additional volumes and volumeMounts
In order to load data from other sources (e.g. to preload something inside an init-container) you can mount additional volumes to the container:
```yaml
extraVolumes:
- name: tls
emptyDir: {}
- name: tmp
emptyDir:
medium: Memory
extraVolumeMounts:
- name: tls
mountPath: /etc/tls
- name: tmp
mountPath: /tmp
```
### Using additional environment variables
In order to expose extra data (e.g. node and pod IP addresses) to haproxy, you can populate extra environment variables on the container:
```yaml
extraEnvs:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
```
### Automatic configuration reloading
In some cases, configuration changes are frequent and constantly restarting HAProxy is not optimal. For those cases the HAProxy hot-reload feature
can be used.
In master-worker mode, sending a USR2 signal to the HAProxy process will trigger a configuration reload.
```yaml
config: |
global
log stdout format raw local0
master-worker
daemon
maxconn 1024
defaults
log global
timeout client 60s
timeout connect 60s
timeout server 60s
frontend fe_main
mode http
bind :80
http-request redirect scheme https code 301 unless { ssl_fc }
default_backend be_main
backend be_main
mode http
server web1 10.0.0.1:8080 check
```
Make sure you are not specifying subPath for any of your volumeMounts so that Kubernetes will automatically update the volumes created from
ConfigMaps.
And finally, use some sidecar container which will be delivering the signal to the process. The shareProcessNamespace Pod property is required
for the sidecars to be able to access other containers' processes.
```yaml
shareProcessNamespace:
enabled: true
sidecarContainers:
- name: reflex
image: acim/go-reflex:1.17.3
command: ["reflex", "-d", "fancy"]
workingDir: /usr/local/etc/haproxy
args:
- -svr
- "..data"
- --
- bash
- -c
- 'pkill -SIGUSR2 "haproxy|hapee-lb"'
volumeMounts:
- name: haproxy-config
mountPath: /usr/local/etc/haproxy
resources:
limits:
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
```
## Installing as non-root with binding to privileged ports
To be able to bind to privileged ports such as tcp/80 and tcp/443 without root privileges (UID and GID are set to 1000 in the example, as HAProxy Docker image has UID/GID of 1000 reserved for HAProxy), there is a special workaround required as `NET_BIND_SERVICE` capability is [not propagated](https://github.com/kubernetes/kubernetes/issues/56374), so we need to use `initContainers` feature as well:
```yaml
kind: DaemonSet
containerPorts:
http: 80
https: 443
stat: 1024
daemonset:
useHostNetwork: true
useHostPort: true
hostPorts:
http: 80
https: 443
stat: 1024
config: |
global
log stdout format raw local0
maxconn 1024
defaults
log global
timeout client 60s
timeout connect 60s
timeout server 60s
frontend fe_main
bind :80
default_backend be_main
backend be_main
server web1 127.0.0.1:8080 check
securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
initContainers:
- name: sysctl
image: "busybox:musl"
command:
- /bin/sh
- -c
- sysctl -w net.ipv4.ip_unprivileged_port_start=0
securityContext:
privileged: true
```
## Upgrading the chart
To upgrade the _my-release_ deployment:
```console
helm upgrade my-release haproxytech/haproxy
```
## Uninstalling the chart
To uninstall/delete the _my-release_ deployment:
```console
helm delete my-release
```
## Debugging
It is possible to generate a set of YAML files for testing/debugging:
```console
helm install my-release haproxytech/haproxy \
--debug \
--dry-run
```
## Contributing
We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution.
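
Review bot: The private-registry example passes the registry password on the command line (`--set imageCredentials.password=MYPASSWORD`), which leaves it in shell history and the process list, and pairs it with `--set image.tag=latest`. Lead with the `existingImagePullSecret` form, or supply the credentials from a values file kept out of version control, and pin a concrete tag. In that same section `--set existingImagePullSecret name-of-existing-image-pull-secret` is missing its `=`, so the secret name is not passed as the value. Further down, `helm install my-haproxy5 -f mylb.yml` does not match the `_mylb.yaml_` file the text defines, the OCI example pins `--version 1.24.0` while Chart.yaml in this commit is at 1.28.1, and the "annotation key" note under "Installing as DaemonSet" is a copy of the one in the service annotations section and does not apply there. The non-root example combines `useHostNetwork: true` with a privileged init container running `sysctl -w net.ipv4.ip_unprivileged_port_start=0`; with host networking that write lands in the node's network namespace and changes the setting for every process on the node, which the README should state.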

BIN
haproxy/chart-icon.png Normal file

Binary file not shown.


@@ -0,0 +1,2 @@
kind: DaemonSet
replicaCount: 2
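
Review bot: `replicaCount: 2` has no effect alongside `kind: DaemonSet`: the DaemonSet template in this commit never reads `.Values.replicaCount`, only the Deployment template does. Drop the key here (and in the later DaemonSet probe values file that repeats it) so the test input does not suggest DaemonSet replicas are configurable.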


@@ -0,0 +1,13 @@
kind: DaemonSet
containerPorts:
http: 8080
https: 8443
stat: 8024
daemonset:
useHostNetwork: true
useHostPort: true
hostPorts:
http: 8080
https: 8443
stat: 8024
dnsPolicy: ClusterFirstWithHostNet


@@ -0,0 +1,3 @@
kind: DaemonSet
ingress:
enabled: true


@@ -0,0 +1,4 @@
kind: DaemonSet
service:
ipFamilies: [IPv4]
ipFamilyPolicy: SingleStack


@@ -0,0 +1,26 @@
kind: DaemonSet
replicaCount: 2
livenessProbe:
failureThreshold: 3
successThreshold: 1
initialDelaySeconds: 0
timeoutSeconds: 1
tcpSocket:
port: 80
periodSeconds: 10
readinessProbe:
failureThreshold: 3
successThreshold: 1
initialDelaySeconds: 0
timeoutSeconds: 1
tcpSocket:
port: 80
periodSeconds: 10
startupProbe:
failureThreshold: 20
successThreshold: 1
initialDelaySeconds: 0
timeoutSeconds: 1
tcpSocket:
port: 80
periodSeconds: 1


@@ -0,0 +1 @@
kind: Deployment


@@ -0,0 +1,18 @@
config: |
global
log stdout format raw local0
daemon
maxconn 1024
defaults
log global
timeout client 60s
timeout connect 60s
timeout server 60s
frontend fe_main
bind :80
default_backend be_main
backend be_main
server web1 10.0.0.1:8080 check


@@ -0,0 +1,19 @@
kind: Deployment
replicaCount: null
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
behavior:
scaleUp:
policies:
- type: Percent
value: 900
periodSeconds: 60
scaleDown:
stabilizationWindowSeconds: 600
policies:
- type: Pods
value: 1
periodSeconds: 600


@@ -0,0 +1,3 @@
kind: Deployment
ingress:
enabled: true


@@ -0,0 +1,4 @@
kind: Deployment
service:
ipFamilies: [IPv4]
ipFamilyPolicy: SingleStack


@@ -0,0 +1,25 @@
kind: Deployment
livenessProbe:
failureThreshold: 3
successThreshold: 1
initialDelaySeconds: 0
timeoutSeconds: 1
tcpSocket:
port: 80
periodSeconds: 10
readinessProbe:
failureThreshold: 3
successThreshold: 1
initialDelaySeconds: 0
timeoutSeconds: 1
tcpSocket:
port: 80
periodSeconds: 10
startupProbe:
failureThreshold: 20
successThreshold: 1
initialDelaySeconds: 0
timeoutSeconds: 1
tcpSocket:
port: 80
periodSeconds: 1


@@ -0,0 +1,58 @@
HAProxy has been has been successfully installed. This Chart is used to run HAProxy as a regular application,
as opposed to HAProxy Ingress Controller Chart.
Controller image deployed is: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}".
Your HAProxy app is of a "{{ .Values.kind }}" kind.
Service ports mapped are:
{{- $nodePorts := .Values.service.nodePorts }}
{{- $servicePortType := .Values.service.type }}
{{- if eq .Values.kind "Deployment" }}
{{- range $key, $value := .Values.containerPorts }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if and (hasKey $nodePorts $key) (eq $servicePortType "NodePort") }}
nodePort: {{ get $nodePorts $key }}
{{- end }}
{{- end }}
{{- end }}
{{- if eq .Values.kind "DaemonSet" }}
{{- $hostPorts := .Values.daemonset.hostPorts -}}
{{- $useHostPort := .Values.daemonset.useHostPort -}}
{{- range $key, $value := .Values.containerPorts }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ index $hostPorts $key | default $value }}
{{- end }}
{{- if and (hasKey $nodePorts $key) (eq $servicePortType "NodePort") }}
nodePort: {{ get $nodePorts $key }}
{{- end }}
{{- end }}
{{- end }}
To be able to bind to privileged ports as non-root, the following is required:
securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
initContainers:
- name: sysctl
image: "busybox:musl"
command:
- /bin/sh
- -c
- sysctl -w net.ipv4.ip_unprivileged_port_start=0
securityContext:
privileged: true
Node IP can be found with:
$ kubectl --namespace {{ template "haproxy.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}"
For more examples and up to date documentation, please visit:
* Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/haproxy
* HAProxy Alpine Docker container documentation: https://github.com/haproxytech/haproxy-docker-alpine
* HAProxy documentation: https://www.haproxy.org/download/2.7/doc/configuration.txt
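
Review bot: In the DaemonSet branch, `hostPort: {{ index $hostPorts $key | default $value }}` reports a host port for every container port, but the DaemonSet template only emits `hostPort` when `(index $hostPorts $key)` is set, so the notes can list a host port that was never opened. Use the same `and $useHostPort (index $hostPorts $key)` condition here. Smaller points: the opening line reads "has been has been", "Controller image deployed" is misleading for a chart that says it is not the Ingress Controller, the privileged `sysctl` initContainer advice is printed on every install whether or not privileged ports are in use, and the documentation link targets the 2.7 configuration manual while Chart.yaml sets `appVersion: 3.3.6`.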


@@ -0,0 +1,105 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
Expand the name of the chart.
*/}}
{{- define "haproxy.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "haproxy.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "haproxy.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "haproxy.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "haproxy.labels" -}}
helm.sh/chart: {{ include "haproxy.chart" . }}
{{ include "haproxy.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "haproxy.selectorLabels" -}}
app.kubernetes.io/name: {{ include "haproxy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "haproxy.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "haproxy.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create includes name
*/}}
{{- define "haproxy.includes" -}}
{{- printf "%s-%s" (include "haproxy.fullname" .) "includes" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Encode an imagePullSecret string.
*/}}
{{- define "haproxy.imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
{{- end }}
{{/* vim: set filetype=mustache: */}}
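
Review bot: `haproxy.imagePullSecret` assembles the registry auth JSON with `printf "{\"auths\": {\"%s\": ...`, interpolating `.Values.imageCredentials.registry` into the document unescaped, so a registry value containing a double quote or backslash yields invalid or altered JSON. Build the structure with `dict` and serialise it with `toJson` before the outer `b64enc`. The helper also renders without complaint when `username` or `password` is empty; wrapping those values in `required` would turn a half-configured credential into a template error instead of a pull failure at runtime.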


@@ -0,0 +1,41 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.config }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
data:
{{ .Values.configMount.subPath | default "haproxy.cfg" }}: |+
{{ tpl .Values.config . | nindent 4 }}
{{- end }}
{{- if .Values.includes }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "haproxy.includes" . }}
namespace: {{ include "haproxy.namespace" . }}
data:
{{- range $key, $val := .Values.includes }}
{{ $key }}: | {{ $val | nindent 4 }}
{{- end }}
{{- end }}
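
Review bot: The second ConfigMap (`name: {{ include "haproxy.includes" . }}`) has no `labels:` block, while the first one gets `haproxy.labels`, so the includes object is missed by label selectors and label-based cleanup. Its values are also written with `{{ $val | nindent 4 }}` and never passed through `tpl`, unlike `.Values.config`, so a template expression in an include file is rendered literally; either apply `tpl` to both or document the difference. Since `tpl .Values.config .` places the rendered configuration in a ConfigMap, the chart documentation should tell users to keep credentials out of `config` and mount them from a Secret.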


@@ -0,0 +1,193 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if eq .Values.kind "DaemonSet" }}
{{- $useHostNetwork := .Values.daemonset.useHostNetwork -}}
{{- $useHostPort := .Values.daemonset.useHostPort -}}
{{- $hostPorts := .Values.daemonset.hostPorts -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
spec:
minReadySeconds: {{ .Values.minReadySeconds }}
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
selector:
matchLabels:
{{- include "haproxy.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "haproxy.selectorLabels" . | nindent 8 }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
annotations:
{{- if .Values.checksumConfigMap.enabled }}
checksum/environment: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{ tpl (toYaml .Values.podAnnotations) . | indent 8 }}
{{- end }}
spec:
{{- if .Values.shareProcessNamespace.enabled }}
shareProcessNamespace: true
{{- end }}
serviceAccountName: {{ include "haproxy.serviceAccountName" . }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- if .Values.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "haproxy.fullname" . }}
{{- else if .Values.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.existingImagePullSecret }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
volumes:
- name: haproxy-config
configMap:
name: {{ include "haproxy.fullname" . }}
{{- if .Values.includes }}
- name: includes
projected:
sources:
- configMap:
name: {{ include "haproxy.includes" . }}
{{- end }}
{{- range $mountedSecret := .Values.mountedSecrets }}
- name: {{ $mountedSecret.volumeName }}
secret:
secretName: {{ $mountedSecret.secretName }}
{{- end }}
{{- with.Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
{{- with.Values.sidecarContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
- name: {{ .Chart.Name }}
{{- if .Values.securityContext.enabled }}
securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.args.enabled }}
args:
{{- range .Values.args.defaults }}
- {{ . }}
{{- end }}
{{- range .Values.args.extraArgs }}
- {{ . }}
{{- end }}
{{- end }}
ports:
{{- range $key, $value := .Values.containerPorts }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if and $useHostPort (index $hostPorts $key) }}
hostPort: {{ index $hostPorts $key }}
{{- end }}
{{- end }}
{{- with .Values.rawContainerPorts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.livenessProbe }}
livenessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.startupProbe }}
startupProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.extraEnvs }}
env:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.extraEnvFrom }}
envFrom:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.lifecycle }}
lifecycle:
{{- if eq "string" (printf "%T" .Values.lifecycle) }}
{{ tpl .Values.lifecycle . | indent 12 }}
{{- else }}
{{ toYaml .Values.lifecycle | indent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- name: haproxy-config
mountPath: {{ .Values.configMount.mountPath }}
{{- if .Values.configMount.subPath }}
subPath: {{ .Values.configMount.subPath }}
{{- end }}
{{- if .Values.includes }}
- name: includes
mountPath: {{ .Values.includesMountPath }}
{{- end }}
{{- with.Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- range $mountedSecret := .Values.mountedSecrets }}
- name: {{ $mountedSecret.volumeName }}
mountPath: {{ $mountedSecret.mountPath }}
{{- end }}
{{- with.Values.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
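
Review bot: Under `volumes:`, the `haproxy-config` volume always references the ConfigMap `{{ include "haproxy.fullname" . }}`, but the ConfigMap template in this commit is only rendered inside `{{- if .Values.config }}`, so an install with an empty `config` produces pods that wait on a ConfigMap that does not exist. Guard the volume and its `volumeMounts` entry with the same condition, or fail the render with `required`. Style: four blocks are written `with.Values.…` without a space (`extraVolumes`, `sidecarContainers`, `extraVolumeMounts`, `initContainers`) while the rest of the file uses `with .Values.…`; make them consistent. `annotations:` in the pod template is also emitted when neither `checksumConfigMap.enabled` nor `podAnnotations` is set, leaving an empty key.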


@@ -0,0 +1,198 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if eq .Values.kind "Deployment" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
{{- if .Values.deploymentLabels }}
{{ tpl (toYaml .Values.deploymentLabels) . | indent 4 }}
{{- end }}
annotations:
{{- if .Values.deploymentAnnotations }}
{{ tpl (toYaml .Values.deploymentAnnotations) . | indent 4 }}
{{- end }}
spec:
minReadySeconds: {{ .Values.minReadySeconds }}
{{- if and (not .Values.autoscaling.enabled) (not .Values.keda.enabled) }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "haproxy.selectorLabels" . | nindent 6 }}
{{- with .Values.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
{{- include "haproxy.selectorLabels" . | nindent 8 }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
annotations:
{{- if .Values.checksumConfigMap.enabled }}
checksum/environment: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{ tpl (toYaml .Values.podAnnotations) . | indent 8 }}
{{- end }}
spec:
{{- if .Values.shareProcessNamespace.enabled }}
shareProcessNamespace: true
{{- end }}
serviceAccountName: {{ include "haproxy.serviceAccountName" . }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- if .Values.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "haproxy.fullname" . }}
{{- else if .Values.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.existingImagePullSecret }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
volumes:
- name: haproxy-config
configMap:
name: {{ include "haproxy.fullname" . }}
{{- if .Values.includes }}
- name: includes
projected:
sources:
- configMap:
name: {{ include "haproxy.includes" . }}
{{- end }}
{{- range $mountedSecret := .Values.mountedSecrets }}
- name: {{ $mountedSecret.volumeName }}
secret:
secretName: {{ $mountedSecret.secretName }}
{{- end }}
{{- with.Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
{{- with.Values.sidecarContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
- name: {{ .Chart.Name }}
{{- if .Values.securityContext.enabled }}
securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.args.enabled }}
args:
{{- range .Values.args.defaults }}
- {{ . }}
{{- end }}
{{- range .Values.args.extraArgs }}
- {{ . }}
{{- end }}
{{- end }}
ports:
{{- range $key, $value := .Values.containerPorts }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- end }}
{{- with .Values.rawContainerPorts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.livenessProbe }}
livenessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.startupProbe }}
startupProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.extraEnvs }}
env:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.extraEnvFrom }}
envFrom:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.lifecycle }}
lifecycle:
{{- if eq "string" (printf "%T" .Values.lifecycle) }}
{{ tpl .Values.lifecycle . | indent 12 }}
{{- else }}
{{ toYaml .Values.lifecycle | indent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- name: haproxy-config
mountPath: {{ .Values.configMount.mountPath }}
{{- if .Values.configMount.subPath }}
subPath: {{ .Values.configMount.subPath }}
{{- end }}
{{- if .Values.includes }}
- name: includes
mountPath: {{ .Values.includesMountPath }}
{{- end }}
{{- with.Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- range $mountedSecret := .Values.mountedSecrets }}
- name: {{ $mountedSecret.volumeName }}
mountPath: {{ $mountedSecret.mountPath }}
{{- end }}
{{- with.Values.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
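Review bot: the container `securityContext` is emitted only when `.Values.securityContext.enabled` is truthy, so a values file that sets `runAsNonRoot` or `capabilities` but omits `enabled: true` renders no securityContext at all, and values.yaml ships `securityContext: {}`. Render the block whenever the map (minus `enabled`) is non-empty, or ship a restrictive default. Separately, the `args` items are written as `- {{ . }}` without `quote`, so an argument containing YAML-significant characters will not survive rendering, and `with.Values.extraVolumeMounts` / `with.Values.initContainers` lack the space used by every other `with .Values` in this file.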

@@ -0,0 +1,63 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.kind "Deployment") .Values.autoscaling.enabled }}
{{- if not .Values.keda.enabled }}
{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}
apiVersion: autoscaling/v2
{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }}
apiVersion: autoscaling/v2beta2
{{- else }}
{{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }}
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "haproxy.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
{{- if .Values.autoscaling.behavior }}
behavior: {{- toYaml .Values.autoscaling.behavior | nindent 4 }}
{{- end }}
metrics:
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- with .Values.autoscaling.additionalMetrics }}
{{- toYaml . | trim | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

@@ -0,0 +1,40 @@
{{- if .Values.httpRoute.enabled -}}
{{- $fullName := include "haproxy.fullname" . -}}
{{- $svcPort := .Values.httpRoute.servicePort -}}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ $fullName }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
{{- with .Values.httpRoute.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.httpRoute.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
parentRefs:
{{- with .Values.httpRoute.parentRefs }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.httpRoute.hostnames }}
hostnames:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{- range .Values.httpRoute.rules }}
{{- with .matches }}
- matches:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .filters }}
filters:
{{- toYaml . | nindent 8 }}
{{- end }}
backendRefs:
- name: {{ $fullName }}
port: {{ $svcPort }}
{{- end }}
{{- end }}
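Review bot: `metadata` in this HTTPRoute has no `namespace:` line, while the other namespaced templates in this commit set `namespace: {{ include "haproxy.namespace" . }}`; with `namespaceOverride` set, the route is created in the release namespace while its `backendRefs` name a Service that lives in the override namespace. Add the same namespace line here. In `rules`, the list marker sits inside `{{- with .matches }}` (`- matches:`), so a rule without `matches` emits `filters:` and `backendRefs:` with no list item to attach to; emit the dash outside the `with`. `parentRefs:` is likewise written even when `.Values.httpRoute.parentRefs` is empty.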

@@ -0,0 +1,59 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "haproxy.fullname" . -}}
{{- $svcPort := .Values.ingress.servicePort -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
{{- with .Values.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- toYaml .Values.ingress.tls | nindent 4 }}
{{- end -}}
{{- end }}
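Review bot: `pathType` is emitted only when the path entry sets it, yet on clusters >=1.19 the template selects `networking.k8s.io/v1`, where `pathType` is a required field, so a path entry without it is rejected at install time. Default it (for example `{{ .pathType | default "Prefix" }}`) or `fail` with a clear message. `path: {{ .path }}` is also unquoted, unlike `host: {{ .host | quote }}` two lines above it.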

@@ -0,0 +1,54 @@
{{/*
Copyright 2021 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.kind "Deployment") .Values.keda.enabled }}
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
{{- if .Values.keda.scaledObject.annotations }}
annotations: {{ toYaml .Values.keda.scaledObject.annotations | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "haproxy.fullname" . }}
pollingInterval: {{ .Values.keda.pollingInterval }}
cooldownPeriod: {{ .Values.keda.cooldownPeriod }}
minReplicaCount: {{ .Values.keda.minReplicas }}
maxReplicaCount: {{ .Values.keda.maxReplicas }}
triggers:
{{- with .Values.keda.triggers }}
{{ toYaml . | indent 2 }}
{{ end }}
{{- with .Values.keda.fallback }}
fallback:
{{ toYaml . | indent 4 }}
{{- end }}
advanced:
restoreToOriginalReplicaCount: {{ .Values.keda.restoreToOriginalReplicaCount }}
{{- if .Values.keda.behavior }}
horizontalPodAutoscalerConfig:
behavior:
{{ with .Values.keda.behavior -}}
{{ toYaml . | indent 8 }}
{{ end }}
{{- end }}
{{- end }}
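Review bot: `triggers:` is written unconditionally and its body comes from `with .Values.keda.triggers`, which values.yaml defaults to `[]`, so setting `keda.enabled: true` without adding a trigger renders an empty `triggers:` key. Fail fast with a clear message when the list is empty. The `{{ end }}` closing that `with` and the `{{ with .Values.keda.behavior -}}` pair are not whitespace-trimmed like the rest of the file, and `nindent` would match the style of the other templates better than `indent`.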

@@ -0,0 +1,41 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.PodDisruptionBudget.enable }}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else if .Capabilities.APIVersions.Has "policy/v1beta1" }}
apiVersion: policy/v1beta1
{{- else }}
{{- fail "ERROR: You must have policy/v1 or policy/v1 to use PodDisruptionBudget" }}
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
spec:
{{- if .Values.PodDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.PodDisruptionBudget.maxUnavailable }}
{{- end }}
{{- if .Values.PodDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.PodDisruptionBudget.minAvailable }}
{{- end }}
selector:
matchLabels:
{{- include "haproxy.selectorLabels" . | nindent 6 }}
{{- end }}
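Review bot: `maxUnavailable` and `minAvailable` are each rendered under their own `if`, so setting both in values produces a spec carrying both fields, which a PodDisruptionBudget does not accept; a value of `0` for either is also dropped because it is falsy. Add a `fail` when both are set and test for presence with `hasKey` rather than truthiness. The `fail` text reads "policy/v1 or policy/v1"; the second should be `policy/v1beta1`. values.yaml describes the PDB as Deployment-only, but nothing in this template checks `.Values.kind`.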

@@ -0,0 +1,85 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
{{- $useHostNetwork := .Values.daemonset.useHostNetwork -}}
{{- $useHostPort := .Values.daemonset.useHostPort -}}
{{- $hostPorts := .Values.daemonset.hostPorts -}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodSecurityPolicy
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
{{- if .Values.podSecurityPolicy.annotations }}
annotations:
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
{{- else }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- NET_BIND_SERVICE
defaultAllowPrivilegeEscalation: false
fsGroup:
rule: MustRunAs
ranges:
- max: 65535
min: 1
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- if or $useHostPort $useHostNetwork }}
hostPorts:
{{- range $key, $value := .Values.containerPorts }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
hostIPC: false
hostPID: false
privileged: false
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- max: 65535
min: 1
volumes:
- configMap
- emptyDir
- projected
- secret
{{- with .Values.podSecurityPolicy.allowedUnsafeSysctls }}
allowedUnsafeSysctls:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
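Review bot: the spec sets `allowPrivilegeEscalation: true` and `runAsUser: rule: RunAsAny`, so a pod admitted under this policy may run as root and gain privileges, even though `privileged: false` is set and only NET_BIND_SERVICE is allowed. Consider `MustRunAsNonRoot` for `runAsUser`, and add a comment explaining why escalation has to stay enabled if it does. `$hostPorts` is assigned from `.Values.daemonset.hostPorts` but never used (the `hostPorts` ranges are built from `.Values.containerPorts`), and PodSecurityPolicy was never served from `policy/v1`, so the `policy/v1/PodSecurityPolicy` branch is dead code.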

@@ -0,0 +1,28 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.imageCredentials.registry }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ include "haproxy.imagePullSecret" . }}
{{- end }}
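Review bot: the gate tests only `.Values.imageCredentials.registry`, so a registry set with `username` and `password` left at their `null` defaults still produces a dockerconfigjson Secret, and one is also created when `existingImagePullSecret` is supplied. Wrap the credentials in `required` and skip this Secret when an existing pull secret is named. Because the password arrives through values, the chart documentation should say that it ends up in the stored Helm release data as well as in this Secret.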

@@ -0,0 +1,34 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
rules:
- apiGroups:
- "policy"
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ include "haproxy.fullname" . }}
{{- end -}}
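Review bot: this Role is rendered whenever `rbac.create` and `podSecurityPolicy.enabled` are set, but the PodSecurityPolicy it names in `resourceNames` is additionally gated on `semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version`. On 1.25 and later the Role is still created and grants `use` on a policy that the chart no longer installs. Apply the same version guard here so the two objects appear and disappear together.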

@@ -0,0 +1,33 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "haproxy.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "haproxy.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
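Review bot: the subject's `namespace: {{ .Release.Namespace }}` disagrees with the ServiceAccount template, which creates the account in `{{ include "haproxy.namespace" . }}`. With `namespaceOverride` set, the binding names a ServiceAccount in the release namespace that does not exist there, so the PSP `use` grant never reaches the pod's account. Use `include "haproxy.namespace" .` for the subject, and add the same `<1.25.0-0` version guard that the PodSecurityPolicy template carries.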

@@ -0,0 +1,91 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
{{- range $key, $value := .Values.service.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
annotations:
{{- range $key, $value := .Values.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
type: {{ .Values.service.type }}
selector:
{{- include "haproxy.selectorLabels" . | nindent 4 }}
{{- if .Values.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
{{- end }}
{{- if .Values.service.internalTrafficPolicy }}
internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }}
{{- end }}
{{- with .Values.service.clusterIP }}
clusterIP: {{ . | quote}}
{{- end }}
{{- with .Values.service.loadBalancerIP }}
loadBalancerIP: {{ . | quote }}
{{- end }}
{{- with .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies:
{{- toYaml .Values.service.ipFamilies | nindent 2 }}
{{- end }}
{{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy | quote }}
{{- end }}
{{- with .Values.service.externalIPs }}
externalIPs:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- if or .Values.containerPorts .Values.service.additionalPorts .Values.service.rawAdditionalPorts }}
{{- $nodePorts := .Values.service.nodePorts }}
{{- $servicePortType := .Values.service.type }}
ports:
{{- with .Values.containerPorts }}
{{- range $key, $port := . }}
- name: {{ $key }}
protocol: TCP
port: {{ $port }}
targetPort: {{ $key }}
{{- if and (hasKey $nodePorts $key) (eq $servicePortType "NodePort") }}
nodePort: {{ get $nodePorts $key }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.service.additionalPorts }}
{{- range $key, $port := . }}
- name: {{ $key }}
protocol: TCP
port: {{ $port }}
targetPort: {{ $key }}
{{- if and (hasKey $nodePorts $key) (eq $servicePortType "NodePort") }}
nodePort: {{ get $nodePorts $key }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.service.rawAdditionalPorts }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
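Review bot: the `ports` loop publishes every key of `.Values.containerPorts`, and values.yaml lists `stat: 1024` beside `http` and `https`, so the stats port is exposed on the Service by default; with `service.type: LoadBalancer` and the default empty `loadBalancerSourceRanges` it is published on the external load balancer as well. Add a way to keep a container port off the Service (or drop `stat` from the default) so the stats listener is opt-in. `annotations:` is also emitted as an empty key when `service.annotations` is unset; wrap it in `with` as the other templates do.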

@@ -0,0 +1,32 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "haproxy.serviceAccountName" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end }}
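Review bot: `automountServiceAccountToken` is passed straight through from values, where it defaults to `true`, yet the only RBAC bound to this account in the templates shown here is the PSP `use` Role. If HAProxy itself never calls the Kubernetes API, default the value to `false` so no API token is mounted into the proxy pod, and let users opt in.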

@@ -0,0 +1,37 @@
{{/*
Copyright 2022 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "haproxy.fullname" . }}
namespace: {{ include "haproxy.namespace" . }}
labels:
{{- include "haproxy.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.extraLabels }}
{{ toYaml .Values.serviceMonitor.extraLabels | nindent 4 }}
{{- end }}
spec:
endpoints:
{{ .Values.serviceMonitor.endpoints | toYaml | nindent 4 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
{{- include "haproxy.selectorLabels" . | nindent 6 }}
{{- end }}
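Review bot: `namespaceSelector.matchNames` uses `{{ .Release.Namespace }}`, while the Service this monitor is meant to select is created in `{{ include "haproxy.namespace" . }}`. With `namespaceOverride` set, the monitor looks in the release namespace and finds no matching Service, so scraping silently stops. Use `include "haproxy.namespace" .` here. The `extraLabels` and `endpoints` lines also start with `{{ ` rather than `{{- `, unlike the rest of the file.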

643
haproxy/values.yaml Normal file
@@ -0,0 +1,643 @@
# Copyright 2020 HAProxy Technologies LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Default values for HAProxy
## Configure Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccount:
annotations: {}
create: true
name:
automountServiceAccountToken: true
## Override namespace for for the whole chart
## If namespaceOverride is set, helm will use it's value instead of .Release.Namespace for all chart components.
## It is useful in case Haproxy is used as a dependency for another helm chart. Value can be overridden in parent chart values.yaml
## Example values.yaml of parent chart:
# namespaceOverride: haproxytech
## Default values for image
image:
repository: docker.io/haproxytech/haproxy-alpine # can be changed to use CE or EE images
tag: "" # overrides the image tag whose default is the chart appVersion
pullPolicy: IfNotPresent
## Automatically Roll Deployments
# ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksumConfigMap:
enabled: true
## Share Process Namespace between Containers in a Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
shareProcessNamespace:
enabled: false
## Pods: How Pods manage multiple containers
# ref: https://kubernetes.io/docs/concepts/workloads/pods/#workload-resources-for-managing-pods
# ref: https://kubernetes.io/docs/concepts/workloads/pods/#how-pods-manage-multiple-containers
sidecarContainers: []
## Reflex
# ref: https://github.com/cespare/reflex
# ref: https://hub.docker.com/r/acim/go-reflex
# - name: reflex
# image: acim/go-reflex:1.17.3
# command: ["reflex", "-d", "fancy"]
# workingDir: /usr/local/etc/haproxy
# args:
# - -svr
# - "..data"
# - --
# - bash
# - -c
# - 'pkill -SIGUSR2 "haproxy|hapee-lb"'
# ports:
# - name: tcp
# containerPort: 3000
# protocol: TCP
# imagePullPolicy: IfNotPresent
# volumeMounts:
# - name: haproxy-config
# mountPath: /usr/local/etc/haproxy
# resources:
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 50m
# memory: 64Mi
## Deployment or DaemonSet pod mode
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
kind: Deployment # can be 'Deployment' or 'DaemonSet'
replicaCount: 1 # used only for Deployment mode
## minReadySeconds setting of Deployment or DaemonSet
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds
minReadySeconds: 0
## Command line arguments to pass to HAProxy
args:
enabled: true # EE images require disabling this due to S6-overlay
# ref: http://cbonte.github.io/haproxy-dconv/2.6/management.html#3
defaults: ["-f", "/usr/local/etc/haproxy/haproxy.cfg"]
extraArgs: [] # EE images require disabling this due to S6-overlay
## Annotations to add to the deployment metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
deploymentAnnotations: {}
# key: value
deploymentLabels: {}
# key: value
## Controller Container liveness/readiness probe configuration
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe:
{}
# failureThreshold: 3
# successThreshold: 1
# initialDelaySeconds: 0
# timeoutSeconds: 1
# tcpSocket:
# port: 80
# periodSeconds: 10
readinessProbe:
{}
# failureThreshold: 3
# successThreshold: 1
# initialDelaySeconds: 0
# timeoutSeconds: 1
# tcpSocket:
# port: 80
# periodSeconds: 10
startupProbe:
{}
# failureThreshold: 20
# successThreshold: 1
# initialDelaySeconds: 0
# timeoutSeconds: 1
# tcpSocket:
# port: 80
# periodSeconds: 1
## DaemonSet configuration
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
daemonset:
useHostNetwork: false # also modify dnsPolicy accordingly
useHostPort: false
hostPorts:
http: 80
https: 443
stat: 1024
## Init Containers
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# - name: sysctl
# image: "busybox:musl"
# command:
# - /bin/sh
# - -c
# - sysctl -w net.core.somaxconn=65536
# securityContext:
# privileged: true
## Pod termination grace period
## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
terminationGracePeriodSeconds: 60
## Private Registry configuration
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imageCredentials:
registry: null # EE images require setting this
username: null # EE images require setting this
password: null # EE images require setting this
existingImagePullSecret: null
## Container listener port configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
containerPorts: # has to match hostPorts when useHostNetwork is true
http: 80
https: 443
stat: 1024
## Raw container ports configuration (alternative to containerPorts for more control)
## Allows specifying container ports in full Kubernetes format with custom protocols, names, etc.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#containerport-v1-core
rawContainerPorts: []
# Example:
# - containerPort: 9090
# name: metrics-port
# protocol: TCP
# - containerPort: 8080
# name: custom-http
# protocol: TCP
## Deployment strategy definition
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
strategy: {}
# rollingUpdate:
# maxSurge: 25%
# maxUnavailable: 25%
# type: RollingUpdate
## Pod PriorityClass
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""
## Container lifecycle handlers
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle: {}
## Example preStop for graceful shutdown
# preStop:
# exec:
# command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"]
## Additional envs to the main container
extraEnvs: []
## Example passing the pod IP into a container
# - name: POD_IP
# valueFrom:
# fieldRef:
# fieldPath: status.podIP
## Use envFrom to add env vars from a secret or ConfigMap to the HAProxy container
## ref: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
extraEnvFrom: []
## Example passing the pod IP into a container
# - configMapRef:
# name: ha-env-config
## Additional volumeMounts to the controller main container
extraVolumeMounts: []
## Example empty volume mounts when using securityContext->readOnlyRootFilesystem
# - name: etc-haproxy
# mountPath: /etc/haproxy
# - name: tmp
# mountPath: /tmp
# - name: var-state-haproxy
# mountPath: /var/state/haproxy
## Additional volumes to the controller pod
extraVolumes: []
## Example empty volumes when using securityContext->readOnlyRootFilesystem
# - name: etc-haproxy
# emptyDir: {}
# - name: tmp
# emptyDir: {}
# - name: var-state-haproxy
# emptyDir: {}
## HAProxy daemon configuration
# ref: https://www.haproxy.org/download/2.6/doc/configuration.txt
config: |
global
log stdout format raw local0
maxconn 1024
defaults
log global
timeout client 60s
timeout connect 60s
timeout server 60s
frontend fe_main
bind :80
default_backend be_main
backend be_main
server web1 10.0.0.1:8080 check
# Mount path and sub path for config file
configMount:
mountPath: /usr/local/etc/haproxy # EE images use /etc/hapee-VERSION/hapee-lb.cfg
subPath: "" # EE images use hapee-lb.cfg
## Basic features : Maps
# ref: http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#7.3.1-map
# ref: http://cbonte.github.io/haproxy-dconv/2.6/intro.html#3.3.8
includes:
# routes.map: |
# www.example.com/v1 www.example2.com/v2
# api.example.com/v1 api.example2.com/v2
# static.example.com/v1 static.example2.com/v2
# 200.http: |
# HTTP/1.1 200 OK
# Cache-Control: no-cache
# Connection: close
# Content-Type: text/html
# <html><body><h1>200 OK</h1>
# Check passed.
# </body></html>
## Mount path for includes and maps
includesMountPath: /usr/local/etc/haproxy/includes # EE images use /etc/hapee-VERSION
## Additional secrets to mount as volumes
## This is expected to be an array of dictionaries specifying the volume name, secret name and mount path
mountedSecrets: []
# - volumeName: ssl-certificate
# secretName: star-example-com
# mountPath: /usr/local/etc/ssl
## Pod Node assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
## Node Taints and Tolerations for pod-node cheduling through attraction/repelling
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# - key: "key"
# operator: "Equal|Exists"
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
## Node Affinity for pod-node scheduling constraints
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
## Topology spread constraints (only used in kind: Deployment)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: kubernetes-ingress
# app.kubernetes.io/instance: kubernetes-ingress
## Pod DNS Config
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
dnsConfig: {}
## Pod DNS Policy
## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ClusterFirst
## Additional labels to add to the pod container metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
# key: value
## Additional annotations to add to the pod container metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# key: value
## Enable RBAC Authorization
## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
rbac:
create: true
## Disableable use of Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
annotations: {}
## Specify pod annotations
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
### WARNING!!! "Apparmor is only available Ubuntu/Debian distributions of Linux."
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
# seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
# seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
enabled: false
# ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
# Enable only when added kublet arg: --allowed-unsafe-sysctls strings
allowedUnsafeSysctls:
# - net.*
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
podSecurityContext: {}
### ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
### Sysctls enable only when added kublet arg: --allowed-unsafe-sysctls strings
# sysctls:
# - name: net.ipv4.tcp_rmem
# value: 4096 16060 262144
# - name: net.ipv4.tcp_wmem
# value: 4096 16384 262144
# - name: net.ipv4.tcp_tw_reuse
# value: "1"
# - name: net.ipv4.ip_local_port_range
# value: 1024 65023
# - name: net.ipv4.tcp_max_syn_backlog
# value: "60000"
# - name: net.ipv4.tcp_fin_timeout
# value: "30"
# - name: net.ipv4.tcp_synack_retries
# value: "3"
# - name: net.ipv4.ip_nonlocal_bind
# value: "1"
# - name: net.core.somaxconn
# value: "60000"
## Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext: {}
# enabled: true
# runAsNonRoot: true
# runAsUser: 1000
# runAsGroup: 1000
# allowPrivilegeEscalation: true
# capabilities:
# drop:
# - ALL
# add:
# - NET_BIND_SERVICE
# seccompProfile:
# type: RuntimeDefault
## Compute Resources
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
resources:
# limits:
# cpu: 250m
# memory: 128Mi
requests:
cpu: 250m
memory: 128Mi
## Horizontal Pod Scaler
## Only to be used with Deployment kind
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 7
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# additionalMetrics:
# - type: Object
# object:
# metric:
# name: requests-per-second
# describedObject:
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# name: main-route
# target:
# type: Value
# value: 10k
## Behavior
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
# behavior:
# scaleDown:
# stabilizationWindowSeconds: 3600
keda:
enabled: false
minReplicas: 2
maxReplicas: 20
pollingInterval: 30
cooldownPeriod: 300
restoreToOriginalReplicaCount: false
# fallback:
# failureThreshold: 3
# replicas: 6
# behavior: static
scaledObject:
annotations: {}
behavior: {}
# scaleDown:
# stabilizationWindowSeconds: 300
# policies:
# - type: Percent
# value: 100
# periodSeconds: 15
triggers: []
# - type: prometheus
# metadata:
# serverAddress: http://<prometheus-host>:9090
# metricName: haproxy_process_idle_time_percent
# threshold: '50'
# query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m]))
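Review bot: The example trigger's `query` selects `container="kubernetes-ingress-controller"` and `service="mytest-kubernetes-ingress"`, labels that look carried over from the ingress controller chart and will not match pods deployed by this `haproxy` chart, so a user who uncomments it gets a scaler that never sees data. Replace the label values with placeholders in the same style as `<prometheus-host>` (for example `<container-name>` and `<service-name>`) and add a line saying they must match the release. The `serverAddress` example uses plain `http://`; a short comment that the Prometheus endpoint should be reachable only inside the cluster, or served over TLS with KEDA authentication configured, would help here.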
## Pod Disruption Budget
## Only to be used with Deployment kind
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
PodDisruptionBudget:
enable: false
# maxUnavailable: 1
# minAvailable: 1
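Review bot: The toggle here is `enable: false` under a capitalised `PodDisruptionBudget` key, while every other block in this file (`autoscaling`, `keda`, `serviceMonitor`, `ingress`, `httpRoute`) uses a lower-camel key with `enabled`. A user who sets `podDisruptionBudget.enabled: true` by analogy gets no PDB and no error, which is an availability gap that only shows up during a node drain. Either rename to match the other blocks (keeping the old key as a fallback in the template if compatibility matters) or call out the different spelling in the comment above it.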
## Service configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
service:
type: ClusterIP # can be 'ClusterIP', 'NodePort', 'LoadBalancer'
## Service ClusterIP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
clusterIP: ""
## LoadBalancer IP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
loadBalancerIP: ""
## Source IP ranges permitted to access Network Load Balancer
# ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
loadBalancerSourceRanges: []
## Service ExternalIPs
# ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
externalIPs: []
## Service annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations: {}
## Service labels
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
labels: {}
## IPv4/IPv6 dual-stack
## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
##
# ipFamilies: [IPv4, IPv6]
# ipFamilyPolicy: PreferDualStack
## Service externalTrafficPolicy
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
# externalTrafficPolicy: Cluster
## Service internalTrafficPolicy
## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/
# internalTrafficPolicy: Cluster
## Additional Service ports to use(e.g. port of side container haproxy exporter)
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
additionalPorts: {}
# prometheus: 9101
## Raw additional service ports configuration (alternative to additionalPorts for more control)
## Allows specifying service ports in full Kubernetes format with custom protocols, names, etc.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#serviceport-v1-core
rawAdditionalPorts: []
# Example:
# - name: metrics-port
# port: 9090
# targetPort: 9090
# protocol: TCP
# - name: custom-service
# port: 8080
# targetPort: custom-http
# protocol: TCP
## NodePort custom port
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport-custom-port
nodePorts: {}
# http: 32080
# https: 32443
serviceMonitor:
## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured
enabled: false
## Specify the labels to add to the ServiceMonitors to be selected for target discovery
extraLabels: {}
## Specify the endpoints
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor
endpoints:
- port: prometheus
path: /metrics
scheme: http
interval: 30s
## Configure Ingress
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: false
servicePort: 80
## Ingress class
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
className: ""
## Ingress labels
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
labels: {}
## Ingress annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## Ingress hosts
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
hosts:
- host: haproxy.domain.com
paths:
- path: /
pathType: ImplementationSpecific
## Ingress TLS
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
tls: []
# - secretName: chart-example-tls
# hosts:
# - haproxy.domain.com
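Review bot: The ingress defaults and examples use `haproxy.domain.com`, a name under a real registered domain, while the `httpRoute` block below uses `chart-example.local`; pick one reserved placeholder (such as a name under `example.com`) for both so that enabling ingress without overriding `hosts` cannot publish a rule for someone else's hostname. The annotation example `kubernetes.io/ingress.class: nginx` is the deprecated way to select a class and duplicates the `className` value just above it; drop it from the example or replace it with a comment that `className` is the supported field. `tls: []` means an enabled ingress serves plain HTTP by default, which deserves a one-line note next to the commented `secretName` example.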
# -- Expose the service via gateway-api HTTPRoute
# Requires Gateway API resources and suitable controller installed within the cluster
# (see: https://gateway-api.sigs.k8s.io/guides/)
httpRoute:
# HTTPRoute enabled.
enabled: false
# HTTPRoute servicePort to route to
servicePort: 80
# HTTPRoute labels
labels: {}
# HTTPRoute annotations.
annotations: {}
# Which Gateways this Route is attached to.
parentRefs:
- name: gateway
sectionName: http
# namespace: default
# Hostnames matching HTTP header.
hostnames:
- chart-example.local
# List of rules and filters applied.
rules:
- matches:
- path:
type: PathPrefix
value: /
# filters:
# - type: RequestHeaderModifier
# requestHeaderModifier:
# set:
# - name: My-Overwrite-Header
# value: this-is-the-only-value
# remove:
# - User-Agent
# - matches:
# - path:
# type: PathPrefix
# value: /echo
# headers:
# - name: version
# value: v2