[pod-gateway] Update to common v3, order of default was inversed (#944)
* order of default was inverted * Update to common 3.0.1
This commit is contained in:
parent
9664be3916
commit
138e4161cb
@ -2,7 +2,7 @@ apiVersion: v2
|
||||
appVersion: 1.2.6
|
||||
description: Admision controller to change the default gateway and DNS server of PODs
|
||||
name: pod-gateway
|
||||
version: 2.1.1
|
||||
version: 3.0.0
|
||||
kubeVersion: ">=1.16.0-0"
|
||||
keywords:
|
||||
- pod-gateway
|
||||
@ -17,4 +17,4 @@ maintainers:
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: https://library-charts.k8s-at-home.com
|
||||
version: 2.5.0
|
||||
version: 3.0.2
|
||||
|
@ -1,6 +1,6 @@
|
||||
# pod-gateway
|
||||
|
||||
![Version: 2.1.1](https://img.shields.io/badge/Version-2.1.1-informational?style=flat-square) ![AppVersion: 1.2.6](https://img.shields.io/badge/AppVersion-1.2.6-informational?style=flat-square)
|
||||
![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![AppVersion: 1.2.6](https://img.shields.io/badge/AppVersion-1.2.6-informational?style=flat-square)
|
||||
|
||||
Admision controller to change the default gateway and DNS server of PODs
|
||||
|
||||
@ -19,7 +19,7 @@ Kubernetes: `>=1.16.0-0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://library-charts.k8s-at-home.com | common | 2.5.0 |
|
||||
| https://library-charts.k8s-at-home.com | common | 3.0.2 |
|
||||
|
||||
## TL;DR
|
||||
|
||||
@ -100,9 +100,6 @@ certificates. It does not install it as dependency to avoid conflicts.
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| DNS | string | `"172.16.0.1"` | IP address of the DNS server within the vxlan tunnel. All mutated PODs will get this as their DNS server. It must match VXLAN_GATEWAY_IP in settings.sh |
|
||||
| additionalVolumeMounts[0].mountPath | string | `"/config"` | |
|
||||
| additionalVolumeMounts[0].name | string | `"config"` | |
|
||||
| additionalVolumeMounts[0].readOnly | bool | `true` | |
|
||||
| addons.vpn.configFileSecret | string | `"openvpn"` | |
|
||||
| addons.vpn.enabled | bool | `false` | Enable the VPN if you want to route through a VPN. You might also want to set VPN_BLOCK_OTHER_TRAFFIC to true for extra safeness in case the VPN does connect |
|
||||
| addons.vpn.env | string | `nil` | |
|
||||
@ -115,28 +112,11 @@ certificates. It does not install it as dependency to avoid conflicts.
|
||||
| addons.vpn.type | string | `"openvpn"` | |
|
||||
| addons.vpn.wireguard | string | `nil` | |
|
||||
| clusterName | string | `"cluster.local"` | cluster name used to derive the gateway full name |
|
||||
| command[0] | string | `"/bin/gateway_sidecar.sh"` | |
|
||||
| image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | |
|
||||
| image.tag | string | `"v1.2.6"` | |
|
||||
| initContainers[0].command[0] | string | `"/bin/gateway_init.sh"` | |
|
||||
| initContainers[0].image | string | `nil` | Will be set automatically |
|
||||
| initContainers[0].imagePullPolicy | string | `nil` | Will be set automatically |
|
||||
| initContainers[0].name | string | `"routes"` | |
|
||||
| initContainers[0].securityContext.privileged | bool | `true` | |
|
||||
| initContainers[0].volumeMounts[0].mountPath | string | `"/config"` | |
|
||||
| initContainers[0].volumeMounts[0].name | string | `"config"` | |
|
||||
| initContainers[0].volumeMounts[0].readOnly | bool | `true` | |
|
||||
| probes.liveness.enabled | bool | `false` | |
|
||||
| probes.readiness.enabled | bool | `false` | |
|
||||
| probes.startup.enabled | bool | `false` | |
|
||||
| image.pullPolicy | string | `"IfNotPresent"` | image pull policy of the gateway and inserted helper cotainers |
|
||||
| image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | image repository of the gateway and inserted helper containers |
|
||||
| image.tag | string | `"v1.2.6"` | image tag of the gateway and inserted helper containers |
|
||||
| publicPorts | string | `nil` | settings to expose ports, usually through a VPN provider. NOTE: if you change it you will need to manually restart the gateway POD |
|
||||
| routed_namespaces | list | `[]` | Namespaces that might contain routed PODs and therefore require a copy of the gneerated settings configmap. |
|
||||
| securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | |
|
||||
| service.clusterIP | string | `"None"` | |
|
||||
| service.port.port | int | `4789` | |
|
||||
| service.port.protocol | string | `"UDP"` | |
|
||||
| service.type | string | `"ClusterIP"` | |
|
||||
| settings.DNS_LOCAL_CIDRS | string | `"local"` | DNS queries to these domains will be resolved by K8S DNS instead of the default (typcally the VPN client changes it) |
|
||||
| settings.NOT_ROUTED_TO_GATEWAY_CIDRS | string | `""` | IPs not sent to the POD gateway but to the default K8S. Multiple CIDRs can be specified using blanks as separator. Example for Calico: ""172.22.0.0/16 172.24.0.0/16" This is needed, for example, in case your CNI does not add a non-default rule for the K8S addresses (Flannel does). |
|
||||
| settings.VPN_BLOCK_OTHER_TRAFFIC | bool | `false` | Prevent non VPN traffic to leave the gateway |
|
||||
@ -146,32 +126,16 @@ certificates. It does not install it as dependency to avoid conflicts.
|
||||
| settings.VXLAN_GATEWAY_FIRST_DYNAMIC_IP | int | `20` | Keep a range of IPs for static assignment in nat.conf |
|
||||
| settings.VXLAN_ID | int | `42` | Vxlan ID to use |
|
||||
| settings.VXLAN_IP_NETWORK | string | `"172.16.0"` | VXLAN needs an /24 IP range not conflicting with K8S and local IP ranges |
|
||||
| webhook.additionalVolumes | list | `[]` | |
|
||||
| webhook.args[0] | string | `"--tls-cert-file-path=/tls/tls.crt"` | |
|
||||
| webhook.args[1] | string | `"--tls-key-file-path=/tls/tls.key"` | |
|
||||
| webhook.args[2] | string | `"--setGatewayDefault"` | |
|
||||
| webhook.args[3] | string | `"--setGatewayLabel=setGateway"` | |
|
||||
| webhook.args[4] | string | `"--setGatewayAnnotation=setGateway"` | |
|
||||
| webhook.args[5] | string | `"--DNSPolicy=None"` | |
|
||||
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| webhook.image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | |
|
||||
| webhook.image.tag | string | `"v3.3.2"` | |
|
||||
| webhook.inserted.init.cmd | string | `"/bin/client_init.sh"` | |
|
||||
| webhook.inserted.init.mountPath | string | `"/config"` | |
|
||||
| webhook.inserted.init.pullPolicy | string | `nil` | Will be set automatically |
|
||||
| webhook.inserted.init.repository | string | `nil` | Will be set automatically |
|
||||
| webhook.inserted.init.tag | string | `nil` | Will be set automatically |
|
||||
| webhook.inserted.sidecar.cmd | string | `"/bin/client_sidecar.sh"` | |
|
||||
| webhook.inserted.sidecar.mountPath | string | `"/config"` | |
|
||||
| webhook.inserted.sidecar.pullPolicy | string | `nil` | Will be set automatically |
|
||||
| webhook.inserted.sidecar.repository | string | `nil` | Will be set automatically |
|
||||
| webhook.inserted.sidecar.tag | string | `nil` | Will be set automatically |
|
||||
| webhook.namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. All pods in this namespace will get their default gateway changed |
|
||||
| webhook.replicas | int | `1` | |
|
||||
| webhook.service.port.path | string | `"/wh/mutating/setgateway"` | |
|
||||
| webhook.service.port.port | int | `8080` | |
|
||||
| webhook.service.port.protocol | string | `"HTTPS"` | |
|
||||
| webhook.strategy.type | string | `"RollingUpdate"` | |
|
||||
| webhook | object | `{"gatewayAnnotation":"setGateway","gatewayDefault":true,"gatewayLabel":"setGateway","image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/k8s-at-home/gateway-admision-controller","tag":"v3.3.2"},"namespaceSelector":{"matchLabels":{"routed-gateway":"true"}},"replicas":1,"strategy":{"type":"RollingUpdate"}}` | The webhook is used to mutate the PODs matching the given namespace labels. It inserts an init and sidecard helper containers that connect to the gateway pod created by this chart. |
|
||||
| webhook.gatewayAnnotation | string | `"setGateway"` | annotation name to check when evaluating POD. If true the POD will get the gateway. If not set setGatewayDefault will apply. |
|
||||
| webhook.gatewayDefault | bool | `true` | default behviour for new PODs in the evaluated namespace |
|
||||
| webhook.gatewayLabel | string | `"setGateway"` | label name to check when evaluating POD. If true the POD will get the gateway. If not set setGatewayDefault will apply. |
|
||||
| webhook.image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy of the webhook |
|
||||
| webhook.image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | image repository of the webhook |
|
||||
| webhook.image.tag | string | `"v3.3.2"` | image tag of the webhook |
|
||||
| webhook.namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. All pods in this namespace will get evaluated by the webhook. **IMPORTANT**: Do not select the namespace where the webhook is deployed to or you will get locking issues. |
|
||||
| webhook.replicas | int | `1` | number of webhook instances to deploy |
|
||||
| webhook.strategy | object | `{"type":"RollingUpdate"}` | strategy for updates |
|
||||
|
||||
## Changelog
|
||||
|
||||
@ -179,7 +143,7 @@ All notable changes to this application Helm chart will be documented in this fi
|
||||
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
### [2.1.1]
|
||||
### [3.0.0]
|
||||
|
||||
#### Added
|
||||
|
||||
@ -188,7 +152,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
|
||||
#### Changed
|
||||
|
||||
- N/A
|
||||
- **BREAKING**: Upgraded the common library dependency to version 3.0.1. This introduces several breaking changes (`service`, `ingress` and `persistence` keys have been refactored).
|
||||
Be sure to check out the [library chart](https://github.com/k8s-at-home/library-charts/blob/common-3.0.1/charts/stable/common/) for the up-to-date values.
|
||||
|
||||
#### Removed
|
||||
|
||||
|
@ -9,7 +9,7 @@ All notable changes to this application Helm chart will be documented in this fi
|
||||
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
### [2.1.1]
|
||||
### [3.0.0]
|
||||
|
||||
#### Added
|
||||
|
||||
@ -18,7 +18,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
|
||||
#### Changed
|
||||
|
||||
- N/A
|
||||
- **BREAKING**: Upgraded the common library dependency to version 3.0.2. This introduces several breaking changes (`service`, `ingress` and `persistence` keys have been refactored).
|
||||
Be sure to check out the [library chart](https://github.com/k8s-at-home/library-charts/blob/common-3.0.2/charts/stable/common/) for the up-to-date values.
|
||||
|
||||
#### Removed
|
||||
|
||||
|
@ -1,22 +1,69 @@
|
||||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "common.values.setup" . }}
|
||||
|
||||
{{- $_ := set (first .Values.initContainers ) "image" (printf "%s:%s" .Values.image.repository .Values.image.tag ) -}}
|
||||
{{- $_ := set (first .Values.initContainers ) "imagePullPolicy" .Values.image.pullPolicy -}}
|
||||
{{/* Append the hardcoded settings */}}
|
||||
{{- define "pod-gateway.harcodedValues" -}}
|
||||
# -- Command starting DHCP server in the gateway
|
||||
command:
|
||||
- /bin/gateway_sidecar.sh
|
||||
|
||||
{{/* Append the cert secret to the additionalVolumes */}}
|
||||
{{- define "pod-gateway.settings.volume" -}}
|
||||
name: config
|
||||
configMap:
|
||||
name: {{ include "pod-gateway.configmap" . }}
|
||||
defaultMode: 0555
|
||||
{{- end -}}
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|
||||
|
||||
# -- Configure persistence settings for the chart under this key.
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
type: custom
|
||||
mountPath: /config
|
||||
readOnly: true
|
||||
volumeSpec:
|
||||
configMap:
|
||||
name: {{ include "pod-gateway.configmap" . }}
|
||||
defaultMode: 0555
|
||||
|
||||
initContainers:
|
||||
# -- Configures an initContainer that creates a VXLAN
|
||||
# In the gateway for client PODs to connect to.
|
||||
# iptables migh be (see VPN_BLOCK_OTHER_TRAFFIC) setup
|
||||
# to block traffic not going through the VPN
|
||||
- name: "routes"
|
||||
# -- Image for the init container
|
||||
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.pullPolicy>
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
# -- Command starting DHCP server in the gateway
|
||||
command:
|
||||
- /bin/gateway_init.sh
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /config
|
||||
readOnly: true
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
http:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
port: 4789
|
||||
protocol: UDP
|
||||
|
||||
{{- $volume := include "pod-gateway.settings.volume" . | fromYaml -}}
|
||||
{{- if $volume -}}
|
||||
{{- $additionalVolumes := append .Values.additionalVolumes $volume }}
|
||||
{{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}}
|
||||
{{- end -}}
|
||||
{{- $_ := mergeOverwrite .Values (include "pod-gateway.harcodedValues" . | fromYaml) -}}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "common.all" . }}
|
||||
|
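Review bot: The `# -- Command starting DHCP server in the gateway` comment sitting above the init container's `command:` (the `/bin/gateway_init.sh` entry) is the sidecar's comment copied verbatim, while the block comment a few lines higher says this container creates the VXLAN; since helm-docs lifts these comments into the README, it should read something like `# -- Command creating the VXLAN in the gateway (init container)`. The hardcoded `persistence.config.volumeSpec.configMap.defaultMode: 0555` relies on YAML 1.1 octal parsing (0555 → 365); a 1.2-style parser would read decimal 555, which is not a valid mode, so a short inline note `# octal, r-xr-xr-x` on that line would save the next reader a check. Assuming these lines are on the new side, `initContainers[0].securityContext.privileged: true` and the `NET_ADMIN` capability are now applied through `mergeOverwrite` and can no longer be narrowed from values; that is probably intended for VXLAN setup, but the `# -- Configures an initContainer that creates a VXLAN` comment is a good place to state that this privilege is required and not overridable.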
@ -22,8 +22,8 @@ webhooks:
|
||||
service:
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
name: {{ include "common.names.fullname" . }}-webhook
|
||||
path: {{ .Values.webhook.service.port.path | quote }}
|
||||
port: {{ .Values.webhook.service.port.port }}
|
||||
path: /wh/mutating/setgateway
|
||||
port: {{ include "pod-gateway.webhookPort" . }}
|
||||
admissionReviewVersions: ["v1", "v1beta1"]
|
||||
sideEffects: None
|
||||
timeoutSeconds: 5
|
||||
|
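Review bot: The webhook `path` is now the literal `/wh/mutating/setgateway` on the line after `name:`, while the sibling `port` goes through the `pod-gateway.webhookPort` helper; the path is the endpoint the API server POSTs admission reviews to, so the two values deserve the same treatment. Either add a `pod-gateway.webhookPath` define next to `webhookPort` in _helpers.tpl, or leave a comment on the literal such as `# must match the mutating handler path served by the webhook image`. The enclosing `webhooks:` entry starts before the hunk, so `failurePolicy` and the rules could not be checked here.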
@ -1,45 +1,18 @@
|
||||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "common.values.setup" . }}
|
||||
|
||||
{{- $_ := set .Values.webhook.inserted.init "repository" .Values.image.repository -}}
|
||||
{{- $_ := set .Values.webhook.inserted.init "tag" .Values.image.tag -}}
|
||||
{{- $_ := set .Values.webhook.inserted.init "pullPolicy" .Values.image.pullPolicy -}}
|
||||
{{- $_ := set .Values.webhook.inserted.sidecar "repository" .Values.image.repository -}}
|
||||
{{- $_ := set .Values.webhook.inserted.sidecar "tag" .Values.image.tag -}}
|
||||
{{- $_ := set .Values.webhook.inserted.sidecar "pullPolicy" .Values.image.pullPolicy -}}
|
||||
|
||||
{{- define "pod-gateway.webhook-inserted-init-repository" -}}
|
||||
{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.init.repository ) ( .Values.image.tag | default .Values.webhook.inserted.init.tag ) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "pod-gateway.webhook-inserted-init-pullPolicy" -}}
|
||||
{{ .Values.webhook.inserted.init.pullPolicy | default .Values.image.pullPolicy }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "pod-gateway.webhook-inserted-sidecar-repository" -}}
|
||||
{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.sidecar.repository ) ( .Values.image.tag | default .Values.webhook.inserted.sidecar.tag ) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "pod-gateway.webhook-inserted-sidecar-pullPolicy" -}}
|
||||
{{ .Values.webhook.inserted.sidecar.pullPolicy | default .Values.image.pullPolicy }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "pod-gateway.gateway" -}}
|
||||
{{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterName }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "pod-gateway.init.image" -}}
|
||||
{{ printf "%s:%s" .Values.webhook.inserted.init.repository (.Values.webhook.inserted.init.tag | default "latest" ) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "pod-gateway.sidecar.image" -}}
|
||||
{{ printf "%s:%s" .Values.webhook.inserted.sidecar.repository (.Values.webhook.inserted.sidecar.tag | default "latest" ) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "pod-gateway.configmap" -}}
|
||||
{{ include "common.names.fullname" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "pod-gateway.webhookPort" -}}
|
||||
8080
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{- define "pod-gateway.selfSignedIssuer" -}}
|
||||
{{ printf "%s-webhook-selfsign" (include "common.names.fullname" .) }}
|
||||
|
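Review bot: `pod-gateway.webhookPort` carries no comment although it is now the single source for the container listen address, the probes, the Service port and the MutatingWebhookConfiguration port; propose `{{/* Port the webhook listens on; referenced by the Deployment args and probes, the Service and the MutatingWebhookConfiguration */}}` above the define. The top-level `{{- include "common.values.setup" . }}` that survives at the head of this file duplicates the call in the chart's main template; as far as I know Helm does not execute top-level actions in `_`-prefixed partials, so this line is most likely dead and could be dropped so nobody assumes it runs. The `pod-gateway.selfSignedIssuer` define is cut off by the end of the hunk.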
@ -1,4 +1,4 @@
|
||||
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-webhook
|
||||
@ -35,29 +35,35 @@ spec:
|
||||
secretName: {{ include "pod-gateway.servingCertificate" . }}
|
||||
defaultMode: 420
|
||||
containers:
|
||||
- name: foo-pod-gateway
|
||||
- name: webhook
|
||||
image: {{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag }}
|
||||
args:
|
||||
- --webhook-listen-address=:{{ .Values.webhook.service.port.port |toString }}
|
||||
- --webhook-listen-address=:{{ include "pod-gateway.webhookPort" . }}
|
||||
- --gateway={{ include "pod-gateway.gateway" . }}
|
||||
- --DNS={{ .Values.DNS }}
|
||||
- --configmapName={{ include "pod-gateway.configmap" . }}
|
||||
{{- if ( include "pod-gateway.webhook-inserted-init-repository" . ) }}
|
||||
- --initImage={{ include "pod-gateway.webhook-inserted-init-repository" . }}
|
||||
- --initImagePullPol={{ include "pod-gateway.webhook-inserted-init-pullPolicy" . }}
|
||||
- --initCmd={{ .Values.webhook.inserted.init.cmd }}
|
||||
- --initMountPoint={{ .Values.webhook.inserted.init.mountPath }}
|
||||
{{- end}}
|
||||
{{- if ( include "pod-gateway.webhook-inserted-sidecar-repository" . ) }}
|
||||
- --sidecarImage={{ include "pod-gateway.webhook-inserted-init-repository" . }}
|
||||
- --sidecarImagePullPol={{ include "pod-gateway.webhook-inserted-sidecar-pullPolicy" . }}
|
||||
- --sidecarCmd={{ .Values.webhook.inserted.sidecar.cmd }}
|
||||
- --sidecarMountPoint={{ .Values.webhook.inserted.sidecar.mountPath }}
|
||||
{{- end}}
|
||||
{{ toYaml .Values.webhook.args | nindent 12 }}
|
||||
- --setGatewayLabel={{ .Values.webhook.gatewayLabel }}
|
||||
- --setGatewayAnnotation={{ .Values.webhook.gatewayAnnotation }}
|
||||
{{ if .Values.webhook.gatewayDefault }}
|
||||
- --setGatewayDefault
|
||||
{{ end }}
|
||||
# Static
|
||||
- --tls-cert-file-path=/tls/tls.crt
|
||||
- --tls-key-file-path=/tls/tls.key
|
||||
- --DNSPolicy=None
|
||||
# Init container
|
||||
- --initImage={{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||
- --initImagePullPol={{ .Values.image.pullPolicy }}
|
||||
- --initCmd=/bin/client_init.sh
|
||||
- --initMountPoint=/config
|
||||
# Sidecar container
|
||||
- --sidecarImage={{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||
- --sidecarImagePullPol={{ .Values.image.pullPolicy }}
|
||||
- --sidecarCmd=/bin/sidecar_init.sh
|
||||
- --sidecarMountPoint=/config
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ .Values.webhook.service.port.port }}
|
||||
containerPort: {{ include "pod-gateway.webhookPort" . }}
|
||||
protocol: TCP
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
@ -67,8 +73,8 @@ spec:
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /wh/health
|
||||
port: {{ .Values.webhook.service.port.port }}
|
||||
scheme: {{ .Values.webhook.service.port.protocol }}
|
||||
port: {{ include "pod-gateway.webhookPort" . }}
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 1
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: 10
|
||||
@ -77,8 +83,8 @@ spec:
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /wh/health
|
||||
port: {{ .Values.webhook.service.port.port }}
|
||||
scheme: {{ .Values.webhook.service.port.protocol }}
|
||||
port: {{ include "pod-gateway.webhookPort" . }}
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 1
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: 10
|
||||
@ -87,15 +93,15 @@ spec:
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /wh/health
|
||||
port: {{ .Values.webhook.service.port.port }}
|
||||
scheme: {{ .Values.webhook.service.port.protocol }}
|
||||
port: {{ include "pod-gateway.webhookPort" . }}
|
||||
scheme: HTTPS
|
||||
timeoutSeconds: 1
|
||||
periodSeconds: 1
|
||||
successThreshold: 1
|
||||
failureThreshold: 30
|
||||
terminationMessagePath: /dev/termination-log
|
||||
terminationMessagePolicy: File
|
||||
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
restartPolicy: Always
|
||||
strategy:
|
||||
type: {{ .Values.webhook.strategy.type }}
|
||||
|
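Review bot: The hardcoded `--sidecarCmd=/bin/sidecar_init.sh` in the webhook args does not match the previous default of `webhook.inserted.sidecar.cmd`, `/bin/client_sidecar.sh`, that this commit removes from values.yaml, while `--initCmd=/bin/client_init.sh` does match its old default; unless the image was changed alongside, the sidecar injected into every mutated pod will likely fail to start, so the line should read `- --sidecarCmd=/bin/client_sidecar.sh`. In the last hunk the container's `imagePullPolicy` becomes `{{ .Values.image.pullPolicy }}` although the image on `image: {{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag }}` comes from `webhook.image`, and `webhook.image.pullPolicy` is still documented in values.yaml and README; assuming the old-then-new print order, this should stay `imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}`. The `{{ if .Values.webhook.gatewayDefault }}` / `{{ end }}` pair uses no trim markers, so the rendered args list gets stray blank lines; `{{- if ... }}` / `{{- end }}` as used in the rest of the hunk is tidier.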
@ -1,32 +1,15 @@
|
||||
{{- $values := .Values.webhook.service -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-webhook
|
||||
labels:
|
||||
{{- include "common.labels" . | nindent 4 }}
|
||||
{{- if $values.labels }}
|
||||
{{ toYaml $values.labels | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if eq ( $values.port.protocol | default "" ) "HTTPS" }}
|
||||
traefik.ingress.kubernetes.io/service.serversscheme: https
|
||||
{{- end }}
|
||||
{{- with $values.annotations }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
{{- if $values.clusterIP }}
|
||||
clusterIP: {{ $values.clusterIP }}
|
||||
{{end}}
|
||||
{{- if $values.sessionAffinity }}
|
||||
sessionAffinity: {{ $values.sessionAffinity }}
|
||||
{{- if $values.sessionAffinityConfig }}
|
||||
sessionAffinityConfig:
|
||||
{{ toYaml $values.sessionAffinityConfig | nindent 4 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- include "common.classes.service.ports" (dict "svcType" "ClusterIP" "values" $values ) | trim | nindent 2 }}
|
||||
ports:
|
||||
- name: http
|
||||
protocol: TCP
|
||||
port: {{ include "pod-gateway.webhookPort" . }}
|
||||
targetPort: http
|
||||
selector:
|
||||
{{- include "pod-gateway.labels.selectorLabels" . | nindent 4 }}
|
||||
|
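Review bot: The new `selector:` calls `include "pod-gateway.labels.selectorLabels"`, but no such define appears in the visible _helpers.tpl hunk, which now holds only `gateway`, `configmap`, `webhookPort` and `selfSignedIssuer` (that file continues past its hunk, so it may be defined further down). If the helper is missing the render fails, and if it produces labels the Deployment pods do not carry, the Service has no endpoints and the API server cannot reach the webhook; depending on the webhook's `failurePolicy` that either blocks pod creation in routed namespaces or lets pods start without the gateway, which is the failure mode worth checking with a `helm template` render and a look at the resulting Endpoints. The port is named `http` with `protocol: TCP` while the probes address it with `scheme: HTTPS`; renaming it `https` together with the container port name would be clearer, but is cosmetic.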
@ -6,8 +6,11 @@
|
||||
#
|
||||
|
||||
image:
|
||||
# -- image repository of the gateway and inserted helper containers
|
||||
repository: ghcr.io/k8s-at-home/pod-gateway
|
||||
# -- image pull policy of the gateway and inserted helper cotainers
|
||||
pullPolicy: IfNotPresent
|
||||
# -- image tag of the gateway and inserted helper containers
|
||||
tag: v1.2.6
|
||||
|
||||
# -- IP address of the DNS server within the vxlan tunnel.
|
||||
@ -91,64 +94,30 @@ addons:
|
||||
# Cluster IPs (default k3s)
|
||||
cidr: 10.0.0.0/8
|
||||
|
||||
|
||||
# You should not need to change the settings bellow this
|
||||
# at least you have ready the webhook and pod-gateway containers
|
||||
# documentation
|
||||
|
||||
command:
|
||||
- /bin/gateway_sidecar.sh
|
||||
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|
||||
|
||||
additionalVolumeMounts:
|
||||
- name: config
|
||||
mountPath: /config
|
||||
readOnly: true
|
||||
|
||||
initContainers:
|
||||
- name: "routes"
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.repository>:<image.tag>
|
||||
image:
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.pullPolicy>
|
||||
imagePullPolicy:
|
||||
command:
|
||||
- /bin/gateway_init.sh
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /config
|
||||
readOnly: true
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
port:
|
||||
port: 4789
|
||||
protocol: UDP
|
||||
|
||||
# -- The webhook is used to mutate the PODs matching the given
|
||||
# namespace labels. It inserts an init and sidecard helper containers
|
||||
# that connect to the gateway pod created by this chart.
|
||||
# @default -- See below
|
||||
webhook:
|
||||
image:
|
||||
# -- image repository of the webhook
|
||||
repository: ghcr.io/k8s-at-home/gateway-admision-controller
|
||||
# -- image pullPolicy of the webhook
|
||||
pullPolicy: IfNotPresent
|
||||
# -- image tag of the webhook
|
||||
tag: v3.3.2
|
||||
|
||||
# -- number of webhook instances to deploy
|
||||
replicas: 1
|
||||
|
||||
# -- strategy for updates
|
||||
strategy:
|
||||
type: RollingUpdate
|
||||
|
||||
# -- Selector for namespace.
|
||||
# All pods in this namespace will get their default gateway changed
|
||||
# All pods in this namespace will get evaluated by the webhook.
|
||||
# **IMPORTANT**: Do not select the namespace where the webhook
|
||||
# is deployed to or you will get locking issues.
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
routed-gateway: "true"
|
||||
@ -157,69 +126,13 @@ webhook:
|
||||
# operator: NotIn
|
||||
# values: ["1"]
|
||||
|
||||
additionalVolumes: []
|
||||
# -- default behviour for new PODs in the evaluated namespace
|
||||
gatewayDefault: true
|
||||
|
||||
# -- label name to check when evaluating POD. If true the POD
|
||||
# will get the gateway. If not set setGatewayDefault will apply.
|
||||
gatewayLabel: setGateway
|
||||
|
||||
inserted:
|
||||
init:
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.repository>
|
||||
repository:
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.pullPolicy>
|
||||
pullPolicy:
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.tag>
|
||||
tag:
|
||||
cmd: /bin/client_init.sh
|
||||
mountPath: /config
|
||||
|
||||
sidecar:
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.repository>
|
||||
repository:
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.pullPolicy>
|
||||
pullPolicy:
|
||||
# -- Will be set automatically
|
||||
# @default -- <image.tag>
|
||||
tag:
|
||||
cmd: /bin/client_sidecar.sh
|
||||
mountPath: /config
|
||||
|
||||
replicas: 1
|
||||
|
||||
strategy:
|
||||
type: RollingUpdate
|
||||
|
||||
# Args for webhook
|
||||
# See more information in the container git repository at
|
||||
# https://github.com/k8s-at-home/gateway-admision-controller
|
||||
args:
|
||||
- --tls-cert-file-path=/tls/tls.crt
|
||||
- --tls-key-file-path=/tls/tls.key
|
||||
- --setGatewayDefault
|
||||
- --setGatewayLabel=setGateway
|
||||
- --setGatewayAnnotation=setGateway
|
||||
- --DNSPolicy=None
|
||||
# - --debug
|
||||
# - --development
|
||||
# Set by Helm chart:
|
||||
# --webhook-listen-address=:<set to service port>
|
||||
# --gateway=<set automatically to 'gateway'>
|
||||
# --DNS=<set automatically to 'gateway'>
|
||||
# --initImage
|
||||
# --initImagePullPol
|
||||
# --initCmd
|
||||
# --initMountPoint
|
||||
# --sidecarImage
|
||||
# --sidecarImagePullPol
|
||||
# --sidecarCmd
|
||||
# --sidecarMountPoint
|
||||
# --configmapName
|
||||
|
||||
service:
|
||||
port:
|
||||
path: /wh/mutating/setgateway
|
||||
protocol: HTTPS
|
||||
port: 8080
|
||||
# -- annotation name to check when evaluating POD. If true the POD
|
||||
# will get the gateway. If not set setGatewayDefault will apply.
|
||||
gatewayAnnotation: setGateway
|
||||
|
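Review bot: Several of the helm-docs `# --` comments added here carry typos that are lifted straight into the README table: `cotainers` in the `image.pullPolicy` comment, `sidecard` in the `webhook` block comment and `behviour` in the `gatewayDefault` comment. The `gatewayDefault` comment is also the one a deployer reads to understand which pods are forced through the gateway, so it should say what the label/annotation comments imply: `# -- Applied to PODs in the evaluated namespace that carry neither the gateway label nor the annotation; true routes them through the gateway`. The context comment `# You should not need to change the settings bellow this / # at least you have ready the webhook and pod-gateway containers / # documentation` would read better as `# You should not need to change the settings below this point unless you have read the webhook and pod-gateway container documentation`.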