From 138e4161cba38fd989d80abdbad9bd26ded89993 Mon Sep 17 00:00:00 2001
From: Angel Nunez Mencias
Date: Fri, 11 Jun 2021 10:06:57 +0200
Subject: [PATCH] [pod-gateway] Update to common v3, order of default was inversed (#944)

* order of default was inversed

* Update to common 3.0.1
---
 charts/stable/pod-gateway/Chart.yaml | 4 +-
 charts/stable/pod-gateway/README.md | 71 +++------
 .../pod-gateway/README_CHANGELOG.md.gotmpl | 5 +-
 .../stable/pod-gateway/templates/common.yaml | 73 +++++++-
 .../webhook-admissionregistration.yaml | 4 +-
 .../pod-gateway/templates/webhook-common.yaml | 35 +----
 .../templates/webhook-deployment.yaml | 54 ++++---
 .../templates/webhook-service.yaml | 27 +---
 charts/stable/pod-gateway/values.yaml | 143 ++++-------------
 9 files changed, 152 insertions(+), 264 deletions(-)

diff --git a/charts/stable/pod-gateway/Chart.yaml b/charts/stable/pod-gateway/Chart.yaml
index 61e8a94c..0781d97f 100644
--- a/charts/stable/pod-gateway/Chart.yaml
+++ b/charts/stable/pod-gateway/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 1.2.6
 description: Admision controller to change the default gateway and DNS server of PODs
 name: pod-gateway
-version: 2.1.1
+version: 3.0.0
 kubeVersion: ">=1.16.0-0"
 keywords:
 - pod-gateway
@@ -17,4 +17,4 @@ maintainers:
 dependencies:
 - name: common
   repository: https://library-charts.k8s-at-home.com
-  version: 2.5.0
+  version: 3.0.2
diff --git a/charts/stable/pod-gateway/README.md b/charts/stable/pod-gateway/README.md
index 5d39edb8..023f74dd 100644
--- a/charts/stable/pod-gateway/README.md
+++ b/charts/stable/pod-gateway/README.md
@@ -1,6 +1,6 @@ # pod-gateway -![Version: 2.1.1](https://img.shields.io/badge/Version-2.1.1-informational?style=flat-square) ![AppVersion: 1.2.6](https://img.shields.io/badge/AppVersion-1.2.6-informational?style=flat-square) +![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![AppVersion: 1.2.6](https://img.shields.io/badge/AppVersion-1.2.6-informational?style=flat-square) Admision controller to change the default gateway and DNS server of PODs @@ -19,7 +19,7 @@ Kubernetes: `>=1.16.0-0` | Repository | Name | Version | |------------|------|---------| -| https://library-charts.k8s-at-home.com | common | 2.5.0 | +| https://library-charts.k8s-at-home.com | common | 3.0.2 | ## TL;DR @@ -100,9 +100,6 @@ certificates. It does not install it as dependency to avoid conflicts. | Key | Type | Default | Description | |-----|------|---------|-------------| | DNS | string | `"172.16.0.1"` | IP address of the DNS server within the vxlan tunnel. All mutated PODs will get this as their DNS server. It must match VXLAN_GATEWAY_IP in settings.sh | -| additionalVolumeMounts[0].mountPath | string | `"/config"` | | -| additionalVolumeMounts[0].name | string | `"config"` | | -| additionalVolumeMounts[0].readOnly | bool | `true` | | | addons.vpn.configFileSecret | string | `"openvpn"` | | | addons.vpn.enabled | bool | `false` | Enable the VPN if you want to route through a VPN. You might also want to set VPN_BLOCK_OTHER_TRAFFIC to true for extra safeness in case the VPN does connect | | addons.vpn.env | string | `nil` | | 
@@ -115,28 +112,11 @@ certificates. It does not install it as dependency to avoid conflicts. | addons.vpn.type | string | `"openvpn"` | | | addons.vpn.wireguard | string | `nil` | | | clusterName | string | `"cluster.local"` | cluster name used to derive the gateway full name | -| command[0] | string | `"/bin/gateway_sidecar.sh"` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | | -| image.tag | string | `"v1.2.6"` | | -| initContainers[0].command[0] | string | `"/bin/gateway_init.sh"` | | -| initContainers[0].image | string | `nil` | Will be set automatically | -| initContainers[0].imagePullPolicy | string | `nil` | Will be set automatically | -| initContainers[0].name | string | `"routes"` | | -| initContainers[0].securityContext.privileged | bool | `true` | | -| initContainers[0].volumeMounts[0].mountPath | string | `"/config"` | | -| initContainers[0].volumeMounts[0].name | string | `"config"` | | -| initContainers[0].volumeMounts[0].readOnly | bool | `true` | | -| probes.liveness.enabled | bool | `false` | | -| probes.readiness.enabled | bool | `false` | | -| probes.startup.enabled | bool | `false` | | +| image.pullPolicy | string | `"IfNotPresent"` | image pull policy of the gateway and inserted helper cotainers | +| image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | image repository of the gateway and inserted helper containers | +| image.tag | string | `"v1.2.6"` | image tag of the gateway and inserted helper containers | | publicPorts | string | `nil` | settings to expose ports, usually through a VPN provider. NOTE: if you change it you will need to manually restart the gateway POD | | routed_namespaces | list | `[]` | Namespaces that might contain routed PODs and therefore require a copy of the gneerated settings configmap. 
| -| securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | | -| service.clusterIP | string | `"None"` | | -| service.port.port | int | `4789` | | -| service.port.protocol | string | `"UDP"` | | -| service.type | string | `"ClusterIP"` | | | settings.DNS_LOCAL_CIDRS | string | `"local"` | DNS queries to these domains will be resolved by K8S DNS instead of the default (typcally the VPN client changes it) | | settings.NOT_ROUTED_TO_GATEWAY_CIDRS | string | `""` | IPs not sent to the POD gateway but to the default K8S. Multiple CIDRs can be specified using blanks as separator. Example for Calico: ""172.22.0.0/16 172.24.0.0/16" This is needed, for example, in case your CNI does not add a non-default rule for the K8S addresses (Flannel does). | | settings.VPN_BLOCK_OTHER_TRAFFIC | bool | `false` | Prevent non VPN traffic to leave the gateway | 
@@ -146,32 +126,16 @@ certificates. It does not install it as dependency to avoid conflicts. | settings.VXLAN_GATEWAY_FIRST_DYNAMIC_IP | int | `20` | Keep a range of IPs for static assignment in nat.conf | | settings.VXLAN_ID | int | `42` | Vxlan ID to use | | settings.VXLAN_IP_NETWORK | string | `"172.16.0"` | VXLAN needs an /24 IP range not conflicting with K8S and local IP ranges | -| webhook.additionalVolumes | list | `[]` | | -| webhook.args[0] | string | `"--tls-cert-file-path=/tls/tls.crt"` | | -| webhook.args[1] | string | `"--tls-key-file-path=/tls/tls.key"` | | -| webhook.args[2] | string | `"--setGatewayDefault"` | | -| webhook.args[3] | string | `"--setGatewayLabel=setGateway"` | | -| webhook.args[4] | string | `"--setGatewayAnnotation=setGateway"` | | -| webhook.args[5] | string | `"--DNSPolicy=None"` | | -| webhook.image.pullPolicy | string | `"IfNotPresent"` | | -| webhook.image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | | -| webhook.image.tag | string | `"v3.3.2"` | | -| webhook.inserted.init.cmd | string | `"/bin/client_init.sh"` | | -| webhook.inserted.init.mountPath | string | `"/config"` | | -| webhook.inserted.init.pullPolicy | string | `nil` | Will be set automatically | -| webhook.inserted.init.repository | string | `nil` | Will be set automatically | -| webhook.inserted.init.tag | string | `nil` | Will be set automatically | -| webhook.inserted.sidecar.cmd | string | `"/bin/client_sidecar.sh"` | | -| webhook.inserted.sidecar.mountPath | string | `"/config"` | | -| webhook.inserted.sidecar.pullPolicy | string | `nil` | Will be set automatically | -| webhook.inserted.sidecar.repository | string | `nil` | Will be set automatically | -| webhook.inserted.sidecar.tag | string | `nil` | Will be set automatically | -| webhook.namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. 
All pods in this namespace will get their default gateway changed | -| webhook.replicas | int | `1` | | -| webhook.service.port.path | string | `"/wh/mutating/setgateway"` | | -| webhook.service.port.port | int | `8080` | | -| webhook.service.port.protocol | string | `"HTTPS"` | | -| webhook.strategy.type | string | `"RollingUpdate"` | | +| webhook | object | `{"gatewayAnnotation":"setGateway","gatewayDefault":true,"gatewayLabel":"setGateway","image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/k8s-at-home/gateway-admision-controller","tag":"v3.3.2"},"namespaceSelector":{"matchLabels":{"routed-gateway":"true"}},"replicas":1,"strategy":{"type":"RollingUpdate"}}` | The webhook is used to mutate the PODs matching the given namespace labels. It inserts an init and sidecard helper containers that connect to the gateway pod created by this chart. | +| webhook.gatewayAnnotation | string | `"setGateway"` | annotation name to check when evaluating POD. If true the POD will get the gateway. If not set setGatewayDefault will apply. | +| webhook.gatewayDefault | bool | `true` | default behviour for new PODs in the evaluated namespace | +| webhook.gatewayLabel | string | `"setGateway"` | label name to check when evaluating POD. If true the POD will get the gateway. If not set setGatewayDefault will apply. | +| webhook.image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy of the webhook | +| webhook.image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | image repository of the webhook | +| webhook.image.tag | string | `"v3.3.2"` | image tag of the webhook | +| webhook.namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. All pods in this namespace will get evaluated by the webhook. **IMPORTANT**: Do not select the namespace where the webhook is deployed to or you will get locking issues. 
| +| webhook.replicas | int | `1` | number of webhook instances to deploy | +| webhook.strategy | object | `{"type":"RollingUpdate"}` | strategy for updates | ## Changelog @@ -179,7 +143,7 @@ All notable changes to this application Helm chart will be documented in this fi The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -### [2.1.1] +### [3.0.0] #### Added @@ -188,7 +152,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), #### Changed -- N/A +- **BREAKING**: Upgraded the common library dependency to version 3.0.1. This introduces several breaking changes (`service`, `ingress` and `persistence` keys have been refactored). + Be sure to check out the [library chart](https://github.com/k8s-at-home/library-charts/blob/common-3.0.1/charts/stable/common/) for the up-to-date values. #### Removed diff --git a/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl b/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl index edcb2d18..e29a5e90 100644 --- a/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl +++ b/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl @@ -9,7 +9,7 @@ All notable changes to this application Helm chart will be documented in this fi The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -### [2.1.1] +### [3.0.0] #### Added @@ -18,7 +18,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), #### Changed -- N/A +- **BREAKING**: Upgraded the common library dependency to version 3.0.2. This introduces several breaking changes (`service`, `ingress` and `persistence` keys have been refactored). + Be sure to check out the [library chart](https://github.com/k8s-at-home/library-charts/blob/common-3.0.2/charts/stable/common/) for the up-to-date values. #### Removed 
diff --git a/charts/stable/pod-gateway/templates/common.yaml b/charts/stable/pod-gateway/templates/common.yaml index b9349d3f..18641184 100644 --- a/charts/stable/pod-gateway/templates/common.yaml +++ b/charts/stable/pod-gateway/templates/common.yaml 
@@ -1,22 +1,69 @@ {{/* Make sure all variables are set properly */}} {{- include "common.values.setup" . }} -{{- $_ := set (first .Values.initContainers ) "image" (printf "%s:%s" .Values.image.repository .Values.image.tag ) -}} -{{- $_ := set (first .Values.initContainers ) "imagePullPolicy" .Values.image.pullPolicy -}} +{{/* Append the hardcoded settings */}} +{{- define "pod-gateway.harcodedValues" -}} +# -- Command starting DHCP server in the gateway +command: +- /bin/gateway_sidecar.sh -{{/* Append the cert secret to the additionalVolumes */}} -{{- define "pod-gateway.settings.volume" -}} -name: config -configMap: - name: {{ include "pod-gateway.configmap" . }} - defaultMode: 0555 -{{- end -}} +securityContext: + capabilities: + add: + - NET_ADMIN + +# -- Configure persistence settings for the chart under this key. +persistence: + config: + enabled: true + type: custom + mountPath: /config + readOnly: true + volumeSpec: + configMap: + name: {{ include "pod-gateway.configmap" . }} + defaultMode: 0555 + +initContainers: +# -- Configures an initContainer that creates a VXLAN +# In the gateway for client PODs to connect to. +# iptables migh be (see VPN_BLOCK_OTHER_TRAFFIC) setup +# to block traffic not going through the VPN +- name: "routes" + # -- Image for the init container + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + # -- Will be set automatically + # @default -- + imagePullPolicy: {{ .Values.image.pullPolicy }} + # -- Command starting DHCP server in the gateway + command: + - /bin/gateway_init.sh + securityContext: + privileged: true + volumeMounts: + - name: config + mountPath: /config + readOnly: true + +probes: + liveness: + enabled: false + readiness: + enabled: false + startup: + enabled: false + +service: + main: + ports: + http: + type: ClusterIP + clusterIP: None + port: 4789 + protocol: UDP -{{- $volume := include "pod-gateway.settings.volume" . 
| fromYaml -}} -{{- if $volume -}} - {{- $additionalVolumes := append .Values.additionalVolumes $volume }} - {{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}} {{- end -}} +{{- $_ := mergeOverwrite .Values (include "pod-gateway.harcodedValues" . | fromYaml) -}} {{/* Render the templates */}} {{ include "common.all" . }} diff --git a/charts/stable/pod-gateway/templates/webhook-admissionregistration.yaml b/charts/stable/pod-gateway/templates/webhook-admissionregistration.yaml index 0178162a..a038de5b 100644 --- a/charts/stable/pod-gateway/templates/webhook-admissionregistration.yaml +++ b/charts/stable/pod-gateway/templates/webhook-admissionregistration.yaml @@ -22,8 +22,8 @@ webhooks: service: namespace: {{ .Release.Namespace | quote }} name: {{ include "common.names.fullname" . }}-webhook - path: {{ .Values.webhook.service.port.path | quote }} - port: {{ .Values.webhook.service.port.port }} + path: /wh/mutating/setgateway + port: {{ include "pod-gateway.webhookPort" . }} admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 diff --git a/charts/stable/pod-gateway/templates/webhook-common.yaml b/charts/stable/pod-gateway/templates/webhook-common.yaml index b202d572..75b443b1 100644 --- a/charts/stable/pod-gateway/templates/webhook-common.yaml +++ b/charts/stable/pod-gateway/templates/webhook-common.yaml 
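Review bot: `type: ClusterIP` and `clusterIP: None` are nested under `service.main.ports.http` rather than under `service.main`; the values this commit removes kept them at service level (`service.type`, `service.clusterIP`), and the common-style service template deleted from webhook-service.yaml in this same commit reads `clusterIP` from the service values, not from a port entry. If common v3 does the same, the gateway service is no longer headless and the VXLAN clients presumably lose the direct pod address, so I would move the two keys up to `main:` level, directly above `ports:`. Because `mergeOverwrite .Values` runs after `common.values.setup`, any user-supplied `command`, `securityContext`, `persistence.config`, `initContainers`, `probes` or `service.main` value is silently overwritten; a comment such as `{{/* These values cannot be overridden from values.yaml; they are merged over .Values below */}}` above the define would make that explicit. Two smaller things: the template name `pod-gateway.harcodedValues` is misspelled, and the `# -- Command starting DHCP server in the gateway` comment is duplicated onto the init container's `command`, which runs `/bin/gateway_init.sh`.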
@@ -1,45 +1,18 @@ {{/* Make sure all variables are set properly */}} {{- include "common.values.setup" . }} -{{- $_ := set .Values.webhook.inserted.init "repository" .Values.image.repository -}} -{{- $_ := set .Values.webhook.inserted.init "tag" .Values.image.tag -}} -{{- $_ := set .Values.webhook.inserted.init "pullPolicy" .Values.image.pullPolicy -}} -{{- $_ := set .Values.webhook.inserted.sidecar "repository" .Values.image.repository -}} -{{- $_ := set .Values.webhook.inserted.sidecar "tag" .Values.image.tag -}} -{{- $_ := set .Values.webhook.inserted.sidecar "pullPolicy" .Values.image.pullPolicy -}} - -{{- define "pod-gateway.webhook-inserted-init-repository" -}} -{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.init.repository ) ( .Values.image.tag | default .Values.webhook.inserted.init.tag ) }} -{{- end -}} - -{{- define "pod-gateway.webhook-inserted-init-pullPolicy" -}} -{{ .Values.webhook.inserted.init.pullPolicy | default .Values.image.pullPolicy }} -{{- end -}} - -{{- define "pod-gateway.webhook-inserted-sidecar-repository" -}} -{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.sidecar.repository ) ( .Values.image.tag | default .Values.webhook.inserted.sidecar.tag ) }} -{{- end -}} - -{{- define "pod-gateway.webhook-inserted-sidecar-pullPolicy" -}} -{{ .Values.webhook.inserted.sidecar.pullPolicy | default .Values.image.pullPolicy }} -{{- end -}} - {{- define "pod-gateway.gateway" -}} {{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) 
.Release.Namespace .Values.clusterName }} {{- end -}} -{{- define "pod-gateway.init.image" -}} -{{ printf "%s:%s" .Values.webhook.inserted.init.repository (.Values.webhook.inserted.init.tag | default "latest" ) }} -{{- end -}} - -{{- define "pod-gateway.sidecar.image" -}} -{{ printf "%s:%s" .Values.webhook.inserted.sidecar.repository (.Values.webhook.inserted.sidecar.tag | default "latest" ) }} -{{- end -}} - {{- define "pod-gateway.configmap" -}} {{ include "common.names.fullname" . }} {{- end -}} +{{- define "pod-gateway.webhookPort" -}} +8080 +{{- end -}} + {{- define "pod-gateway.selfSignedIssuer" -}} {{ printf "%s-webhook-selfsign" (include "common.names.fullname" .) }} diff --git a/charts/stable/pod-gateway/templates/webhook-deployment.yaml b/charts/stable/pod-gateway/templates/webhook-deployment.yaml index 3a71fff4..c626ac0c 100644 --- a/charts/stable/pod-gateway/templates/webhook-deployment.yaml +++ b/charts/stable/pod-gateway/templates/webhook-deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "common.names.fullname" . }}-webhook 
@@ -35,29 +35,35 @@ spec: secretName: {{ include "pod-gateway.servingCertificate" . }} defaultMode: 420 containers: - - name: foo-pod-gateway + - name: webhook image: {{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag }} args: - - --webhook-listen-address=:{{ .Values.webhook.service.port.port |toString }} + - --webhook-listen-address=:{{ include "pod-gateway.webhookPort" . }} - --gateway={{ include "pod-gateway.gateway" . }} - --DNS={{ .Values.DNS }} - --configmapName={{ include "pod-gateway.configmap" . }} - {{- if ( include "pod-gateway.webhook-inserted-init-repository" . ) }} - - --initImage={{ include "pod-gateway.webhook-inserted-init-repository" . }} - - --initImagePullPol={{ include "pod-gateway.webhook-inserted-init-pullPolicy" . }} - - --initCmd={{ .Values.webhook.inserted.init.cmd }} - - --initMountPoint={{ .Values.webhook.inserted.init.mountPath }} - {{- end}} - {{- if ( include "pod-gateway.webhook-inserted-sidecar-repository" . ) }} - - --sidecarImage={{ include "pod-gateway.webhook-inserted-init-repository" . }} - - --sidecarImagePullPol={{ include "pod-gateway.webhook-inserted-sidecar-pullPolicy" . 
}} - - --sidecarCmd={{ .Values.webhook.inserted.sidecar.cmd }} - - --sidecarMountPoint={{ .Values.webhook.inserted.sidecar.mountPath }} - {{- end}} - {{ toYaml .Values.webhook.args | nindent 12 }} + - --setGatewayLabel={{ .Values.webhook.gatewayLabel }} + - --setGatewayAnnotation={{ .Values.webhook.gatewayAnnotation }} + {{ if .Values.webhook.gatewayDefault }} + - --setGatewayDefault + {{ end }} + # Static + - --tls-cert-file-path=/tls/tls.crt + - --tls-key-file-path=/tls/tls.key + - --DNSPolicy=None + # Init container + - --initImage={{ .Values.image.repository }}:{{ .Values.image.tag }} + - --initImagePullPol={{ .Values.image.pullPolicy }} + - --initCmd=/bin/client_init.sh + - --initMountPoint=/config + # Sidecar container + - --sidecarImage={{ .Values.image.repository }}:{{ .Values.image.tag }} + - --sidecarImagePullPol={{ .Values.image.pullPolicy }} + - --sidecarCmd=/bin/sidecar_init.sh + - --sidecarMountPoint=/config ports: - name: http - containerPort: {{ .Values.webhook.service.port.port }} + containerPort: {{ include "pod-gateway.webhookPort" . }} protocol: TCP resources: {} volumeMounts: @@ -67,8 +73,8 @@ spec: livenessProbe: httpGet: path: /wh/health - port: {{ .Values.webhook.service.port.port }} - scheme: {{ .Values.webhook.service.port.protocol }} + port: {{ include "pod-gateway.webhookPort" . }} + scheme: HTTPS initialDelaySeconds: 1 timeoutSeconds: 10 periodSeconds: 10 @@ -77,8 +83,8 @@ spec: readinessProbe: httpGet: path: /wh/health - port: {{ .Values.webhook.service.port.port }} - scheme: {{ .Values.webhook.service.port.protocol }} + port: {{ include "pod-gateway.webhookPort" . }} + scheme: HTTPS initialDelaySeconds: 1 timeoutSeconds: 10 periodSeconds: 10 
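Review bot: `--sidecarCmd=/bin/sidecar_init.sh` does not match the script the removed values passed for the sidecar, `/bin/client_sidecar.sh` (see the `cmd: /bin/client_sidecar.sh` line deleted from values.yaml and the README row for `webhook.inserted.sidecar.cmd`), while the init container keeps `/bin/client_init.sh`; unless the pod-gateway image gained a script of that name, the sidecar inserted into every mutated pod will fail to start. I would change it to `- --sidecarCmd=/bin/client_sidecar.sh`. Separately, `{{ if .Values.webhook.gatewayDefault }}` and `{{ end }}` without whitespace trimming leave blank lines inside the rendered args sequence; `{{- if .Values.webhook.gatewayDefault }}` and `{{- end }}` keep the list tidy.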
@@ -87,15 +93,15 @@ spec: startupProbe: httpGet: path: /wh/health - port: {{ .Values.webhook.service.port.port }} - scheme: {{ .Values.webhook.service.port.protocol }} + port: {{ include "pod-gateway.webhookPort" . }} + scheme: HTTPS timeoutSeconds: 1 periodSeconds: 1 successThreshold: 1 failureThreshold: 30 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File - imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} + imagePullPolicy: {{ .Values.image.pullPolicy }} restartPolicy: Always strategy: type: {{ .Values.webhook.strategy.type }} diff --git a/charts/stable/pod-gateway/templates/webhook-service.yaml b/charts/stable/pod-gateway/templates/webhook-service.yaml index 8377229c..ce627ee2 100644 --- a/charts/stable/pod-gateway/templates/webhook-service.yaml +++ b/charts/stable/pod-gateway/templates/webhook-service.yaml 
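Review bot: `imagePullPolicy: {{ .Values.image.pullPolicy }}` now takes the gateway image's pull policy for the webhook container, while `webhook.image.pullPolicy` is still defined and documented as "image pullPolicy of the webhook" in the values.yaml hunk at `@@ -91,64 +94,30 @@` and in the README table, so that key is dead and a user changing it sees no effect. Either restore `imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}` here, which also matches the container's `image:` line that already uses `webhook.image.repository` and `webhook.image.tag`, or remove the key from values.yaml and the README.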
@@ -1,32 +1,15 @@ -{{- $values := .Values.webhook.service -}} apiVersion: v1 kind: Service metadata: name: {{ include "common.names.fullname" . }}-webhook labels: {{- include "common.labels" . | nindent 4 }} - {{- if $values.labels }} - {{ toYaml $values.labels | nindent 4 }} - {{- end }} - annotations: - {{- if eq ( $values.port.protocol | default "" ) "HTTPS" }} - traefik.ingress.kubernetes.io/service.serversscheme: https - {{- end }} - {{- with $values.annotations }} - {{ toYaml . | nindent 4 }} - {{- end }} spec: type: ClusterIP - {{- if $values.clusterIP }} - clusterIP: {{ $values.clusterIP }} - {{end}} - {{- if $values.sessionAffinity }} - sessionAffinity: {{ $values.sessionAffinity }} - {{- if $values.sessionAffinityConfig }} - sessionAffinityConfig: - {{ toYaml $values.sessionAffinityConfig | nindent 4 }} - {{- end -}} - {{- end }} - {{- include "common.classes.service.ports" (dict "svcType" "ClusterIP" "values" $values ) | trim | nindent 2 }} + ports: + - name: http + protocol: TCP + port: {{ include "pod-gateway.webhookPort" . }} + targetPort: http selector: {{- include "pod-gateway.labels.selectorLabels" . | nindent 4 }} diff --git a/charts/stable/pod-gateway/values.yaml b/charts/stable/pod-gateway/values.yaml index 0dcf7dfd..d932ed84 100644 --- a/charts/stable/pod-gateway/values.yaml +++ b/charts/stable/pod-gateway/values.yaml @@ -6,8 +6,11 @@ # image: + # -- image repository of the gateway and inserted helper containers repository: ghcr.io/k8s-at-home/pod-gateway + # -- image pull policy of the gateway and inserted helper cotainers pullPolicy: IfNotPresent + # -- image tag of the gateway and inserted helper containers tag: v1.2.6 # -- IP address of the DNS server within the vxlan tunnel. 
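Review bot: The `#### Removed` section of the changelog hunk in this commit still says nothing about the webhook overrides this template drops: `webhook.service.labels`, `.annotations`, `.clusterIP` and `.sessionAffinity` no longer have any effect, the traefik `serversscheme` annotation is gone, and the same applies to `webhook.args`, `webhook.inserted` and `webhook.additionalVolumes` removed from values.yaml. A changelog line such as `- **BREAKING**: webhook.service, webhook.args, webhook.inserted and webhook.additionalVolumes are no longer configurable; the webhook port is fixed at 8080` would tell upgraders why their overrides stop applying. The `targetPort: http` and `protocol: TCP` lines agree with the container port named `http` in the deployment hunk.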
@@ -91,64 +94,30 @@ addons: # Cluster IPs (default k3s) cidr: 10.0.0.0/8 - -# You should not need to change the settings bellow this -# at least you have ready the webhook and pod-gateway containers -# documentation - -command: -- /bin/gateway_sidecar.sh - -securityContext: - capabilities: - add: - - NET_ADMIN - -additionalVolumeMounts: -- name: config - mountPath: /config - readOnly: true - -initContainers: -- name: "routes" - # -- Will be set automatically - # @default -- : - image: - # -- Will be set automatically - # @default -- - imagePullPolicy: - command: - - /bin/gateway_init.sh - securityContext: - privileged: true - volumeMounts: - - name: config - mountPath: /config - readOnly: true - -probes: - liveness: - enabled: false - readiness: - enabled: false - startup: - enabled: false - -service: - type: ClusterIP - clusterIP: None - port: - port: 4789 - protocol: UDP - +# -- The webhook is used to mutate the PODs matching the given +# namespace labels. It inserts an init and sidecard helper containers +# that connect to the gateway pod created by this chart. +# @default -- See below webhook: image: + # -- image repository of the webhook repository: ghcr.io/k8s-at-home/gateway-admision-controller + # -- image pullPolicy of the webhook pullPolicy: IfNotPresent + # -- image tag of the webhook tag: v3.3.2 + # -- number of webhook instances to deploy + replicas: 1 + + # -- strategy for updates + strategy: + type: RollingUpdate + # -- Selector for namespace. - # All pods in this namespace will get their default gateway changed + # All pods in this namespace will get evaluated by the webhook. + # **IMPORTANT**: Do not select the namespace where the webhook + # is deployed to or you will get locking issues. namespaceSelector: matchLabels: routed-gateway: "true" 
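Review bot: The `# --` comments in this hunk are copied verbatim into the README by helm-docs, so their typos propagate: `sidecard` in the `webhook` description (`It inserts an init and sidecar helper container`), `cotainers` in the `image.pullPolicy` comment of the hunk at `@@ -6,8 +6,11 @@`, and `behviour` in the `gatewayDefault` comment of the following hunk. The `@default -- See below` marker on `webhook` appears not to have been honoured either, since the README row for `webhook` in this commit still inlines the whole object; regenerating the README after fixing the comments would keep the two in sync.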
@@ -157,69 +126,13 @@ webhook: # operator: NotIn # values: ["1"] - additionalVolumes: [] + # -- default behviour for new PODs in the evaluated namespace + gatewayDefault: true + # -- label name to check when evaluating POD. If true the POD + # will get the gateway. If not set setGatewayDefault will apply. + gatewayLabel: setGateway - inserted: - init: - # -- Will be set automatically - # @default -- - repository: - # -- Will be set automatically - # @default -- - pullPolicy: - # -- Will be set automatically - # @default -- - tag: - cmd: /bin/client_init.sh - mountPath: /config - - sidecar: - # -- Will be set automatically - # @default -- - repository: - # -- Will be set automatically - # @default -- - pullPolicy: - # -- Will be set automatically - # @default -- - tag: - cmd: /bin/client_sidecar.sh - mountPath: /config - - replicas: 1 - - strategy: - type: RollingUpdate - - # Args for webhook - # See more information in the container git repository at - # https://github.com/k8s-at-home/gateway-admision-controller - args: - - --tls-cert-file-path=/tls/tls.crt - - --tls-key-file-path=/tls/tls.key - - --setGatewayDefault - - --setGatewayLabel=setGateway - - --setGatewayAnnotation=setGateway - - --DNSPolicy=None - # - --debug - # - --development - # Set by Helm chart: - # --webhook-listen-address=: - # --gateway= - # --DNS= - # --initImage - # --initImagePullPol - # --initCmd - # --initMountPoint - # --sidecarImage - # --sidecarImagePullPol - # --sidecarCmd - # --sidecarMountPoint - # --configmapName - - service: - port: - path: /wh/mutating/setgateway - protocol: HTTPS - port: 8080 + # -- annotation name to check when evaluating POD. If true the POD + # will get the gateway. If not set setGatewayDefault will apply. + gatewayAnnotation: setGateway