[pod-gateway] Update to common v3, order of default was inversed (#944)

* order of default was inversed

* Update to common 3.0.1
Angel Nunez Mencias 2021-06-11 10:06:57 +02:00 committed by GitHub
parent 9664be3916
commit 138e4161cb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 152 additions and 264 deletions

@ -2,7 +2,7 @@ apiVersion: v2
appVersion: 1.2.6 appVersion: 1.2.6
description: Admision controller to change the default gateway and DNS server of PODs description: Admision controller to change the default gateway and DNS server of PODs
name: pod-gateway name: pod-gateway
version: 2.1.1 version: 3.0.0
kubeVersion: ">=1.16.0-0" kubeVersion: ">=1.16.0-0"
keywords: keywords:
- pod-gateway - pod-gateway
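Review bot: the `description` line still reads "Admision controller" (one s); helm-docs copies it verbatim into the README heading and table, so fix it here rather than in README.md.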
@ -17,4 +17,4 @@ maintainers:
dependencies: dependencies:
- name: common - name: common
repository: https://library-charts.k8s-at-home.com repository: https://library-charts.k8s-at-home.com
version: 2.5.0 version: 3.0.2
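Review bot: the `common` dependency is pinned to 3.0.2 here, but the commit message and the README changelog entry in this same commit both say 3.0.1 (the CHANGELOG.md hunk says 3.0.2); align the three so the release notes match what Chart.lock will resolve.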

@ -1,6 +1,6 @@
# pod-gateway # pod-gateway
![Version: 2.1.1](https://img.shields.io/badge/Version-2.1.1-informational?style=flat-square) ![AppVersion: 1.2.6](https://img.shields.io/badge/AppVersion-1.2.6-informational?style=flat-square) ![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![AppVersion: 1.2.6](https://img.shields.io/badge/AppVersion-1.2.6-informational?style=flat-square)
Admision controller to change the default gateway and DNS server of PODs Admision controller to change the default gateway and DNS server of PODs
@ -19,7 +19,7 @@ Kubernetes: `>=1.16.0-0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://library-charts.k8s-at-home.com | common | 2.5.0 | | https://library-charts.k8s-at-home.com | common | 3.0.2 |
## TL;DR ## TL;DR
@ -100,9 +100,6 @@ certificates. It does not install it as dependency to avoid conflicts.
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| DNS | string | `"172.16.0.1"` | IP address of the DNS server within the vxlan tunnel. All mutated PODs will get this as their DNS server. It must match VXLAN_GATEWAY_IP in settings.sh | | DNS | string | `"172.16.0.1"` | IP address of the DNS server within the vxlan tunnel. All mutated PODs will get this as their DNS server. It must match VXLAN_GATEWAY_IP in settings.sh |
| additionalVolumeMounts[0].mountPath | string | `"/config"` | |
| additionalVolumeMounts[0].name | string | `"config"` | |
| additionalVolumeMounts[0].readOnly | bool | `true` | |
| addons.vpn.configFileSecret | string | `"openvpn"` | | | addons.vpn.configFileSecret | string | `"openvpn"` | |
| addons.vpn.enabled | bool | `false` | Enable the VPN if you want to route through a VPN. You might also want to set VPN_BLOCK_OTHER_TRAFFIC to true for extra safeness in case the VPN does connect | | addons.vpn.enabled | bool | `false` | Enable the VPN if you want to route through a VPN. You might also want to set VPN_BLOCK_OTHER_TRAFFIC to true for extra safeness in case the VPN does connect |
| addons.vpn.env | string | `nil` | | | addons.vpn.env | string | `nil` | |
@ -115,28 +112,11 @@ certificates. It does not install it as dependency to avoid conflicts.
| addons.vpn.type | string | `"openvpn"` | | | addons.vpn.type | string | `"openvpn"` | |
| addons.vpn.wireguard | string | `nil` | | | addons.vpn.wireguard | string | `nil` | |
| clusterName | string | `"cluster.local"` | cluster name used to derive the gateway full name | | clusterName | string | `"cluster.local"` | cluster name used to derive the gateway full name |
| command[0] | string | `"/bin/gateway_sidecar.sh"` | | | image.pullPolicy | string | `"IfNotPresent"` | image pull policy of the gateway and inserted helper cotainers |
| image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | image repository of the gateway and inserted helper containers |
| image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | | | image.tag | string | `"v1.2.6"` | image tag of the gateway and inserted helper containers |
| image.tag | string | `"v1.2.6"` | |
| initContainers[0].command[0] | string | `"/bin/gateway_init.sh"` | |
| initContainers[0].image | string | `nil` | Will be set automatically |
| initContainers[0].imagePullPolicy | string | `nil` | Will be set automatically |
| initContainers[0].name | string | `"routes"` | |
| initContainers[0].securityContext.privileged | bool | `true` | |
| initContainers[0].volumeMounts[0].mountPath | string | `"/config"` | |
| initContainers[0].volumeMounts[0].name | string | `"config"` | |
| initContainers[0].volumeMounts[0].readOnly | bool | `true` | |
| probes.liveness.enabled | bool | `false` | |
| probes.readiness.enabled | bool | `false` | |
| probes.startup.enabled | bool | `false` | |
| publicPorts | string | `nil` | settings to expose ports, usually through a VPN provider. NOTE: if you change it you will need to manually restart the gateway POD | | publicPorts | string | `nil` | settings to expose ports, usually through a VPN provider. NOTE: if you change it you will need to manually restart the gateway POD |
| routed_namespaces | list | `[]` | Namespaces that might contain routed PODs and therefore require a copy of the gneerated settings configmap. | | routed_namespaces | list | `[]` | Namespaces that might contain routed PODs and therefore require a copy of the gneerated settings configmap. |
| securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | |
| service.clusterIP | string | `"None"` | |
| service.port.port | int | `4789` | |
| service.port.protocol | string | `"UDP"` | |
| service.type | string | `"ClusterIP"` | |
| settings.DNS_LOCAL_CIDRS | string | `"local"` | DNS queries to these domains will be resolved by K8S DNS instead of the default (typcally the VPN client changes it) | | settings.DNS_LOCAL_CIDRS | string | `"local"` | DNS queries to these domains will be resolved by K8S DNS instead of the default (typcally the VPN client changes it) |
| settings.NOT_ROUTED_TO_GATEWAY_CIDRS | string | `""` | IPs not sent to the POD gateway but to the default K8S. Multiple CIDRs can be specified using blanks as separator. Example for Calico: ""172.22.0.0/16 172.24.0.0/16" This is needed, for example, in case your CNI does not add a non-default rule for the K8S addresses (Flannel does). | | settings.NOT_ROUTED_TO_GATEWAY_CIDRS | string | `""` | IPs not sent to the POD gateway but to the default K8S. Multiple CIDRs can be specified using blanks as separator. Example for Calico: ""172.22.0.0/16 172.24.0.0/16" This is needed, for example, in case your CNI does not add a non-default rule for the K8S addresses (Flannel does). |
| settings.VPN_BLOCK_OTHER_TRAFFIC | bool | `false` | Prevent non VPN traffic to leave the gateway | | settings.VPN_BLOCK_OTHER_TRAFFIC | bool | `false` | Prevent non VPN traffic to leave the gateway |
@ -146,32 +126,16 @@ certificates. It does not install it as dependency to avoid conflicts.
| settings.VXLAN_GATEWAY_FIRST_DYNAMIC_IP | int | `20` | Keep a range of IPs for static assignment in nat.conf | | settings.VXLAN_GATEWAY_FIRST_DYNAMIC_IP | int | `20` | Keep a range of IPs for static assignment in nat.conf |
| settings.VXLAN_ID | int | `42` | Vxlan ID to use | | settings.VXLAN_ID | int | `42` | Vxlan ID to use |
| settings.VXLAN_IP_NETWORK | string | `"172.16.0"` | VXLAN needs an /24 IP range not conflicting with K8S and local IP ranges | | settings.VXLAN_IP_NETWORK | string | `"172.16.0"` | VXLAN needs an /24 IP range not conflicting with K8S and local IP ranges |
| webhook.additionalVolumes | list | `[]` | | | webhook | object | `{"gatewayAnnotation":"setGateway","gatewayDefault":true,"gatewayLabel":"setGateway","image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/k8s-at-home/gateway-admision-controller","tag":"v3.3.2"},"namespaceSelector":{"matchLabels":{"routed-gateway":"true"}},"replicas":1,"strategy":{"type":"RollingUpdate"}}` | The webhook is used to mutate the PODs matching the given namespace labels. It inserts an init and sidecard helper containers that connect to the gateway pod created by this chart. |
| webhook.args[0] | string | `"--tls-cert-file-path=/tls/tls.crt"` | | | webhook.gatewayAnnotation | string | `"setGateway"` | annotation name to check when evaluating POD. If true the POD will get the gateway. If not set setGatewayDefault will apply. |
| webhook.args[1] | string | `"--tls-key-file-path=/tls/tls.key"` | | | webhook.gatewayDefault | bool | `true` | default behviour for new PODs in the evaluated namespace |
| webhook.args[2] | string | `"--setGatewayDefault"` | | | webhook.gatewayLabel | string | `"setGateway"` | label name to check when evaluating POD. If true the POD will get the gateway. If not set setGatewayDefault will apply. |
| webhook.args[3] | string | `"--setGatewayLabel=setGateway"` | | | webhook.image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy of the webhook |
| webhook.args[4] | string | `"--setGatewayAnnotation=setGateway"` | | | webhook.image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | image repository of the webhook |
| webhook.args[5] | string | `"--DNSPolicy=None"` | | | webhook.image.tag | string | `"v3.3.2"` | image tag of the webhook |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | | | webhook.namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. All pods in this namespace will get evaluated by the webhook. **IMPORTANT**: Do not select the namespace where the webhook is deployed to or you will get locking issues. |
| webhook.image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | | | webhook.replicas | int | `1` | number of webhook instances to deploy |
| webhook.image.tag | string | `"v3.3.2"` | | | webhook.strategy | object | `{"type":"RollingUpdate"}` | strategy for updates |
| webhook.inserted.init.cmd | string | `"/bin/client_init.sh"` | |
| webhook.inserted.init.mountPath | string | `"/config"` | |
| webhook.inserted.init.pullPolicy | string | `nil` | Will be set automatically |
| webhook.inserted.init.repository | string | `nil` | Will be set automatically |
| webhook.inserted.init.tag | string | `nil` | Will be set automatically |
| webhook.inserted.sidecar.cmd | string | `"/bin/client_sidecar.sh"` | |
| webhook.inserted.sidecar.mountPath | string | `"/config"` | |
| webhook.inserted.sidecar.pullPolicy | string | `nil` | Will be set automatically |
| webhook.inserted.sidecar.repository | string | `nil` | Will be set automatically |
| webhook.inserted.sidecar.tag | string | `nil` | Will be set automatically |
| webhook.namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. All pods in this namespace will get their default gateway changed |
| webhook.replicas | int | `1` | |
| webhook.service.port.path | string | `"/wh/mutating/setgateway"` | |
| webhook.service.port.port | int | `8080` | |
| webhook.service.port.protocol | string | `"HTTPS"` | |
| webhook.strategy.type | string | `"RollingUpdate"` | |
## Changelog ## Changelog
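Review bot: the new `webhook` row renders the whole object as JSON in the Default column even though values.yaml annotates the block with `# @default -- See below`; this README looks generated before that annotation was added. Regenerate it with helm-docs after the values.yaml comment typos ("cotainers", "sidecard", "behviour") are fixed, otherwise the table carries them forward.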
@ -179,7 +143,7 @@ All notable changes to this application Helm chart will be documented in this fi
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
### [2.1.1] ### [3.0.0]
#### Added #### Added
@ -188,7 +152,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
#### Changed #### Changed
- N/A - **BREAKING**: Upgraded the common library dependency to version 3.0.1. This introduces several breaking changes (`service`, `ingress` and `persistence` keys have been refactored).
Be sure to check out the [library chart](https://github.com/k8s-at-home/library-charts/blob/common-3.0.1/charts/stable/common/) for the up-to-date values.
#### Removed #### Removed
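Review bot: this entry records common 3.0.1 and links `common-3.0.1`, while Chart.yaml in the same commit pins 3.0.2; the README is generated from the chart's CHANGELOG, so regenerate it rather than editing by hand. The Removed section is also left empty although `webhook.inserted.*`, `webhook.args`, `webhook.service` and the top-level `command`, `initContainers`, `probes` and `service` keys disappear from values.yaml.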

@ -9,7 +9,7 @@ All notable changes to this application Helm chart will be documented in this fi
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
### [2.1.1] ### [3.0.0]
#### Added #### Added
@ -18,7 +18,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
#### Changed #### Changed
- N/A - **BREAKING**: Upgraded the common library dependency to version 3.0.2. This introduces several breaking changes (`service`, `ingress` and `persistence` keys have been refactored).
Be sure to check out the [library chart](https://github.com/k8s-at-home/library-charts/blob/common-3.0.2/charts/stable/common/) for the up-to-date values.
#### Removed #### Removed
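Review bot: the Removed section under this entry should list the values keys this commit drops (`webhook.inserted.*`, `webhook.args`, `webhook.service`, and the top-level `command`, `securityContext`, `additionalVolumeMounts`, `initContainers`, `probes`, `service`, which are now hardcoded in the template); anyone overriding them today will have the override silently ignored after upgrading, which is exactly what a BREAKING entry should warn about.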

@ -1,22 +1,69 @@
{{/* Make sure all variables are set properly */}} {{/* Make sure all variables are set properly */}}
{{- include "common.values.setup" . }} {{- include "common.values.setup" . }}
{{- $_ := set (first .Values.initContainers ) "image" (printf "%s:%s" .Values.image.repository .Values.image.tag ) -}} {{/* Append the hardcoded settings */}}
{{- $_ := set (first .Values.initContainers ) "imagePullPolicy" .Values.image.pullPolicy -}} {{- define "pod-gateway.harcodedValues" -}}
# -- Command starting DHCP server in the gateway
command:
- /bin/gateway_sidecar.sh
{{/* Append the cert secret to the additionalVolumes */}} securityContext:
{{- define "pod-gateway.settings.volume" -}} capabilities:
name: config add:
configMap: - NET_ADMIN
name: {{ include "pod-gateway.configmap" . }}
defaultMode: 0555 # -- Configure persistence settings for the chart under this key.
{{- end -}} persistence:
config:
enabled: true
type: custom
mountPath: /config
readOnly: true
volumeSpec:
configMap:
name: {{ include "pod-gateway.configmap" . }}
defaultMode: 0555
initContainers:
# -- Configures an initContainer that creates a VXLAN
# In the gateway for client PODs to connect to.
# iptables migh be (see VPN_BLOCK_OTHER_TRAFFIC) setup
# to block traffic not going through the VPN
- name: "routes"
# -- Image for the init container
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
# -- Will be set automatically
# @default -- <image.pullPolicy>
imagePullPolicy: {{ .Values.image.pullPolicy }}
# -- Command starting DHCP server in the gateway
command:
- /bin/gateway_init.sh
securityContext:
privileged: true
volumeMounts:
- name: config
mountPath: /config
readOnly: true
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
service:
main:
ports:
http:
type: ClusterIP
clusterIP: None
port: 4789
protocol: UDP
{{- $volume := include "pod-gateway.settings.volume" . | fromYaml -}}
{{- if $volume -}}
{{- $additionalVolumes := append .Values.additionalVolumes $volume }}
{{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}}
{{- end -}} {{- end -}}
{{- $_ := mergeOverwrite .Values (include "pod-gateway.harcodedValues" . | fromYaml) -}}
{{/* Render the templates */}} {{/* Render the templates */}}
{{ include "common.all" . }} {{ include "common.all" . }}
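Review bot: in the `service.main` block the `type: ClusterIP` and `clusterIP: None` lines come after `ports: http:`; if they are indented under `http` (the line order suggests so) common v3 ignores them and the gateway service is not created headless, so they belong directly under `main`. Two smaller points: the comment on the init container's `command` says "starting DHCP server" but `/bin/gateway_init.sh` creates the VXLAN (copy-paste of the sidecar comment), and `mergeOverwrite .Values (...)` makes every key in `pod-gateway.harcodedValues` (note the spelling) win over user values, so overriding the init container's `privileged: true` or the disabled probes is no longer possible; if that is intended, say so in values.yaml.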

@ -22,8 +22,8 @@ webhooks:
service: service:
namespace: {{ .Release.Namespace | quote }} namespace: {{ .Release.Namespace | quote }}
name: {{ include "common.names.fullname" . }}-webhook name: {{ include "common.names.fullname" . }}-webhook
path: {{ .Values.webhook.service.port.path | quote }} path: /wh/mutating/setgateway
port: {{ .Values.webhook.service.port.port }} port: {{ include "pod-gateway.webhookPort" . }}
admissionReviewVersions: ["v1", "v1beta1"] admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None sideEffects: None
timeoutSeconds: 5 timeoutSeconds: 5

@ -1,45 +1,18 @@
{{/* Make sure all variables are set properly */}} {{/* Make sure all variables are set properly */}}
{{- include "common.values.setup" . }} {{- include "common.values.setup" . }}
{{- $_ := set .Values.webhook.inserted.init "repository" .Values.image.repository -}}
{{- $_ := set .Values.webhook.inserted.init "tag" .Values.image.tag -}}
{{- $_ := set .Values.webhook.inserted.init "pullPolicy" .Values.image.pullPolicy -}}
{{- $_ := set .Values.webhook.inserted.sidecar "repository" .Values.image.repository -}}
{{- $_ := set .Values.webhook.inserted.sidecar "tag" .Values.image.tag -}}
{{- $_ := set .Values.webhook.inserted.sidecar "pullPolicy" .Values.image.pullPolicy -}}
{{- define "pod-gateway.webhook-inserted-init-repository" -}}
{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.init.repository ) ( .Values.image.tag | default .Values.webhook.inserted.init.tag ) }}
{{- end -}}
{{- define "pod-gateway.webhook-inserted-init-pullPolicy" -}}
{{ .Values.webhook.inserted.init.pullPolicy | default .Values.image.pullPolicy }}
{{- end -}}
{{- define "pod-gateway.webhook-inserted-sidecar-repository" -}}
{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.sidecar.repository ) ( .Values.image.tag | default .Values.webhook.inserted.sidecar.tag ) }}
{{- end -}}
{{- define "pod-gateway.webhook-inserted-sidecar-pullPolicy" -}}
{{ .Values.webhook.inserted.sidecar.pullPolicy | default .Values.image.pullPolicy }}
{{- end -}}
{{- define "pod-gateway.gateway" -}} {{- define "pod-gateway.gateway" -}}
{{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterName }} {{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterName }}
{{- end -}} {{- end -}}
{{- define "pod-gateway.init.image" -}}
{{ printf "%s:%s" .Values.webhook.inserted.init.repository (.Values.webhook.inserted.init.tag | default "latest" ) }}
{{- end -}}
{{- define "pod-gateway.sidecar.image" -}}
{{ printf "%s:%s" .Values.webhook.inserted.sidecar.repository (.Values.webhook.inserted.sidecar.tag | default "latest" ) }}
{{- end -}}
{{- define "pod-gateway.configmap" -}} {{- define "pod-gateway.configmap" -}}
{{ include "common.names.fullname" . }} {{ include "common.names.fullname" . }}
{{- end -}} {{- end -}}
{{- define "pod-gateway.webhookPort" -}}
8080
{{- end -}}
{{- define "pod-gateway.selfSignedIssuer" -}} {{- define "pod-gateway.selfSignedIssuer" -}}
{{ printf "%s-webhook-selfsign" (include "common.names.fullname" .) }} {{ printf "%s-webhook-selfsign" (include "common.names.fullname" .) }}
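Review bot: this is where the inverted default lived: `.Values.image.repository | default .Values.webhook.inserted.init.repository` (and its sidecar twin) passed the global image as the value and the per-container key as the fallback, so `webhook.inserted.*.repository/tag` could never take effect. Deleting the helpers instead of swapping the operands is fine, but it means those keys are gone for good and the changelog must say so. `pod-gateway.webhookPort` returning a literal `8080` is now consumed by the mutating webhook configuration, the deployment and the service; a one-line comment above the define saying the port is intentionally not configurable would help the next reader.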

@ -1,4 +1,4 @@
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "common.names.fullname" . }}-webhook name: {{ include "common.names.fullname" . }}-webhook
@ -35,29 +35,35 @@ spec:
secretName: {{ include "pod-gateway.servingCertificate" . }} secretName: {{ include "pod-gateway.servingCertificate" . }}
defaultMode: 420 defaultMode: 420
containers: containers:
- name: foo-pod-gateway - name: webhook
image: {{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag }} image: {{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag }}
args: args:
- --webhook-listen-address=:{{ .Values.webhook.service.port.port |toString }} - --webhook-listen-address=:{{ include "pod-gateway.webhookPort" . }}
- --gateway={{ include "pod-gateway.gateway" . }} - --gateway={{ include "pod-gateway.gateway" . }}
- --DNS={{ .Values.DNS }} - --DNS={{ .Values.DNS }}
- --configmapName={{ include "pod-gateway.configmap" . }} - --configmapName={{ include "pod-gateway.configmap" . }}
{{- if ( include "pod-gateway.webhook-inserted-init-repository" . ) }} - --setGatewayLabel={{ .Values.webhook.gatewayLabel }}
- --initImage={{ include "pod-gateway.webhook-inserted-init-repository" . }} - --setGatewayAnnotation={{ .Values.webhook.gatewayAnnotation }}
- --initImagePullPol={{ include "pod-gateway.webhook-inserted-init-pullPolicy" . }} {{ if .Values.webhook.gatewayDefault }}
- --initCmd={{ .Values.webhook.inserted.init.cmd }} - --setGatewayDefault
- --initMountPoint={{ .Values.webhook.inserted.init.mountPath }} {{ end }}
{{- end}} # Static
{{- if ( include "pod-gateway.webhook-inserted-sidecar-repository" . ) }} - --tls-cert-file-path=/tls/tls.crt
- --sidecarImage={{ include "pod-gateway.webhook-inserted-init-repository" . }} - --tls-key-file-path=/tls/tls.key
- --sidecarImagePullPol={{ include "pod-gateway.webhook-inserted-sidecar-pullPolicy" . }} - --DNSPolicy=None
- --sidecarCmd={{ .Values.webhook.inserted.sidecar.cmd }} # Init container
- --sidecarMountPoint={{ .Values.webhook.inserted.sidecar.mountPath }} - --initImage={{ .Values.image.repository }}:{{ .Values.image.tag }}
{{- end}} - --initImagePullPol={{ .Values.image.pullPolicy }}
{{ toYaml .Values.webhook.args | nindent 12 }} - --initCmd=/bin/client_init.sh
- --initMountPoint=/config
# Sidecar container
- --sidecarImage={{ .Values.image.repository }}:{{ .Values.image.tag }}
- --sidecarImagePullPol={{ .Values.image.pullPolicy }}
- --sidecarCmd=/bin/sidecar_init.sh
- --sidecarMountPoint=/config
ports: ports:
- name: http - name: http
containerPort: {{ .Values.webhook.service.port.port }} containerPort: {{ include "pod-gateway.webhookPort" . }}
protocol: TCP protocol: TCP
resources: {} resources: {}
volumeMounts: volumeMounts:
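Review bot: `--sidecarCmd=/bin/sidecar_init.sh` does not match the value it replaces (`cmd: /bin/client_sidecar.sh` in the old values.yaml) nor the `--initCmd=/bin/client_init.sh` naming a few lines up; unless the pod-gateway image gained that script, the injected sidecar will fail to start on every mutated pod. Also, `{{ if .Values.webhook.gatewayDefault }}` / `{{ end }}` carry no `-` trim markers, so they leave indented blank lines inside the `args` list; YAML tolerates it, but `{{- if ... }}` / `{{- end }}` keeps the rendered manifest clean.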
@ -67,8 +73,8 @@ spec:
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /wh/health path: /wh/health
port: {{ .Values.webhook.service.port.port }} port: {{ include "pod-gateway.webhookPort" . }}
scheme: {{ .Values.webhook.service.port.protocol }} scheme: HTTPS
initialDelaySeconds: 1 initialDelaySeconds: 1
timeoutSeconds: 10 timeoutSeconds: 10
periodSeconds: 10 periodSeconds: 10
@ -77,8 +83,8 @@ spec:
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /wh/health path: /wh/health
port: {{ .Values.webhook.service.port.port }} port: {{ include "pod-gateway.webhookPort" . }}
scheme: {{ .Values.webhook.service.port.protocol }} scheme: HTTPS
initialDelaySeconds: 1 initialDelaySeconds: 1
timeoutSeconds: 10 timeoutSeconds: 10
periodSeconds: 10 periodSeconds: 10
@ -87,15 +93,15 @@ spec:
startupProbe: startupProbe:
httpGet: httpGet:
path: /wh/health path: /wh/health
port: {{ .Values.webhook.service.port.port }} port: {{ include "pod-gateway.webhookPort" . }}
scheme: {{ .Values.webhook.service.port.protocol }} scheme: HTTPS
timeoutSeconds: 1 timeoutSeconds: 1
periodSeconds: 1 periodSeconds: 1
successThreshold: 1 successThreshold: 1
failureThreshold: 30 failureThreshold: 30
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
restartPolicy: Always restartPolicy: Always
strategy: strategy:
type: {{ .Values.webhook.strategy.type }} type: {{ .Values.webhook.strategy.type }}
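Review bot: `imagePullPolicy: {{ .Values.image.pullPolicy }}` on the webhook container is a regression: the line it replaces read `.Values.webhook.image.pullPolicy`, and values.yaml in this same commit still documents `webhook.image.pullPolicy` as "image pullPolicy of the webhook". With this change that key is dead and the gateway image's policy is applied to the webhook image instead.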

@ -1,32 +1,15 @@
{{- $values := .Values.webhook.service -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "common.names.fullname" . }}-webhook name: {{ include "common.names.fullname" . }}-webhook
labels: labels:
{{- include "common.labels" . | nindent 4 }} {{- include "common.labels" . | nindent 4 }}
{{- if $values.labels }}
{{ toYaml $values.labels | nindent 4 }}
{{- end }}
annotations:
{{- if eq ( $values.port.protocol | default "" ) "HTTPS" }}
traefik.ingress.kubernetes.io/service.serversscheme: https
{{- end }}
{{- with $values.annotations }}
{{ toYaml . | nindent 4 }}
{{- end }}
spec: spec:
type: ClusterIP type: ClusterIP
{{- if $values.clusterIP }} ports:
clusterIP: {{ $values.clusterIP }} - name: http
{{end}} protocol: TCP
{{- if $values.sessionAffinity }} port: {{ include "pod-gateway.webhookPort" . }}
sessionAffinity: {{ $values.sessionAffinity }} targetPort: http
{{- if $values.sessionAffinityConfig }}
sessionAffinityConfig:
{{ toYaml $values.sessionAffinityConfig | nindent 4 }}
{{- end -}}
{{- end }}
{{- include "common.classes.service.ports" (dict "svcType" "ClusterIP" "values" $values ) | trim | nindent 2 }}
selector: selector:
{{- include "pod-gateway.labels.selectorLabels" . | nindent 4 }} {{- include "pod-gateway.labels.selectorLabels" . | nindent 4 }}
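Review bot: dropping `$values.labels`, `$values.annotations`, `sessionAffinity` and the traefik `serversscheme` annotation removes every `webhook.service.*` customisation point without a changelog entry; a fixed-shape service is reasonable here, but it belongs under Removed. Minor: the port is named `http` and targets `http` while it carries TLS (the deployment probes use `scheme: HTTPS`); naming it `https` avoids confusion when reading `kubectl get svc`.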

@ -6,8 +6,11 @@
# #
image: image:
# -- image repository of the gateway and inserted helper containers
repository: ghcr.io/k8s-at-home/pod-gateway repository: ghcr.io/k8s-at-home/pod-gateway
# -- image pull policy of the gateway and inserted helper cotainers
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# -- image tag of the gateway and inserted helper containers
tag: v1.2.6 tag: v1.2.6
# -- IP address of the DNS server within the vxlan tunnel. # -- IP address of the DNS server within the vxlan tunnel.
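Review bot: "cotainers" in the new `pullPolicy` comment; helm-docs lifts these `# --` comments into the README table, so the typo already shows up in the README hunk above.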
@ -91,64 +94,30 @@ addons:
# Cluster IPs (default k3s) # Cluster IPs (default k3s)
cidr: 10.0.0.0/8 cidr: 10.0.0.0/8
# -- The webhook is used to mutate the PODs matching the given
# You should not need to change the settings bellow this # namespace labels. It inserts an init and sidecard helper containers
# at least you have ready the webhook and pod-gateway containers # that connect to the gateway pod created by this chart.
# documentation # @default -- See below
command:
- /bin/gateway_sidecar.sh
securityContext:
capabilities:
add:
- NET_ADMIN
additionalVolumeMounts:
- name: config
mountPath: /config
readOnly: true
initContainers:
- name: "routes"
# -- Will be set automatically
# @default -- <image.repository>:<image.tag>
image:
# -- Will be set automatically
# @default -- <image.pullPolicy>
imagePullPolicy:
command:
- /bin/gateway_init.sh
securityContext:
privileged: true
volumeMounts:
- name: config
mountPath: /config
readOnly: true
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
service:
type: ClusterIP
clusterIP: None
port:
port: 4789
protocol: UDP
webhook: webhook:
image: image:
# -- image repository of the webhook
repository: ghcr.io/k8s-at-home/gateway-admision-controller repository: ghcr.io/k8s-at-home/gateway-admision-controller
# -- image pullPolicy of the webhook
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# -- image tag of the webhook
tag: v3.3.2 tag: v3.3.2
# -- number of webhook instances to deploy
replicas: 1
# -- strategy for updates
strategy:
type: RollingUpdate
# -- Selector for namespace. # -- Selector for namespace.
# All pods in this namespace will get their default gateway changed # All pods in this namespace will get evaluated by the webhook.
# **IMPORTANT**: Do not select the namespace where the webhook
# is deployed to or you will get locking issues.
namespaceSelector: namespaceSelector:
matchLabels: matchLabels:
routed-gateway: "true" routed-gateway: "true"
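Review bot: "sidecard" in the new `webhook` block comment (leave "admision" in the image repository name alone, that is the upstream image's spelling). The `# @default -- See below` annotation is the right way to collapse the object in the README, but the README in this commit still renders the full JSON, so the docs need regenerating once this comment block is final.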
@ -157,69 +126,13 @@ webhook:
# operator: NotIn # operator: NotIn
# values: ["1"] # values: ["1"]
additionalVolumes: [] # -- default behviour for new PODs in the evaluated namespace
gatewayDefault: true
# -- label name to check when evaluating POD. If true the POD
# will get the gateway. If not set setGatewayDefault will apply.
gatewayLabel: setGateway
inserted: # -- annotation name to check when evaluating POD. If true the POD
init: # will get the gateway. If not set setGatewayDefault will apply.
# -- Will be set automatically gatewayAnnotation: setGateway
# @default -- <image.repository>
repository:
# -- Will be set automatically
# @default -- <image.pullPolicy>
pullPolicy:
# -- Will be set automatically
# @default -- <image.tag>
tag:
cmd: /bin/client_init.sh
mountPath: /config
sidecar:
# -- Will be set automatically
# @default -- <image.repository>
repository:
# -- Will be set automatically
# @default -- <image.pullPolicy>
pullPolicy:
# -- Will be set automatically
# @default -- <image.tag>
tag:
cmd: /bin/client_sidecar.sh
mountPath: /config
replicas: 1
strategy:
type: RollingUpdate
# Args for webhook
# See more information in the container git repository at
# https://github.com/k8s-at-home/gateway-admision-controller
args:
- --tls-cert-file-path=/tls/tls.crt
- --tls-key-file-path=/tls/tls.key
- --setGatewayDefault
- --setGatewayLabel=setGateway
- --setGatewayAnnotation=setGateway
- --DNSPolicy=None
# - --debug
# - --development
# Set by Helm chart:
# --webhook-listen-address=:<set to service port>
# --gateway=<set automatically to 'gateway'>
# --DNS=<set automatically to 'gateway'>
# --initImage
# --initImagePullPol
# --initCmd
# --initMountPoint
# --sidecarImage
# --sidecarImagePullPol
# --sidecarCmd
# --sidecarMountPoint
# --configmapName
service:
port:
path: /wh/mutating/setgateway
protocol: HTTPS
port: 8080
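Review bot: "behviour" in the `gatewayDefault` comment. More substantively, removing `args` also removes the documented way to pass `--debug` / `--development` (the commented-out entries at the end of the old block); with the flags now hardcoded in the deployment, an `extraArgs` list would let operators enable debug logging without forking the template, and the removal of `webhook.args`, `webhook.inserted` and `webhook.service` needs an entry under Removed in the changelog.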