validate/haproxy
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit
All checks were successful
Build and Publish TechDocs (Helm Chart Resource) / build-and-publish-helm-chart (push) Successful in 1m9s
Details

Browse Source 
Change-Id: I26d65d84aa31f5cc4cc0835e3fb7269fedc73b45
This commit is contained in:
Scaffolder
2026-04-16 13:10:43 +00:00
commit 65d0ce3ad3
179 changed files with 12011 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
deploy/kubernetes-ingress/.helmignore Normal file
View File

@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

36
deploy/kubernetes-ingress/Chart.yaml Normal file
View File

@@ -0,0 +1,36 @@
# Copyright 2019 HAProxy Technologies LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v2
name: kubernetes-ingress
description: A Helm chart for HAProxy Kubernetes Ingress Controller
type: application
version: 1.49.0
appVersion: 3.2.6
kubeVersion: ">=1.23.0-0"
keywords:
- ingress
- haproxy
home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress
sources:
- https://github.com/haproxytech/kubernetes-ingress
icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png
maintainers:
- name: Dinko Korunic
email: dkorunic@haproxy.com
engine: gotpl
annotations:
artifacthub.io/changes: |-
- Use Ingress Controller 3.2.6 version for base image
- Add hostNetwork and hostPort support for Deployment (#341)

336
deploy/kubernetes-ingress/README.md Normal file
View File

@@ -0,0 +1,336 @@
# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy")
## HAProxy Kubernetes Ingress Controller
An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration.
Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/).
Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md).
## Introduction
This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
### Prerequisites
- Kubernetes 1.22+ (recommended 1.24+)
- Helm 3.6+ (recommended 3.7+)
## Before you begin
### Setting up a Kubernetes Cluster
The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides.
For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/).
### Install Helm
Get the latest [Helm release](https://github.com/helm/helm#install).
### Adding Helm chart repo
Once you have Helm installed, add the haproxytech Chart Repository as follows:
```console
helm repo add haproxytech https://haproxytech.github.io/helm-charts
helm repo update
```
Alternatively if you want to proceed with just OCI-based repository, skip this step and follow the installation with OCI.
## Installing the chart
To install the chart with Helm v3 as _my-release_ deployment from Chat Repository:
```console
helm install my-release haproxytech/kubernetes-ingress
```
**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter:
```console
helm install haproxytech/kubernetes-ingress \
--name my-release
```
Alternatively also have OCI-based repository available for simplified access:
```console
helm install oci://ghcr.io/haproxytech/helm-charts/kubernetes-ingress --version 1.44.1
```
### Installing with unique name
To auto-generate controller and its resources names when installing, use the following:
```console
helm install haproxytech/kubernetes-ingress \
--generate-name
```
### Installing from a private registry
To install the chart using a private registry for controller into a separate namespace _prod_.
**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`)
```console
helm install my-ingress haproxytech/kubernetes-ingress \
--namespace prod \
--set controller.image.tag=SOMETAG \
--set controller.imageCredentials.registry=myregistry.domain.com \
--set controller.imageCredentials.username=MYUSERNAME \
--set controller.imageCredentials.password=MYPASSWORD
```
Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace:
```console
helm install my-ingress haproxytech/kubernetes-ingress \
--namespace prod \
--set controller.image.tag=SOMETAG \
--set controller.existingImagePullSecret name-of-existing-image-pull-secret
```
### Using values from YAML file
As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm:
_mylb.yaml_:
```yaml
controller:
kind: DaemonSet
ingressClass: haproxy
service:
type: LoadBalancer
annotations:
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
```
And invoking Helm becomes (compare to the previous example):
```console
helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress
```
A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) :
```yaml
controller:
service:
tcpPorts:
- name: mysql
port: 3306
targetPort: 3306
extraArgs:
- --configmap-tcp-services=default/tcp
```
### Installing as DaemonSet
Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well:
```console
helm install my-ingress haproxytech/kubernetes-ingress \
--set controller.kind=DaemonSet
```
### Installing in multi-ingress environment
It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers):
```console
helm install my-ingress haproxytech/kubernetes-ingress \
--set controller.kind=DaemonSet \
--set controller.ingressClass=haproxy
```
**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation.
### Installing Gateway API support
[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md)
```console
helm install my-ingress haproxytech/kubernetes-ingress \
--set controller.gatewayControllerName=haproxy.org/gateway-controller
```
**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed.
### Installing with service annotations
On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however:
```console
helm install my-ingress haproxytech/kubernetes-ingress \
--set controller.kind=DaemonSet \
--set controller.ingressClass=haproxy \
--set controller.service.type=LoadBalancer \
--set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \
--set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true"
```
**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string.
### Installing with Horizontal Pod Autoscaler (HPA)
[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller:
```console
helm install my-ingress haproxytech/kubernetes-ingress \
--set controller.autoscaling.enabled=true
```
### Installing the ServiceMonitor
If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs.
```console
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm install prometheus prometheus-community/kube-prometheus-stack \
--set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
--set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
helm install my-ingress haproxytech/kubernetes-ingress \
--set controller.serviceMonitor.enabled=true
```
### Installing the PodMonitor
As an alternative to a `ServiceMonitor` you can use a `PodMonitor`, which targets the pods directly instead of using a service.
If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `PodMonitor` definition in order to automate the scraping options according to your needs.
```console
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm install prometheus prometheus-community/kube-prometheus-stack \
--set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
--set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
helm install my-ingress haproxytech/kubernetes-ingress \
--set controller.podMonitor.enabled=true
```
### Installing with Kubernetes Event-driven Autoscaling (KEDA)
[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter.
To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP):
_mykeda.yaml_:
```yaml
controller:
kind: Deployment
serviceMonitor:
enabled: true
keda:
enabled: true
minReplicas: 1
maxReplicas: 5
triggers:
- type: prometheus
metadata:
serverAddress: http://10.96.206.247:9090
metricName: haproxy_frontend_current_sessions
threshold: "100"
query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m]))
```
Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are:
- `haproxy_process_idle_time_percent`
- `haproxy_frontend_current_sessions`
- `haproxy_backend_current_queue`
And to install:
```console
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add kedacore https://kedacore.github.io/charts
helm repo update
helm install prometheus prometheus-community/kube-prometheus-stack \
--set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
--set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
kubectl create namespace keda
helm install keda kedacore/keda --namespace keda
helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml
```
### Installing on Amazon Elastic Kubernetes Service (EKS)
By default AWS LB does not support mixed protocols (TCP and UDP) on the same port yet, resulting in the following error on deploy:
```
Error syncing load balancer: failed to ensure load balancer: mixed protocol is not supported for LoadBalancer
```
This issue can be easily fixed by disabling QUIC support (requires `udp/443` listener) with the following:
```console
helm install my-ingress haproxytech/kubernetes-ingress \
--set controller.service.type=LoadBalancer \
--set controller.service.enablePorts.quic=false
```
### Installing on Azure Managed Kubernetes Service (AKS)
By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes:
```console
helm install ...
--set controller.service.type=LoadBalancer \
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
```
## Upgrading the chart
To upgrade the _my-release_ deployment:
```console
helm upgrade my-release haproxytech/kubernetes-ingress
```
By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade.
```console
kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml
kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml
kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml
```
Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and
upgrading CRDs accordingly.
## Uninstalling the chart
To uninstall/delete the _my-release_ deployment:
```console
helm delete my-release
```
## Debugging
It is possible to generate a set of YAML files for testing/debugging:
```console
helm install my-release haproxytech/kubernetes-ingress \
--debug \
--dry-run
```
## Contributing
We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution.

BIN
deploy/kubernetes-ingress/chart-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

6
deploy/kubernetes-ingress/ci/daemonset-customconfig-templated-values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
kind: DaemonSet
config: |
rate-limit: "{{ .Values.controller.configVars.rateLimit | required "controller.configVars.rateLimit is required" }}"
configVars:
rateLimit: "ON"

4
deploy/kubernetes-ingress/ci/daemonset-customconfig-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
kind: DaemonSet
config:
rate-limit: "ON"

7
deploy/kubernetes-ingress/ci/daemonset-customnodeport-values.yaml Normal file
View File

@@ -0,0 +1,7 @@
controller:
kind: DaemonSet
service:
type: NodePort
ports:
8000: 10000
8001: 10001

2
deploy/kubernetes-ingress/ci/daemonset-default-values.yaml Normal file
View File

@@ -0,0 +1,2 @@
controller:
kind: DaemonSet

4
deploy/kubernetes-ingress/ci/daemonset-disableddefaultbackend-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
kind: DaemonSet
defaultBackend:
enabled: false

4
deploy/kubernetes-ingress/ci/daemonset-disabledsecretconfig-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
kind: DaemonSet
defaultTLSSecret:
enabled: false

7
deploy/kubernetes-ingress/ci/daemonset-enableports-values.yaml Normal file
View File

@@ -0,0 +1,7 @@
controller:
kind: DaemonSet
service:
enablePorts:
http: false
https: true
stat: false

4
deploy/kubernetes-ingress/ci/daemonset-extraargs-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
kind: DaemonSet
extraArgs:
- --namespace-whitelist=default

7
deploy/kubernetes-ingress/ci/daemonset-extraenvs-values.yaml Normal file
View File

@@ -0,0 +1,7 @@
controller:
kind: DaemonSet
extraEnvs:
- name: TEST_STR1
value: foo
- name: TEST_STR2
value: baz

8
deploy/kubernetes-ingress/ci/daemonset-hostport-values.yaml Normal file
View File

@@ -0,0 +1,8 @@
controller:
kind: DaemonSet
daemonset:
useHostPort: true
hostPorts:
http: 80
https: 443
stat: 1024

6
deploy/kubernetes-ingress/ci/daemonset-ingressclass-values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
kind: DaemonSet
ingressClass: haproxy
ingressClassResource:
enabled: true
default: true

5
deploy/kubernetes-ingress/ci/daemonset-ipfamily-values.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
kind: DaemonSet
service:
ipFamilies: [IPv4]
ipFamilyPolicy: SingleStack

5
deploy/kubernetes-ingress/ci/daemonset-kubernetesgateway-values.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
kind: DaemonSet
kubernetesGateway:
enabled: true
gatewayControllerName: haproxy.org/gateway-controller

4
deploy/kubernetes-ingress/ci/daemonset-nodeport-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
kind: DaemonSet
service:
type: NodePort

6
deploy/kubernetes-ingress/ci/daemonset-privileged-ports.values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
kind: DaemonSet
containerPort:
http: 80
https: 443
stat: 1024

5
deploy/kubernetes-ingress/ci/daemonset-publishservice-values.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
kind: DaemonSet
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0

5
deploy/kubernetes-ingress/ci/daemonset-serviceannotation-values.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
kind: DaemonSet
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0

7
deploy/kubernetes-ingress/ci/daemonset-strategy-values.yaml Normal file
View File

@@ -0,0 +1,7 @@
controller:
kind: DaemonSet
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 1

4
deploy/kubernetes-ingress/ci/daemonset-unprivileged-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
kind: DaemonSet
unprivileged: true
allowPrivilegedPorts: true

5
deploy/kubernetes-ingress/ci/deployment-customconfig-templated-values.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
config: |
rate-limit: "{{ .Values.controller.configVars.rateLimit | required "controller.configVars.rateLimit is required" }}"
configVars:
rateLimit: "ON"

3
deploy/kubernetes-ingress/ci/deployment-customconfig-values.yaml Normal file
View File

@@ -0,0 +1,3 @@
controller:
config:
rate-limit: "ON"

6
deploy/kubernetes-ingress/ci/deployment-customnodeport-values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
service:
type: NodePort
ports:
8000: 10000
8001: 10001

1
deploy/kubernetes-ingress/ci/deployment-default-values.yaml Normal file
View File

@@ -0,0 +1 @@
#

2
deploy/kubernetes-ingress/ci/deployment-disableddefaultbackend-values.yaml Normal file
View File

@@ -0,0 +1,2 @@
defaultBackend:
enabled: false

3
deploy/kubernetes-ingress/ci/deployment-disabledsecretconfig-values.yaml Normal file
View File

@@ -0,0 +1,3 @@
controller:
defaultTLSSecret:
enabled: false

6
deploy/kubernetes-ingress/ci/deployment-enableports-values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
service:
enablePorts:
http: false
https: true
stat: false

3
deploy/kubernetes-ingress/ci/deployment-extraargs-values.yaml Normal file
View File

@@ -0,0 +1,3 @@
controller:
extraArgs:
- --namespace-whitelist=default

6
deploy/kubernetes-ingress/ci/deployment-extraenvs-values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
extraEnvs:
- name: TEST_STR1
value: foo
- name: TEST_STR2
value: baz

25
deploy/kubernetes-ingress/ci/deployment-hpa-values.yaml Normal file
View File

@@ -0,0 +1,25 @@
controller:
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
behavior:
scaleUp:
policies:
- type: Percent
value: 900
periodSeconds: 60
scaleDown:
stabilizationWindowSeconds: 600
policies:
- type: Pods
value: 1
periodSeconds: 600
defaultBackend:
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 2
targetCPUUtilizationPercentage: 50

5
deploy/kubernetes-ingress/ci/deployment-ingressclass-values.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
ingressClass: haproxy
ingressClassResource:
enabled: true
default: true

4
deploy/kubernetes-ingress/ci/deployment-ipfamily-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
service:
ipFamilies: [IPv4]
ipFamilyPolicy: SingleStack

4
deploy/kubernetes-ingress/ci/deployment-kubernetesgateway-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
kubernetesGateway:
enabled: true
gatewayControllerName: haproxy.org/gateway-controller

3
deploy/kubernetes-ingress/ci/deployment-nodeport-values.yaml Normal file
View File

@@ -0,0 +1,3 @@
controller:
service:
type: NodePort

5
deploy/kubernetes-ingress/ci/deployment-podannotations-templated-values.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
podAnnotations: |
my-checksum: {{ $.Values.myCustomVar | toYaml | sha256sum }}
myCustomVar:
FOO: BAR

3
deploy/kubernetes-ingress/ci/deployment-podmonitor-values.yaml Normal file
View File

@@ -0,0 +1,3 @@
controller:
podMonitor:
enabled: true

5
deploy/kubernetes-ingress/ci/deployment-privileged-ports.values.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
containerPort:
http: 80
https: 443
stat: 1024

4
deploy/kubernetes-ingress/ci/deployment-publishservice-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
kind: DaemonSet
publishService:
enabled: true

5
deploy/kubernetes-ingress/ci/deployment-replicacount-unset.yaml Normal file
View File

@@ -0,0 +1,5 @@
controller:
replicaCount: null
defaultBackend:
replicaCount: null

6
deploy/kubernetes-ingress/ci/deployment-strategy-values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 1

3
deploy/kubernetes-ingress/ci/deployment-unprivileged-values.yaml Normal file
View File

@@ -0,0 +1,3 @@
controller:
unprivileged: true
allowPrivilegedPorts: true

109
deploy/kubernetes-ingress/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,109 @@
HAProxy Kubernetes Ingress Controller has been successfully installed.
Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}".
Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type.
{{- if .Values.rbac.create}}
RBAC authorization is enabled.
{{- else}}
RBAC authorization is disabled.
{{- end}}
{{- if .Values.controller.ingressClass}}
Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for
Ingress resource.
{{- end}}
{{- if .Values.controller.gatewayControllerName}}
Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure
that Gateway API CRDs are installed in Kubernetes.
{{- end}}
Service ports mapped are:
{{- if eq .Values.controller.kind "Deployment" }}
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .targetPort }}
protocol: TCP
{{- end }}
{{- end }}
{{- if eq .Values.controller.kind "DaemonSet" }}
{{- $useHostPort := .Values.controller.daemonset.useHostPort -}}
{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
{{- $hostIP := .Values.controller.daemonset.hostIP -}}
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ index $hostPorts $key | default $value }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- if $useHostPort }}
hostPort: {{ .Values.controller.daemonset.hostPorts.https }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .port }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ .port }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- end }}
Node IP can be found with:
$ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}"
The following ingress resource routes traffic to pods that match the following:
* service name: web
* client's Host header: webdemo.com
* path begins with /
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-ingress
namespace: default
annotations:
ingress.class: "haproxy"
spec:
rules:
- host: webdemo.com
http:
paths:
- path: /
backend:
serviceName: web
servicePort: 80
In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it
with helm chart option controller.ingressClass.
For more examples and up to date documentation, please visit:
* Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress
* Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/
* Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation
* Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

259
deploy/kubernetes-ingress/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,259 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
Expand the name of the chart.
*/}}
{{- define "kubernetes-ingress.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "kubernetes-ingress.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kubernetes-ingress.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kubernetes-ingress.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create HAProxy Ingress Chart labels
*/}}
{{- define "kubernetes-ingress.helmChartLabels" -}}
helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Create HAProxy Ingress Selector labels
*/}}
{{- define "kubernetes-ingress.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create HAProxy Ingress labels
*/}}
{{- define "kubernetes-ingress.labels" -}}
{{ include "kubernetes-ingress.selectorLabels" . }}
{{ include "kubernetes-ingress.helmChartLabels" . }}
{{- end }}
{{/*
Create CRD Job selector labels
*/}}
{{- define "kubernetes-ingress.crdJobSelectorLabels" -}}
app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create CRD Job labels
*/}}
{{- define "kubernetes-ingress.crdJobLabels" -}}
{{ include "kubernetes-ingress.crdJobSelectorLabels" . }}
{{ include "kubernetes-ingress.helmChartLabels" . }}
{{- end }}
{{/*
Create Service Proxy selector labels
*/}}
{{- define "kubernetes-ingress.serviceProxySelectorLabels" -}}
app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create Service Proxy labels
*/}}
{{- define "kubernetes-ingress.serviceProxyLabels" -}}
{{ include "kubernetes-ingress.serviceProxySelectorLabels" . }}
{{ include "kubernetes-ingress.helmChartLabels" . }}
{{- end }}
{{/*
Encode an imagePullSecret string.
*/}}
{{- define "kubernetes-ingress.imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }}
{{- end }}
{{/*
Encode an imagePullSecret string for the default backend.
*/}}
{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }}
{{- end }}
{{/*
Generate default certificate for HAProxy.
*/}}
{{- define "kubernetes-ingress.gen-certs" -}}
{{- $ca := genCA "kubernetes-ingress-ca" 365 -}}
{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}}
{{- $cert := genSignedCert $cn nil nil 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end -}}
{{/*
Create the name of the controller service account to use.
*/}}
{{- define "kubernetes-ingress.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
*/}}
{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}}
{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}}
{{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.defaultBackend.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
*/}}
{{- define "kubernetes-ingress.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default cert secret name.
*/}}
{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct the path for the publish-service.
By default this will use the <namespace>/<service-name> matching the controller's service name.
Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride`
*/}}
{{- define "kubernetes-ingress.publishServicePath" -}}
{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}}
{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct the syslog-server annotation
*/}}
{{- define "kubernetes-ingress.syslogServer" -}}
{{- range $key, $val := .Values.controller.logging.traffic -}}
{{- printf "%s:%s, " $key $val }}
{{- end -}}
{{- end -}}
{{/*
Render controller pod sysctls.
Input: .Values.controller.sysctls (map[string]string)
Also keeps the existing allowPrivilegedPorts behaviour by adding
net.ipv4.ip_unprivileged_port_start=0 unless explicitly overridden via controller.sysctls.
*/}}
{{- define "kubernetes-ingress.controller.sysctls" -}}
{{- $sysctls := .Values.controller.sysctls | default dict -}}
{{- $keys := keys $sysctls | sortAlpha -}}
{{- $needPrivPorts := and .Values.controller.unprivileged .Values.controller.allowPrivilegedPorts (not (hasKey $sysctls "net.ipv4.ip_unprivileged_port_start")) -}}
{{- if or (gt (len $keys) 0) $needPrivPorts -}}
sysctls:
{{- range $name := $keys }}
- name: {{ $name }}
value: {{ index $sysctls $name | quote }}
{{- end }}
{{- if $needPrivPorts }}
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified ServiceMonitor name.
*/}}
{{- define "kubernetes-ingress.serviceMonitorName" -}}
{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified PodMonitor name.
*/}}
{{- define "kubernetes-ingress.podMonitorName" -}}
{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.podMonitor.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a FQDN for the Service metrics.
*/}}
{{- define "kubernetes-ingress.serviceMetricsName" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }}
{{- end -}}
{{/*
Create a default fully qualified unique CRD job name.
*/}}
{{- define "kubernetes-ingress.crdjob.fullname" -}}
{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a FQDN for the proxy pods.
*/}}
{{- define "kubernetes-ingress.serviceProxyName" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 58 | trimSuffix "-") "proxy" }}
{{- end -}}
{{/* vim: set filetype=mustache: */}}

158
deploy/kubernetes-ingress/templates/clusterrole.yaml Normal file
View File

@@ -0,0 +1,158 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- services
- namespaces
- events
- serviceaccounts
verbs:
- get
- list
- watch
{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
- apiGroups:
- ""
resources:
- services
- pods
verbs:
- update
{{- end }}
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- ingresses
- ingresses/status
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- core.haproxy.org
resources:
- '*'
verbs:
- get
- list
- watch
- update
- apiGroups:
- ingress.v1.haproxy.org
- ingress.v1.haproxy.com
- ingress.v3.haproxy.org
- ingress.v3.haproxy.com
resources:
- "*"
verbs:
- get
- list
- watch
- update
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- if .Values.controller.kubernetesGateway.enabled }}
- apiGroups:
- "gateway.networking.k8s.io"
resources:
- referencegrants
- gateways
- gatewayclasses
- tcproutes
verbs:
- get
- list
- watch
- apiGroups:
- "gateway.networking.k8s.io"
resources:
- gatewayclasses/status
- gateways/status
- tcproutes/status
verbs:
- update
{{- end }}
- apiGroups:
- "apps"
resources:
- replicasets
- deployments
- daemonsets
verbs:
- get
- list
- watch
{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- "*"
{{- end }}
{{- end -}}

33
deploy/kubernetes-ingress/templates/clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kubernetes-ingress.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "kubernetes-ingress.serviceAccountName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- end -}}

38
deploy/kubernetes-ingress/templates/controller-configmap.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.configAnnotations }}
annotations:
{{ toYaml .Values.controller.configAnnotations | indent 4 }}
{{- end }}
data:
{{- if .Values.controller.logging.traffic }}
syslog-server: {{ include "kubernetes-ingress.syslogServer" . }}
{{- end }}
{{- if .Values.controller.config }}
{{- if eq "string" (printf "%T" .Values.controller.config) }}
{{ tpl .Values.controller.config . | indent 2 }}
{{- else }}
{{ toYaml .Values.controller.config | indent 2 }}
{{- end }}
{{- end }}

112
deploy/kubernetes-ingress/templates/controller-crdjob.yaml Normal file
View File

@@ -0,0 +1,112 @@
{{/*
Copyright 2023 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "kubernetes-ingress.crdjob.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.crdJobLabels" . | nindent 4 }}
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
helm.sh/hook: post-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
{{- with .Values.controller.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.crdjob.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.crdjob.ttlSecondsAfterFinished }}
{{- end }}
{{- end }}
backoffLimit: 0
template:
metadata:
labels:
{{- include "kubernetes-ingress.crdJobSelectorLabels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.crdjob.podAnnotations }}
annotations:
{{- if eq "string" (printf "%T" .Values.crdjob.podAnnotations) }}
{{ tpl .Values.crdjob.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.crdjob.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
{{- if .Values.controller.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- end }}
containers:
- name: crd
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
command:
- /haproxy-ingress-controller
- --job-check-crd
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
resources:
{{- toYaml .Values.crdjob.resources | nindent 12 }}
{{- end }}
{{- with .Values.crdjob.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.crdjob.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.crdjob.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

300
deploy/kubernetes-ingress/templates/controller-daemonset.yaml Normal file
View File

@@ -0,0 +1,300 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if eq .Values.controller.kind "DaemonSet" }}
{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}}
{{- $useHostPort := .Values.controller.daemonset.useHostPort -}}
{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
{{- $hostIP := .Values.controller.daemonset.hostIP -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- with .Values.controller.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.extraLabels }}
{{ toYaml .Values.controller.extraLabels | indent 4 }}
{{- end }}
spec:
minReadySeconds: {{ .Values.controller.minReadySeconds }}
{{- with .Values.controller.strategy }}
updateStrategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
annotations:
{{- if eq "string" (printf "%T" .Values.controller.podAnnotations) }}
{{ tpl .Values.controller.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.controller.dnsConfig }}
dnsConfig:
{{ toYaml .Values.controller.dnsConfig | indent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.controller.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if or .Values.controller.unprivileged (gt (len (.Values.controller.sysctls | default dict)) 0) }}
securityContext:
{{- if .Values.controller.unprivileged }}
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- end }}
{{ include "kubernetes-ingress.controller.sysctls" . | nindent 8 }}
{{- end }}
containers:
- name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
args:
{{- if .Values.controller.defaultTLSSecret.enabled -}}
{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
- --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
{{- else }}
- --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
{{- end }}
{{- end }}
- --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
- --http-bind-port={{ .Values.controller.containerPort.http }}
- --https-bind-port={{ .Values.controller.containerPort.https }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- --quic-bind-port={{ .Values.controller.containerPort.https }}
- --quic-announce-port={{ .Values.controller.service.ports.https }}
{{- end }}
{{- if .Values.controller.ingressClass }}
- --ingress.class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
- --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
{{- end }}
{{- if .Values.controller.publishService.enabled }}
- --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
{{- end }}
{{- if .Values.controller.logging.level }}
- --log={{ .Values.controller.logging.level }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
- --prometheus
- --pprof
{{- end }}
{{- range .Values.controller.extraArgs }}
- {{ . }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if and $useHostPort (index $hostPorts $key) }}
hostPort: {{ index $hostPorts $key }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- if $useHostPort }}
hostPort: {{ .Values.controller.daemonset.hostPorts.https }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .port }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ .port }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- with .Values.controller.livenessProbe }}
livenessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.readinessProbe }}
readinessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.startupProbe }}
startupProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
env:
{{- if .Values.aws.licenseConfigSecretName }}
- name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
value: "/var/run/secrets/product-license/license_token"
- name: AWS_ROLE_ARN
valueFrom:
secretKeyRef:
name: {{ .Values.aws.licenseConfigSecretName }}
key: iam_role
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.controller.extraEnvs -}}
{{- toYaml .Values.controller.extraEnvs | nindent 10 }}
{{- end }}
{{- with .Values.controller.extraEnvFrom }}
envFrom:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- if .Values.controller.lifecycle }}
lifecycle:
{{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
{{ tpl .Values.controller.lifecycle . | indent 12 }}
{{- else }}
{{ toYaml .Values.controller.lifecycle | indent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
subPath: tmp
- name: tmp
mountPath: /run
subPath: run
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
readOnly: true
mountPath: /var/run/secrets/product-license
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
{{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
{{ tpl .Values.controller.extraContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.extraContainers | indent 8 }}
{{- end }}
{{- end }}
volumes:
- name: tmp
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
emptyDir:
medium: Memory
sizeLimit: 64Mi
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
secret:
secretName: {{ .Values.aws.licenseConfigSecretName }}
optional: true
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
{{ tpl .Values.controller.extraVolumes . | indent 8 }}
{{- else if gt (len .Values.controller.extraVolumes) 0 }}
{{ toYaml .Values.controller.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.controller.initContainers }}
initContainers:
{{- if eq "string" (printf "%T" .Values.controller.initContainers) }}
{{ tpl .Values.controller.initContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.initContainers | indent 8 }}
{{- end }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

33
deploy/kubernetes-ingress/templates/controller-defaultcertsecret.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.defaultTLSSecret.enabled }}
{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }}
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
data:
{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }}
{{- end }}
{{- end }}

318
deploy/kubernetes-ingress/templates/controller-deployment.yaml Normal file
View File

@@ -0,0 +1,318 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if eq .Values.controller.kind "Deployment" }}
{{- $useHostNetwork := .Values.controller.deployment.useHostNetwork -}}
{{- $useHostPort := .Values.controller.deployment.useHostPort -}}
{{- $hostPorts := .Values.controller.deployment.hostPorts -}}
{{- $hostIP := .Values.controller.deployment.hostIP -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- with .Values.controller.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.extraLabels }}
{{ toYaml .Values.controller.extraLabels | indent 4 }}
{{- end }}
spec:
{{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }}
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
{{- with .Values.controller.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
annotations:
{{- if eq "string" (printf "%T" .Values.controller.podAnnotations) }}
{{ tpl .Values.controller.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- with .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.dnsConfig }}
dnsConfig:
{{ toYaml .Values.controller.dnsConfig | indent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.controller.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if or .Values.controller.unprivileged (gt (len (.Values.controller.sysctls | default dict)) 0) }}
securityContext:
{{- if .Values.controller.unprivileged }}
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- end }}
{{ include "kubernetes-ingress.controller.sysctls" . | nindent 8 }}
{{- end }}
containers:
- name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
args:
{{- if .Values.controller.defaultTLSSecret.enabled -}}
{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
- --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
{{- else }}
- --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
{{- end }}
{{- end }}
- --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
- --http-bind-port={{ .Values.controller.containerPort.http }}
- --https-bind-port={{ .Values.controller.containerPort.https }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- --quic-bind-port={{ .Values.controller.containerPort.https }}
- --quic-announce-port={{ .Values.controller.service.ports.https }}
{{- end }}
{{- if .Values.controller.ingressClass }}
- --ingress.class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
- --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
{{- end }}
{{- if .Values.controller.publishService.enabled }}
- --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
{{- end }}
{{- if .Values.controller.logging.level }}
- --log={{ .Values.controller.logging.level }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
- --prometheus
- --pprof
{{- end }}
{{- if eq .Values.controller.sync.mode "fetch" }}
{{- if .Values.controller.sync.fetchParams.period }}
- --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }}
{{- end }}
{{- if eq .Values.controller.sync.fetchParams.source "k8s" }}
- --k8s-api-sync-type=k8s
{{- else if eq .Values.controller.sync.fetchParams.source "proxy" }}
- --k8s-api-sync-type=proxy
- --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }}
{{- end }}
{{- end }}
{{- range .Values.controller.extraArgs }}
- {{ . }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if and $useHostPort (index $hostPorts $key) }}
hostPort: {{ index $hostPorts $key }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- if $useHostPort }}
hostPort: {{ .Values.controller.deployment.hostPorts.https }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .targetPort }}
protocol: TCP
{{- if $useHostPort }}
hostPort: {{ .port }}
{{- end }}
{{- if $hostIP }}
hostIP: {{ $hostIP }}
{{- end }}
{{- end }}
{{- with .Values.controller.livenessProbe }}
livenessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.readinessProbe }}
readinessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.startupProbe }}
startupProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
env:
{{- if .Values.aws.licenseConfigSecretName }}
- name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
value: "/var/run/secrets/product-license/license_token"
- name: AWS_ROLE_ARN
valueFrom:
secretKeyRef:
name: {{ .Values.aws.licenseConfigSecretName }}
key: iam_role
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.controller.extraEnvs -}}
{{- toYaml .Values.controller.extraEnvs | nindent 10 }}
{{- end }}
{{- with .Values.controller.extraEnvFrom }}
envFrom:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- if .Values.controller.lifecycle }}
lifecycle:
{{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
{{ tpl .Values.controller.lifecycle . | indent 12 }}
{{- else }}
{{ toYaml .Values.controller.lifecycle | indent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
subPath: tmp
- name: tmp
mountPath: /run
subPath: run
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
readOnly: true
mountPath: /var/run/secrets/product-license
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
{{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
{{ tpl .Values.controller.extraContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.extraContainers | indent 8 }}
{{- end }}
{{- end }}
volumes:
- name: tmp
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
emptyDir:
medium: Memory
sizeLimit: 64Mi
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
secret:
secretName: {{ .Values.aws.licenseConfigSecretName }}
optional: true
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
{{ tpl .Values.controller.extraVolumes . | indent 8 }}
{{- else if gt (len .Values.controller.extraVolumes) 0 }}
{{ toYaml .Values.controller.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.controller.initContainers }}
initContainers:
{{- if eq "string" (printf "%T" .Values.controller.initContainers) }}
{{ tpl .Values.controller.initContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.initContainers | indent 8 }}
{{- end }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

67
deploy/kubernetes-ingress/templates/controller-hpa.yaml Normal file
View File

@@ -0,0 +1,67 @@
{{/*
Copyright 2020 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }}
{{- if not .Values.controller.keda.enabled }}
{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: autoscaling/v2
{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }}
apiVersion: autoscaling/v2beta2
{{- else }}
{{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }}
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
{{- if .Values.controller.autoscaling.annotations }}
annotations:
{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }}
{{- end }}
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kubernetes-ingress.fullname" . }}
minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
{{- if .Values.controller.autoscaling.behavior }}
behavior: {{- toYaml .Values.controller.autoscaling.behavior | nindent 4 }}
{{- end }}
metrics:
{{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- if .Values.controller.autoscaling.custom }}
{{- toYaml .Values.controller.autoscaling.custom | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

42
deploy/kubernetes-ingress/templates/controller-ingressclass.yaml Normal file
View File

@@ -0,0 +1,42 @@
{{/*
Copyright 2021 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: networking.k8s.io/v1
{{- else }}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: IngressClass
metadata:
name: {{ .Values.controller.ingressClassResource.name }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.ingressClassResource.default }}
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
{{- end }}
spec:
{{- if not .Values.controller.ingressClass }}
controller: haproxy.org/ingress-controller
{{- else }}
controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }}
{{- end }}
{{- if .Values.controller.ingressClassResource.parameters }}
parameters:
{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }}
{{- end }}
{{- end }}

57
deploy/kubernetes-ingress/templates/controller-keda.yaml Normal file
View File

@@ -0,0 +1,57 @@
{{/*
Copyright 2021 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }}
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.keda.scaledObject.annotations }}
annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
name: {{ include "kubernetes-ingress.fullname" . }}
pollingInterval: {{ .Values.controller.keda.pollingInterval }}
cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
minReplicaCount: {{ .Values.controller.keda.minReplicas }}
maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
triggers:
{{- with .Values.controller.keda.triggers }}
{{ toYaml . | indent 2 }}
{{ end }}
{{- with .Values.controller.keda.fallback }}
fallback:
{{ toYaml . | indent 4 }}
{{- end }}
advanced:
restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }}
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig }}
horizontalPodAutoscalerConfig:
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig.name }}
name: {{ .Values.controller.keda.horizontalPodAutoscalerConfig.name }}
{{- end }}
{{- if .Values.controller.keda.horizontalPodAutoscalerConfig.behavior }}
behavior:
{{ with .Values.controller.keda.horizontalPodAutoscalerConfig.behavior -}}
{{ toYaml . | indent 8 }}
{{ end }}
{{- end }}
{{- end }}
{{- end }}

39
deploy/kubernetes-ingress/templates/controller-poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.PodDisruptionBudget.enable }}
{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
spec:
{{- if .Values.controller.PodDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }}
{{- end }}
{{- if .Values.controller.PodDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }}
{{- end }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
{{- end }}

37
deploy/kubernetes-ingress/templates/controller-podmonitor.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{/*
Copyright 2024 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.podMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "kubernetes-ingress.podMonitorName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.podMonitor.extraLabels }}
{{ toYaml .Values.controller.podMonitor.extraLabels | nindent 4 }}
{{- end }}
spec:
podMetricsEndpoints:
{{ .Values.controller.podMonitor.endpoints | toYaml | nindent 4 }}
namespaceSelector:
matchNames:
- {{ include "kubernetes-ingress.namespace" . }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
{{- end }}

82
deploy/kubernetes-ingress/templates/controller-podsecuritypolicy.yaml Normal file
View File

@@ -0,0 +1,82 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }}
{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }}
{{- $useHostPort := .Values.controller.daemonset.useHostPort }}
{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodSecurityPolicy
metadata:
{{- if .Values.podSecurityPolicy.annotations }}
annotations:
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
{{- end }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
name: {{ include "kubernetes-ingress.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
allowedCapabilities:
- NET_BIND_SERVICE
defaultAllowPrivilegeEscalation: false
fsGroup:
rule: MustRunAs
ranges:
- max: 65535
min: 1
{{- if $useHostNetwork }}
hostNetwork: true
{{- end }}
{{- if or $useHostPort $useHostNetwork }}
hostPorts:
{{- range $key, $value := .Values.controller.containerPort }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- min: {{ .port }}
max: {{ .port }}
{{- end }}
{{- end }}
hostIPC: false
hostPID: false
privileged: false
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- max: 65535
min: 1
volumes:
- configMap
- downwardAPI
- secret
{{- end }}
{{- end }}

283
deploy/kubernetes-ingress/templates/controller-proxy-deployment.yaml Normal file
View File

@@ -0,0 +1,283 @@
{{/*
Copyright 2024 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kubernetes-ingress.serviceProxyName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- with .Values.controller.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kubernetes-ingress.serviceProxyLabels" . | nindent 4 }}
{{- if .Values.controller.extraLabels }}
{{ toYaml .Values.controller.extraLabels | indent 4 }}
{{- end }}
spec:
{{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }}
replicas: {{ .Values.controller.sync.proxyParams.replicaCount }}
{{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
selector:
matchLabels:
{{- include "kubernetes-ingress.serviceProxySelectorLabels" . | nindent 6 }}
{{- with .Values.controller.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
{{- include "kubernetes-ingress.serviceProxySelectorLabels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
annotations:
{{- if eq "string" (printf "%T" .Values.controller.podAnnotations) }}
{{ tpl .Values.controller.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- with .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.dnsConfig }}
dnsConfig:
{{ toYaml .Values.controller.dnsConfig | indent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.controller.imageCredentials.registry }}
imagePullSecrets:
- name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
imagePullSecrets:
- name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
{{- if .Values.controller.allowPrivilegedPorts }}
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
{{- end }}
{{- end }}
containers:
- name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
args:
{{- if .Values.controller.defaultTLSSecret.enabled -}}
{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
- --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
{{- else }}
- --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
{{- end }}
{{- end }}
- --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
- --http-bind-port={{ .Values.controller.containerPort.http }}
- --https-bind-port={{ .Values.controller.containerPort.https }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- --quic-bind-port={{ .Values.controller.containerPort.https }}
- --quic-announce-port={{ .Values.controller.service.ports.https }}
{{- end }}
{{- if .Values.controller.ingressClass }}
- --ingress.class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
- --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
{{- end }}
{{- if .Values.controller.publishService.enabled }}
- --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
{{- end }}
{{- if .Values.controller.logging.level }}
- --log={{ .Values.controller.logging.level }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
- --prometheus
- --pprof
{{- end }}
- --proxy-server-mode
- --k8s-api-sync-type=k8s
- --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }}
{{- if .Values.controller.sync.fetchParams.period }}
- --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }}
{{- end }}
{{- range .Values.controller.extraArgs }}
- {{ . }}
{{- end }}
{{- if .Values.controller.unprivileged }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
containerPort: {{ .Values.controller.containerPort.https }}
protocol: UDP
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
containerPort: {{ .targetPort }}
protocol: TCP
{{- end }}
{{- with .Values.controller.livenessProbe }}
livenessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.readinessProbe }}
readinessProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.controller.startupProbe }}
startupProbe:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
env:
{{- if .Values.aws.licenseConfigSecretName }}
- name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
value: "/var/run/secrets/product-license/license_token"
- name: AWS_ROLE_ARN
valueFrom:
secretKeyRef:
name: {{ .Values.aws.licenseConfigSecretName }}
key: iam_role
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.controller.extraEnvs -}}
{{- toYaml .Values.controller.extraEnvs | nindent 10 }}
{{- end }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- if .Values.controller.lifecycle }}
lifecycle:
{{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
{{ tpl .Values.controller.lifecycle . | indent 12 }}
{{- else }}
{{ toYaml .Values.controller.lifecycle | indent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
subPath: tmp
- name: tmp
mountPath: /run
subPath: run
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
readOnly: true
mountPath: /var/run/secrets/product-license
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
{{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
{{ tpl .Values.controller.extraContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.extraContainers | indent 8 }}
{{- end }}
{{- end }}
volumes:
- name: tmp
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
emptyDir:
medium: Memory
sizeLimit: 64Mi
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.aws.licenseConfigSecretName }}
- name: aws-product-license
secret:
secretName: {{ .Values.aws.licenseConfigSecretName }}
optional: true
{{- end }}
{{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
{{ tpl .Values.controller.extraVolumes . | indent 8 }}
{{- else if gt (len .Values.controller.extraVolumes) 0 }}
{{ toYaml .Values.controller.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.controller.initContainers }}
initContainers:
{{- if eq "string" (printf "%T" .Values.controller.initContainers) }}
{{ tpl .Values.controller.initContainers . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.initContainers | indent 8 }}
{{- end }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

68
deploy/kubernetes-ingress/templates/controller-proxy-service.yaml Normal file
View File

@@ -0,0 +1,68 @@
{{/*
Copyright 2024 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kubernetes-ingress.serviceProxyName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.serviceProxyLabels" . | nindent 4 }}
{{ (split ":" .Values.controller.sync.proxyParams.proxySvcLabelSelector)._0 }}: {{ (split ":" .Values.controller.sync.proxyParams.proxySvcLabelSelector)._1 }}
{{- if .Values.controller.service.labels }}
{{ toYaml .Values.controller.service.labels | indent 4 }}
{{- end }}
annotations:
{{- range $key, $value := .Values.controller.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
type: ClusterIP
{{- if .Values.controller.service.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
{{- end }}
ports:
{{- if .Values.controller.service.enablePorts.http }}
- name: http
port: {{ .Values.controller.service.ports.http }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: http
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.http }}
{{- if .Values.controller.service.nodePorts.http }}
nodePort: {{ .Values.controller.service.nodePorts.http }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.https }}
- name: https
port: {{ .Values.controller.service.ports.https }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.https }}
{{- if .Values.controller.service.nodePorts.https }}
nodePort: {{ .Values.controller.service.nodePorts.https }}
{{- end }}
{{- end }}
selector:
{{- include "kubernetes-ingress.serviceProxySelectorLabels" . | nindent 4 }}
{{- if .Values.controller.service.sessionAffinity }}
sessionAffinity: {{ .Values.controller.service.sessionAffinity }}
{{- end }}
{{- end }}

28
deploy/kubernetes-ingress/templates/controller-pullsecret.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.imageCredentials.registry }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }}
{{- end }}

34
deploy/kubernetes-ingress/templates/controller-role.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
rules:
- apiGroups:
- "policy"
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ include "kubernetes-ingress.fullname" . }}
{{- end -}}

33
deploy/kubernetes-ingress/templates/controller-rolebinding.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "kubernetes-ingress.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "kubernetes-ingress.serviceAccountName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
{{- end -}}

56
deploy/kubernetes-ingress/templates/controller-service-metrics.yaml Normal file
View File

@@ -0,0 +1,56 @@
{{/*
Copyright 2022 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
The following Service resource will be created upon certain conditions:
- The ServiceMonitor integration is enabled
- A Service resource must be created
The reason for that is that the Ingress Controller would make it available to the outside
sensitive data such as its metrics, and the operator wants to keep these data private
(such as the value of "controller.service.enablePorts.stat=false").
To let the Prometheus Operator being able to scrape the metrics, an additional service
is going to be created, allowing it to expose of these in the internal Kubernetes networking.
*/}}
{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kubernetes-ingress.serviceMetricsName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.service.metrics.labels }}
{{ toYaml .Values.controller.service.metrics.labels | indent 4 }}
{{- end }}
annotations:
{{- range $key, $value := .Values.controller.service.metrics.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
type: {{ .Values.controller.service.metrics.type }}
ports:
- name: stat
port: {{ .Values.controller.service.ports.stat }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.stat }}
{{- if .Values.controller.service.nodePorts.stat }}
nodePort: {{ .Values.controller.service.nodePorts.stat }}
{{- end }}
selector:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 4 }}
{{- end }}

133
deploy/kubernetes-ingress/templates/controller-service.yaml Normal file
View File

@@ -0,0 +1,133 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.controller.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kubernetes-ingress.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.service.labels }}
{{ toYaml .Values.controller.service.labels | indent 4 }}
{{- end }}
annotations:
{{- range $key, $value := .Values.controller.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }}
type: {{ .Values.controller.service.type }}
{{- if .Values.controller.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
{{- end }}
{{- if .Values.controller.service.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
{{- end }}
ports:
{{- if .Values.controller.service.enablePorts.http }}
- name: http
port: {{ .Values.controller.service.ports.http }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: http
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.http }}
{{- if .Values.controller.service.nodePorts.http }}
nodePort: {{ .Values.controller.service.nodePorts.http }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.https }}
- name: https
port: {{ .Values.controller.service.ports.https }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.https }}
{{- if .Values.controller.service.nodePorts.https }}
nodePort: {{ .Values.controller.service.nodePorts.https }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
- name: quic
port: {{ .Values.controller.service.ports.https }}
protocol: UDP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.quic }}
{{- if .Values.controller.service.nodePorts.https }}
nodePort: {{ .Values.controller.service.nodePorts.https }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.stat }}
- name: stat
port: {{ .Values.controller.service.ports.stat }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.stat }}
{{- if .Values.controller.service.nodePorts.stat }}
nodePort: {{ .Values.controller.service.nodePorts.stat }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
- name: admin
port: {{ .Values.controller.service.ports.admin }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.admin }}
{{- if .Values.controller.service.nodePorts.admin }}
nodePort: {{ .Values.controller.service.nodePorts.admin }}
{{- end }}
{{- end }}
{{- range .Values.controller.service.tcpPorts }}
- name: {{ .name | trunc 15 | trimSuffix "-" }}
port: {{ .port }}
protocol: TCP
targetPort: {{ .targetPort }}
{{- if .nodePort }}
nodePort: {{ .nodePort }}
{{- end }}
{{- end }}
selector:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 4 }}
{{- if .Values.controller.service.sessionAffinity }}
sessionAffinity: {{ .Values.controller.service.sessionAffinity }}
{{- end }}
{{- if .Values.controller.service.ipFamilies }}
ipFamilies:
{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }}
{{- end }}
{{- if .Values.controller.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }}
{{- end }}
externalIPs:
{{- if .Values.controller.service.externalIPs }}
{{ toYaml .Values.controller.service.externalIPs | indent 4 }}
{{- end -}}
{{- if (eq .Values.controller.service.type "LoadBalancer") }}
{{- if .Values.controller.service.loadBalancerIP }}
loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}"
{{- end }}
{{- if .Values.controller.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if .Values.controller.service.loadBalancerClass}}
loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}"
{{- end }}
{{- end }}
{{- end }}

28
deploy/kubernetes-ingress/templates/controller-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if or .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kubernetes-ingress.serviceAccountName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end -}}

37
deploy/kubernetes-ingress/templates/controller-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{/*
Copyright 2019 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "kubernetes-ingress.serviceMonitorName" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.serviceMonitor.extraLabels }}
{{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }}
{{- end }}
spec:
endpoints:
{{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }}
namespaceSelector:
matchNames:
- {{ include "kubernetes-ingress.namespace" . }}
selector:
matchLabels:
{{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
{{- end }}

27
deploy/kubernetes-ingress/templates/namespace.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{/*
Copyright 2022 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.namespace.create -}}
apiVersion: v1
kind: Namespace
metadata:
name: {{ include "kubernetes-ingress.namespace" . }}
labels:
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-weight": "-1"
{{- end -}}

690
deploy/kubernetes-ingress/values.yaml Normal file
View File

@@ -0,0 +1,690 @@
# Copyright 2019 HAProxy Technologies LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller
## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation
podSecurityPolicy:
## Specify pod annotations
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
annotations: {}
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
# seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
# seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
enabled: false
## Enable RBAC Authorization
## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
rbac:
create: true
## Create namespace
## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/
namespace:
create: false
## Configure Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccount:
create: true
name:
automountServiceAccountToken: true
## Namespace override
## Allow the release namespace to be overridden for multi-namespace deployments in combined charts
# namespaceOverride: haproxytech
## AWS Market Place integration
## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere.
## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html
aws:
## Name of the Secret deployed in the desired namespace containing the AWS license files
licenseConfigSecretName: ""
## Controller default values
controller:
name: controller
image:
repository: docker.io/haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images
tag: "" # overrides the image tag whose default is the chart appVersion
pullPolicy: IfNotPresent
## Deployment or DaemonSet pod mode
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
kind: Deployment # can be 'Deployment' or 'DaemonSet'
replicaCount: 2
## minReadySeconds setting of Deployment or DaemonSet
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds
minReadySeconds: 0
## Running container without root privileges
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
unprivileged: true
## Allow privileged port binding without root privileges
## ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
## Note: this feature enables net.ipv4.ip_unprivileged_port_start=0 sysctl when running in unprivileged mode
allowPrivilegedPorts: false
## Restricts container syscalls
## ref: https://kubernetes.io/docs/tutorials/security/seccomp/
enableRuntimeDefaultSeccompProfile: true
## Privilege escalation
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
allowPrivilegeEscalation: false
## Init Containers
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# - name: sysctl
# image: "busybox:musl"
# command:
# - /bin/sh
# - -c
# - sysctl -w net.core.somaxconn=65536
# securityContext:
# privileged: true
## Pod sysctls (applies to Deployment/DaemonSet template)
## ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
## Note: when unprivileged=true and allowPrivilegedPorts=true, the chart will also
## set net.ipv4.ip_unprivileged_port_start=0 unless you override it here.
sysctls: {}
# "net.core.somaxconn": "8192"
## Pod termination grace period
## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
terminationGracePeriodSeconds: 60
## Private Registry configuration
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imageCredentials:
registry: null
username: null
password: null
existingImagePullSecret: null
## Controller Container listener port configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply
containerPort:
http: 8080
https: 8443
stat: 1024
admin: 6060
## Controller Container liveness/readiness probe configuration
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe:
httpGet:
path: /healthz
port: 1042
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: 1042
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
startupProbe:
httpGet:
path: /healthz
port: 1042
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 30
## IngressClass:
## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md
# k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement.
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
# Note: Uses ingressClass as name for the Ingress Class object if enabled
ingressClassResource:
name: haproxy
default: false
parameters: {}
# k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement.
# k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers
ingressClass: haproxy # typically "haproxy" or null to receive all events
# Gateway API controller, not available in K8s as default but can be installed
# ref: https://gateway-api.sigs.k8s.io/
# ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller
kubernetesGateway:
enabled: false
gatewayControllerName: haproxy.org/gateway-controller
## Additional labels to add to the deployment or daemonset metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
extraLabels: {}
# key: value
## Additional annotations to add to the deployment or daemonset metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations: {}
# key: value
## Additional labels to add to the pod container metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
# key: value
## Additional annotations to add to the pod container metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# key: value
## Allows to enable/disable environment variables for finding services
## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615
enableServiceLinks: true
## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise
## secret needs to contain name of the Secret object which has been created manually
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
## ref: https://kubernetes.io/docs/concepts/configuration/secret/
defaultTLSSecret:
enabled: true
secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}'
secret: null
## Compute Resources for controller container
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
resources:
# limits:
# cpu: 250m
# memory: 400Mi
requests:
cpu: 250m
memory: 400Mi
## Horizontal Pod Scaler
## Only to be used with Deployment kind
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
autoscaling:
enabled: false
minReplicas: 2
maxReplicas: 20
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
## HPA annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations: {}
# annotationKey: value
## Behavior
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
# behavior:
# scaleDown:
# stabilizationWindowSeconds: 3600
## Custom metrics (example)
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics
# custom:
# - type: Pods
# pods:
# metricName: haproxy_backend_current_sessions
# targetAverageValue: 2000
## Kubernetes Event-driven Autoscaling: KEDA 2.x
## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/
## Note: mutually exclusive with HPA, enabling KEDA disables HPA
## Node: requires serviceMonitor enabled
keda:
enabled: false
minReplicas: 2
maxReplicas: 20
pollingInterval: 30
cooldownPeriod: 300
restoreToOriginalReplicaCount: false
# fallback:
# failureThreshold: 3
# replicas: 6
# behavior: static
scaledObject:
annotations: {}
horizontalPodAutoscalerConfig: {}
# name: ""
# behavior:
# scaleDown:
# stabilizationWindowSeconds: 300
# policies:
# - type: Percent
# value: 100
# periodSeconds: 15
triggers: []
# - type: prometheus
# metadata:
# serverAddress: http://<prometheus-host>:9090
# metricName: haproxy_process_idle_time_percent
# threshold: '50'
# query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m]))
## Pod Disruption Budget
## Only to be used with Deployment kind
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
PodDisruptionBudget:
enable: false
# maxUnavailable: 1
# minAvailable: 1
## Pod Node assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
## Node Taints and Tolerations for pod-node cheduling through attraction/repelling
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# - key: "key"
# operator: "Equal|Exists"
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
## Node Affinity for pod-node scheduling constraints
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
## Topology spread constraints (only used in kind: Deployment)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: kubernetes-ingress
# app.kubernetes.io/instance: kubernetes-ingress
## Pod DNS Config
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
dnsConfig: {}
## Pod DNS Policy
## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ClusterFirst
## Additional command line arguments to pass to Controller
## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md
extraArgs: []
# - --namespace-whitelist=default
# - --namespace-whitelist=namespace1
# - --namespace-blacklist=namespace2
# - --disable-ipv4
# - --disable-ipv6
# - --disable-http
# - --disable-https
# - --disable-quic
# - --sync-period=10s
## Custom configuration for Controller
## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation
config: {}
# timeout-connect: "250ms"
# servers-increment: "10"
# servers-increment-max-disabled: "10"
# rate-limit: "ON"
# rate-limit-expire: "1m"
# rate-limit-interval: "10s"
# rate-limit-size: "100k"
## Extra annotation for custom configmap for Controller
configAnnotations: {}
# annotationKey: value
## Controller Logging configuration
## Careful: this block will be ignored if you use config.cr-global.
## In this case, move your logging config in entry spec.log_targets in your CR.
logging:
## Controller logging level
## This only relevant to Controller logs
level: info
## HAProxy traffic logs
## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging
traffic: {}
# address: "stdout"
# format: "raw"
# facility: "daemon"
## Mirrors the address of the service's endpoints to the
## load-balancer status of all Ingress objects it satisfies.
publishService:
enabled: true
##
## Override of the publish service
## Must be <namespace>/<service_name>
pathOverride: ""
## Controller Service configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
service:
enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true
type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer'
## Service annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations: {}
## Service labels
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
labels: {}
## Health check node port
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
healthCheckNodePort: 0
## Service nodePorts to use for http, https and stat
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
## If empty, random ports will be used
nodePorts: {}
# http: 31080
# https: 31443
# stat: 31024
# admin: 31060
## Service ports to use for http, https and stat
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
ports:
http: 80
https: 443
stat: 1024
admin: 6060
## The controller service ports for http, https and stat can be disabled by
## setting below to false - this could be useful when only deploying haproxy
## as a TCP loadbalancer
## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled
enablePorts:
http: true
https: true
quic: true
stat: true
admin: true
## Target port mappings for http, https and stat
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
targetPorts:
http: http
https: https
quic: quic
stat: stat
admin: admin
## Additional tcp ports to expose
## This is especially useful for TCP services:
## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md
tcpPorts: []
# - name: http-alt
# port: 8080
# targetPort: http-alt
# nodePort: 32080
## Set external traffic policy
## Default is "Cluster", setting it to "Local" preserves source IP
## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
# externalTrafficPolicy: "Local"
## Expose service via external IPs that route to one or more cluster nodes
externalIPs: []
## LoadBalancer IP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
loadBalancerIP: ""
## Source IP ranges permitted to access Network Load Balancer
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
loadBalancerSourceRanges: []
## Class of load balancer implementation
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
loadBalancerClass: null
## Service ClusterIP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
# clusterIP: ""
## IPv4/IPv6 dual-stack
## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
##
# ipFamilies: [IPv4, IPv6]
# ipFamilyPolicy: PreferDualStack
## Service session affinity
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
# sessionAffinity: ""
## Controller Metrics Service configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
metrics:
type: ClusterIP # can be 'ClusterIP', 'NodePort' or 'LoadBalancer'
## Service annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations: {}
## Service labels
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
labels: {}
## Controller Deployment configuration
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
deployment:
useHostNetwork: false # also modify dnsPolicy accordingly
useHostPort: false
hostIP: null
hostPorts:
http: 80
https: 443
stat: 1024
## Controller DaemonSet configuration
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
daemonset:
useHostNetwork: false # also modify dnsPolicy accordingly
useHostPort: false
hostIP: null
hostPorts:
http: 80
https: 443
stat: 1024
## Controller deployment strategy definition
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
strategy:
type: RollingUpdate
## Controller Pod PriorityClass
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""
## Pod runtime class name
## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
runtimeClassName: ""
## Controller container lifecycle handlers
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle: {}
## Example preStop for graceful shutdown
# preStop:
# exec:
# command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"]
## Set additional environment variables
extraEnvs: []
## Set TZ env to configure timezone on controller containers
# - name: TZ
# value: "Etc/UTC"
## Use envFrom to add env vars from a secret or ConfigMap to the HAProxy container
## ref: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
extraEnvFrom: []
## Example passing the pod IP into a container
# - configMapRef:
# name: ha-env-config
## Add additional containers
extraContainers: []
## Example sidecar
# - name: sidecar
# image: alpine # alpine is a simple Linux OS image
# command: ["/bin/sh"]
# args: ["-c", "while true; do date; sleep 5;done"]
## Additional volumeMounts to the controller main container
extraVolumeMounts: []
## Example empty volume mounts when using securityContext->readOnlyRootFilesystem
# - name: etc-haproxy
# mountPath: /etc/haproxy
# - name: tmp
# mountPath: /tmp
# - name: var-state-haproxy
# mountPath: /var/state/haproxy
## Additional volumes to the controller pod
extraVolumes: []
## Example empty volumes when using securityContext->readOnlyRootFilesystem
# - name: etc-haproxy
# emptyDir: {}
# - name: tmp
# emptyDir: {}
# - name: var-state-haproxy
# emptyDir: {}
## ServiceMonitor
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
## Note: requires Prometheus Operator to be able to work, for example:
## helm install prometheus prometheus-community/kube-prometheus-stack \
## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
serviceMonitor:
## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured
## Should not be enabled when controller.podMonitor.enabled is true
enabled: false
## Specify the labels to add to the ServiceMonitors to be selected for target discovery
extraLabels: {}
## Specify the endpoints
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor
endpoints:
- port: stat
path: /metrics
scheme: http
interval: 30s
## PodMonitor
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
## Note: requires Prometheus Operator to be able to work, for example:
## helm install prometheus prometheus-community/kube-prometheus-stack \
## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
podMonitor:
## Toggle the PodMonitor true if you have Prometheus Operator installed and configured
## Should not be enabled when controller.serviceMonitor.enabled is true
enabled: false
## Specify the labels to add to the PodMonitors to be selected for target discovery
extraLabels: {}
## Specify the endpoints
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#podMonitor
endpoints:
- port: stat
path: /metrics
scheme: http
interval: 30s
params:
scope:
- global
- frontend
- backend
## Controller sync mode with Kubernetes
## Note: requires Enterprise Kubernetes Ingress Controller
## Possible values: 'default' or 'fetch'
## - 'default': the sync is done based on K8s informers (event based)
## - 'fetch': the controller pulls data periodically (from K8s or from proxy)
sync:
mode: default # can be 'default' or 'fetch'
fetchParams: # Mandatory if mode is 'fetch'
# period: 3s # optional, default is 5s
source: k8s # possible values are: 'proxy', 'k8s'
proxyParams: # Mandatory if source is 'proxy'
replicaCount: 3 # number of replicas of the proxy, mandatory if source is 'proxy'
proxySvcLabelSelector: run:haproxy-ingress-proxy # label selector of the proxy service, mandatory if source is 'proxy'
## CRD job default values
crdjob:
## Additional annotations to add to the pod container metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# key: value
## Automatic job cleanup
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: 600
## Pod Node assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
## Node Taints and Tolerations for pod-node cheduling through attraction/repelling
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# - key: "key"
# operator: "Equal|Exists"
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
## Node Affinity for pod-node scheduling constraints
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
## Compute Resources for the CRD Job
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
resources:
# limits:
# cpu: 250m
# memory: 400Mi
requests:
cpu: 250m
memory: 400Mi